Re: [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

Dan Garcia <garciadan@uniovi.es> Wed, 13 January 2021 20:21 UTC

Return-Path: <garciadan@uniovi.es>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10C9E3A1332 for <ace@ietfa.amsl.com>; Wed, 13 Jan 2021 12:21:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.162
X-Spam-Level:
X-Spam-Status: No, score=-2.162 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.262, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=unioviedo.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_p322WfcGQR for <ace@ietfa.amsl.com>; Wed, 13 Jan 2021 12:21:40 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60057.outbound.protection.outlook.com [40.107.6.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1030A3A1331 for <ace@ietf.org>; Wed, 13 Jan 2021 12:21:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=X9Ascl2sG1COT3pbGDSJuTRgTe5oAHolVSy9QBPN8aEZBfMTjTGGOqAatyIEwmFG2MfSJs7j2e/0goeZP3UdQksB3AgBsHFRwKMj90S64YBqZeJR5uPbVaYLOxwAZcH3NQne5XOkUf/tyqYpNxRtryyOSWualNq+6c6pN/Mnj1EjcLPgLhLBHHCC9g2TOSfy79Yb8XvH4OzMeD3XvBb6Pm8o8TAiWOUR/PRkVFv0y1moZ8zgN+bHSR/QwLVdnbARfpL+G/S8DY5RHtnAeOT2sKiCE7LYtw5sV8D+nrogdNGf+lMzp1pN1bX/UiAhB0QKHasE3LZJtAdSvxEPNdvtvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Y6QmTIEus6Y2gbdgnGTcIUTjAvx8PSj0eqGSFMmMDcs=; b=GHO93Rusr6WmSGM4tYR3HreU6IM8Ki6ti2mOHFISSoxeQbaNXboBrVMiyKUMoL5RyWLUQw57ZNDZacKpxVENq3E5EbuJFm/FGQ7o9eHy/k+u+yqZ4kbfrbFirwUSd6IbLHD104eTJJeJwwjhtf+svrl+uuSyLQdtcIAGXZcBJw07+DvCnxu2s9fl21tQ9VOILi6Hfgugn/rGqfhGLdtnEm6tq17Xoy9VzG9P14HIRG3y/BNhguweKoc7muWgpFrib31IZjRoWmXUh0EgkDc6ylwZe+KrbjpHK7VvoppK9eRedjg41PkTCZO4LqWmucoRr3OPKIwvoX239dRVv94Qtw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uniovi.es; dmarc=pass action=none header.from=uniovi.es; dkim=pass header.d=uniovi.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unioviedo.onmicrosoft.com; s=selector2-unioviedo-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Y6QmTIEus6Y2gbdgnGTcIUTjAvx8PSj0eqGSFMmMDcs=; b=Wh5yDK/wlgNZ4PkqPXx90hj6UO1dDgwvO8+6xB1OQHhOwQDVQttHM7tBR/7+D/9PHsrtPAsG2o/CCmB/DiQk8xdyynGwkCOvnLPFkZX+Aguh7JSo1Sfg1U8TBEKYvsxoXgX0EE6ZbtA71yRRlqZgtQ4p5o8td6yyCHqYfPcw2rc=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=uniovi.es;
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9) by DB6PR0802MB2421.eurprd08.prod.outlook.com (2603:10a6:4:a2::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.6; Wed, 13 Jan 2021 20:21:35 +0000
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::a4a6:c1c:21bb:cdea]) by DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::a4a6:c1c:21bb:cdea%7]) with mapi id 15.20.3763.010; Wed, 13 Jan 2021 20:21:35 +0000
Cc: garciadan@uniovi.es, "ace@ietf.org" <ace@ietf.org>
To: Benjamin Kaduk <kaduk@mit.edu>
References: <CABONVQZRWa5gcN6Z1pfBKx=UVvOTvi1FjLSv0-T_UTUc3XGG5Q@mail.gmail.com> <HE1PR0702MB367429A9C8921A5252133523F4CE0@HE1PR0702MB3674.eurprd07.prod.outlook.com> <24523.1607378991@localhost> <3a4e4b59-3712-7eb9-23b2-8160ad14b6aa@um.es> <2923.1607540144@localhost> <62dad652-8acd-0890-36cd-f7aacde19de2@uniovi.es> <D1AA3C26-4376-409A-A87B-F0D05AD1BAD3@inria.fr> <1fdb134e-54a1-1937-fdd6-3d226c89aea7@uniovi.es> <6C717866-759B-4544-BA04-50D623CF9EFE@inria.fr> <238e2b03-a9b3-918a-2a9b-fbb66b84ddbf@uniovi.es> <20210112190516.GR161@kduck.mit.edu>
From: Dan Garcia <garciadan@uniovi.es>
Message-ID: <7b437403-cc46-3082-7b19-65fcd8300373@uniovi.es>
Date: Wed, 13 Jan 2021 21:21:32 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:78.0) Gecko/20100101 Thunderbird/78.6.1
In-Reply-To: <20210112190516.GR161@kduck.mit.edu>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Originating-IP: [62.175.19.60]
X-ClientProxiedBy: MRXP264CA0004.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500:15::16) To DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from MacBook-Pro-de-Dan.local (62.175.19.60) by MRXP264CA0004.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500:15::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.8 via Frontend Transport; Wed, 13 Jan 2021 20:21:34 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6fc42229-4b65-455a-8a53-08d8b800d31a
X-MS-TrafficTypeDiagnostic: DB6PR0802MB2421:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <DB6PR0802MB2421AEE223FEAD30350426ACB4A90@DB6PR0802MB2421.eurprd08.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: nStTG8bcq9ofTWsDQ/vG/LWjhYhzmewCdijmRBvWdkFm+8hL2bDmWkAzM0N9yydHiGcejeypmfa5nFVe5Hcr9QTup2HkZwav+hyPTK4KfXZcvcZaMMotEEzdjKnK1PxiUIRMOylObwGFrbk79h3xG09qkXCcWkwA6lURBwfhdXCx7Dd990lYvBgPiUb2aWLZfuoGaHBiwEgD2Krre1VEzd7gJDd7jLNmGBd1LQOpK2jt+OwvNxgpHavFvhafUCyl4aj/OIzwnoELVLEiV0itMUBe6UErYk9toZLM7lDWITqB4LLxGH+PwJOppBqPRGsZlwwsP5z1XLsdNGm2ksCyx1FjUBzGr1zyiTThq+tUUtWv7yUp1/ANNm2HCxZXOd9Ge1N1tLOLrEelYkKjwT+89mXDXtFStVwNYc17baKFzjOBe2/RPEe/YqbrDencBZ6qcrgAlvj6Wr6VtRml0IzWaBR85NbSmhMwJ7txKFJNsT+nvvsP4o3AAzjHNHVkPIPi7Xv3QzWano2JUF8zvljBmnBfma4F1qv+1Oyt/T0tEDg1kGK5eOQr3OPhIrEL1z+0
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB6202.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(396003)(346002)(39860400002)(366004)(376002)(6486002)(956004)(6916009)(83380400001)(86362001)(786003)(2616005)(8936002)(316002)(478600001)(31686004)(66574015)(31696002)(5660300002)(8676002)(66556008)(16526019)(66476007)(186003)(6512007)(36756003)(2906002)(26005)(66946007)(52116002)(4326008)(6506007)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?UG85aC80ZXQ5ejR5R0Y1V2RadzZ1elJlSC9NSXo4V0lGYWFQM1QyOTlmSUZZ?= =?utf-8?B?V1drTldNa212aXhhUW1ZcG9nQkpoR0RoMlI0RDNkWlRxY2p2UFBVVTVSSFdo?= =?utf-8?B?UjNwZDhaYlhBYTh5SHladHRBZXV6emxhcW16V2FPaGJtUXhyQ3VIc2RWQ01E?= =?utf-8?B?dFFOU2lDQlZORmo5bXozVWpvelBkNjJubE9BR2lIYUVhK1hYc3h1L2J4YWVy?= =?utf-8?B?cDZpdlZEY2V4WEhUZ0RtSXhSUUlHOS92Y0g1T0NLeHFjQys2b1JoaFlpTUp4?= =?utf-8?B?YzNweEFuaVR1ZTYweXhYMUJqWitPYkIrM2tGVGJNNCsrUnNIU29LNDV5U0xh?= =?utf-8?B?QmVpamZ2bE1tQXRDUm9tYkt2QWtUTTZWcDdDTk9GYWM1S0toQ1FFLytpbG4v?= =?utf-8?B?STNYdHRoZ1pqN0JPbkhJTGFZV2hWK0dMaE5SVkROSVo3d1AyeEFKMWdhTitz?= =?utf-8?B?YVQyeStVMDJDU1pWdXJQSktDejRjU0czU2dYUmRma3FSWFJNbVJ2ZzNRQkZx?= =?utf-8?B?TG9NL2dmNkpRdGVFb0VheUhSdkNvdnBTaHJyQUsyTjNUUjAzeDlKdm8vajZN?= =?utf-8?B?a29ZNVBQV0JLcW1VdGIwOWx6dEY5ejNpVHBoOTdxRDEranR3RURpTFVOVUF5?= =?utf-8?B?UGpIRXFvRFg4bjl3TFZpamVvSnhTaGJXb0U2S29sRmgwZFhNM2JtLzQvM29l?= =?utf-8?B?QXpFWkFVU3l1VmpBZ2dvOVA5R0ErSktndGdTQ2NqUzYwajdjUXd3K2hPSk5s?= =?utf-8?B?MVNRRDIvUGpXTHNsOTJMZE5wbnIyMnpPVGN2WXNDY3ZkaE5zbWFQVnNKdmxQ?= =?utf-8?B?akRPTjVuOUxOTm9CWFozclZPU1A3YXptcktna0FJSXErTVJyVnVCbWMwOWNE?= =?utf-8?B?ZmdOd1B3R3lmYmNKY2U3eThiRTVOOWhTWGlCUzY1NUFqT1FMWkl4RUdOOW54?= =?utf-8?B?NTRxQnMrNmJFcjUvKzNaNGtKKzlOeWxQc0tScW5YMzR0Z2ZTblZoanZWdEc5?= =?utf-8?B?MVU0bzRaV3B0TTh0VEd0TjhPNWJscEcxc3BuMzhEZkIxOW1GV2JhZ3NaNmEz?= =?utf-8?B?TmpDNXBORHNEWWNIM0crK2VJU2xPU0VrS1Q2aDVveFJwaUJ2TVBBeE5mNVdG?= =?utf-8?B?SWF2dWVscG5ZM3dNRXQwamlkS0ZjdFZoTlFBM0oxNkFYY2laUDFLZ3N1NE1l?= =?utf-8?B?RUlQNU1CN0ZPTWNTcFNlWi9XTWVpcER2RFdDWXFIUnB5ejUrbmhxcHNjc0hP?= =?utf-8?B?N0NRSTZncTBRelVuVDVVVVVVcTNEaDBhSjJCN3N6WmhmSHcvMHZaRTMxZ25F?= =?utf-8?Q?qmhSWASZTbtc8=3D?=
X-OriginatorOrg: uniovi.es
X-MS-Exchange-CrossTenant-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Jan 2021 20:21:35.0593 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 05ea74a3-92c5-4c31-978a-925c3c799cd0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6fc42229-4b65-455a-8a53-08d8b800d31a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 3b7mYU/BDG9TGlcPEWTApV5+vTJSA+yKa/luHR6LydRrOr9xD4fxUcnafs5q1mMmBtUI5p+gkcdv7Zq8LSEhvA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0802MB2421
X-MS-Exchange-CrossPremises-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 06
X-MS-Exchange-CrossPremises-Mapi-Admin-Submission:
X-MS-Exchange-CrossPremises-MessageSource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 62.175.19.60
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: DB6PR0802MB2421.eurprd08.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4i0EJn4XdvZ_WT-3LGIGdN6zgiE>
Subject: Re: [Ace] [core] Proposed charter for ACE (EAP over CoAP?)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 20:21:42 -0000

Hi Benjamin,

Thank you for your suggestion. Your comment is relevant.

In fact, we wrote some time ago an article regarding our initial design, 
and we perform a comparison with other network layer based EAP 
lower-layer (https://www.mdpi.com/1424-8220/16/3/358)

We compared focusing EAP lower-layer (alone) and taking into account 
EAP. On the one hand, at EAP lower-layer level, the usage of CoAP gives 
us an important benefits. On the other hand, when taking into account 
the EAP method overload, this reduction is less but still significant if 
the EAP method is lightweight (we used EAP-PSK as a representative 
example of a lightweight EAP method). As you suggest, if the EAP method 
is very taxing (as the case you mentioned) the improvement carried out 
in the EAP lower-layer is less significant. This leads to the conclusion 
that possible next steps in this field could be also improving or 
designing new EAP methods that can be better adapted to the requirements 
of constrained devices and networks. However, we cannot ignore the 
impact of the EAP lower-layer itself and try to propose something light 
as we do proposing CoAP.

We consider that may be others EAP methods such as EAP-AKA or new 
lightweight EAP methods such as EAP-EDHOC 
(https://tools.ietf.org/html/draft-ingles-eap-edhoc-01) that can benefit 
from a CoAP-based EAP lower-layer, as well as new ones that may be 
proposed in the future with IoT constraints in mind.

Best Regards,
Dan.

El 12/1/21 a las 20:05, Benjamin Kaduk escribió:
> Hi Dan,
>
> Sorry to reply to such an old message...
>
> On Sat, Dec 12, 2020 at 06:36:53PM +0100, Dan Garcia Carrillo wrote:
>> Hi Mališa,
>>
>>
>> El 11/12/2020 a las 19:45, Mališa Vučinić escribió:
>>> Hi Dan,
>>>
>>> Thanks for the clarification regarding minimal-security. The points
>>> that you mention below, e.g. flexible authentication or the fresh
>>> generation of the PSK, were never in the design scope of our work.
>>>
>>> While I fail to understand what exactly do you plan on using
>>> EAP-over-CoAP for, I do not object on this work being done in ACE if
>>> you are willing to spend cycles on it. I do have reservations on the
>>> lightweight aspect of this, however, considering that the sequence
>>> diagram that you depict in Fig. 2 in draft-marin-ace-wg-coap-eap-06
>>> spans 3 pages and consumes 2 round trips just to get things started!
>>> Surely, we can do better?
>>>
>> Yes, we will submit an updated version of the draft.
> When you do, I suggest putting in some discussion of the relative
> size/overhead for CoAP as EAP lower-layer vs the EAP payloads themselves.
> I note that the IESG recently approved draft-ietf-emu-eaptlscert that
> discusses some pathological cases with TLS-based EAP methods and very large
> certificate chains.  While I assume that you're not planning to do
> EAP-over-CoAP with such long TLS certificate chains, giving reviewers a
> sense for how big of an improvement this mechanism can be will presumably
> be helpful.
>
> Thanks,
>
> Ben