IETF Logo Mail Archive

Re: [Emu] Potential Notes in EAP-FAST Documents

"Glen Zorn" <glenzorn@comcast.net> Tue, 03 February 2009 02:57 UTC

Return-Path: <emu-bounces@ietf.org>
X-Original-To: emu-archive@megatron.ietf.org
Delivered-To: ietfarch-emu-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE2B33A6BE4; Mon, 2 Feb 2009 18:57:48 -0800 (PST)
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BF1183A6BDE for <emu@core3.amsl.com>; Mon, 2 Feb 2009 18:57:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.26
X-Spam-Level:
X-Spam-Status: No, score=-2.26 tagged_above=-999 required=5 tests=[AWL=0.339, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id urNeMGxxz-72 for <emu@core3.amsl.com>; Mon, 2 Feb 2009 18:57:46 -0800 (PST)
Received: from QMTA03.westchester.pa.mail.comcast.net (qmta03.westchester.pa.mail.comcast.net [76.96.62.32]) by core3.amsl.com (Postfix) with ESMTP id A70E23A6BDD for <emu@ietf.org>; Mon, 2 Feb 2009 18:57:46 -0800 (PST)
Received: from OMTA13.westchester.pa.mail.comcast.net ([76.96.62.52]) by QMTA03.westchester.pa.mail.comcast.net with comcast id BCw11b03617dt5G53ExTE3; Tue, 03 Feb 2009 02:57:27 +0000
Received: from gwzPC ([124.120.224.111]) by OMTA13.westchester.pa.mail.comcast.net with comcast id BEwq1b00Y2QpjrQ3ZEwzLx; Tue, 03 Feb 2009 02:57:22 +0000
From: Glen Zorn <glenzorn@comcast.net>
To: 'Russ Housley' <housley@vigilsec.com>
References: <20090201204629.D5F093A6974@core3.amsl.com>
In-Reply-To: <20090201204629.D5F093A6974@core3.amsl.com>
Date: Tue, 03 Feb 2009 09:56:46 +0700
Message-ID: <012a01c985ab$210b2490$63216db0$@net>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Content-language: en-us
Thread-Index: AcmEvRAQ0y6B4oIXTimmQwZpaLUAnQA6M8pQ
Cc: iesg@ietf.org, emu@ietf.org
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: emu-bounces@ietf.org
Errors-To: emu-bounces@ietf.org

 
> Dear EMU WG:
> 
> These two documents are in the RFC Editor queue:
> 
>    draft-cam-winget-eap-fast-provisioning-10.txt
>    draft-zhou-emu-fast-gtc-05.txt
> 
> The IESG has received a very late comment about these documents, and
> we seek your input on the proposed resolution.
> 
> The late comment raises a potential interoperability concern with
> existing implementations of EAP-MSCHAPv2 and EAP-GTC.
> 
> The draft-cam-winget-eap-fast-provisioning-10.txt document specifies
> a very specific way to generate the challenges used in EAP-MSCHAPv2
> that provides binding between the EAP-FAST tunnel and the EAP-MSCHAPv2
> exchanges.
> 
> The draft-zhou-emu-fast-gtc-05.txt describes EAP-FAST-GTC, which is
> uses EAP Type 6, originally allocated to EAP-GTC [RFC3748]. EAP-FAST-
> GTC
> employs a subset of the EAP-GTC formatting.
> 
> The IESG recognizes the difficulties caused by re-use of an EAP Type.
> Further, the IESG recognizes the concern about implementations that
> might not easily adapt to additional requirements.  However, the IESG
> also recognizes the significant value in documenting EAP methods that
> are implemented and deployed in the Internet today.
> 
> The IESG believes that the right thing to do in this situation is to
> proceed with the publication of these documents.  However, the IESG
> also
> sees value in warning future EAP method designers about this experience
> so that this pain might be avoided in the future.
> 
> The IESG is considering the additional informative paragraph in the
> IANA
> considerations section of both documents that says:
> 
>     IESG Note: EAP-FAST has been implemented by many vendors and it is
>     used in the Internet.  Publication of this is intended to promote
>     interoperability, even though the use of the EAP-MSCHAPv2 and
>     EAP-FAST-GTC EAP methods might be difficult in some software
>     environments.  If EAP-FAST were to be designed today, these
>     difficulties could be avoided by the assignment of new EAP Type
>     codes.
> 
> Please provide comments on the proposed way forward.

I am strongly opposed to the publication of these documents as RFCs in their
current form.  Not only is the "fast provisioning" for EAP-FAST what can
only be characterized as a security disaster, but EAP-FAST-GTC has nothing
whatsoever to do with the EAP-GTC type.  EAP-GTC was "defined for use with
various Token Card implementations which require user input" but
EAP-FAST-GTC is used solely to transfer a username/password combination, the
password in plaintext.  It's hard to see what this has to do with actual
token cards & appears to be a lazy misuse of an existing type.  Furthermore,
it's even harder to see how rewarding this kind of nonsense with publication
will serve as a warning of any kind; I would expect that the action of
publication (with or without IESG note) would be more likely taken as notice
that one can do whatever one please without fear.

> On behalf of the IESG,
>   Russ
> 
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email