Hi, I am Philip Ginzboorg from Huawei Finland. Together with my colleague Sandeep Tamrakar we are working on an IoT security-related project and had a look at EAP-NOOB.

Here is our comment on the EAP-NOOB draft version 7:

- In addition to the functionality that EAP-NOOB already provides, we would like to have the possibility for the EAP server to configure the EAP Peer. For instance, the EAP Server could provision long-term credentials to the EAP Peer.

- For that purpose, we would like to have one optional message pair in the EAP-NOOB protocol exchanged, just before the Completion Exchange (Section 3.2.4) ends.

- The first additional message, from EAP Server to EAP Peer, could be of a separate Command message type (e.g., type=10). It should be sent only during the Completion Exchange, after the server verifies the correctness of the received MAC (i.e. MACp) from the EAP Peer, and before the EAP-Success message.

- Upon receiving this message, the EAP Peer will configure itself as instructed by the EAP Server, if MACs is correct. Then, the EAP Peer will respond with a configuration success message.

- For example, in Fig 6 (https://tools.ietf.org/html/draft-aura-eap-noob-07) after the 4th message (Type=4,PeerId,MACp) and before the EAP-Success message, there would be a possibility of sending an additional message (e.g., Type=10, say, a configuration Command message) to the EAP Peer, and expecting back a response.

Philip
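A peer-side sketch of the ordering rule proposed in the message above, added here as an illustration; it is not code from the e-mail's author or from the EAP-NOOB draft. Assumptions: the Command carries its own MACs value (one reading of "if MACs is correct"), the MAC input is a simplified JSON array rather than the draft's full field list, and the names `Command`, `Result`, `Peer` and `mac` are hypothetical.

```python
import hashlib
import hmac
import json

TYPE_COMPLETION = 4   # Completion Exchange message type, as in the e-mail
TYPE_COMMAND = 10     # hypothetical Command type (the e-mail's "e.g., type=10")


def mac(key, fields):
    """Simplified MAC (assumption): HMAC-SHA256 over a compact JSON array."""
    data = json.dumps(fields, separators=(",", ":"), sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _same(expected, received):
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(expected.encode(), str(received).encode())


class Peer:
    """Peer-side gate for the optional Command message proposed above."""

    def __init__(self, peer_id, kms):
        self.peer_id, self.kms = peer_id, kms   # kms: constructed MAC key
        self.macs_verified = False              # set by a valid Type=4 request
        self.finished = False                   # set when EAP-Success arrives
        self.config = {}

    def on_request(self, msg):
        if self.finished or msg.get("PeerId") != self.peer_id:
            return None
        if msg.get("Type") == TYPE_COMPLETION:
            want = mac(self.kms, [TYPE_COMPLETION, self.peer_id])
            self.macs_verified = _same(want, msg.get("MACs", ""))
            if self.macs_verified:
                # A real response also carries MACp; omitted in this sketch.
                return {"Type": TYPE_COMPLETION, "PeerId": self.peer_id}
            return None
        if msg.get("Type") == TYPE_COMMAND and self.macs_verified:
            cmd = msg.get("Command", {})
            want = mac(self.kms, [TYPE_COMMAND, self.peer_id, cmd])
            if isinstance(cmd, dict) and _same(want, msg.get("MACs", "")):
                self.config.update(cmd)         # apply only authenticated settings
                return {"Type": TYPE_COMMAND, "PeerId": self.peer_id,
                        "Result": "success"}
        return None                             # out of order or bad MAC: ignore

    def on_eap_success(self):
        self.finished = True                    # no Command accepted after this
```

A Command that arrives before the Type=4 request has been verified, after EAP-Success, or with a MAC that does not match leaves the peer's configuration unchanged.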