Re: [Emu] [EXTERNAL] Re: More TEAP issues
Joseph Salowey <joe@salowey.net> Thu, 01 December 2022 05:23 UTC
Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11197C13A077 for <emu@ietfa.amsl.com>; Wed, 30 Nov 2022 21:23:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfegxK3L6JPn for <emu@ietfa.amsl.com>; Wed, 30 Nov 2022 21:23:00 -0800 (PST)
Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7125DC13A073 for <emu@ietf.org>; Wed, 30 Nov 2022 21:23:00 -0800 (PST)
Received: by mail-il1-x132.google.com with SMTP id m15so334031ilq.2 for <emu@ietf.org>; Wed, 30 Nov 2022 21:23:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=zGGG12KqSA93UHvSCRtHpR/SJTBf+KrJGoeLatA5y28=; b=5jox6yL9L1RrJVw4BbKIiEslsq3HKf3A33wcbRxwNkOalSh4la4/xecl5YYId7CLw0 +BuHQLJmc3mLqFbzGIjCtZlf7hhCj449ou3CLtRjvEJwxVFhOPO6AuqCJjNWPnXLzvLS /ApUMJAqlOUowuYFlf+CVq5Eck+Gm34UHHgnRfTRlrY1HqLW46rENYSScEDHOnwPQQf7 nwFS5/LIZ9oyJUjrPyBwrB+IakWo/8fJayfU6jnNxBI/RdE5NIin3FbIKFkbv6QmjvTb hodxUoJMqneHYF2/PocjkN82kvzHRywLFa/KxhzVLmznAAWfoh8otQfYfxYjLlSXNFFy zwmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zGGG12KqSA93UHvSCRtHpR/SJTBf+KrJGoeLatA5y28=; b=Vhi0/lbtASo8IDkq1TijCIbTVklEeB7uwSZm18AZtERSCT1hIcZiH15QHTOpHn7n4s bat+7lV2t2d+vl3joBaiBy7HxV1sxxpWib7ZM9BHu3bZZU7fGugyKbf76pkr8+qvfy2m /yrXIbGaZg8wVxUlQKrp+dxIrqNKybOW71JsaUIwaf+3aBtZok9i0oOGgowLcfXnRaVq uTyg8LfA66eoJKSxcTSPCqlf6s6GddtvIyszXBMKYGYDeYmhLpW3AzwThUMjkuTFY7Rd RyqmDym5TxU19iDuK9KDDrwvXnezs73qZeRqloSrsQfWwfzsJc2UssJchre9DWTmgtGq YGMQ==
X-Gm-Message-State: ANoB5pkxZqKQjzTlz3TcRwVmLsq/XH+fEMpbW1DoldRBKX4uCWEVzobF GSrVPk41B0suAcPmu6hVS+Uz0sNmSEYxBErq9CDnqfNUKvn6+A==
X-Google-Smtp-Source: AA0mqf4GZsmdCwvZ6yH6H1E2HEUtslIuiEXRxcy+Gp9ng6wcvMIGFkvOejUlGjXwiWaZIgIcjpOAMrnUG3HOsRSuY3g=
X-Received: by 2002:a92:cb46:0:b0:302:dd2d:1f5d with SMTP id f6-20020a92cb46000000b00302dd2d1f5dmr19674006ilq.108.1669872179113; Wed, 30 Nov 2022 21:22:59 -0800 (PST)
MIME-Version: 1.0
References: <449FBD6E-34F7-49A2-A9A1-72BD716E1DDA@deployingradius.com> <b6b1d0d3-18ea-4d2c-9935-5fec335b191b@app.fastmail.com> <20221130183254.GB452842@w1.fi> <MW4PR21MB1923E8AA31416BAF4559CED7FD159@MW4PR21MB1923.namprd21.prod.outlook.com>
In-Reply-To: <MW4PR21MB1923E8AA31416BAF4559CED7FD159@MW4PR21MB1923.namprd21.prod.outlook.com>
From: Joseph Salowey <joe@salowey.net>
Date: Wed, 30 Nov 2022 21:22:47 -0800
Message-ID: <CAOgPGoCRxF84D7Fjs-mdMSKwuSmNxejd7brVSTV3ZC2AQvnMqA@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Cc: Jouni Malinen <j@w1.fi>, Bruno Pereira Vidal <bruno.vidal=40microsoft.com@dmarc.ietf.org>, Alexander Clouter <alex+ietf@coremem.com>
Content-Type: multipart/alternative; boundary="0000000000000e8aa205eebd6a40"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/42sxy7xmH4LgMIgQzmRMH9DcHCc>
Subject: Re: [Emu] [EXTERNAL] Re: More TEAP issues
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 05:23:05 -0000
It sounds like we are gaining consensus to create a revision of TEAP. The emphasis would be (in priority order): - Aligning specification with current implementations - Clarifying the existing specification - Adding missing TLVs to make existing use cases work better The goal is to get this revision done quickly to prevent further implementation divergence. Changes will need to go through the working group process. Errata should be addressed when relevant portions of the document are updated. Does anyone object to this approach? Thanks, Joe and Peter On Wed, Nov 30, 2022 at 12:48 PM Bruno Pereira Vidal <Bruno.Vidal= 40microsoft.com@dmarc.ietf.org> wrote: > I also think option 3 is the preferred one at this point, given the > interoperable implementations that have already shipped. In addition to > Cisco ISE, the Windows TEAP implementation has also been validated against > Aruba ClearPass. > > The person who implemented the Windows client code is no longer at > Microsoft and, unfortunately, I don't recall why this ended up being > implemented like this. It is likely that it was inadvertently inherited > from EAP-FAST as mentioned below. > > Thanks, > Bruno > > -----Original Message----- > From: Emu <emu-bounces@ietf.org> On Behalf Of Jouni Malinen > Sent: Wednesday, November 30, 2022 10:33 AM > To: Alexander Clouter <alex+ietf@coremem.com> > Cc: EMU WG <emu@ietf.org> > Subject: [EXTERNAL] Re: [Emu] More TEAP issues > > On Wed, Nov 30, 2022 at 03:01:08PM +0000, Alexander Clouter wrote: > > On Tue, 29 Nov 2022, at 22:34, Alan DeKok wrote: > > > Based on interoperability testing, it looks like implementations > > > followed EAP-FAST for derivation of the MS-MPPE keys, and not RFC 7170: > > > EAP-FAST almost does not document this until you look at a latter RFC > covering the provisioning component: > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > > rfc-editor.org%2Frfc%2Frfc5422%23section-3.2.3&data=05%7C01%7CBruno.Vi > > dal%40microsoft.com%7C0e1894aabf524f8c70d708dad30154ed%7C72f988bf86f14 > > 1af91ab2d7cd011db47%7C1%7C0%7C638054299953760498%7CUnknown%7CTWFpbGZsb > > 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D% > > 7C3000%7C%7C%7C&sdata=PqpDLwSPz0sh%2BsSlXadTZCAWI2835mdqgZvR2jN1Vgw%3D > > &reserved=0 > > And that section has a history of its own.. If you take a look at the > latest draft (-10), that language is not there, i.e., it got added quite > late in the process and the related discussions were not exactly > considering this positively. If I remember correctly, this mismatch with > how EAP-MSCHAPv2 was defined was seen as something that should not really > have been done and the EAP-FAST-MSCHAPv2 was named such to be distinguished > from EAP-MSCHAPv2 and also as a reminder not to use this variant for > anything else than EAP-FAST (which had already been deployed with it). > Nevertheless, here we are 15 years later hitting this exact same thing with > TEAP having been deployed with the design that was not supposed to be > repeated.. > > > Really easy to miss for an implementer, especially as when you start > implementing FAST (or TEAP) you begin with authentication and think you can > ignore the PAC component at first. > > While I started working on TEAP implementation by copying FAST > implementation to be the starting point, one of my first steps was to try > to remove all the hacks needed to get EAP-FAST interoperable since I was > familiar with the history.. But yes, it would be next to impossible to > implement either EAP-FAST or EAP-TEAP based on just the RFCs and get to > something that interoperates with anything already deployed. > > > The other biggy is that it is easy to miss that for each EAP method in a > sequence, you need to include an EAP Identity response along with the > Identity-Type TLV to the peer. > > And that will hopefully not include another instance of Crypto-Binding for > the EAP-Identity exchange. This is related to one of my errata comments on > EAP method vs. EAP authentication method (the latter needs crypto binding; > the former probably does not, but RFC 7170 is not clear). > > > > 3) declare 7170 irretrievably broken, and write 7170bis which > > > documents how TEAP version 1 operates in practice. > > > > This is my preference too. > > While this might not result in the cleanest protocol design, I'd agree > that this is likely the best approach from the view point of getting > something useful out there and into wider use. > > > Regarding a separate comment about new TLVs (and new functionality in > general, I'd guess), I have no significant issues including that in a new > RFC, but I do hope that the initial focus would be in addressing the > existing areas and already identified issues to get to a point where there > is a clearly identifiable Internet-Draft describing how one can > successfully implement EAP-TEAP in a manner that interoperates with > deployed implementations. > > -- > Jouni Malinen PGP id EFC895FA > > _______________________________________________ > Emu mailing list > Emu@ietf.org > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Femu&data=05%7C01%7CBruno.Vidal%40microsoft.com%7C0e1894aabf524f8c70d708dad30154ed%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638054299953760498%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pz4lgBHc0Y37IWf6EJ5Dr%2BaR7COUYesNVhomKHmNrIs%3D&reserved=0 > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu >
- [Emu] More TEAP issues Alan DeKok
- Re: [Emu] More TEAP issues Joseph Salowey
- Re: [Emu] More TEAP issues Eliot Lear
- Re: [Emu] More TEAP issues Alan DeKok
- Re: [Emu] More TEAP issues Alexander Clouter
- Re: [Emu] More TEAP issues Jouni Malinen
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Bruno Pereira Vidal
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Joseph Salowey
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Eliot Lear
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Alan DeKok
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Alexander Clouter
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Peter Yee
- Re: [Emu] More TEAP issues Owen Friel (ofriel)
- Re: [Emu] More TEAP issues Alan DeKok