Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
Dan Garcia Carrillo <garciadan@uniovi.es> Fri, 25 June 2021 18:16 UTC
Return-Path: <garciadan@uniovi.es>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A02493A0E9E for <ace@ietfa.amsl.com>; Fri, 25 Jun 2021 11:16:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.026
X-Spam-Level:
X-Spam-Status: No, score=-2.026 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=unioviedo.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOk6Id70KZOQ for <ace@ietfa.amsl.com>; Fri, 25 Jun 2021 11:16:46 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30082.outbound.protection.outlook.com [40.107.3.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5663A0E9C for <ace@ietf.org>; Fri, 25 Jun 2021 11:16:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SqFOwTNKbE2LSjtmI/LWL226KHOvvYDV6p/zoNhYw5Y3zPN9yppcz8D5ijrERhgQnKo2JB4YtjARhR/bxaB8dZ0R1pOVyibkZF3bvjGA+3EF93K0AtUj4yIeQX352PoEKalTrvjO9uK8f528WnkZOJRNCJE/lhVm22+HZjubADAU+3NY8QY48K0UnKy7miAfnBT7id+R6c3z1oZImeB4R/1TG6OZgWtdX57FjnsCyaaaRGzV+CHYuYlHxKVvSnzBmlJ2XCgb6ztXqaV0gYlgx8WOk6BqgU/jm3SqZOLzOOJYFe437FLJDqxCRjiK2Fd1YVnuD1URX1Vstst4ttMDnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rDvwhid+fWhAmVf2lz2ASYtTGXPi78vxPQ72EtOFS+Y=; b=GuoSNyofwI8ImbcoDNDEqPhfm+NCSNJMnKSQLibSuCcnXT1oZPvSWvIZBNfuCi2/v/ueStSO0FwtheIftnTbfMO9UlIpaRT09FGfh5euXdje05vK1s242/ozY1bJuW2a8h69FwUOHuSrku/cp0v6PLalOHD+/0JYuv/FS6qhkM+nhNe89Xk6fExW9ufCOnP5PLI7O5vgQpAizEzWUebNiQGXhQ68/uk9Hs93r0lHZ8ivZfYESZUWMmMdVrVxV3XAIsBfyNNPo7B+nrLJ/i0I1e6KHBp7bZbUDvExPOOGfzE1+rDf3LQMr05R1wuwhk9LxkWfeUNuzuVp4HeLphiCcA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uniovi.es; dmarc=pass action=none header.from=uniovi.es; dkim=pass header.d=uniovi.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unioviedo.onmicrosoft.com; s=selector2-unioviedo-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rDvwhid+fWhAmVf2lz2ASYtTGXPi78vxPQ72EtOFS+Y=; b=Ceq/46OT3KGnwymakjltLlnFL4XAjanF6UD7oUNEaMYCxaN/o9n5bXQ3j3c1sfaEshCgavXidlX6Pof+ztn2QHmW38SIcDZC+Rwnb8hlCyfEarOg0Day0YKErEp+tN5h/EIAWWi62vh9W3zrfUK5fSvf3vdr+58+eJ2JPLc0WK0=
Authentication-Results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=uniovi.es;
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9) by DBAPR08MB5654.eurprd08.prod.outlook.com (2603:10a6:10:1a6::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.23; Fri, 25 Jun 2021 18:16:42 +0000
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::a912:cb2:6af8:b946]) by DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::a912:cb2:6af8:b946%6]) with mapi id 15.20.4264.018; Fri, 25 Jun 2021 18:16:42 +0000
From: Dan Garcia Carrillo <garciadan@uniovi.es>
Cc: garciadan@uniovi.es, "ace@ietf.org" <ace@ietf.org>, Rafa Marin-Lopez <rafa@um.es>, loganaden@gmail.com
References: <CAOp4FwR-pNpfqEY-6aDhd+ThiSWZtg4qBPLy7Xyp1kfRpC-XuQ@mail.gmail.com> <e713a008-f37f-e723-f7e5-5d2667d53109@ericsson.com>
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
Message-ID: <a67e75c7-d002-4e49-b385-28b572b82148@uniovi.es>
Date: Fri, 25 Jun 2021 20:16:40 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <e713a008-f37f-e723-f7e5-5d2667d53109@ericsson.com>
Content-Type: multipart/alternative; boundary="------------7D139D67D10E2A111CF91767"
Content-Language: es-ES
X-Originating-IP: [156.35.171.42]
X-ClientProxiedBy: MR2P264CA0041.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500::29) To DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [156.35.171.42] (156.35.171.42) by MR2P264CA0041.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18 via Frontend Transport; Fri, 25 Jun 2021 18:16:41 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 5a8d23aa-3338-43bf-2dad-08d938056203
X-MS-TrafficTypeDiagnostic: DBAPR08MB5654:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <DBAPR08MB56548D5531F5B990E5BE8246B4069@DBAPR08MB5654.eurprd08.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: P/4YiqG8zTJSPFLSUWMRHwv7Q3MIVIqtpHcrVK9AakN2dbqhPX4G1VxCd1Q3fCkB0fsUibem4/nqmcUAQ/uxCXbU/eXtAUcvyk+LuWyYoH8Beayf9g1F9ma2rfIUecV2NcoKUMxF7agvxyoWTMvimkooZZx/Cx7Atpsk9jHaGxg5CxYQafXMpBRkj29UgdyVUYmno/++nvppXs6WfQDRsSFUlDGUAPUX0O0mQ2xqpbJIqv+Ead4qb9kSdAf3n7rlZFIMTxTlrTKivxT8r2Tg+x6uNiMy4X717r98lLsaAxJ/ELF2ONtrwgVOQ1xe9QgZ1ZvQKX227W6Xp1FIKBsBNLQfuYgpDowEPcPQjeogz2XfhZ0RaCsFi6BluKLrXgssN1cpJL4G8en2bKY9V3yVibf7kW9Tmim2WSEPytRI2Z3IZf3/LdpkAGBM3opME8obYAVoIsQwu4gmu5JWr3JTH0pUcDPsdOtFWCfK59H+yuelwpz7m/b0UNbNp/NsLEVfMOV75A1P+fYY0q2wmhBYGnG4vU5E2cMX8o/OXheZQXKYTy7mpofvDFof51tQXctIIyqVUzIw025c/fa9v4Wh2CC0bUkplX/Hu0tFYqmuG4PkMH/66BdNRtiq7hWHN2cBK3uuqmzWvdBNjITS53q2h+u9bx4FYgVPRT+Nu+G7eP0q/ym212qhWVoY3K0k42ZcUBrTNi/Wt0Gox0EpPwhOGWSzbm1Q0cfkMh8+nb0/MmjihnujpMs94ZV3zEFteQT1Ic30OuRUCBR/a60uQ6BbXcG+4pWqmcluGxi7rFCJAFbiycXSEEnU6FXbuX/CVdTey9BuR3R32SokO7QS8GmK3tVDv3fVmPoymhSOD8yYyvmJ2KVEpAlacYSb8q9dfMsoE6Wsm8KVLnvWlC9a9qLEHP5xSBnedZK+aro+3wVBBtAQz6VKzrB7UsdbvcyniDPG
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB6202.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(366004)(136003)(39840400004)(396003)(376002)(31696002)(31686004)(2906002)(316002)(36756003)(786003)(86362001)(4326008)(2616005)(30864003)(38350700002)(38100700002)(956004)(5660300002)(478600001)(6706004)(66574015)(66946007)(66476007)(54906003)(966005)(33964004)(16576012)(66556008)(166002)(8936002)(53546011)(83380400001)(52116002)(8676002)(26005)(16526019)(186003)(6486002)(3940600001)(43740500002)(45980500001)(559001)(579004); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: LfAzy2qK0+SRPKJGi92PQDiHaS+sAfWtv46BA089Cs65oA4PIMYLEAm6+Y1wvAQobfofRnlfYouB/YeOIFnroSaWFP4lZqBo3jw9PGsGLbWIPurEsu/gKMFqJmEOHekO4IOLLRk2vJO6ghMkne1xEZEbkXXhmt+QK9ySQOwdOs6mxglD0Z6V6vxw7vSHuAPv7tpCKAD4pGka2Aj8TI4nT0ev9iYGXi7jJWqK/7wPONUl8/GAmdb/r+XJDFki8ohEECmpOKC+rdyy1rXv3hq5coy8tXEwg9Cm3rnXEKwWcraqwubPYF8Xphqe6IsarcbqMvqL0v0WuvN1q1RgmkXT+vM5QeS67QHpeJvBPZZ4lp02s2JF5mSCodeV1cB5tTt5pCz/bLUtYo9C+aUNEi3OveOTz3fVExaJMBzBe+7C8K2a2CqwWh9yNxawidqK5Yid5nkGsVV/7XpJpPpDM+rvcqQ0d7RHIJfmtX/WT0lqbkYdJfmNPC4jivtvGGZwHScBdNy1/n/Am93uNJHHQsYkT/FaqUAqMFaZMKypJhhjNvovQYW1X9nuJj4qKNEHkcj9DNkWgs7Sq/qisE/EJ51yD0pNCP0nvj+lx7wV0wrRe9ttf/IfxUVaO8Upy2Dc96eBsPURa+rWipXbLrsX3oFimH0bZzjSRYfOtZyvPqToIQ6kPByIgsqp/BYTGC8gC91L/dfVmS6ZLawN1W4D9nq6m18BFCLvmd7QG5i+1anc+RerkM54GDDMwz41SGqI764k40wpaTXvY06ECnwVXe7Pa7UHHLZLX0nD1r52+k54HWHwS+MOehf/s3uOilvDm9lB8F/gQygpiTxhsnMJNVbBQfkKkGmuVQIQCbs6iNRwQsoYyE3sp7Ap56DbeM+2pZ4qUswK3AAlk6ec6DxLsnJqfxV7+CnTBtrgO5m2EcfVUCJ0ItyDglNpaBm2jkTaGzEqoFQokoB4Mr+d6N3oss9U/OYMJrvQCifG84c4Q0PhRhyGB1l/ZzNocmhjmoe8st/O71hvxa7T4h/Cjnv5GYvxvJomUNiyjKjRkXEzLO4wlfBZOOLs/eIp51rWGNTVAVJtTRx5mcyq7oxTOZp8j3kMbsWNn3K6CF852go0AjYBCxDNKdBWs1N5sYhhRjlruJxGjpWEkaZdoE3n87RR/2GQl934zGOsIGBg2LBIsvIoa9MJ+wFVXlWxFseA91A8uggud1xV041ZUKhTaRH1n9K5S9VVQ7WQIzbl/6LoPSvjK6LxA/EHlws+CKS5lYmIuU21fdg3igUUvue4KBk+MoLUxxWcKVb5pd8mbGJ5UD97WjqYgDjeiY9Okn45Jjgwygc2
X-OriginatorOrg: uniovi.es
X-MS-Exchange-CrossTenant-Network-Message-Id: 5a8d23aa-3338-43bf-2dad-08d938056203
X-MS-Exchange-CrossTenant-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Jun 2021 18:16:42.2143 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 05ea74a3-92c5-4c31-978a-925c3c799cd0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 01CPJSJnkirnftfS/3fwRBSmyp7ZF8LOtEYQKn/Itb3JnA/7Dx1Zohg33SgMVw+ya/ESkKHCbKuZesdjtMBQrw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAPR08MB5654
X-MS-Exchange-CrossPremises-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 06
X-MS-Exchange-CrossPremises-Mapi-Admin-Submission:
X-MS-Exchange-CrossPremises-MessageSource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 156.35.171.42
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: DBAPR08MB5654.eurprd08.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4ZKIRUH1AvelrsZCdlHQqPLOOsE>
Subject: Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2021 18:16:52 -0000
Hi Mohit: First of all, thank you very much for review. It is really appreciated and will help to improve the document. Please see our comments inline El 6/20/2021 a las 11:14 AM, Mohit Sethi M escribió: > The document is currently intended for standards track publication. But > both the abstract and the introduction mention "describes a service". > You don't describe a standards specification. You define it? Moreover, I > find the entire tone of the document to be somewhat lacking for a > standards track publication. For example, there is text in the document > which says "The URI of the CoAP-EAP service CAN be set to "/b"? First, > "CAN" is capitalized but it is not in the list of keywords defined by > RFC 2119/RFC 8174. What if the URI is something different? How are > devices supposed to interoperate? I would recommend to either make the > language more precise or publish this as informational. [Authors] Following your advice, we will polish the document in order to make the language more precise. > However, I leave > the final decision to the chairs and the AD. I don't want to be an > impediment to the publication of this document. > > Please expand eap, coap, and IoT on first usage in abstract. [Authors] Correct. > It's not > great to have bullet lists in abstracts. Also, the capitalization of > some words looks odd. For example, why "Security Associations" is > capitalized? [Authors] Let’s change this as you suggest. > Add a reference to RFC 8174 in section 1.1. [Authors] Ok > Besides, you already use > "MAY"/"MUST" in section 1. For example, the text says: "The CoAP client > MAY contact with a backend AAA infrastructure to complete the EAP > negotiation as described in the EAP specification [RFC3748]" but "MAY" > is defined as a keyword only later? [Authors] We will change the text so it is consistent. > I also wonder if CoAP-EAP reflects the correct sequence of protocols. > EAP is encapsulated in CoAP. Shouldn't it be called EAP-CoAP? Maybe it's > too late to change that now. [Authors] We believe that EAP-CoAP may cause some confusion because: - Typically EAP methods names start with EAP-X hence, therefore it could be considered as EAP-CoAP method instead of a lower layer - Regarding the encapsulation order, if we take as an example an EAP method, EAP-TLS for instance, EAP encapsulates the TLS method and EAP goes before in the name. This would still apply for CoAP-EAP as CoAP encapsulates EAP. > "The assumption is that" -> instead just say EAP methods used in this > specification MUST generate key.". Standards specifications don't make > assumptions and rather dictate what implementations/deployments should do. [Authors] Ok, let us rephrase this as: "The CoAP client has the option of contactinga backend AAA infrastructure to complete the EAP negotiation as described in the EAP specification [RFC3748]" > Expand OSCoRE to Object Security for Constrained RESTful Environments. [Authors] Ok, done. > Section 2: "The rationale behind this decision, as we will expand > later, is that EAP requests go always from the EAP authenticator to the > EAP peer.". I think the more correct terminology here is that EAP > requests are always sent from the EAP server to the EAP peer. [Authors] Yes. We mentioned EAP authenticator based on this text in RFC 3748: "Within this document, authenticator requirements apply regardless of whether the authenticator is operating as a pass-through or not. Where the requirement is meant to apply to either the authenticator or backend authentication server, depending on where the EAP authentication is terminated, the term "EAP server" will be used." But we also agree with you that it is clearer to say EAP server. > CoAP-EAP service CAN be set to "/b" to save bytes over the air. Wouldn't > it make sense to standardize this. For example: /.well-known/bootstrap? > You'll need to define URI scheme syntax and semantics but it would go a > long way in helping interoperability. [Authors] We tend to agree here. Taking into Carsten’s comments and yours, it is important to have a well-known path because the controller needs to start the process to a well known URI. Perhaps, we could have something as /.well-known/b would save bytes. We need to consider having the same value in both Controller and IoT device, since the first message goes from the IoT device to the Controller acting as CoAP client and server respectively. All the following exchanges after that the Controller asumes the role of CoAP client. So, in order to allow both entities to access to this service in the first message they would need to resort to a pre-establish URI like //.well-known/b/ After that, the CoAP server would continue as explained in the general flow of operation, telling the CoAP client the localtion path to use in the next exchange. > Language issue: " signalling the intention the EAP peer" [Authors] How about this … "The use of this option will indicate to the EAP authenticator that the EAP peer is ready to start the authentication process." > Section 3.1: "In any case," -> Not clear. Please rephrase. For example: > Regardless of whether a No-response option is used, the CoAP client > sends .... [Authors]Thank you for the suggestion. Let us rephrase it as follows: "Once the EAP authenticatior is aware of the intention of the EAP peer of starting an authentication process, The EAP authenticator acting as CoAP client sends..." > "This CoAP server can select this value as pleased, as long as, it > serves to process the following message adequately." -> Hard to parse > this sentence. Which server? which value? [Authors] How about this: "This CoAP server can select this value as pleased. The only condition is that both end points have to correctly process the following message based on the selected value." > have an ongoing authentication -> one authentication session? [Authors] Yes, we only consider one. We will rephrase this aswell. > I don't fully understand the logic behind having separate resources for > each request. I read Christian Amsüss's CoAP FAQ on this. It helped a > bit but I am not sure why this is needed since RFC 3748 says: "EAP > provides its own support for duplicate elimination and retransmission."? [Authors] Yes, RFC 3748 says this however there is also another important aspect related with this. In first place, that text also mentions: EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Then the RFC talks about “reliable lower layer”. CoAP is reliable and it is used as lower layer in our document. In fact, we have: "Possible duplication. Where the lower layer is reliable, it will provide the EAP layer with a non-duplicated stream of packets. However, while it is desirable that lower layers provide for non-duplication, this is not a requirement. CoAP is providing non-duplicated stream of packets and accomplish “desirable” non-duplication. "Ordering guarantees. EAP does not require the Identifier to be monotonically increasing, and so is reliant on lower layer ordering guarantees for correct operation. “ CoAP is providing this in the way we have describe CoAP-EAP. Regarding retransmission is also said: When run over a reliable lower layer (e.g., EAP over ISAKMP/TCP, as within [PIC]), the authenticator retransmission timer SHOULD be set to an infinite value, so that retransmissions do not occur at the EAP layer. In our specific case, we specifically use the reliability mechanisms of CoAP, which requires the use Confirmable requests. Furthermore, to save bytes and reduce the number of messages we also specify that we expect to receive piggybacked responses, which requires that the request was carried in a Confirmable request. By using the reliabilty mechanisms, we can set the EAP retransmissions to infinte which delegates the responsibility of the retransmissions onto the eap lower layer. > Why can't you send the identity already in the first POST message from > the device. AFAIK, a separate Identity request and response is not > necessary. You'll save on one round trip? This will also help the > authenticator to decide already on the first message if it should > continue or not (depending on the domain name in the NAI)? [Authors] This in fact is something that we evaluated in a different implementation of the protocol for LPWAN which has very high constraints (https://www.mdpi.com/1424-8220/17/11/2646 <https://www.mdpi.com/1424-8220/17/11/2646>) . We agree with you in this case that would be useful, but I think it is would be good to have the opportunity of forcing the exchange of these two messages at the Controller's discrection at least. So avoing an IoT device blindly sending POST messages that require the creation of a CoAP-EAP state in the EAP authenticator as well as an EAP state machine state in the EAP server without knowing if the EAP peer is capable of engaging in a minimal conversation. > Section 3.3: casuistics -> interesting choice of words. At least I had > to lookup the meaning. [Authors] Sorry about that, as Carsten said, it is not good to use language that needs to be looked at in the dictionary. > MSG-ID -> Not used in RFC 7252 so I recommend that you should not use it > either. Also, perhaps adding a bit more context would not hurt. For > example, Message Id in CoAP is used for....... In CoAP-EAP, the Message > Id can be used for ..... You have also used MSGID (vs. MSG-ID) in the > document. [Authors] We will correct this and provide additional context. > "unauthorized communications from the IoT device towards the Controller > within the security domain." -> I think the more likely repercussion is > that there will be no access to the network, services, and resources for > the IoT device. > > Not clear which message is lost in Figure 4. I also don't know if EAP-X > MSG 1 is best representation in the figure. Perhaps EAP-X-Req 1 and > EAP-X-Res 1? [Authors] Sure, lets change it as you suggest, it might help make the example more clear. > Please explain what is meant by "due to internal tracking" [Authors] We will clarify that in the text. By internal tracking it was intended to conve the idea is that the CoAP messaging layer takes care of retransmissions without sending the information the the application if not needed. > Perhaps rename Master Key Session (MSK) to Main Session Key (MSK) [Authors] We are referring to the Master Session Key derived from the EAP Key Management Framework. > AS -> never expanded before or introduced properly? what is it referring > to? Is AS the authenticator or backend server? [Authors] We refer to the Authorization Server (AS) of the ACE framework. we will elaborate more in the text. > Key material needed to derive the OSCORE Security Context, from the MSK > can be done as follows:? What if it is not done as follows? [Authors] You are right. The text should establish how the process is done. > KDF can be AES-CMAC-PRF-128? What if some other KDF is used? [Authors] This is a good point. Given the fact that we are using OSCORE as Security Association we will change the specification to the same crypto suites used in OSCORE. Understanding that IoT devices can be limited, we intended to have no negotiation, going for the default crypto suites algorithms. If negotiation is something we really want, we should add to the first 2 messages carrying EAP, an additional Option to exchange the list of prefered cryptosuites by the Controller in the first one, and the chosen cryptosuite by the IoT device in the second one. This could contrast with the initial discussion that was had regarding the definition of additional CoAP options, and if they were necessary. A possible solution for this would be to have this information available in the AAA server alongside the credentials of the device, making the negotiation unnecessary for this case. What do you think? > Shouldn't > labels be registered with IANA somehow? What if my implementation uses > "IETF_MASTER_SECRET_FOR_OSCORE" [Authors] That is a good point. I have looked in other RFCs but no explicit mention of labels are done for IANA. We will check this. > "The ID Context can be set to the identity of the EAP peer"? Is it the > NAI? Is it the identity associated with the EAP peer credentials > (example: PSK identity or the identity in the TLS client certificate)? > Is it the Peer-Id? Not all EAP methods export Peer-Id? [Authors] Good point here. The peer-id in this case would be the NAI. > Do you mind adding a reference to EAP-NOOB in the list of lightweight > methods? For full disclosure: I am a co-author of EAP-NOOB. I think it > is a reasonable example to add given that an implementation with > CoAP-EAP already exists :https://www.youtube.com/watch?v=rPuFKoihl5E [Authors] Sorry about that, It should be in the list. > "Cryptographic suite is not negotiated". I think this is wrong. Many EAP > methods inherently include cryptographic suite negotiation. I guess what > you intend to say here is that the KDF used on the MSK is fixed. Why > AES-CMAC-PRF-128 is the best choice here for IoT devices? [Authors] Yes, indeed. In fact, we ought to change the cryptosuites to the ones specified by OSCORE as we are explicitly saying we are establishing an OSCORE security association after a successful authentication. The choice is based on the requirement of the use of OSCORE. > KMF? I guess you are referring to the Key Management Framework. But the > original RFC 5247 does not use this acronym so I recommend you avoid it > as well. [Authors] We will do that, thank you. > IANA Considerations section only says TBD.?? I would have thought that > it would be complete before issuing the working group last call? At the > very least you should consider registering CoAP-EAP as a lower layer : > https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-lower-layers. [Authors] We will change this. Thank you again, Best Regards. > --Mohit > > On 6/17/21 8:25 PM, Loganaden Velvindron wrote: >> Dear All, >> >> After a quick check with the other working group chair, we are ready >> to proceed to WGLC for: >> >> https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/ >> >> Please send your comments to the list. >> The WGLC period will end on the 1st of July. >> >> Kind regards, >> Daniel and Logan. >> >> _______________________________________________ >> Ace mailing list >> Ace@ietf.org >> https://www.ietf.org/mailman/listinfo/ace > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace
- [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Loganaden Velvindron
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Mohit Sethi M
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Carsten Bormann
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Dan Garcia Carrillo
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Dan Garcia Carrillo