Re: [Ace] [EXTERNAL] Re: call for adoption for draft-marin-ace-wg-coap-eap
Seitz Ludwig <ludwig.seitz@combitech.se> Fri, 22 January 2021 15:18 UTC
I’d like to second the question Mohit assumes Michael is asking: What is the benefit, in the context of IoT, to add the overhead of EAP to say TLS?

/Ludwig

From: Ace <ace-bounces@ietf.org> On Behalf Of Mohit Sethi M
Sent: 22 January 2021 15:37
To: Michael Richardson <mcr+ietf@sandelman.ca>; Ace Wg <ace@ietf.org>
Subject: [EXTERNAL] Re: [Ace] call for adoption for draft-marin-ace-wg-coap-eap

Hi Michael,

I guess the question you are asking is: what is the benefit of adding the overhead of EAP. For EAP-TLS, you could directly use TLS. For EAP-pwd (which is a PAKE) one could use any PAKE without the EAP encapsulation overhead?

Is your concern only in the context of IoT or do you think in general we are better off using protocols directly without the EAP framework overhead?

--Mohit

On 1/21/21 5:26 PM, Michael Richardson wrote:

I reviewed the document before, and my concerns were not really answered. I can not understand what the applicability is.

The document starts off with:

    The goal of this document is to describe an authentication service that uses the Extensible Authentication Protocol (EAP) [RFC3748]. The authentication service is built on top of the Constrained Application Protocol (CoAP) [RFC7252] and ALLOWS AUTHENTICATING TWO CoAP endpoints by using EAP without the need of ADDITIONAL PROTOCOLS TO BOOTSTRAP A SECURITY ASSOCIATION BETWEEN THEM.
    ...
    The assumption is that the EAP method transported in CoAP MUST generate cryptographic material [RFC5247]

This implies use of one of the many EAP-TLS modes, some EAP PAKE mode, or maybe, in theory, some EAP-SIM/AKA mode.

1) TLS modes could just use TLS, or DTLS, and omit the extra EAP bytes. If saving those bytes is not important, then the use of PANA seems to do the same thing.
2) The EAP PAKE modes could just use TLS with some PSK or PAKE authentication.
3) The EAP-SIM/AKA modes are not realistic, as they generally depend upon being able to talk to a database of SIM/AKA secrets.

So, which modes that generate cryptographic material are envisioned?

The document goes on to say:

    The CoAP client MAY contact with a backend AAA infrastructure to complete the EAP negotiation as described in the EAP specification [RFC3748].

which is a third party, when the intro told me that no third party was required. Even figure 1 shows three parties. And section 5 says there might be five parties, again including an AAA server.

I believe that this entire proposal goes against the ACE architecture, and should not be adopted by this WG. This work seems to duplicate the work in LAKE, as well as cTLS, while not bringing any clear advantage over existing protocols.

If adopted, I don't review the document.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
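The "extra EAP bytes" Michael refers to and the "EAP encapsulation overhead" Mohit asks about can be made concrete. The following is an added example, not code from the thread or from draft-marin-ace-wg-coap-eap: it builds EAP-TLS packets using the framing from RFC 3748 (Code, Identifier, Length, Type) and RFC 5216 (Flags, optional TLS Message Length, fragmentation with the L and M flags), parses them back, and counts how many bytes and how many extra request/response exchanges the encapsulation adds on top of a TLS record that could otherwise be sent as-is. The TLS record bytes and the MTU values are constructed for the demonstration; the one-fragment-per-exchange acknowledgement pattern follows RFC 5216 section 2.1.5.

```python
"""Added example: quantify EAP-TLS framing overhead (RFC 3748 + RFC 5216)
around a TLS record.  Sample data is constructed, not captured traffic."""
import struct

# RFC 3748 Code values and the EAP-TLS method Type (RFC 5216).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13
# RFC 5216 Flags byte: L = length included, M = more fragments, S = EAP-TLS start.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20

# Constructed 10-byte "TLS record": 5-byte record header + 5-byte payload.
SAMPLE_TLS_RECORD = b"\x16\x03\x03\x00\x05hello"


def eap_tls_frame(code, identifier, data, *, more=False, start=False,
                  tls_message_length=None):
    """Wrap one chunk of TLS data in an EAP-TLS packet.
    Layout: Code(1) Identifier(1) Length(2) Type(1) Flags(1) [TLS Length(4)] data.
    Length covers the whole EAP packet including its 4-byte header."""
    flags = 0
    if tls_message_length is not None:
        flags |= FLAG_L
    if more:
        flags |= FLAG_M
    if start:
        flags |= FLAG_S
    body = bytes([EAP_TYPE_TLS, flags])
    if tls_message_length is not None:
        body += struct.pack("!I", tls_message_length)
    body += data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_tls_parse(pkt):
    """Parse an EAP packet, validating the length field and the EAP-TLS Type."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": ident, "flags": 0, "tls_len": None, "data": b""}
    if length < 6:
        raise ValueError("EAP-TLS packet too short for Type and Flags")
    etype, flags = pkt[4], pkt[5]
    if etype != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS packet")
    offset, tls_len = 6, None
    if flags & FLAG_L:
        if length < 10:
            raise ValueError("L flag set but no TLS Message Length present")
        tls_len = struct.unpack("!I", pkt[6:10])[0]
        offset = 10
    return {"code": code, "id": ident, "flags": flags,
            "tls_len": tls_len, "data": pkt[offset:]}


def fragment_tls(tls_data, max_payload, identifier, code=EAP_REQUEST):
    """Split one TLS message into EAP-TLS fragments: the first fragment carries
    the L flag and the total TLS length, every fragment but the last carries M."""
    if max_payload < 1:
        raise ValueError("max_payload must be positive")
    chunks = [tls_data[i:i + max_payload]
              for i in range(0, len(tls_data), max_payload)] or [b""]
    packets = []
    for i, chunk in enumerate(chunks):
        last = i == len(chunks) - 1
        packets.append(eap_tls_frame(
            code, (identifier + i) & 0xFF, chunk, more=not last,
            tls_message_length=len(tls_data) if i == 0 else None))
    return packets


def reassemble(packets):
    """Reverse fragment_tls, checking M-flag consistency and the declared length."""
    parsed = [eap_tls_parse(p) for p in packets]
    for i, p in enumerate(parsed):
        last = i == len(parsed) - 1
        if bool(p["flags"] & FLAG_M) == last:
            raise ValueError("M flag inconsistent with fragment position")
    data = b"".join(p["data"] for p in parsed)
    declared = parsed[0]["tls_len"]
    if declared is not None and declared != len(data):
        raise ValueError("declared TLS length does not match reassembled data")
    return data


def overhead_report(tls_data, max_payload):
    """Bytes on the wire for carrying tls_data inside EAP-TLS versus sending it raw.
    Each fragment except the last is acknowledged by an empty EAP-TLS Response."""
    requests = fragment_tls(tls_data, max_payload, identifier=1)
    acks = [eap_tls_frame(EAP_RESPONSE, eap_tls_parse(p)["id"], b"")
            for p in requests[:-1]]
    wire = sum(len(p) for p in requests) + sum(len(a) for a in acks)
    return {"fragments": len(requests), "acks": len(acks),
            "tls_bytes": len(tls_data), "wire_bytes": wire,
            "overhead_bytes": wire - len(tls_data)}


if __name__ == "__main__":
    for mtu in (1000, 4):
        print(mtu, overhead_report(SAMPLE_TLS_RECORD, mtu))
```

The unfragmented case shows the fixed per-message cost (a 4-byte EAP header plus Type, Flags and the 4-byte TLS length field); the fragmented case shows the second cost that matters on constrained links, namely the extra acknowledgement round trip per fragment that EAP-TLS adds on top of whatever transport (here CoAP) already provides.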