IETF Logo Mail Archive

Re: [Emu] Potential Notes in EAP-FAST Documents

Bernard Aboba <bernard_aboba@hotmail.com> Wed, 11 February 2009 18:25 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5E9373A6D1F for <emu@core3.amsl.com>; Wed, 11 Feb 2009 10:25:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZzTXN5g0yMcp for <emu@core3.amsl.com>; Wed, 11 Feb 2009 10:25:16 -0800 (PST)
Received: from blu0-omc3-s38.blu0.hotmail.com (blu0-omc3-s38.blu0.hotmail.com [65.55.116.113]) by core3.amsl.com (Postfix) with ESMTP id C8D953A6D29 for <emu@ietf.org>; Wed, 11 Feb 2009 10:25:15 -0800 (PST)
Received: from BLU137-W38 ([65.55.116.73]) by blu0-omc3-s38.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 11 Feb 2009 10:25:20 -0800
Message-ID: <BLU137-W385A9052FA9DC67EB7BD9B93BA0@phx.gbl>
X-Originating-IP: [24.16.117.112]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: emu@ietf.org
Date: Wed, 11 Feb 2009 10:25:20 -0800
Importance: Normal
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 11 Feb 2009 18:25:20.0730 (UTC) FILETIME=[18D34BA0:01C98C76]
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2009 18:25:27 -0000

Tim --

This works for me. 

Thanks (to you and other members of the IESG) for putting in the time to get this right. 


=======================================
Folks,

As the AD that sponsored publication of the EAP-FAST documents under  
discussion,
I have been trying to find the best way forward.  I believe that the  
best course of action
involves some clarifications to draft-cam-winget-eap-fast- 
provisioning to distinguish
the modified and unmodified use of EAP-MSCHAPv2, and IESG notes to  
ensure these
publications do not establish precedent for future reuse of EAP type  
codes with
different semantics.
First, I support revising draft-cam-winget-eap-fast-provisioning so  
that the modified
form of EAP-MSCHAPv2 is consistently referred to as EAP-FAST- 
MSCHAPv2.  The
authors offered to make this change earlier in the thread, and I have  
seen some
support and no opposition to this suggestion.
Second, I will be offering the following text for IESG notes on both  
documents.  The
notes clearly state the drawbacks for EAP type code reuse and define  
an acceptable path for future protocol developers.
------ draft-cam-winget-eap-fast-provisioning -----

    EAP-FAST has been implemented by many vendors and it is used in the
    Internet.  Publication of this specification is intended to promote
    interoperability by documenting current use of existing EAP methods
    within EAP-FAST.

    The EAP method EAP-FAST-MSCHAPv2 reuses the EAP type code  
assigned to
    EAP-MSCHAPv2 (26) for authentication within an anonymous TLS  
tunnel.  In
    order to minimize the risk associated with an anonymous tunnel,  
changes
    to the method were made that are not interoperable with EAP- 
MSCHAPv2.
    Since EAP-MSCHAPv2 does not support method-specific version  
negotiation,
    the use of EAP-FAST-MSCHAPv2 is implied by the use of an anonymous
    EAP-FAST tunnel.  This behavior may cause problems in  
implementations
    where the use of unaltered EAP-MSCHAPv2 is needed inside an  
anonymous
    EAP-FAST tunnel.  Since such support requires special case  
execution of
    a method within a  tunnel, it also complicates implementations  
that use
    the same method code both within and outside of the tunnel  
method. If
    EAP-FAST  were to be designed today, these difficulties could be  
avoided
    by utilization of unique EAP Type codes. Given these issues,  
assigned
    method types must not be re-used with different meaning inside  
tunneled
    methods in the future.

----  draft-zhou-emu-fast-gtc  ------

    EAP-FAST has been implemented by many vendors and it is used in the
    Internet.  Publication of this specification is intended to promote
    interoperability by documenting current use of existing EAP methods
    within EAP-FAST.

    The EAP method EAP-FAST-GTC reuses the EAP type code assigned to
    EAP-GTC (6).  The reuse of previously assigned EAP Type Codes is
    incompatible with EAP method negotiation as defined in RFC  
3748.  Since
    EAP-GTC does not support method-specific version negotiation,   
the use of
    EAP-FAST-GTC is implied when used inside the EAP-FAST tunnel during
    authentication. This behavior may cause problems in  
implementations where
    the use of another vendor's EAP-GTC is required.  Since such  
support requires
    special case execution of a method within a tunnel, it also  
complicates
    implementations that use the same method code both within and  
outside of
    the tunnel method. If EAP-FAST were to be designed today, these
    difficulties could be avoided by utilization of unique EAP Type  
codes.
    Given these issues, assigned method types must not be re-used with
    different meaning inside tunneled methods in the future.

I am not under the illusion that this text will be entirely  
satisfactory to anyone,
but I believe that it is an *appropriate* resolution to the problem.

Thanks,

Tim Polk

v2.23.0 | Report a Bug | By Email