Re: [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

Dan Garcia <garciadan@uniovi.es> Thu, 10 December 2020 09:04 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>, EMU WG <emu@ietf.org>, "core@ietf.org WG (core@ietf.org)" <core@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/FkQIbn4PtuOeZQADW_WI8K2mvCY>

Hi Michael,


"1) ..."

For onboarding a new device, where there is no connectivity after 
authentication, you propose to use 802.1X, which is an EAP lower layer. 
EAP over CoAP is in fact a proposal for an application-level EAP lower 
layer that overcomes the limitation that 802.1X works on an inferior 
layer, hence giving the possibility to perform the network 
authentication through nodes.

This idea is not new; in fact, you have PANA, another EAP lower layer 
that works on top of UDP.

As you comment, draft-ietf-6tisch-minimal-security offers minimal 
security and has several deficiencies that can be solved by using EAP 
and AAA infrastructures.

Regarding your second point

"2) If it is for application authentication, then you need to use EAP to 
setup MSK for later use by a context. We do this in IKEv2, (D)TLS already."

Our proposal is to define an EAP lower layer that is specifically 
designed for constrained devices and networks. The setup of the MSK for 
later use is what the EAP KMF does, and this key material is used to 
run a security association protocol, which could be DTLS or OSCORE. That 
is why it is not an afterthought as you say. I wrote "could" because it is 
one of the possibilities. That is another benefit of using EAP.

With respect to doing this with IKEv2, EAP already has an EAP method for 
IKE. Why limit the options when EAP gives you more? What will you do if 
the specific network does not support running IKEv2 due to severe 
constraints in the network or any other reason?

That is why I believe the flexibility EAP gives you is worth considering.

Best Regards,
Dan.



On 9/12/20 19:55, Michael Richardson wrote:
> Dan Garcia <dan.garcia@um.es> wrote:
>      > EAP can be used in the context of IoT for authentication.
>
> But, to what end?
>
> 1) If it is onboarding a new device, then there is no connectivity until after authentication.
>     so you can't use CoAP, you have to use 802.1x, or some equivalent, or
>     create a system such as draft-ietf-6tisch-minimal-security.
>     Which does use CoAP and OSCORE already.
>
> 2) If it is for application authentication, then you need to use EAP to setup
>     MSK for later use by a context.
>     We do this in IKEv2, (D)TLS already.
>
> So the only left would be OSCORE, yet you write "could", as if it was an afterthought.
>
> Tell me what is your application?  What will be impossible if we don't do
> this work?
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>             Sandelman Software Works Inc, Ottawa and Worldwide