Re: [Emu] [EXTERNAL] Re: More TEAP issues
Eliot Lear <lear@lear.ch> Thu, 01 December 2022 05:41 UTC
Return-Path: <lear@lear.ch>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F264EC13A075; Wed, 30 Nov 2022 21:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.087
X-Spam-Level:
X-Spam-Status: No, score=-7.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0N8Y97kle51g; Wed, 30 Nov 2022 21:41:46 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43D43C13A065; Wed, 30 Nov 2022 21:41:44 -0800 (PST)
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1669873301; bh=KTh4stzqtHt/uhWb8nba515tEaTPT08zNVmz43bTLMM=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=jwzsTYPM4a9wF2F01ZYgYnfgOM9DSmi1yBtcKIS1M6woUOQaVB3vcIZqptDjveSkL udI57vTju50XW63Vv+vbmpdska98ncIrGXvkpR+Pc0oqukuxzdMIeKNu7Bdo8rHoH/ jEsEGdejg0reDZ06SU3kcGoNRDlUIy0nvKQvyvlY=
Received: from [IPV6:2001:420:c0f8:1001::c3] ([IPv6:2001:420:c0f8:1001:0:0:0:c3]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 2B15fe9l360198 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 1 Dec 2022 06:41:40 +0100
Content-Type: multipart/alternative; boundary="------------5SX3esizFzq20Jy3pgh6G8B0"
Message-ID: <a826a4be-c0ae-0e74-473f-5cc3c201d997@lear.ch>
Date: Thu, 01 Dec 2022 06:41:36 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
Content-Language: en-US
To: Joseph Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
Cc: Bruno Pereira Vidal <bruno.vidal=40microsoft.com@dmarc.ietf.org>
References: <449FBD6E-34F7-49A2-A9A1-72BD716E1DDA@deployingradius.com> <b6b1d0d3-18ea-4d2c-9935-5fec335b191b@app.fastmail.com> <20221130183254.GB452842@w1.fi> <MW4PR21MB1923E8AA31416BAF4559CED7FD159@MW4PR21MB1923.namprd21.prod.outlook.com> <CAOgPGoCRxF84D7Fjs-mdMSKwuSmNxejd7brVSTV3ZC2AQvnMqA@mail.gmail.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <CAOgPGoCRxF84D7Fjs-mdMSKwuSmNxejd7brVSTV3ZC2AQvnMqA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/4sybvK6xNVzwAPplgn1Ypvs6UUg>
Subject: Re: [Emu] [EXTERNAL] Re: More TEAP issues
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 05:41:51 -0000
No, but I would ask that we still have an interim to close the errata. Eliot On 01.12.22 06:22, Joseph Salowey wrote: > It sounds like we are gaining consensus to create a revision of TEAP. > The emphasis would be (in priority order): > > * Aligning specification with current implementations > * Clarifying the existing specification > * Adding missing TLVs to make existing use cases work better > > The goal is to get this revision done quickly to prevent further > implementation divergence. Changes will need to go through the > working group process. Errata should be addressed when > relevant portions of the document are updated. > > Does anyone object to this approach? > > Thanks, > > Joe and Peter > > On Wed, Nov 30, 2022 at 12:48 PM Bruno Pereira Vidal > <Bruno.Vidal=40microsoft.com@dmarc.ietf.org> wrote: > > I also think option 3 is the preferred one at this point, given > the interoperable implementations that have already shipped. In > addition to Cisco ISE, the Windows TEAP implementation has also > been validated against Aruba ClearPass. > > The person who implemented the Windows client code is no longer at > Microsoft and, unfortunately, I don't recall why this ended up > being implemented like this. It is likely that it was > inadvertently inherited from EAP-FAST as mentioned below. > > Thanks, > Bruno > > -----Original Message----- > From: Emu <emu-bounces@ietf.org> On Behalf Of Jouni Malinen > Sent: Wednesday, November 30, 2022 10:33 AM > To: Alexander Clouter <alex+ietf@coremem.com > <mailto:alex%2Bietf@coremem.com>> > Cc: EMU WG <emu@ietf.org> > Subject: [EXTERNAL] Re: [Emu] More TEAP issues > > On Wed, Nov 30, 2022 at 03:01:08PM +0000, Alexander Clouter wrote: > > On Tue, 29 Nov 2022, at 22:34, Alan DeKok wrote: > > > Based on interoperability testing, it looks like implementations > > > followed EAP-FAST for derivation of the MS-MPPE keys, and not > RFC 7170: > > > EAP-FAST almost does not document this until you look at a > latter RFC covering the provisioning component: > > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > > rfc-editor.org > <http://rfc-editor.org>%2Frfc%2Frfc5422%23section-3.2.3&data=05%7C01%7CBruno.Vi > > dal%40microsoft.com > <http://40microsoft.com>%7C0e1894aabf524f8c70d708dad30154ed%7C72f988bf86f14 > > > 1af91ab2d7cd011db47%7C1%7C0%7C638054299953760498%7CUnknown%7CTWFpbGZsb > > > 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D% > > > 7C3000%7C%7C%7C&sdata=PqpDLwSPz0sh%2BsSlXadTZCAWI2835mdqgZvR2jN1Vgw%3D > > &reserved=0 > > And that section has a history of its own.. If you take a look at > the latest draft (-10), that language is not there, i.e., it got > added quite late in the process and the related discussions were > not exactly considering this positively. If I remember correctly, > this mismatch with how EAP-MSCHAPv2 was defined was seen as > something that should not really have been done and the > EAP-FAST-MSCHAPv2 was named such to be distinguished from > EAP-MSCHAPv2 and also as a reminder not to use this variant for > anything else than EAP-FAST (which had already been deployed with > it). Nevertheless, here we are 15 years later hitting this exact > same thing with TEAP having been deployed with the design that was > not supposed to be repeated.. > > > Really easy to miss for an implementer, especially as when you > start implementing FAST (or TEAP) you begin with authentication > and think you can ignore the PAC component at first. > > While I started working on TEAP implementation by copying FAST > implementation to be the starting point, one of my first steps was > to try to remove all the hacks needed to get EAP-FAST > interoperable since I was familiar with the history.. But yes, it > would be next to impossible to implement either EAP-FAST or > EAP-TEAP based on just the RFCs and get to something that > interoperates with anything already deployed. > > > The other biggy is that it is easy to miss that for each EAP > method in a sequence, you need to include an EAP Identity response > along with the Identity-Type TLV to the peer. > > And that will hopefully not include another instance of > Crypto-Binding for the EAP-Identity exchange. This is related to > one of my errata comments on EAP method vs. EAP authentication > method (the latter needs crypto binding; the former probably does > not, but RFC 7170 is not clear). > > > > 3) declare 7170 irretrievably broken, and write 7170bis which > > > documents how TEAP version 1 operates in practice. > > > > This is my preference too. > > While this might not result in the cleanest protocol design, I'd > agree that this is likely the best approach from the view point of > getting something useful out there and into wider use. > > > Regarding a separate comment about new TLVs (and new functionality > in general, I'd guess), I have no significant issues including > that in a new RFC, but I do hope that the initial focus would be > in addressing the existing areas and already identified issues to > get to a point where there is a clearly identifiable > Internet-Draft describing how one can successfully implement > EAP-TEAP in a manner that interoperates with deployed implementations. > > -- > Jouni Malinen PGP id > EFC895FA > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Femu&data=05%7C01%7CBruno.Vidal%40microsoft.com%7C0e1894aabf524f8c70d708dad30154ed%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638054299953760498%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pz4lgBHc0Y37IWf6EJ5Dr%2BaR7COUYesNVhomKHmNrIs%3D&reserved=0 > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Femu&data=05%7C01%7CBruno.Vidal%40microsoft.com%7C0e1894aabf524f8c70d708dad30154ed%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638054299953760498%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pz4lgBHc0Y37IWf6EJ5Dr%2BaR7COUYesNVhomKHmNrIs%3D&reserved=0> > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu > > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu
- [Emu] More TEAP issues Alan DeKok
- Re: [Emu] More TEAP issues Joseph Salowey
- Re: [Emu] More TEAP issues Eliot Lear
- Re: [Emu] More TEAP issues Alan DeKok
- Re: [Emu] More TEAP issues Alexander Clouter
- Re: [Emu] More TEAP issues Jouni Malinen
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Bruno Pereira Vidal
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Joseph Salowey
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Eliot Lear
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Alan DeKok
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Alexander Clouter
- Re: [Emu] [EXTERNAL] Re: More TEAP issues Peter Yee
- Re: [Emu] More TEAP issues Owen Friel (ofriel)
- Re: [Emu] More TEAP issues Alan DeKok