IETF Logo Mail Archive

Re: [abfab] Summary of proposed changes to eat applicability document

Alper Yegin <alper.yegin@yegin.org> Wed, 27 February 2013 21:36 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE15121F8883 for <abfab@ietfa.amsl.com>; Wed, 27 Feb 2013 13:36:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1uJLt-69QvB for <abfab@ietfa.amsl.com>; Wed, 27 Feb 2013 13:36:28 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id F014421F8870 for <abfab@ietf.org>; Wed, 27 Feb 2013 13:36:27 -0800 (PST)
Received: from [192.168.2.49] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0MLNZC-1UAGhz3Z6Q-000ynX; Wed, 27 Feb 2013 16:36:25 -0500
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <A95B4818FD85874D8F16607F1AC7C628A444E2@xmb-rcd-x09.cisco.com>
Date: Wed, 27 Feb 2013 23:36:20 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <8BEF4D48-9904-4B8A-8555-A3827EC07B3E@yegin.org>
References: <A95B4818FD85874D8F16607F1AC7C628A444E2@xmb-rcd-x09.cisco.com>
To: Joseph Salowey <jsalowey@cisco.com>
X-Mailer: Apple Mail (2.1283)
X-Provags-ID: V02:K0:dXlEYupNZVlB4efODNr2SzjoM2xGz18g717lofN6rNA ASqG+1RfxojWD/JfxvdYZYeAgkYPMu5aAQ1ywPqlUXqFbWZjgN YHCQozdDBcpGLurZV8TfEy8A6Cyxi8SxlZnDO1l3WMijNAIXXw nuiU1XGQN3xm7fSXAX8AKzgfbWLpiNttzt4MfdK3br9vy0vxFh fGV8WPjWCQFrWwWJFupTWbLdlpyTzgJBLZXQGrO8VF5xu5NHeb RtRU1ndl8z0P0ZibhAiaQPaB7J0Rvpvx2tTt01JhY4eo2Bbdl4 FyGi9jVF37Aido1KoihDua3MMWMjSWOQRNGS66aY0ccOQzyPTC AksDIaQj7DqAxdappVFWatpV/mYM520ryiSRXDcpWxS5tyfADX rqRBU6H3D5XHQ==
Cc: "abfab@ietf.org" <abfab@ietf.org>
Subject: Re: [abfab] Summary of proposed changes to eat applicability document
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2013 21:36:28 -0000

> 
> 2.1 Retransmission
> 
> In EAP, the authenticator is responsible for retransmission. By default
> EAP assumes that the lower layer (the application in this context) is
> unreliable. The authenticator can send a packet whenever its
> retransmission timer triggers. In this mode, applications need to be able to receive and process 
> EAP messages at any time during the authentication conversation.
> 
> Alternatively, EAP permits a lower layer to set the retransmission timer
> to infinite. When this happens, the lower layer becomes responsible for
> reliable delivery of EAP messages. Applications that use a lock-step or
> client-driven authentication protocol might benefit from this approach.
> 

It'd be useful to explain why so, even briefly. 


> In addition to retransmission behavior applications need to deal with
> discarded EAP messages. For example, whenever some EAP methods receive  erroneous
> input, these methods discard the input rather than generating an error
> response. If the erroneous input was generated by an attacker,
> legitimate input can sometimes be received after the erroneous
> input. Applications MUST handle discarded EAP messages,
> although the specific way in which discarded messages will be handled
> depend on the characteristics of the application. Options include
> failing the authentication at the application level, requesting an EAP 
> retransmit and waiting for additional EAP input.   
> 

Are these the only three options for how apps must handle discarded EAP messages? If so, we should state that clearly. If not, then the "MUST handle" statement is not meaningful at all. Unless we state specific way of handling, or provide some general guidelines (e.g., characteristics of handling), "MUST handle" does not mean anything to implementors.

Also, as I had stated earlier, this requirement implies an interface between the EAP method layer and the EAP lower-layer. Such an interface does not exist, there is EAP in between. 
This requirement has additional implications on EAP methods too. Existing EAP methods need to be modified??

> Specifications of how EAP is used for application authentication SHOULD
> document how retransmission and message discards are handled.
> 


Why not MUST? 

> 4) Re-Authentication
> 
> ADD
> 
> 2.2 Re-Authentication
> 
> EAP lower layers MAY provide a mechanism for re-authentication to happen
> within an existing session [RFC 3748]. Diameter standardizes a mechanism
> for a AAA server to request re-authentication [RFC
> 4005]. Re-authentication permits security associations to be updated
> without establishing a new session. For network access, this can be
> important because interrupting network access can disrupt connections
> and media.
> 
> Some applications might not need re-authentication support. For example
> if sessions are relatively short-lived or if sessions can be replaced
> without significant disruption, re-authentication might not provide
> value. Protocols like HypertextTransport Protocol (HTTP) and Simple
> Mail Transport Protocol (SMTP) are examples of protocols where
> establishing a new connection to update security associations is likely
> to be sufficient.
> 
> Re-authentication is likely to be valuable if sessions or connections
> are long-lived or if there is a significant cost to disrupting them.
> 

There's a bit of a terminology confusion here, I believe.

I think the intention is to state that we don't need to run EAP again and again in order to maintain an always-on security association. It is OK to let EAP sessions expire. We can run EAP again if and when we need a security association again. One could call this "re-authenticaiton".

On the other hand, letting the security association expire and having to run EAP again on-demand can also be called "re-authentication".


> Another factor may make re-authentication important. Some protocols only
> permit one part in a protocol (for example the client) to establish a
> new connection. If another party in the protocol needs the security
> association refreshed then re-authentication can provide a mechanism to
> do so.
> 
> Lower layers SHOULD describe whether re-authentication is provided and
> which parties can initiate it.

I'd say "MUST" here too.

Alper




> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab

v2.23.0 | Report a Bug | By Email