Re: [Emu] draft-ietf-emu-eap-tls13-16.txt

Alan DeKok <> Mon, 14 June 2021 00:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8E4853A168B for <>; Sun, 13 Jun 2021 17:21:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3JZqk2ltpnwP for <>; Sun, 13 Jun 2021 17:21:42 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 43A723A168A for <>; Sun, 13 Jun 2021 17:21:41 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id EA513389; Mon, 14 Jun 2021 00:21:38 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none)
From: Alan DeKok <>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Sun, 13 Jun 2021 20:21:37 -0400
References: <> <> <> <> <> <>
To: Joseph Salowey <>, EMU WG <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [Emu] draft-ietf-emu-eap-tls13-16.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Jun 2021 00:21:47 -0000

On Jun 13, 2021, at 7:49 PM, Joseph Salowey <> wrote:
> [Joe]  The existing text already refers to relying on the underlying TLS version negotiation.  

  Yes.  I was trying to address the confusion between version negotiation and other handshake negotiation.

> [Joe]  I don't see a problem with covering new TLS handshake messages in the document, however they are covered somewhat inconsistently.  Perhaps we should cover them all in a "new handshake messages section". 

  My point was that if the EAP layer doesn't need to do anything with those new handshake messages, then there isn't a need to mention them in the specification.

> TLS 1.3 introduces several new handshake messages including HelloRetryRequest, NewSessionTicket, KeyUpdate.  In general, these messages will be handled by the underlying TLS libraries and are not visible to EAP-TLS, however there are a few things to note.  
> The HelloRetryRequest is used by the server to reject the parameters offered in the ClientHello and suggest new parameters.  When this message is encountered it will increase the number of round trips used by the protocol.  

  If that's the only change, then I would suggest there's no need for a section dedicated to HelloRetryRequest.  Perhaps just saying "there are a number of new messages in TLS 1.3 which affect round trips, but the EAP layer doesn't have to do anything other than exchange more TLS messages".

> [Joe]  OK how about adding:
> "An example of limiting network access would be to invoke a vendor's walled garden or quarantine network functionality."

  Sounds good.

> >>   I don't understand why it's necessary to include discussion of TLS negotiation in EAP, when that negotiation does not affect EAP in any way.
> > See above.
>   In short: TLS version negotiation does affect EAP-TLS.  HelloRetryRequest messages do not.
> [Joe] The EAP TLS layer needs to know which TLS version was negotiated.  HelloRetryRequests affect the number of round trips in the exchange, but are opaque with respect to EAP-TLS.

  Yes.  I was confused at Section 2.1.6. which essentially says "HelloRetryRequest is a new TLS message, here's a diagram of using it with EAP-TLS".   As an implementor, the immediate question is "What do I *do* with this message?"  and the answer is essentially "nothing".

  Pretty much every other section in the document says "this is new in TLS 1.3, and here's how to handle it".

> [Joe]  HelloRetryRequest is a feature of the underlying TLS library so the RFC8446 Should determine the underlying behavior, specifying a different behavior is problematic. 


> >>   The updated text is clearer, but still does not address some of the questions raised below about calling this out as a new requirement from 5216, and what happens in an HA environment.
> > Please let us know a good reference to "implementation and 
> > interoperability experience." about the upper limit on EAP packet 
> > exchanges. This would also be useful for draft-ietf-emu-eaptlscert.
>   I posted references on this list previously:
> [Joe] I think this is the wrong link.  

  Yes.  The new mail archive interface is substantially worse than the older "mailman" interface.  It's difficult to follow threads, quickly search by dates, etc.

  In any case, this is the previous message:

> >>> Requiring a supplicant to be configured with a peer name is a new requirement from RFC 5216, and isn't called out as such.
> > I agree with you that we could benefit from more clarification on 
> > relationship between section 2.2 and 5.2 of this draft vs. the old RFC 
> > 5216. Do you have a suggestion how best to split the text and reflect 
> > the updates to RFC5216?
>   Updating 2.2 with a note after the text on page 18 seems best:
> While this requirement to verify domain names is new, and was not mentioned in [RFC5216], it has been widely implemented in EAP peers.  As such, we believe that this section contains minimal new interoperability or implementation requirements on EAP peers.
> [Joe] This does not seem to add to the specification. 

  I agree that text doesn't add any new requirements to the specification.  However, it's useful to make a note for implementors that while Section 2.2. is officially a new requirement in theory, there is little to do in practice, because implementations already meet these requirements.  There has been similar text in many other specifications.

  Alan DeKok.