Re: [core] [Ace] Proposed charter for ACE (EAP over CoAP?)
Dan Garcia <garciadan@uniovi.es> Thu, 10 December 2020 09:04 UTC
To: Michael Richardson <mcr+ietf@sandelman.ca>, EMU WG <emu@ietf.org>, "core@ietf.org WG (core@ietf.org)" <core@ietf.org>, "ace@ietf.org" <ace@ietf.org>
From: Dan Garcia <garciadan@uniovi.es>
Message-ID: <62dad652-8acd-0890-36cd-f7aacde19de2@uniovi.es>
Date: Thu, 10 Dec 2020 10:04:28 +0100
In-Reply-To: <2923.1607540144@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/E2XsPIYFKgx0VaZ8dPv4tRLfIY4>
Hi Michael,

"1) ..."

For onboarding a new device, where there is no connectivity after authentication, you propose to use 802.1X, which is an EAP lower layer. EAP over CoAP is in fact a proposal for an application-level EAP lower layer that overcomes the limitation that 802.1X works on an inferior layer, hence giving the possibility to perform the network authentication through nodes. This idea is not new; in fact, you have PANA, another EAP lower layer that works on top of UDP. As you comment, draft-ietf-6tisch-minimal-security offers minimal security and has several deficiencies that can be solved by using EAP and AAA infrastructures.

Regarding your second point:

"2) If it is for application authentication, then you need to use EAP to setup MSK for later use by a context. We do this in IKEv2, (D)TLS already."

Our proposal is to define an EAP lower layer that is specifically designed for constrained devices and networks. The setup of the MSK for later use is what the EAP KMF does, and this key material is used to run a security association protocol, which could be DTLS or OSCORE. That is why it is not an afterthought, as you say. I wrote "could" because it is one of the possibilities. That is another benefit of using EAP. With respect to doing this with IKEv2, EAP already has an EAP method for IKE. Why limit the options when EAP gives you more? What will you do if the specific network does not support running IKEv2 due to severe constraints in the network or any other reason? That is why I believe the flexibility EAP gives you is worth considering.

Best Regards,
Dan.

On 9/12/20 19:55, Michael Richardson wrote:
> Dan Garcia <dan.garcia@um.es> wrote:
>     > EAP can be used in the context of IoT for authentication.
>
> But, to what end?
>
> 1) If it is onboarding a new device, then there is no connectivity until after authentication.
> so you can't use CoAP, you have to use 802.1x, or some equivalent, or
> create a system such as draft-ietf-6tisch-minimal-security.
> Which does use CoAP and OSCORE already.
>
> 2) If it is for application authentication, then you need to use EAP to setup
> MSK for later use by a context.
> We do this in IKEv2, (D)TLS already.
>
> So the only one left would be OSCORE, yet you write "could", as if it was an afterthought.
>
> Tell me what is your application? What will be impossible if we don't do
> this work?
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
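The point Dan makes about the EAP KMF (the MSK exported by the EAP method is what later bootstraps a security association such as DTLS or OSCORE) is easier to see with a small key-derivation walk-through. The block below is an added example, not code from this thread or from any draft it mentions: it implements HKDF (RFC 5869), checks it against the RFC's first test vector, and then derives two separate, protocol-bound keys from one constructed 64-octet MSK. The label format `eap-coap-sa <protocol>\0<peer>\0<server>` and the function name `derive_sa_key` are assumptions made for illustration; the real binding of MSK to OSCORE or DTLS is whatever the eventual specification defines.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero octets.
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated and truncated.
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length too large")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    # RFC 5869 Appendix A, test case 1 (SHA-256). A wrong KDF must never be used for key bootstrap.
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )


def derive_sa_key(msk: bytes, protocol: str, peer_id: bytes, server_id: bytes, length: int) -> bytes:
    """Derive a key for one security-association protocol from an EAP MSK.

    Hypothetical label scheme: domain separation by protocol name and binding to
    both identities, so the same MSK never yields the same key for DTLS and OSCORE,
    and a key derived for one peer/server pair cannot be replayed for another.
    """
    if len(msk) < 64:
        # RFC 3748 / RFC 5247: the MSK exported by an EAP method is at least 64 octets.
        raise ValueError("MSK shorter than 64 octets")
    if not hkdf_self_test():
        raise RuntimeError("HKDF self-test failed")
    prk = hkdf_extract(b"", msk)
    info = b"eap-coap-sa " + protocol.encode("ascii") + b"\x00" + peer_id + b"\x00" + server_id
    return hkdf_expand(prk, info, length)


# Constructed MSK for the walk-through (not real keying material): 64 octets as an EAP method would export.
EXAMPLE_MSK = hashlib.sha512(b"constructed example MSK for illustration only").digest()
PEER_ID = b"constrained-node-42"
SERVER_ID = b"eap-authenticator.example"


def bootstrap_contexts(msk: bytes = EXAMPLE_MSK) -> dict:
    """Show one MSK feeding two different security associations (sizes chosen for illustration)."""
    return {
        "dtls_psk": derive_sa_key(msk, "dtls", PEER_ID, SERVER_ID, 32),
        "oscore_master_secret": derive_sa_key(msk, "oscore", PEER_ID, SERVER_ID, 16),
    }


if __name__ == "__main__":
    ctx = bootstrap_contexts()
    for name, key in ctx.items():
        print(f"{name}: {key.hex()}")
```

Two properties worth checking after running it: the DTLS and OSCORE keys differ even though they come from the same MSK (the protocol label does the separation), and changing either identity in the label changes the derived key, which is the binding that stops key material from being reused in a different context.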