Re: [Ace] call for adoption for draft-marin-ace-wg-coap-eap

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 22 January 2021 14:37 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Ace Wg <ace@ietf.org>
Date: Fri, 22 Jan 2021 14:36:59 +0000
Message-ID: <919f10b3-7ec5-1575-1893-41e4d4cc25b8@ericsson.com>
References: <CADZyTkkiqC=x_oAYsc_jHHeiNWhjvXHHvOKEeF=9W3si8Dp3pw@mail.gmail.com> <25210.1611242790@localhost>
In-Reply-To: <25210.1611242790@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/OsEGd5RPnXtmRhYgDAbuH5BbgAQ>
Subject: Re: [Ace] call for adoption for draft-marin-ace-wg-coap-eap
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Hi Michael,

I guess the question you are asking is: what is the benefit of adding the overhead of EAP? For EAP-TLS, you could use TLS directly. For EAP-pwd (which is a PAKE) one could use any PAKE without the EAP encapsulation overhead?

Is your concern only in the context of IoT or do you think in general we are better off using protocols directly without the EAP framework overhead?

--Mohit

On 1/21/21 5:26 PM, Michael Richardson wrote:

I reviewed the document before, and my concerns were not really answered.

I can not understand what the applicability is.

The document starts off with:

   The goal of this document is to describe an authentication service
   that uses the Extensible Authentication Protocol (EAP) [RFC3748].
   The authentication service is built on top of the Constrained
   Application Protocol (CoAP) [RFC7252] and ALLOWS AUTHENTICATING TWO
   CoAP endpoints by using EAP without the need of ADDITIONAL PROTOCOLS
   TO BOOTSTRAP A SECURITY ASSOCIATION BETWEEN THEM.


...
   The assumption is that the EAP method transported in CoAP MUST
   generate cryptographic material [RFC5247]

This implies use of one of the many EAP-TLS modes, some EAP PAKE
mode, or maybe, in theory some EAP-SIM/AKA mode.

1) TLS modes could just use TLS, or DTLS, and omit the extra EAP
   bytes.  If saving those bytes is not important, then
   the use of PANA seems to do the same thing.

2) The EAP PAKE modes could just use TLS with some PSK or PAKE
   authentication.

3) The EAP-SIM/AKA modes are not realistic, as they generally depend upon
   being able to talk to a database of SIM/AKA secrets.

So, which modes that generate cryptographic material are envisioned?

The document goes on to say:

   The CoAP client MAY contact
   with a backend AAA infrastructure to complete the EAP negotiation as
   described in the EAP specification [RFC3748].

which is a third party, when the intro told me that no third party was
required.  Even figure 1 shows three parties.
And section 5 says there might be five parties, again including an AAA server.

I believe that this entire proposal goes against the ACE architecture,
and should not be adopted by this WG.
This work seems to duplicate the work in LAKE, as well as cTLS, while not
bringing any clear advantage over existing protocols.

If adopted, I don't review the document.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [



--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
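Added example, not from this thread, the draft, or either author: the "extra EAP bytes" in point 1 of the quoted review are the EAP header (Code, Identifier, Length; RFC 3748) plus the EAP-TLS Type, Flags and optional TLS Message Length fields (RFC 5216) wrapped around every TLS fragment, and a 6-byte EAP-Response acknowledgement per fragment that had the M bit set. The Python below frames a constructed 1024-byte stand-in for a TLS flight (not a real TLS message), reassembles it with the length checks a receiver should make, and counts the overhead for a given maximum EAP packet size. The packet-size limit, the reassembly cap and the sample bytes are illustrative assumptions; the framing constants come from the two RFCs.

```python
"""EAP-TLS framing (RFC 3748 + RFC 5216): fragment, reassemble, count overhead."""
import struct

EAP_CODE_REQUEST = 1          # RFC 3748, section 4
EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13             # RFC 5216, section 3.1
FLAG_L = 0x80                 # TLS Message Length field present
FLAG_M = 0x40                 # more fragments follow
FLAG_S = 0x20                 # EAP-TLS Start (not used here)

EAP_HDR_LEN = 4               # Code, Identifier, Length
EAPTLS_HDR_LEN = 2            # Type, Flags
TLS_LEN_FIELD = 4             # only present when L is set

# Constructed stand-in for one TLS handshake flight (1024 bytes).  It is
# not a real TLS message, just a byte string of that size to frame.
SAMPLE_TLS_FLIGHT = bytes(range(256)) * 4


def eap_tls_fragments(tls_msg: bytes, identifier: int, max_eap_len: int,
                      code: int = EAP_CODE_REQUEST) -> list:
    """Split tls_msg into EAP-TLS packets of at most max_eap_len bytes.

    First fragment sets L and carries the total TLS length; every fragment
    except the last sets M (RFC 5216, section 2.1.5).
    """
    frags, offset, first = [], 0, True
    while True:
        hdr = EAP_HDR_LEN + EAPTLS_HDR_LEN + (TLS_LEN_FIELD if first else 0)
        room = max_eap_len - hdr
        if room <= 0:
            raise ValueError("max_eap_len too small to carry any TLS data")
        chunk = tls_msg[offset:offset + room]
        offset += len(chunk)
        flags = FLAG_L if first else 0
        if offset < len(tls_msg):
            flags |= FLAG_M
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", len(tls_msg))
        body += chunk
        # EAP Length covers the whole packet, header included.
        frags.append(struct.pack("!BBH", code, identifier, EAP_HDR_LEN + len(body)) + body)
        identifier = (identifier + 1) & 0xFF
        first = False
        if offset >= len(tls_msg):
            return frags


def eap_tls_reassemble(packets: list, max_tls_len: int = 64 * 1024) -> bytes:
    """Rebuild the TLS message, rejecting inconsistent or oversized framing.

    The declared length is bounded before any buffering so a peer cannot
    make the receiver allocate for a length it never intends to send.
    """
    buf, declared = bytearray(), None
    for pkt in packets:
        if len(pkt) < EAP_HDR_LEN + EAPTLS_HDR_LEN:
            raise ValueError("truncated EAP-TLS packet")
        _code, _ident, length = struct.unpack("!BBH", pkt[:EAP_HDR_LEN])
        if length != len(pkt):
            raise ValueError("EAP Length field does not match packet size")
        if pkt[4] != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS packet")
        flags, pos = pkt[5], EAP_HDR_LEN + EAPTLS_HDR_LEN
        if flags & FLAG_L:
            if len(pkt) < pos + TLS_LEN_FIELD:
                raise ValueError("L set but TLS Message Length missing")
            declared = struct.unpack("!I", pkt[pos:pos + TLS_LEN_FIELD])[0]
            if declared > max_tls_len:
                raise ValueError("declared TLS length exceeds reassembly limit")
            pos += TLS_LEN_FIELD
        buf += pkt[pos:]
        if len(buf) > max_tls_len or (declared is not None and len(buf) > declared):
            raise ValueError("fragments exceed declared TLS length")
        if not (flags & FLAG_M):
            break
    if declared is not None and len(buf) != declared:
        raise ValueError("reassembled length differs from declared length")
    return bytes(buf)


def encapsulation_overhead(tls_len: int, max_eap_len: int) -> dict:
    """Bytes EAP-TLS adds to a tls_len-byte flight carried in max_eap_len packets.

    ack_overhead counts the 6-byte EAP-Response/EAP-TLS (no data) the peer
    returns for each fragment that had M set.
    """
    frags = eap_tls_fragments(bytes(tls_len), 0, max_eap_len)
    return {
        "fragments": len(frags),
        "request_overhead": sum(len(f) for f in frags) - tls_len,
        "ack_overhead": (len(frags) - 1) * (EAP_HDR_LEN + EAPTLS_HDR_LEN),
    }


if __name__ == "__main__":
    frags = eap_tls_fragments(SAMPLE_TLS_FLIGHT, identifier=7, max_eap_len=500)
    for f in frags:
        print(f"len={len(f)} id={f[1]} flags=0x{f[5]:02x}")
    assert eap_tls_reassemble(frags) == SAMPLE_TLS_FLIGHT
    print(encapsulation_overhead(len(SAMPLE_TLS_FLIGHT), 500))
```

For the 1024-byte sample in 500-byte EAP packets this yields three fragments, 22 bytes of request framing and 12 bytes of acknowledgements, all on top of whatever the CoAP transport itself adds; carrying the same TLS or DTLS flight directly over CoAP or UDP pays none of it, which is the quantitative side of the point being argued above. The reassembly side shows the checks a receiver should not skip: the EAP Length field must match the bytes on the wire, and the declared TLS length must be capped before buffering.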