[Emu] RE: Revised liaison response for IEEE 802.11u EAP method for emergency calls
"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Mon, 15 October 2007 21:30 UTC
Return-path: <emu-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IhXWM-0002eM-IL; Mon, 15 Oct 2007 17:30:42 -0400
Received: from emu by megatron.ietf.org with local (Exim 4.43) id 1IhXWK-0002dR-EK for emu-confirm+ok@megatron.ietf.org; Mon, 15 Oct 2007 17:30:40 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IhXWJ-0002dB-FX for emu@ietf.org; Mon, 15 Oct 2007 17:30:39 -0400
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IhXWI-0005ax-69 for emu@ietf.org; Mon, 15 Oct 2007 17:30:39 -0400
X-IronPort-AV: E=Sophos;i="4.21,278,1188802800"; d="scan'208";a="23710725"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 15 Oct 2007 14:30:37 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l9FLUb07025554; Mon, 15 Oct 2007 14:30:37 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l9FLUSxJ021752; Mon, 15 Oct 2007 21:30:37 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 15 Oct 2007 14:30:04 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 15 Oct 2007 14:30:15 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE504A9DBE2@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <BAY117-F31462A15E540BF50F42E1093A30@phx.gbl>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Revised liaison response for IEEE 802.11u EAP method for emergency calls
Thread-Index: AcgPZscPji/sJWf/ToynicK9zpyQywACIl3g
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>, emu@ietf.org
X-OriginalArrivalTime: 15 Oct 2007 21:30:04.0743 (UTC) FILETIME=[8D10B570:01C80F72]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=3887; t=1192483837; x=1193347837; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@cisco.com> |Subject:=20RE=3A=20Revised=20liaison=20response=20for=20IEEE=20802.11u=2 0EAP=20method=20for=20emergency=20calls |Sender:=20; bh=lLt3YH1ar2vmYRrpwY2msbJ5PdhoUqTKOQkXbVHVlKQ=; b=nnVW7EC8Drk/7oWDgD7BS/Il4a28USgbxDuA9qKjQ1I5IukogBCGuAyr1miP+3G+VrJL51Mr J8mY8EUE5eEXuvLx0+B43EwiVaw5R21OsaKvga+zWNHov8ZVcYRIRFmegQX5pd5H2f6ASirWSx SQqN6YN1JXJpaAB4lzR7MWlXw=;
Authentication-Results: sj-dkim-1; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: a2c12dacc0736f14d6b540e805505a86
Cc: ecrit-chairs@tools.ietf.org
Subject: [Emu] RE: Revised liaison response for IEEE 802.11u EAP method for emergency calls
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
Errors-To: emu-bounces@ietf.org
> -----Original Message----- > From: Bernard Aboba [mailto:bernard_aboba@hotmail.com] > Sent: Monday, October 15, 2007 1:06 PM > To: Joseph Salowey (jsalowey); emu@ietf.org > Cc: ecrit-chairs@tools.ietf.org > Subject: RE: Revised liaison response for IEEE 802.11u EAP > method for emergency calls > > >TTLS (draft-funk-eap-ttls-v0-01.txt) and EAP-FAST (RFC4851) are TLS > >based methods that can support server only authentication. > It was also > >pointed out that EAP-TLS (draft-simon-emu-rfc2716bis-11.txt) > >could be modified to create a new EAP method that only > requires server > >side authentication. > > In general, in TLS-based EAP methods the TLS client > authentication policy is determined by the server. That is, > the server decides whether to request a client certificate; > RFC 2716 recommends but does not require inclusion of a > certificate request in the Server hello message; in the > examples in RFC 2716 the certificate-request field is not > shown as mandatory. By not including a certificate request, > an EAP-TLS server can support anonymous clients. It is my > understanding that existing EAP-TLS peer implementations > support server-side only authentication. > [Joe] OK, how about modifying the above sentence to: "It is possible for EAP-TLS (draft-simon-emu-rfc2716bis-11.txt) implementations to support modes that only require server side authentication." > >If the peer can validate the server then it is possible to mitigate > >many man-in-the-middle attacks against the authentication, > however if > >the peer cannot validate the server then this > >would leave the protocol open to man-in-the-middle attacks. > These TLS > >based methods require a significant number of round trips, > however this > >may not be an issue especially if the emergency authentication is > >terminated locally instead of in a home server. > > > >There were also several questions raised in the working group during > >the discussion that might help in further determining the > best approach. > >These are summarized below: > > > >1) It is not clear what security properties are desirable. Is it > >important for the emergency services network to be > authenticated? Is > >it possible for the peer to have a trust root for emergency services > >network? Is there expected to be an existing profile with a specific > >SSID that needs to be authorized? Is there another use for the > >authenticated identity? > > > >2) What regulatory requirements are driving the need for encryption? > >This creates some conflicts because encryption without > authentication > >does not satisfy most useful security requirements. > > > >3) Will the authentication for emergency services be > terminated locally > >or in a remote network? What is the tolerance for delay > before network > >connectivity is established? > > > >4) PSK was described as having worse DOS resistance > properties that EAP. > >It seems that in many cases EAP would have worse DOS resistance that > >PSK, which cases is EAP better? > > > >5) It seems that most public access networks already provide an open > >access network, why couldn't this network be used for emergency > >communication? > > > >As the 802.11u group is certainly aware, there are other > groups within > >the IETF that are looking at unauthenticated emergency services. In > >particular, the ECRIT group within the IETF has ongoing work in this > >area: > > > >http://tools.ietf.org/html/draft-schulzrinne-ecrit-unauthenti > cated-acce > >s > >s-00 > > > >We encourage IEEE working group members to continue the > discussion with > >the IETF in the EMU and the ECRIT working groups. > _______________________________________________ Emu mailing list Emu@ietf.org https://www1.ietf.org/mailman/listinfo/emu
- [Emu] Revised liaison response for IEEE 802.11u E… Joseph Salowey (jsalowey)
- [Emu] RE: Revised liaison response for IEEE 802.1… Bernard Aboba
- [Emu] RE: Revised liaison response for IEEE 802.1… Joseph Salowey (jsalowey)
- [Emu] RE: Revised liaison response for IEEE 802.1… Joseph Salowey (jsalowey)