IETF Logo Mail Archive

Re: [Emu] Provisioning, configuration, etc. and EAP

Oleg Pekar <oleg.pekar.2017@gmail.com> Fri, 25 March 2022 19:18 UTC

Return-Path: <oleg.pekar.2017@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC9B13A1588 for <emu@ietfa.amsl.com>; Fri, 25 Mar 2022 12:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.857
X-Spam-Level:
X-Spam-Status: No, score=-6.857 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YcehTORMhMx for <emu@ietfa.amsl.com>; Fri, 25 Mar 2022 12:18:53 -0700 (PDT)
Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D9F63A0925 for <emu@ietf.org>; Fri, 25 Mar 2022 12:18:53 -0700 (PDT)
Received: by mail-pg1-x52a.google.com with SMTP id t14so7188535pgr.3 for <emu@ietf.org>; Fri, 25 Mar 2022 12:18:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NV7kW6+2aB2MCd6Csq/Yx9AzZ/X8hV4A0PVWsvjN0TA=; b=eroIpk2HlFX0Ih6kcAWCP7NShlrj4cTr/Y3z9psUC1GaDfCyf8AW8YOnuYEumuaJRA Yt9N2hJ9jXkL2RAwVvKJMOpW3vUXEAKjop75kJIpDPydfhcvEv/WwlKbv4ceESJAzxU+ 87qmXo8Q5LNeSp8JyB9eiHJ/UA+pg4+ZhbvhnpBCuKQmXoWU4eQJCnHJbfrBJFG0COQd fmDHQ/OQdiig2EE8BzEGIcOu9SMIwCecNWJx2UEu3e9Dzo2aaNVi2ZY77wjp3iovKoAo hjIssCgq9qe20JWre0l5F5wcCQs2vuSgtdgAa/8IpuwbKletOZ8roFqYJxzM8p3ftmxC QhVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NV7kW6+2aB2MCd6Csq/Yx9AzZ/X8hV4A0PVWsvjN0TA=; b=LN3naReVFDi+dTmv09o3nXZsWZUmHCOPnP2C71Cu6frZR0NnZEzrzgmztxC9miey9f +kaR5XdD9P9UitNFAWvhAziEP0sVKNFafiwejDy52z8Rs2nWzW7d0fTHBF3EQDTFHeOD f/KACMGNQFsr6vM4HPx/tioFOmTac3nFskrQ7Dg8VPi94+xltkJ3QUtmDkbvNGHaJrjd 0A3pqu/dq8U5rzx7PJ+Lg+vb6bdA2Yu13vMthS1MWCGN4rw/vprDcKM2AaND1JQ6CN8u fsWKp7iA4E5kjtyV3Jkx3h7tQNQZ8GXznQ5ldvFSPpfav3uCGKi0isV22x2WCFjAjn2E n4uQ==
X-Gm-Message-State: AOAM532ma+czDPTtJHlpXwwC3hiHTDvE2nrECpR0FqnwDaa0U68MYzVY bIeznNC+g6hJNplyJUy+jKgy7Fpn8vXwYmOvIUB1lNOiJuf+uCpz
X-Google-Smtp-Source: ABdhPJyqtJXq2C1dWg5+wQvRjAmBfjplMsIUU56ueYFyxMW76MmSnttdfMF+lK5aoViZfd4VwSc8n4m1aOyFBunTnL0=
X-Received: by 2002:a05:6a00:1490:b0:4fb:1544:bc60 with SMTP id v16-20020a056a00149000b004fb1544bc60mr4230507pfu.73.1648235932227; Fri, 25 Mar 2022 12:18:52 -0700 (PDT)
MIME-Version: 1.0
References: <8C03CE4A-B987-4962-9AA3-5DF8FB32ECB5@deployingradius.com>
In-Reply-To: <8C03CE4A-B987-4962-9AA3-5DF8FB32ECB5@deployingradius.com>
From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Fri, 25 Mar 2022 22:18:40 +0300
Message-ID: <CABXxEz8scU=JEeLjftj3_LWt8Qf4Z0dDmQ+hLe6A47HL4KVitQ@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003f1c5a05db0fd5be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/88BnPx0fICCGD4L6D56RvIk7PFQ>
Subject: Re: [Emu] Provisioning, configuration, etc. and EAP
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 19:18:58 -0000

>When this configuration process fails or does not work, there is typically
no way to inform the user or administrator as to what went wrong.  Which
makes it essentially impossible to debug configuration and compatibility
issues.
[Oleg] If the configuration process is conducted by a centralized system
(connected to EAP authentication server) then each step of configuring a
specific supplicant can be tracked on the system, inducing the final
result. So the admin can see it and undertake some recovery action. What
are the example scenarios where such tracking is impossible?

>However, the benefit of this approach is that the provisioning system
becomes infinitely flexible.  It can use any existing internet protocol.
It can download any amount of data.
[Oleg] There are existing configuration and provisioning methods that
require the supplicant to connect to a quarantine network and get the IP
layer this way, then the provisioning software or manual user actions do
the configuration. But this method is usually proprietary per network
access control system and is pretty complicated. We can standardize this
method: create a configuration and provisioning protocol over IP (not EAP)
that will be supported by supplicants and network access control systems
and all they need to do before is to accept the supplicant on the
quarantine network.

On Fri, Mar 25, 2022 at 9:37 PM Alan DeKok <aland@deployingradius.com>
wrote:

>   There has been a push to perform provisioning and/or configuration over
> EAP.  e.g. TEAP, NOOB, and various other proposals.  There are both costs
> and benefits to this approach.
>
>   The benefits are that admins can configure end-user systems with minimal
> effort.  "Download things over EAP" is simply to explain, and simple to
> administer.  When it works, it's great.  No one has to deploy additional
> systems, or do additional configuration.  Just poke the authentication
> servers, and they will configure the clients / supplicants.
>
>   However, there are multiple standards for doing provisioning over EAP,
> and more are proposed.  This would seem to indicate that the solutions are
> designed for specific needs, and that there is no over-arching design
> theory, requirements, or process.
>
>
>   On top of that issue, the costs of using EAP are non-zero, and the
> failure modes are significant.
>
>   When this configuration process fails or does not work, there is
> typically no way to inform the user or administrator as to what went
> wrong.  Which makes it essentially impossible to debug configuration and
> compatibility issues.
>
>   EAP implementations are limited to exchanging ~64K of data before
> supplicant and/or server gives up.  If there is a need to exchange more
> data than this, it's impossible.  Configuration data tends to grow over
> time, because of a tendency to just use the existing system, even though it
> isn't really intended for that use.  People tend to (ab)use existing
> systems in surprising ways, too.
>
>   As Bernard noted in the meeting, RFC 3748 Section 1.3 says that EAP is
> not a general transport protocol:
>
>    EAP was designed for use in network access authentication, where IP
>    layer connectivity may not be available.  Use of EAP for other
>    purposes, such as bulk data transport, is NOT RECOMMENDED.
>
>    Since EAP does not require IP connectivity, it provides just enough
>    support for the reliable transport of authentication protocols, and
>    no more.
>
>
>     I've been pushing for provisioning via standard internet protocols.
>  RFC 9190 Section 5.6 explicitly provides for unauthenticated EAP-TLS,
> where the client may not even verify the servers certificate.  This
> practice has not been widely used.  IIRC, either the WiFi alliance or the
> WBA defines unauthenticated EAP-TLS for provisioning, but uses a
> vendor-specific EAP type.  It's not clear why EAP-TLS was insufficient here.
>
>   This method also has a cost.  Administrators now have to set up
> additional services in order to do provisioning.  This may not always be
> possible.  As Eliot pointed out, there are also security issues with
> exposing additional servers (EST, etc.) to unauthenticated users.
>
>   However, the benefit of this approach is that the provisioning system
> becomes infinitely flexible.  It can use any existing internet protocol.
> It can download any amount of data.
>
>   I think it's useful to take a step back, and discuss the requirements.
> There are many users of EAP, and each are creating solutions largely in a
> vacuum.  It would be helpful to get a good description of the problem
> statements, as it relates to EAP.
>
>   I would split this up into:
>
> bootstrapping - starting from nothing, or almost nothing, how does a
> device get on the network, and get a minimal configuration enabled?
>
> provisioning - how does a device with some existing network access /
> configuration get onto a new network, perhaps with a new identity?
>
> reconfiguration - how does a device with an existing configuration update
> it?  When / where / why / how?
>
>   I'm sure that there are good reasons for using EAP here.  But I can't
> help but wonder if there's a better way that 3-4 different methods which
> all layer on top of EAP.
>
>   Alan DeKok.
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email