Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02

Mohit Sethi M <mohit.m.sethi@ericsson.com> Sun, 20 June 2021 09:14 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A110E3A07C4 for <ace@ietfa.amsl.com>; Sun, 20 Jun 2021 02:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.437
X-Spam-Level:
X-Spam-Status: No, score=-1.437 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.198, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A4CjLkVkZsOO for <ace@ietfa.amsl.com>; Sun, 20 Jun 2021 02:14:33 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60040.outbound.protection.outlook.com [40.107.6.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67CC53A07C3 for <ace@ietf.org>; Sun, 20 Jun 2021 02:14:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=alXVeEfRFPeYx67xXtToK8gMkTjG8kIRsIQMG72Zp+L2CQIZgzm2X2wsf/Sxx+rtZxandW8CF4RoHRVG87VA1Wqr+wRHDFmlq1tRdYWZd7rpCY3nE3RntRJYeVy+OSxfFvy4M41xsx5CwY5XFHaJkEFH9s6EFtIM7d+5+bI873Uj89X9kMKubEFZb9/AcwzQgW3LWFoSFoPQc3tWxA9DuhxuvdKkGKxTtTIF1Pl71Jj8GXjbZthyt5abTRULhsWTq2Yz4sGzuYCZIbVOGpKUeJ7wlKIfWEnW6ue5kDyR85Vvxga3lA7Xj/kmygiEJSqm1a0vPZZ6KefuspedayKRLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PEwq2Vqrq/UejBgvvIJGOCSEsw6lOCf/hZDTNYJmv+E=; b=CMQr7v5Kcln9qWTo+y+CDTgT9xWDDvZNn8Lo4h1HJsJyg1XvT5Ox0vo5Sm2RChqIwiLZtRSOqtDXH5r9n/i3mzRbusC2R/QJvDNF8rYTI2xEqFTzfx3HJtxXdR6OJX+Wum7I+MMLZtFttGw0kqEhcy20SoRAI0XXC7HsJoAM1Udvgkjm1l+ZC9VrOth7WS9cHYO6iKdPbGUxTPujeINb5czjV2YckiNZAUAb4ZAvmqyNhmziX1oSOf24rJEPNBYO1LTCuSuWd6MeWTgt79VLpDQWuGJTg4rJA/jWbqkuVjetvtn7pxj+1l4x6RN3+vxmJHTPbHmyqg3QIkTG9y56SA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PEwq2Vqrq/UejBgvvIJGOCSEsw6lOCf/hZDTNYJmv+E=; b=b/o93HJw1eqyAtAmAok2aIwVDPHrTmI4cGqMbii6R4uC9OCMxdN90Bw0mLthq9F5BKVwxdjjff16JedOuuLVqwixLUMcu+uAQmB3ycIK5V0gQyazuJXI46YjVnGKT+nlzRj7BPaLGyL0+dVgix3qTTDQjD6BWqZhWzYLfSFgIpI=
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com (2603:10a6:7:37::31) by HE1PR0702MB3611.eurprd07.prod.outlook.com (2603:10a6:7:82::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.16; Sun, 20 Jun 2021 09:14:26 +0000
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::9dbf:3074:b496:7704]) by HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::9dbf:3074:b496:7704%7]) with mapi id 15.20.4242.014; Sun, 20 Jun 2021 09:14:26 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Loganaden Velvindron <loganaden@gmail.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
Thread-Index: AQHXZbSpV7ikk2ZQdkqg8kRjENGQRA==
Date: Sun, 20 Jun 2021 09:14:26 +0000
Message-ID: <e713a008-f37f-e723-f7e5-5d2667d53109@ericsson.com>
References: <CAOp4FwR-pNpfqEY-6aDhd+ThiSWZtg4qBPLy7Xyp1kfRpC-XuQ@mail.gmail.com>
In-Reply-To: <CAOp4FwR-pNpfqEY-6aDhd+ThiSWZtg4qBPLy7Xyp1kfRpC-XuQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5e9fb52d-0da0-4920-c1a7-08d933cbcd39
x-ms-traffictypediagnostic: HE1PR0702MB3611:
x-microsoft-antispam-prvs: <HE1PR0702MB3611AB5202ECA26F5CD47319D00B9@HE1PR0702MB3611.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Zz2CsxZVwndCHZEyoYUzyAt7ccTKhNgmP/cOtDvz16EBTwlSPbMQvvj74BGAiTCYkE7embVoZMG4QQuhVclPIe4wE7ZlOTcvwxbY5NMPXg405+iGQcUFcDq2lFra7PtXii0h8f401or1HjTLv77WfMuRmOIXN6FPe09r+HdsY8M28Duj5A3P5HeN2G9ixW1K3FIE7QoY/Rq92f7/ieVGQJqMU2Xo6Hjc2OWiAwqPD9dBlmsIFgOJF0m0LxiFBJ9MNyeMCXG6Wsn+4WmXwL9lax4ZMMyjv+qv6ZtSS3hnqFEClxft4hnYyTT2aQxErx/PThBMG1AWcheh3E0cksJr8wP9LAmR1SZOmRXqBiLd0BOstxw/KNQk9cPIg4jwwNbamnfH5Ip7EcAWWaKRrX04/Xo01q8EgC5hUmCmmTMMUBK3brJOsAPLHSW45hRZ3ULVh/3paeB8KxdDoRjObUMeGbuvUjDWSZmfS/5I6WSCDpf5A6IK+F/4ildvxyyHy0yjA+ewShMGb32ewy6RmxV9x57ysjdgu9ibiJM9EYzPLAE06yR/Q5NdiRwN3Vwp84QIkILCjk1zWLTeq1ZXVDpWEpj5pAVxRY3iIouJ6JZR1YJKlp7C7q/gdF8uzybiXBrwIl+v/Vcnp+C8p/39qetc9YkdV2HHinKZTULsDxoElL5Zr0jRpVyCoHHDfC4yq46a5i1Cu2NhNpzKJ5dgv39KWXHAp7DBW96SGB8BCN4VjRxc/8yfyoQagTYKIIAQjhx8ECJybfb9Pp5/tOIq0A16U3cj5Jkpe/h2c2uriAHyvtzGCpOGfmQ9yAFmCcZMpxhnbA4K8chRwDYYMyt3OK/BDg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3436.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(136003)(396003)(39860400002)(376002)(366004)(6506007)(53546011)(186003)(110136005)(478600001)(316002)(5660300002)(31686004)(966005)(31696002)(2616005)(36756003)(76116006)(6512007)(66556008)(66476007)(64756008)(8936002)(66946007)(86362001)(6486002)(2906002)(66446008)(71200400001)(66574015)(122000001)(38100700002)(83380400001)(8676002)(45980500001)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?ZFlGUXk3TE91bzhTWTdJeit3WVdQQ2p0NURDb3RCaWV0Wlhzak56bkpUenNS?= =?utf-8?B?TW44dEJCOFFJeG5sKzZxVThXZGN0ZFI0RHRhdVBMRFV4enR6aVVONWk2NUwv?= =?utf-8?B?ZGpaeEE2Z2VXaFVGdDh2OWpnZDUxQUZXUHRjOHBMYzYra0J4Z1ZGTG51Rmc2?= =?utf-8?B?LzdLVEU5a1Q0b1U2blh1ZXYrb3lwM2kwYkJxWHNiWjAzVC9KK2xLVjhwNU5a?= =?utf-8?B?RzFRZDU5TnY2bk1nazd1MlhGeFJMSUROdGpISTFuQ3JlUlBvUWdxcm8yQWEw?= =?utf-8?B?VDIrUEhOZVVZOTRaem5YaG1CN1VmSGRQODE0ZUUwdDJhQ1IydWxab3h3dHNp?= =?utf-8?B?dkp2eXZndWoxUFliTDI4UkZtZHJMRFFNQzhlWS9KZFhiOS8vSVozQktxUFBY?= =?utf-8?B?dzF3RDkvYmpIOHdHdUQ4dWk1SFowRHhjcFd1cjBYUkJ0dUFBYkZFQ2tGT3RS?= =?utf-8?B?SHlzU3p4MzZETDVRYlRUUWJKMnZUYXM5V2MweXpCZDdaV0FWWW9WeEViYXNT?= =?utf-8?B?bHh0VXdLbmExNGcwdlg2TnZya1kvVVBySUJyUlpRNnQ5MUxjUUcrcGFuQ0Rk?= =?utf-8?B?bVJjNFYwTEQxZ1dTY2dIS1FRSlJNcWtrYnNGYTdPSFJobmEyZHRmWDM1QlJY?= =?utf-8?B?SDJBZ2NtL2ozRER4c0tpOCtEUFRJUXZBUkFiWjVNZ1lpSHo4WGxUYW1iZ1hC?= =?utf-8?B?c1hWYStzdnNLSEovbXJBWG9icmQ4eFoxOUVOUi9WOGd4eEo3VFQrZGwxNWJR?= =?utf-8?B?R2dUUzVxeHlwYnFVMEFLbUhxcTgwSk1waC8vMkJXckFCYU5jdnVNY0E4MGJw?= =?utf-8?B?OXlXZUh1WS9RUjRoV25STDNCL0kyd3A1WnczTnJQWEpKSDQzaFg5bGt5MDhG?= =?utf-8?B?YzIyT21mbmJpOFlHWU1FcnBaV0NFWVRVU203M2V6Qi8wMWNSekczOVhDN3Qz?= =?utf-8?B?ZzZFTjlrRDJ2Z212WVJTN3BXclJ6QzBsM0s0TnphMjlSUDZkVExsTTd3UGZX?= =?utf-8?B?TmExbkh5c3d3aHcvaTZUdnJOU1FDK3Q5UHpIYmRDcVM0ajlyR1QzZHRhY3JF?= =?utf-8?B?Qm43ZFY0Y3F0ZjlMYW1wdmwzKzV2TnpWTHJEM0RsOEJ0TXdNNjhSYWJYQTVr?= =?utf-8?B?VTduS2VYNWlUZFpLaEdsamROUkpDN0NmNDFNdDEvb3pFMTIyMWROVGRaTWhn?= =?utf-8?B?SW13OStSaUxmZDVYZmcvZWJWYVhpUjNIM2RzdGRZOEFhZ21HL0JZZXN0MGNS?= =?utf-8?B?KzRucmZ0ZzcwWnByZm01US9WS08ybG9tRnZWY3RlUGkrQTh6SzUzUkdUblF2?= =?utf-8?B?V0RsTFcxTTN1RFF2NGs4OVBodkdseUhYYm9FbzZ2VUF0S2pNeWwwUHVxTytH?= =?utf-8?B?M3JyYnRncXZyM1RoakdpZDlieERWTUllT2ZYKy8wT2J2ZjV6bWV2TkJQclRs?= =?utf-8?B?SFlBSTZ1YUx3eU82N3B2YjVHZmduUkt0Q25iS3Z1aG1jd0Zpd1hmUG03dGxx?= =?utf-8?B?WUIzZFQxYloxM0VPeFJ2eHV0R2lEckczU2RKMXFhSkg0dlFsajhIZVJHS2tW?= =?utf-8?B?NUFKd09uNmdWWFBjdFhsOGVCMHN2eFZGOHhRMTF3eXFiMU1xbmE5S0dDOWFi?= =?utf-8?B?OTBKbWNUREN1b2NpUzMwWEpSNkJhcndRMzljUGRjRHZTUGUwWjdneDR0WDA4?= =?utf-8?B?TlY2bElYSzQrL2M0Um8rRXU3VU1RbWVwS2Rpc3RuS2QvS2luOGtoQzJFcWpo?= =?utf-8?B?UUJYbGE3Wkp1Ry9xbUZIOGkxQUVRR1c3TEJYM0M5a3FVZVJNUTVrc0pIM0Nn?= =?utf-8?Q?i4UJLeiwyZ6delTKscmj2UdM/8aEZikVDd3F0=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <AFDCFF555C1FE14A8CE6A34788DB9A7A@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3436.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5e9fb52d-0da0-4920-c1a7-08d933cbcd39
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jun 2021 09:14:26.2648 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: X3A6Evw9rz9hFY6tnWLHtdEN0mXuj2ENVzb/Ob3pE1AbAm7Bi4F7x6PEevxwOT3kWxzSINNcWX1hnCbRr1wSaQKAt+SpYqmO/jmsC0g6uzo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3611
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/JJgrKmj4OtbxMwdE4rLuI0fQfhs>
Subject: Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jun 2021 09:14:39 -0000

The document is currently intended for standards track publication. But 
both the abstract and the introduction mention "describes a service".  
You don't describe a standards specification. You define it? Moreover, I 
find the entire tone of the document to be somewhat lacking for a 
standards track publication. For example, there is text in the document 
which says "The URI of the CoAP-EAP service CAN be set to "/b"? First, 
"CAN" is capitalized but it is not in the list of keywords defined by 
RFC 2119/RFC 8174. What if the URI is something different? How are 
devices supposed to interoperate? I would recommend to either make the 
language more precise or publish this as informational. However, I leave 
the final decision to the chairs and the AD. I don't want to be an 
impediment to the publication of this document.

Please expand eap, coap, and IoT on first usage in abstract. It's not 
great to have bullet lists in abstracts. Also, the capitalization of 
some words looks odd. For example, why "Security Associations" is 
capitalized?

Add a reference to RFC 8174 in section 1.1. Besides, you already use 
"MAY"/"MUST" in section 1. For example, the text says: "The CoAP client 
MAY contact with a backend AAA infrastructure to complete the EAP 
negotiation as described in the EAP specification [RFC3748]" but "MAY" 
is defined as a keyword only later?

I also wonder if CoAP-EAP reflects the correct sequence of protocols. 
EAP is encapsulated in CoAP. Shouldn't it be called EAP-CoAP? Maybe it's 
too late to change that now.

"The assumption is that" -> instead just say EAP methods used in this 
specification MUST generate key.". Standards specifications don't make 
assumptions and rather dictate what implementations/deployments should do.

Expand OSCoRE to Object Security for Constrained RESTful Environments.

Section 2:  "The rationale behind this decision, as we will expand 
later, is that EAP requests go always from the EAP authenticator to the 
EAP peer.". I think the more correct terminology here is that EAP 
requests are always sent from the EAP server to the EAP peer.

CoAP-EAP service CAN be set to "/b" to save bytes over the air. Wouldn't 
it make sense to standardize this. For example: /.well-known/bootstrap? 
You'll need to define URI scheme syntax and semantics but it would go a 
long way in helping interoperability.

Language issue: " signalling the intention the EAP peer"

Section 3.1: "In any case," -> Not clear. Please rephrase. For example: 
Regardless of whether a No-response option is used, the CoAP client 
sends ....

"This CoAP server can select this value as pleased, as long as, it 
serves to process the following message adequately."  -> Hard to parse 
this sentence. Which server? which value?

have an ongoing authentication -> one authentication session?

I don't fully understand the logic behind having separate resources for 
each request. I read Christian Amsüss's CoAP FAQ on this. It helped a 
bit but I am not sure why this is needed since RFC 3748 says: "EAP 
provides its own support for duplicate elimination and retransmission."?

Why can't you send the identity already in the first POST message from 
the device. AFAIK, a separate Identity request and response is not 
necessary. You'll save on one round trip? This will also help the 
authenticator to decide already on the first message if it should 
continue or not (depending on the domain name in the NAI)?

Section 3.3: casuistics -> interesting choice of words. At least I had 
to lookup the meaning.

MSG-ID -> Not used in RFC 7252 so I recommend that you should not use it 
either. Also, perhaps adding a bit more context would not hurt. For 
example, Message Id in CoAP is used for....... In CoAP-EAP, the Message 
Id can be used for ..... You have also used MSGID (vs. MSG-ID) in the 
document.

"unauthorized communications from the IoT device towards the Controller 
within the security domain." -> I think the more likely repercussion is 
that there will be no access to the network, services, and resources for 
the IoT device.

Not clear which message is lost in Figure 4. I also don't know if EAP-X 
MSG 1 is best representation in the figure. Perhaps EAP-X-Req 1 and 
EAP-X-Res 1?

Please explain what is meant by "due to internal tracking"

Perhaps rename Master Key Session (MSK) to Main Session Key (MSK)

AS -> never expanded before or introduced properly? what is it referring 
to? Is AS the authenticator or backend server?

Key material needed to derive the OSCORE Security Context, from the MSK 
can be done as follows:? What if it is not done as follows?

KDF can be AES-CMAC-PRF-128? What if some other KDF is used? Shouldn't 
labels be registered with IANA somehow? What if my implementation uses 
"IETF_MASTER_SECRET_FOR_OSCORE"

"The ID Context can be set to the identity of the EAP peer"? Is it the 
NAI? Is it the identity associated with the EAP peer credentials 
(example: PSK identity or the identity in the TLS client certificate)? 
Is it the Peer-Id? Not all EAP methods export Peer-Id?

Do you mind adding a reference to EAP-NOOB in the list of lightweight 
methods? For full disclosure: I am a co-author of EAP-NOOB. I think it 
is a reasonable example to add given that an implementation with 
CoAP-EAP already exists : https://www.youtube.com/watch?v=rPuFKoihl5E

"Cryptographic suite is not negotiated". I think this is wrong. Many EAP 
methods inherently include cryptographic suite negotiation. I guess what 
you intend to say here is that the KDF used on the MSK is fixed. Why 
AES-CMAC-PRF-128 is the best choice here for IoT devices?

KMF? I guess you are referring to the Key Management Framework. But the 
original RFC 5247 does not use this acronym so I recommend you avoid it 
as well.

IANA Considerations section only says TBD.?? I would have thought that 
it would be complete before issuing the working group last call? At the 
very least you should consider registering CoAP-EAP as a lower layer : 
https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-lower-layers.

--Mohit

On 6/17/21 8:25 PM, Loganaden Velvindron wrote:
> Dear All,
>
> After a quick check with the other working group chair, we are ready
> to proceed to WGLC for:
>
> https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/
>
> Please send your comments to the list.
> The WGLC period will end on the 1st of July.
>
> Kind regards,
> Daniel and Logan.
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace