IETF Logo Mail Archive

Re: [Emu] EAP and Fragmentation

slon v sobstvennom palto <slonvpalto@gmail.com> Thu, 14 February 2019 13:27 UTC

Return-Path: <slonvpalto@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AF1713106D for <emu@ietfa.amsl.com>; Thu, 14 Feb 2019 05:27:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ooPTd1is0gQ3 for <emu@ietfa.amsl.com>; Thu, 14 Feb 2019 05:27:35 -0800 (PST)
Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B16F5128CB7 for <emu@ietf.org>; Thu, 14 Feb 2019 05:27:34 -0800 (PST)
Received: by mail-vs1-xe2d.google.com with SMTP id z18so3609042vso.7 for <emu@ietf.org>; Thu, 14 Feb 2019 05:27:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=c8yKHPaC0Qa9LF9WdBFQWi6FFAyeIgkBAJqrjYV9Lrs=; b=VJGFO5RlO4fdK29u0JmVDKAzwvk/Ku9KPgx6YLrMf12AtFP2s8I9d5D9VND26XHKxU 3QcfPitKQ4S9kkPtbB9PJEx+sVY377zXutkagx1FujxZQd8DXeJrSLfvCMm4/Ttvdye9 DB1iz0lRdus30figDtz4MsJeSSEe83pMQH5942DxaGf0fOFlQT+h2tQAIlsrUF+a5Fcw LbH6+oYVX2ZrTUhSb7dlBfzWeJVoej7y5HFhuMxOx5j4cvbS3zBiiZ8DGx8w888JTqVJ sl6LTsG06XSXXkI9mk684Dra7PLSzgmVszuvwYGlnuOB7UQ6MMTF1fHRckxo3q92r1mB LoQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=c8yKHPaC0Qa9LF9WdBFQWi6FFAyeIgkBAJqrjYV9Lrs=; b=BbMwvpu0nSxwgS44BgXBUrI2B/vFbdmaVwGaYN1yfe/kz2tzu0bz8aGprtdLRLeuUt 3yHQq/wWmPMifOzZRKGvG2/Yvsf8ECHyVXtUW//RLSe+rZC2n4edVs/M/VnAgdBn7ZrQ 6ghidiWPH//YlNGQ5JrX6X27o1elfZlgRJF5Zm0FQC8q1lbMODWABXlnUUjoa5l85w8j Vztpg3CT+eY8wwGoPtNd5i1nZjalkiTH/WJqlcfovIi2UlsO5ORpuGxPjPuwxfoXc5HJ lECMvf+CHQg6w1pYcUY77yapSV2mq6ipF9sLdKeukLbGZqVgpq9rviv9T5o3ggtzGipi rT7g==
X-Gm-Message-State: AHQUAubhERGV/K4Vo21gXFu5gx+TJMv4UdghpgAFtndvQzJOBdcNcT6Q E6gIB6CRVdgHaEHUNnqplFhmtVQBosp1ORGzOE4=
X-Google-Smtp-Source: AHgI3IbDj3hkRxjC26U2dKhTl1S+k+6mrwhc/MO84xLrsRIaOPkAwCnWCX/fGq7PcgqwMfbJtTCYEwxSu7yF+EHblJc=
X-Received: by 2002:a67:fdd0:: with SMTP id l16mr1820999vsq.103.1550150853508; Thu, 14 Feb 2019 05:27:33 -0800 (PST)
MIME-Version: 1.0
References: <f7548f45-e9ed-3c96-fd55-d87006c5ce70@openca.org> <b5a2a434-b631-6edc-840d-0b3b9b78f27e@ericsson.com>
In-Reply-To: <b5a2a434-b631-6edc-840d-0b3b9b78f27e@ericsson.com>
From: slon v sobstvennom palto <slonvpalto@gmail.com>
Date: Thu, 14 Feb 2019 15:27:22 +0200
Message-ID: <CABe6AHgnOJUoNuLsD6oJUZMg4q2c3aa+PpM=6s24xE4gugtt9w@mail.gmail.com>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>
Cc: "Dr. Pala" <director@openca.org>, EMU WG <emu@ietf.org>
Content-Type: multipart/related; boundary="000000000000f95ce50581da9e4c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/AtemcVU5vMB4yNHO14XqTqZC0Uw>
Subject: Re: [Emu] EAP and Fragmentation
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 13:27:37 -0000

Hi all,
These are my first steps in this group so please correct me if I don't
follow the rules.

Per my experience the existing fragmentation method described in EAP-TLS
RFC 5216 serves good for all fragmentation needs. The method is reused by
PEAP, EAP-FAST, TEAP and EAP-TTLS. There's an ambiguity in EAP-TLS RFC that
doesn't specify whether a not-fragmented message should have the L bit and
the 4 octets length field so different peers treat it differently. However,
for example, EAP-TTLS RFC closed it tightly saying that even a
single-fragment message should have it nevertheless on its redundancy.

~Oleg

On Thu, Feb 14, 2019 at 1:54 PM Mohit Sethi M <mohit.m.sethi@ericsson.com>
wrote:

> Dear Dr. Pala,
> On 2/12/19 7:36 PM, Dr. Pala wrote:
>
> Hi all,
>
> I am working on a draft for credentials management via EAP. When looking
> at the different specifications, it seems a bit weird that EAP does not
> provide Fragmentation control and requires each method to define their own
> way.
>
> *This, led me to my first question:* is there a de-facto "standard" way
> to add Fragmentation support we can just use (without having to re-invent
> the wheel all the time) ? If we had such a mechanism, then we could just
> say "implement the mechanism as defined in ... ". This would definitely
> help developers that could safely re-use code/libraries. The other approach
> would be to modify EAP to add Fragmentation support there. The main reason
> to have a standard behavior is to have also better management for ack and
> nak packets. As far as the solution goes, the main ones I looked at are the
> ones mentioned in EAP-TTLS and EAP-TEAP. They are both practically the
> same, active ACK-based - are there other methods that have been implemented
> ? Has anybody ever looked at how fragmentation is handled in practice and
> if there are better solutions than others ?
>
> No hat: I think having a standard mechanism for supporting large messages
> and fragmentation independently of any particular EAP method would
> definitely be something useful. As you said, it would allow developers to
> safely re-use code. If you have a draft proposal, I would be happy to
> review it. Perhaps we could start by looking at existing mechanisms used by
> EAP-Pwd/EAP-TTLS.
>
> --Mohit
>
> *Further thinking let me to my second question:* the method we are going
> to propose requires some form of authentication for the server, therefore I
> can see its use mainly as a tunneled method where the communication with
> the server is assumed to be already secure. If we go down the route of
> requiring the use of an outer method that provides authenticity and,
> optionally, confidentiality we would also not need to provide support for
> Fragmentation control, since the records would be encapsulated within the
> outer-method messages that already provide fragmentation support. Would
> this be acceptable ? Or should the method not have such assumptions and
> provide support for explicit fragmentation control ? What would be the
> preferred path here ? I personally would like to have a method that could
> be used independently, but I would also like to focus on simplicity of
> implementation so that if you already have EAP-TTLS/EAP-TEAP support,
> adding support for EAP-CREDS would be very simple.
>
> Looking forward to some great guidance and advice :D Also, if you would
> like to collaborate/contribute, please let me know!
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
> [image: OpenCA Logo]
>
> _______________________________________________
> Emu mailing listEmu@ietf.orghttps://www.ietf.org/mailman/listinfo/emu
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email