IETF Logo Mail Archive

Re: [Emu] Adoption call for eap.arpa

Alan DeKok <aland@deployingradius.com> Fri, 22 March 2024 00:50 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84BDAC14F5F7 for <emu@ietfa.amsl.com>; Thu, 21 Mar 2024 17:50:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LC5_pvxR7Ldy for <emu@ietfa.amsl.com>; Thu, 21 Mar 2024 17:50:50 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AFC7C14F6B8 for <emu@ietf.org>; Thu, 21 Mar 2024 17:50:48 -0700 (PDT)
Received: from smtpclient.apple (dhcp-918a.meeting.ietf.org [31.133.145.138]) by mail.networkradius.com (Postfix) with ESMTPSA id C94F72F1; Fri, 22 Mar 2024 00:50:44 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <6752380a-0155-4ba4-9aee-107162538a4b@iki.fi>
Date: Fri, 22 Mar 2024 10:50:41 +1000
Cc: Peter Yee <peter@akayla.com>, "emu@ietf.org" <emu@ietf.org>, hvn@radiatorsoftware.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <06836614-D52C-4CC4-B26C-1D66BC049C55@deployingradius.com>
References: <F1FD786F-D0B1-494B-B384-95BBB4B7790B@akayla.com> <6752380a-0155-4ba4-9aee-107162538a4b@iki.fi>
To: Mohit Sethi <mohit@iki.fi>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/9ciI7QrFgeC_FQROD0V9dt3zPvs>
Subject: Re: [Emu] Adoption call for eap.arpa
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 00:50:55 -0000

On Mar 21, 2024, at 11:30 PM, Mohit Sethi <mohit@iki.fi> wrote:
> 
> I would like to support the adoption of the document with two caveats based on my deployment experience thus far. Obviously, Alan and Heikki have much more expertise and experience than me but just providing a data point:
> 
> 1. Instead of servers deciding the EAP method based on the username part of the NAI, the EAP method could be decided based on the sub domain under eap.arpa in the realm portion of the NAI. Thus a peer wanting to be provisioned would use provisioning@noob.eap.arpa or provisioning@tls.eap.arpa depending on whether it supports: EAP-NOOB or EAP-TLS for provisioning. Leaving the username semantics to individual provisioning drafts (example: draft-ietf-emu-bootstrapped-tls) might be beneficial in the long run as explained below.

  That's a good idea.  My once concern is if IANA / IAB would allow for a separate sub-registry for the subdomains, and allow EMU to control that registry.

> The username part will likely be needed to distinguish, for example, initial certificate enrollment during provisioning (NAI provisioning@teap.eap.arpa) from later certificate renewal during re-provisioning (NAI re-provisioning@teap.eap.arpa). I assume the certificates issued will have a limited lifetime and need to be renewed. There are other good reasons where the username part is used to indicate the provisioning state. For example, if provisioning a certificate and a password, the peer may use different username in the NAI: phase1@teap.eap.arpa for provisioning the certificate and phase2@teap.eap.arpa for provisioning the password. There have been proposals in the past about provisioning different types of credentials: https://datatracker.ietf.org/doc/draft-pala-tian-eap-creds-spp/

  I think this is a good idea.

> There are other legitimate reasons for avoiding such limitation. For example, a network owner wants to outsource the provisioning of a new device to the device vendor. Such scenarios were briefly discussed a while back: https://datatracker.ietf.org/doc/html/draft-st-t2trg-nw-access-01 and there was support from Hannes Tschofenig and others. It was later covered in the media as well so I presume there was some interest: https://www.theregister.com/2018/07/25/internet_draft_iot_security/.
> 
> Finally, there are situations where the device vendor installs the device at the customer site and uses the the customer network for Internet-connectivity but is still responsible for the device provisioning, lifecycle management, services, maintenance, etc. For example, a bunch of elevators installed at customer premises using customer network for sending back maintenance requests. Here again, the customer intentionally wants the device to be provisioned and managed by a remote vendor server.

  It would be useful to allow some local self-allocation for this case.  So that a site can see requests in the eap.arpa domain, and associate them with a remote vendor that it has a relationship with.

  Perhaps subdomains?  e.g. "provisioning@vendor.teap.eap.arpa".  I'll have to think about that some more.

> I don't think all these scenarios need to be described in this draft. Just removing the limitation is sufficient. My pull request already includes such a change, should this amenable to Alan and others in the working group: https://github.com/FreeRADIUS/eap-arpa/pull/1

  I would lean towards explaining the common use-cases in this document.  Otherwise I'm worried that it either won't meet peoples needs, or people will get it wrong.

> If the working group finds these requests amenable and my pull requests are useful, I'd also volunteer to co-author and help drive
> this document to the RFC editor queue.

  I'll take a look.

> Also, at some later point, if volunteers are needed for the IANA expert registry or something else, I'd be available.
> 
> --Mohit
> 
> PS: There was also an issue that the current draft recommends Expert Review for assignment of new values but then also expects RFCs: "The intention is that any non-prefix allocation will be accompanied by a published RFC.". I think it will be beneficial to have "Specification Required". Note "Expert Review" and "RFC Required" are separate things in RFC 8126.

  Agreed.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email