Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
Mohit Sethi M <mohit.m.sethi@ericsson.com> Sun, 20 June 2021 09:14 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A110E3A07C4 for <ace@ietfa.amsl.com>; Sun, 20 Jun 2021 02:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.437
X-Spam-Level:
X-Spam-Status: No, score=-1.437 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.198, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A4CjLkVkZsOO for <ace@ietfa.amsl.com>; Sun, 20 Jun 2021 02:14:33 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60040.outbound.protection.outlook.com [40.107.6.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67CC53A07C3 for <ace@ietf.org>; Sun, 20 Jun 2021 02:14:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=alXVeEfRFPeYx67xXtToK8gMkTjG8kIRsIQMG72Zp+L2CQIZgzm2X2wsf/Sxx+rtZxandW8CF4RoHRVG87VA1Wqr+wRHDFmlq1tRdYWZd7rpCY3nE3RntRJYeVy+OSxfFvy4M41xsx5CwY5XFHaJkEFH9s6EFtIM7d+5+bI873Uj89X9kMKubEFZb9/AcwzQgW3LWFoSFoPQc3tWxA9DuhxuvdKkGKxTtTIF1Pl71Jj8GXjbZthyt5abTRULhsWTq2Yz4sGzuYCZIbVOGpKUeJ7wlKIfWEnW6ue5kDyR85Vvxga3lA7Xj/kmygiEJSqm1a0vPZZ6KefuspedayKRLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PEwq2Vqrq/UejBgvvIJGOCSEsw6lOCf/hZDTNYJmv+E=; b=CMQr7v5Kcln9qWTo+y+CDTgT9xWDDvZNn8Lo4h1HJsJyg1XvT5Ox0vo5Sm2RChqIwiLZtRSOqtDXH5r9n/i3mzRbusC2R/QJvDNF8rYTI2xEqFTzfx3HJtxXdR6OJX+Wum7I+MMLZtFttGw0kqEhcy20SoRAI0XXC7HsJoAM1Udvgkjm1l+ZC9VrOth7WS9cHYO6iKdPbGUxTPujeINb5czjV2YckiNZAUAb4ZAvmqyNhmziX1oSOf24rJEPNBYO1LTCuSuWd6MeWTgt79VLpDQWuGJTg4rJA/jWbqkuVjetvtn7pxj+1l4x6RN3+vxmJHTPbHmyqg3QIkTG9y56SA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PEwq2Vqrq/UejBgvvIJGOCSEsw6lOCf/hZDTNYJmv+E=; b=b/o93HJw1eqyAtAmAok2aIwVDPHrTmI4cGqMbii6R4uC9OCMxdN90Bw0mLthq9F5BKVwxdjjff16JedOuuLVqwixLUMcu+uAQmB3ycIK5V0gQyazuJXI46YjVnGKT+nlzRj7BPaLGyL0+dVgix3qTTDQjD6BWqZhWzYLfSFgIpI=
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com (2603:10a6:7:37::31) by HE1PR0702MB3611.eurprd07.prod.outlook.com (2603:10a6:7:82::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.16; Sun, 20 Jun 2021 09:14:26 +0000
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::9dbf:3074:b496:7704]) by HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::9dbf:3074:b496:7704%7]) with mapi id 15.20.4242.014; Sun, 20 Jun 2021 09:14:26 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Loganaden Velvindron <loganaden@gmail.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
Thread-Index: AQHXZbSpV7ikk2ZQdkqg8kRjENGQRA==
Date: Sun, 20 Jun 2021 09:14:26 +0000
Message-ID: <e713a008-f37f-e723-f7e5-5d2667d53109@ericsson.com>
References: <CAOp4FwR-pNpfqEY-6aDhd+ThiSWZtg4qBPLy7Xyp1kfRpC-XuQ@mail.gmail.com>
In-Reply-To: <CAOp4FwR-pNpfqEY-6aDhd+ThiSWZtg4qBPLy7Xyp1kfRpC-XuQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5e9fb52d-0da0-4920-c1a7-08d933cbcd39
x-ms-traffictypediagnostic: HE1PR0702MB3611:
x-microsoft-antispam-prvs: <HE1PR0702MB3611AB5202ECA26F5CD47319D00B9@HE1PR0702MB3611.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Zz2CsxZVwndCHZEyoYUzyAt7ccTKhNgmP/cOtDvz16EBTwlSPbMQvvj74BGAiTCYkE7embVoZMG4QQuhVclPIe4wE7ZlOTcvwxbY5NMPXg405+iGQcUFcDq2lFra7PtXii0h8f401or1HjTLv77WfMuRmOIXN6FPe09r+HdsY8M28Duj5A3P5HeN2G9ixW1K3FIE7QoY/Rq92f7/ieVGQJqMU2Xo6Hjc2OWiAwqPD9dBlmsIFgOJF0m0LxiFBJ9MNyeMCXG6Wsn+4WmXwL9lax4ZMMyjv+qv6ZtSS3hnqFEClxft4hnYyTT2aQxErx/PThBMG1AWcheh3E0cksJr8wP9LAmR1SZOmRXqBiLd0BOstxw/KNQk9cPIg4jwwNbamnfH5Ip7EcAWWaKRrX04/Xo01q8EgC5hUmCmmTMMUBK3brJOsAPLHSW45hRZ3ULVh/3paeB8KxdDoRjObUMeGbuvUjDWSZmfS/5I6WSCDpf5A6IK+F/4ildvxyyHy0yjA+ewShMGb32ewy6RmxV9x57ysjdgu9ibiJM9EYzPLAE06yR/Q5NdiRwN3Vwp84QIkILCjk1zWLTeq1ZXVDpWEpj5pAVxRY3iIouJ6JZR1YJKlp7C7q/gdF8uzybiXBrwIl+v/Vcnp+C8p/39qetc9YkdV2HHinKZTULsDxoElL5Zr0jRpVyCoHHDfC4yq46a5i1Cu2NhNpzKJ5dgv39KWXHAp7DBW96SGB8BCN4VjRxc/8yfyoQagTYKIIAQjhx8ECJybfb9Pp5/tOIq0A16U3cj5Jkpe/h2c2uriAHyvtzGCpOGfmQ9yAFmCcZMpxhnbA4K8chRwDYYMyt3OK/BDg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3436.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(136003)(396003)(39860400002)(376002)(366004)(6506007)(53546011)(186003)(110136005)(478600001)(316002)(5660300002)(31686004)(966005)(31696002)(2616005)(36756003)(76116006)(6512007)(66556008)(66476007)(64756008)(8936002)(66946007)(86362001)(6486002)(2906002)(66446008)(71200400001)(66574015)(122000001)(38100700002)(83380400001)(8676002)(45980500001)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: dYFQy7LOuo8SY7Iz+wYWPCjt5DCotBietZXsjNznJTzsRMn8tBB8QIxnl+6qU8WdctdR4DtauPLDUxztziUN5i65L/djZxA6geWhUFt8v9jgd51AFWPtc8pLc6+kBxgVFLnuFg6/7KTE9kT4oU6nXuev+oyp3i0bBqXsbZ03T/J+lKV8p5NZG1Qd59Nv6nMgk7u2XFxRLIDNtjHI1nCreRPoQgqro2Aa0T2+PHNeUY94ZznXhmB7UfHdP814eE0t2aCR2ulZoxwtsivJvyvguj1PYbL28RFmdrLDQMC8eY/JdXb9//IZ3BKqPPXw1wD9/bjH8wGuD8ui5HZ0DxcpWur0XRBtuAAbFECkFOtRHysSzx36DL5QbTTQbJ2vTas9Wc0yzBd7ZWAVYoVxEbasSlxtUwKna14g0vX6NvrkY/UPrIBrRZQ6t91LcQG+panCDdmRc4V0LD1gWScgHKQQJRMqkkbsFa7OHRhna2dtfX35BRXH2Agcm/j3DDxsKi8+DPTIQvARAbZ5MgYiHz8XlTambgXBsXVa+svsKHJ/mrAXobrd8xZ19ENR/V8gxxJ7TT+dl15bQGgTS5qxypbqU0AKmHqq80JMph//2BWrABaNcvuMcA80bp9yWeHuY/QR4hWnRL3B/I2wp5Zw3NrPXJJH43hX9lky08Fc22Omfnbi8YGYMErpZWCEYTUSm73ezB/01cRzG39XC7t3g6EN9kD2vgmvYRS7pWrRzC0l3K4Nza29RP6dTLlM7wPfWNa1nHyswwhw/i6TvrNSQC+t9PzHbdCqS4j9rGT3dtacrEBn7dV4cqtf9Lampvl3+5vNzVLrD3Dl8BtMwM68RabXA5kU7nKeX5iTdZKhGljdNRJC7Cf41Mt1/ozE1221dNTdZMhgImw9+RiLfd5Xfg/ebVaXiR3H3dstdY8AagmG/BYest0cR+4nrftg70Zprfm5Q/VKO2lomFvVctePi+A8zK53RGTnQvWDlLW1M3uDQv4k89PhvGlyHXboEo6vUAtKjMyl0PuqO+G3rrbtgqvr3ThjGid9bxDVMIeOfX+/0Obvf5zmevNBPrTlHYAI6uaLwyO67pvb5GfgnRKtCnbKvuhmcwFiwXfPm7tlqYB3dT1bZ13EOxRvxutGiDrG3SdJ1qaJH4vQlj8HeRGKkV5AJwOn6gVXPctXl8eB0svxVF8xQ11wyqb1Mqna9KGC9ab90JmcTDCuociS30XJR6BarwQ39cPdcDvSPe0Z7gx4tX08NV6lIXK4+/c4Ro+Eu7UMQmepKdistnKd/Kin8khC2EqjhQBXla7ZJuG/qmFH8i1AEQGW7LBX3C9kqUeRMQ5ksJH3Cgi4UJLeiwyZ6delTKscmj2UdM/8aEZikVDd3F0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <AFDCFF555C1FE14A8CE6A34788DB9A7A@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3436.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5e9fb52d-0da0-4920-c1a7-08d933cbcd39
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jun 2021 09:14:26.2648 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: X3A6Evw9rz9hFY6tnWLHtdEN0mXuj2ENVzb/Ob3pE1AbAm7Bi4F7x6PEevxwOT3kWxzSINNcWX1hnCbRr1wSaQKAt+SpYqmO/jmsC0g6uzo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3611
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/JJgrKmj4OtbxMwdE4rLuI0fQfhs>
Subject: Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jun 2021 09:14:39 -0000
The document is currently intended for standards track publication. But both the abstract and the introduction mention "describes a service". You don't describe a standards specification. You define it? Moreover, I find the entire tone of the document to be somewhat lacking for a standards track publication. For example, there is text in the document which says "The URI of the CoAP-EAP service CAN be set to "/b"? First, "CAN" is capitalized but it is not in the list of keywords defined by RFC 2119/RFC 8174. What if the URI is something different? How are devices supposed to interoperate? I would recommend to either make the language more precise or publish this as informational. However, I leave the final decision to the chairs and the AD. I don't want to be an impediment to the publication of this document. Please expand eap, coap, and IoT on first usage in abstract. It's not great to have bullet lists in abstracts. Also, the capitalization of some words looks odd. For example, why "Security Associations" is capitalized? Add a reference to RFC 8174 in section 1.1. Besides, you already use "MAY"/"MUST" in section 1. For example, the text says: "The CoAP client MAY contact with a backend AAA infrastructure to complete the EAP negotiation as described in the EAP specification [RFC3748]" but "MAY" is defined as a keyword only later? I also wonder if CoAP-EAP reflects the correct sequence of protocols. EAP is encapsulated in CoAP. Shouldn't it be called EAP-CoAP? Maybe it's too late to change that now. "The assumption is that" -> instead just say EAP methods used in this specification MUST generate key.". Standards specifications don't make assumptions and rather dictate what implementations/deployments should do. Expand OSCoRE to Object Security for Constrained RESTful Environments. Section 2: "The rationale behind this decision, as we will expand later, is that EAP requests go always from the EAP authenticator to the EAP peer.". I think the more correct terminology here is that EAP requests are always sent from the EAP server to the EAP peer. CoAP-EAP service CAN be set to "/b" to save bytes over the air. Wouldn't it make sense to standardize this. For example: /.well-known/bootstrap? You'll need to define URI scheme syntax and semantics but it would go a long way in helping interoperability. Language issue: " signalling the intention the EAP peer" Section 3.1: "In any case," -> Not clear. Please rephrase. For example: Regardless of whether a No-response option is used, the CoAP client sends .... "This CoAP server can select this value as pleased, as long as, it serves to process the following message adequately." -> Hard to parse this sentence. Which server? which value? have an ongoing authentication -> one authentication session? I don't fully understand the logic behind having separate resources for each request. I read Christian Amsüss's CoAP FAQ on this. It helped a bit but I am not sure why this is needed since RFC 3748 says: "EAP provides its own support for duplicate elimination and retransmission."? Why can't you send the identity already in the first POST message from the device. AFAIK, a separate Identity request and response is not necessary. You'll save on one round trip? This will also help the authenticator to decide already on the first message if it should continue or not (depending on the domain name in the NAI)? Section 3.3: casuistics -> interesting choice of words. At least I had to lookup the meaning. MSG-ID -> Not used in RFC 7252 so I recommend that you should not use it either. Also, perhaps adding a bit more context would not hurt. For example, Message Id in CoAP is used for....... In CoAP-EAP, the Message Id can be used for ..... You have also used MSGID (vs. MSG-ID) in the document. "unauthorized communications from the IoT device towards the Controller within the security domain." -> I think the more likely repercussion is that there will be no access to the network, services, and resources for the IoT device. Not clear which message is lost in Figure 4. I also don't know if EAP-X MSG 1 is best representation in the figure. Perhaps EAP-X-Req 1 and EAP-X-Res 1? Please explain what is meant by "due to internal tracking" Perhaps rename Master Key Session (MSK) to Main Session Key (MSK) AS -> never expanded before or introduced properly? what is it referring to? Is AS the authenticator or backend server? Key material needed to derive the OSCORE Security Context, from the MSK can be done as follows:? What if it is not done as follows? KDF can be AES-CMAC-PRF-128? What if some other KDF is used? Shouldn't labels be registered with IANA somehow? What if my implementation uses "IETF_MASTER_SECRET_FOR_OSCORE" "The ID Context can be set to the identity of the EAP peer"? Is it the NAI? Is it the identity associated with the EAP peer credentials (example: PSK identity or the identity in the TLS client certificate)? Is it the Peer-Id? Not all EAP methods export Peer-Id? Do you mind adding a reference to EAP-NOOB in the list of lightweight methods? For full disclosure: I am a co-author of EAP-NOOB. I think it is a reasonable example to add given that an implementation with CoAP-EAP already exists : https://www.youtube.com/watch?v=rPuFKoihl5E "Cryptographic suite is not negotiated". I think this is wrong. Many EAP methods inherently include cryptographic suite negotiation. I guess what you intend to say here is that the KDF used on the MSK is fixed. Why AES-CMAC-PRF-128 is the best choice here for IoT devices? KMF? I guess you are referring to the Key Management Framework. But the original RFC 5247 does not use this acronym so I recommend you avoid it as well. IANA Considerations section only says TBD.?? I would have thought that it would be complete before issuing the working group last call? At the very least you should consider registering CoAP-EAP as a lower layer : https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-lower-layers. --Mohit On 6/17/21 8:25 PM, Loganaden Velvindron wrote: > Dear All, > > After a quick check with the other working group chair, we are ready > to proceed to WGLC for: > > https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/ > > Please send your comments to the list. > The WGLC period will end on the 1st of July. > > Kind regards, > Daniel and Logan. > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace
- [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Loganaden Velvindron
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Mohit Sethi M
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Carsten Bormann
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Dan Garcia Carrillo
- Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02 Dan Garcia Carrillo