IETF Logo Mail Archive

Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Tue, 18 June 2013 17:10 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80E8611E80F0; Tue, 18 Jun 2013 10:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PjsZs7F81wtv; Tue, 18 Jun 2013 10:10:21 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id AEC3921F9B7D; Tue, 18 Jun 2013 10:10:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3564; q=dns/txt; s=iport; t=1371575421; x=1372785021; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=+hlGh+C++SrXDUQzquKhgpIyxvVI+lyR41mFbWx3p6c=; b=gfzZQRI498ui8ajAaKuqPEDxRMrYTYCIBzj/rw9Irytkm90faOGjIf5B HjIX8Y5eewwOL3Q0Kb5OhVBKlZOYJgyQxVOgXON/h/OpS4TqYPC7kApuo vzBHWMz5JXYkKJuAWQBwpw9obPjZfu9QTvfMnj1nb/uAWEa+msI9ueyBS c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag0FAAaUwFGtJXG//2dsb2JhbABPCoMJer8PgQIWdIIjAQEBAwE6PwULAgEIIhQQMiUBAQQOBQiIAAa7Eo1/gQkCMQeDAGEDqQSDD4FqJBo
X-IronPort-AV: E=Sophos;i="4.87,890,1363132800"; d="scan'208";a="224374188"
Received: from rcdn-core2-4.cisco.com ([173.37.113.191]) by rcdn-iport-3.cisco.com with ESMTP; 18 Jun 2013 17:10:20 +0000
Received: from xhc-aln-x08.cisco.com (xhc-aln-x08.cisco.com [173.36.12.82]) by rcdn-core2-4.cisco.com (8.14.5/8.14.5) with ESMTP id r5IHAKcY000945 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 18 Jun 2013 17:10:20 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.220]) by xhc-aln-x08.cisco.com ([173.36.12.82]) with mapi id 14.02.0318.004; Tue, 18 Jun 2013 12:10:19 -0500
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Sam Hartman <hartmans@painless-security.com>
Thread-Topic: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
Thread-Index: Ac5rzQ3h5Vr98eb9RParuraCHgwUcgAYb7oMABB0QQA=
Date: Tue, 18 Jun 2013 17:10:19 +0000
Message-ID: <A95B4818FD85874D8F16607F1AC7C628CF9E35@xmb-rcd-x09.cisco.com>
References: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com> <tsl38sfbiyd.fsf@mit.edu>
In-Reply-To: <tsl38sfbiyd.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.33.248.222]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <4F7AA199DE677B4EBAFAEF02DB1C2F7F@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "abfab@ietf.org" <abfab@ietf.org>, "Black, David" <david.black@emc.com>, General Area Review Team <gen-art@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jun 2013 17:10:26 -0000

On Jun 18, 2013, at 7:18 AM, Sam Hartman <hartmans@painless-security.com>
 wrote:

>>>>>> "Black," == Black, David <david.black@emc.com> writes:
> 
>    Black,> The next to last paragraph on p.3 begins with this sentence:
> 
>    Black,>    For these reasons, channel binding MUST be implemented by
>    Black,> peers, EAP servers and AAA servers in environments where EAP
>    Black,> authentication is used to access application layer services.
> 
>    Black,> It appear that this "MUST" requirement applies to all uses
>    Black,> of EAP, including network access authentication, not just
>    Black,> application layer access authentication.  If so, that's not
>    Black,> immediately obvious from the text, and an additional
>    Black,> sentence should be added to make this clearer.  If not, the
>    Black,> above sentence needs to exclude network access
>    Black,> authentication from that requirement.
> 
> 
> I know you're correct that AAA servers and EAP servers need to implement
> channel binding for network access in such environments.
> I'm not sure whether peers only doing network access SHOULD implement
> channel binding or MUST implement channel binding.
> 
> Practically speaking, it will be a while before peers implement channel
> binding for network access.
> The sorts of attacks that result without channel binding are attacks
> where a peer thinks it is doing network access authentication but what
> it's really doing is helping an attacker access an application.
> If all the application access peers support channel binding, then you
> could potentially require the eap-lower-layer attribute or similar for
> application authentication and work securely in environments where peers
> for network access have not been updated yet.

[Joe]  I'm trying to get a handle on the attack mechanism here.   In this attack a valid network service is trying to spoof an application service?  Since it knows the MSK it can do this if the channel-binding of the lower-layer into the EAP conversation is not enforced.  If the AAA server always enforces channel bindings for applications then it will catch the spoofing attempt.   The reverse case may also be an issue where an application service is trying to spoof a network service.   In this case, if the AAA server validates that the application channel binding is not present then it can prevent the spoofing.  However the server MUST understand channel bindings even if the peers do not.   I think the document did try to capture this in the following sentence:

"If the EAP server is aware that authentication is
   for something other than a network service, it too MUST default to
   requiring channel binding."

I think we could state this a bit better as something like:

"In environments where EAP is used for applications authentication and network access authentication all EAP servers MUST understand channel bindings and require that application bindings MUST be present in application authentication and that application bindings MUST be absent in network authentication.   All network access EAP peer implementations SHOULD support channel binding to explicitly identify the reason for authentication.  Any new usage of EAP MUST support channel bindings to prevent confusion with network access usage. " 



> It's also kind of tempting to stick our head in the sand and just add
> the clarification that "yes, we mean network access too."
> 
> --Sam

v2.23.0 | Report a Bug | By Email