Re: [Emu] Iotdir early review of draft-ietf-ace-wg-coap-eap-08
Dan Garcia Carrillo <garciadan@uniovi.es> Tue, 18 July 2023 10:20 UTC
Return-Path: <garciadan@uniovi.es>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E430C151094; Tue, 18 Jul 2023 03:20:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=unioviedo.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cr--7ESeSVkT; Tue, 18 Jul 2023 03:20:12 -0700 (PDT)
Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on2055.outbound.protection.outlook.com [40.107.104.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A0D9C14CE4B; Tue, 18 Jul 2023 03:20:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oF/U3KNZctbluJtdWwDu6OtJqaf3szp9igVN7ddEklJii7CAT3165/s0iAAB6Z4MOAPyy9hJOS/Jgjb5KpIJKSD0Mf2Lja8EYjiDMciozESBVVb+C7jI/3ewC9GlIzpZEjsKZB2dMAzBLak/OzohU+xP6n3Q7ckgt/ZiqChBikJ+gCe/Q1XpRQtkOSSEXtNOCBe4Oe6P2mgeFbzEoApeAu1bdXa8CRF4fgG0QGbvpb0vo+WOWbt3hB7BHvGnz+07aZ8a+Cc6uQ9PU5X9D6X6LGhqRZ8PDZgPfWOO1wn3/apyuyuwychPPBQMnZRNVSuF1S/IQDyv+KVvKtua5/V7BQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5ratkAK6GjTxBXXMd8pO7H0xFvf7Rc46wpzQPKTWLig=; b=n7djxc/vPsLaLw9W4P9rMPyRawd8T2ny058T8OsBbuFkKWXNo1lf6JEHNmPlr4Mlg6Vj/pKp8u08/IgZJ8ijz3Z6AeF4ITEkTLpyMAZECZCyryeNZPQtdbIxLaDgwkruKMKjq+SuoB/HaMrM2khqZW5JuHIrKFstB7CxNRJlKurLin2yOBohPPQmrh52gfOHPzN4y1QpeLF4HzHtohgino10nsAsCt/pZY6gYcW3nP6dodVYU9mpEzO5wkkAGO7MmnUDj1t2qtyk3BgfTu31v/B3Fw1okCyn399AXFntrB5v+gC+xlO1SmTpyMgVzOJPQPu5EropkbzMS3FseOVMtg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uniovi.es; dmarc=pass action=none header.from=uniovi.es; dkim=pass header.d=uniovi.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unioviedo.onmicrosoft.com; s=selector2-unioviedo-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5ratkAK6GjTxBXXMd8pO7H0xFvf7Rc46wpzQPKTWLig=; b=ozMPxqas43k9ra0jB+kXH6tDv9aqsiz0klyCMbZRByRF1DTmexONB8dLuSX9FcPef8ygPIfAwY6tDv674dLmdgfCk6S1GqzA0/kCLqz3WifI2QVpx+vThAYVpxEaUFF8u0/Eydosv4/fLm+CWeR5xPcchfsyarRPi9L4TqfWHdE=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=uniovi.es;
Received: from GV1PR08MB8081.eurprd08.prod.outlook.com (2603:10a6:150:97::19) by PAVPR08MB9305.eurprd08.prod.outlook.com (2603:10a6:102:306::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6588.31; Tue, 18 Jul 2023 10:20:08 +0000
Received: from GV1PR08MB8081.eurprd08.prod.outlook.com ([fe80::6ddf:d8e2:ddc5:8b06]) by GV1PR08MB8081.eurprd08.prod.outlook.com ([fe80::6ddf:d8e2:ddc5:8b06%3]) with mapi id 15.20.6588.028; Tue, 18 Jul 2023 10:20:08 +0000
Message-ID: <86b5f75b-f9e8-8b53-c86e-1ebab04557dd@uniovi.es>
Date: Tue, 18 Jul 2023 12:20:06 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Cc: garciadan@uniovi.es, ace@ietf.org, draft-ietf-ace-wg-coap-eap.all@ietf.org, emu@ietf.org
To: Eliot Lear <lear@cisco.com>, iot-directorate@ietf.org
References: <168854454528.40191.3181198363158363836@ietfa.amsl.com>
Content-Language: en-US
From: Dan Garcia Carrillo <garciadan@uniovi.es>
In-Reply-To: <168854454528.40191.3181198363158363836@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-ClientProxiedBy: PR1P264CA0172.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:344::20) To GV1PR08MB8081.eurprd08.prod.outlook.com (2603:10a6:150:97::19)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GV1PR08MB8081:EE_|PAVPR08MB9305:EE_
X-MS-Office365-Filtering-Correlation-Id: b3df3752-cfc2-4da4-087b-08db8778900a
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: s/ZwkwFAXw3dsRkko+3OYAPbap9MtuIE9j800exKbpB3Xor1oUiE49Y7kHSGKq6SJLSM5wQI4DBdnkw3IpwXjSCk2NnjU1fN4qUS7bejShjJhnWD91xMVOv5GtAUrXDWFP7TD1VSrhoJ6ZRKdrcUZj6LuLNrq3/dXjoCEC0XqjSVLhNvbWUZKmLXSad/TQX0cHyf3ATHyLBghbdQDYOyfhCUIPcaqVvhBCVdA4Uce4T212BOX7kzU/ZskZfaMamgz2/CAFBE/RoaJqxnKU5D7/nA85W0ccKE4P/GfC6FNwFjVHR8f4+kguspzwbvkj8hIc8+SmFZoowUq35MQApuKSnBVuizQNLu6mvoGvl8qVh2fNh3nMEFrpz/3ayREGFSgoUoHP+HcSLN42do1GqT6jyjKjOCoauSiIlPc52onNeMMV1uasmO6MZm6o871t10n5gDSUkE8kLei2L9ahJvSmrVPtSrMjr7H97IDQNgZORKoztIOtLZJQr23Zy7/9ZobxLkDlz2tOevonuw1i/pWKPmDURTWX+Ll4KIv9DR81Jbbap1qgKxlvNdyNHnQdVxJRVqpnbyk9BBsd6guQ9ucJts0qTYhGllFUwMgl28l6IFnzNWDKQkrITtw1iR09dsleOopYoMvtAcm3bcCNBknZaNcsBSk3t5G6dtSFGJkMzdwq4YP2Kcj+M05s4Y+iJ1
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GV1PR08MB8081.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(39860400002)(136003)(376002)(366004)(396003)(346002)(451199021)(2906002)(38100700002)(6512007)(83380400001)(5660300002)(2616005)(186003)(6506007)(26005)(31696002)(86362001)(53546011)(38350700002)(36756003)(8676002)(4326008)(52116002)(478600001)(6486002)(786003)(316002)(41300700001)(8936002)(66946007)(66556008)(66476007)(31686004)(43740500002)(45980500001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: h4dQDeBpLDLTsVnalsNtAMrLCfG/NeH07cPptT4Ly4L9+j76y1ywnaRE1WJbsVI3Qk/7jDQMirpHbSJGVhpfvFW5li1OOtAx3KpVgH+1Zey9ttdHrHu2aJwQnFIM3fqgS+s8xDFiJt1KoEFDshvvSPJWSn7xSFIufc46pTAGpwBGjETzOflV1D+YZDte7J1mnKAc9NYVrjjIWAz+CNxyg+LcMbrclaotVlFl4rC6SUdubaaVahMfQT8z2wkNVpA348tShBCsu1oqjkXWjKjFZdCHrOoivupVLUoTXblk6saS64dkJuesZU6Q5XAF/M0oN6QNxJBE10+G9Zh8T9uXF+mBsR0sebOFgL5k5Eo+YBk6BrlXtzQ/Xp6NHPJtNTlzFPDF41bHhfP0vRB4925R9q0gV3Pmo9Whs1FqxfOXROtx4iXvsU0Dux3BRlAaQ/cCFiT3n1DqG9Npr2Ot9gak5a3GNy95ZYhBetz6zwNv8Ioss4QRaqffW3AWJqZe2JX0/YUDKy2XN1masu+LKcTOVe2wDzM7UNoZfy5YIyTvS7S8jlP0/gYwJWmhi6A8t3el1/Cqll0y+6TqpoiksOzBZ8d1qCHuPc5jbwL5fo/AZFJ66xq7WdtlqzECYLK3VnKVD1OWQTlAwFqeXyznwnv0LsPP29M5BssRNfns5p4ogdsdpzk4VQgt0FA/XFj8IkViYhmp6aT48/UIt04iR/ormIZQc5UsBu+z5aSRG9fypRX9FMwFmkVJai1ysp9fojQ9RJsHSg2goAu0vym2kXWQoHQfMGX64HUCZoteCR4l5j1A9vmO6zRWizGH4dv0p4ltbbE2YWYjtNM4EO8FcmXhrG2C7fk3Iq59VzsRdZmeD6pYSsY9ZpS9ZwkK/u4Zg0DxvbCqZXZJ+F2YH9u1wEtcexLfyFHCGlJ5CBgrxVgx9ufhmrrjvCz7/7HRie/aBnI6EvwscEtxbfyANUIG0q5lrkjzN1L0RW2IM1UrGfnFuq3A2249xIPFJAy1UocxUH1W9/3lC+nwmR6JUt1VJKSmpXaiQ4g8sUxudXSyC3lDPFZgkqwi4N3mzdVHSxgDJYomDfzgrSj137EQeU4UAukyBEvmIQdxVb1Xr4sLNo3uM6/sEqxh/SpTzrTBimyJocF8ZEHILOgWMXSxt0DxFPFItIbuldnE726v4RHSkFrwd9Qqy9BxjIjCbspidDs1XQh4wBAxrrvmZes+2z1qN/9YU4tUPF2a7oblUdMhD0WwORpJn3Ex69hVSuIawzgExsjhQhB9DOfJiTlRC59aaUJVERibeW17dJAj4o9zOlgI9s48HRly789kW3Ej2wBhH9Kw+fyjyfTkm4ImidOVkwvt0oa8QzjKyFJbyzJCOw+JBOP7FybqorzqShFx7jv1jCL/g7kK/z5IR1s96vTHtGRxG480s9ybTskpGXpdcqqd+kUf2RAhkVS7DuX9ox1S0diLHvCExycpof16z+Xs8BWl4Qk4sTEn/N2wroRQGMXPk6tBjC2myoJoeoSkd9MeohdomCShWsSLhLT8fTcAhzxSmLKe3G1AM5T+/jwInXrvZ1KAp0xJU5gdcT9lwoyctmzA
X-OriginatorOrg: uniovi.es
X-MS-Exchange-CrossTenant-Network-Message-Id: b3df3752-cfc2-4da4-087b-08db8778900a
X-MS-Exchange-CrossTenant-AuthSource: GV1PR08MB8081.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Jul 2023 10:20:08.6531 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 05ea74a3-92c5-4c31-978a-925c3c799cd0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: XIDHTdr7FsbIG4Tit64qSdbeYzaiDvy3gnrlEjO3lQP911Xrna/urrNVphihSSF9YFyRmull99emam+GuqQ7wA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAVPR08MB9305
X-MS-Exchange-CrossPremises-AuthSource: GV1PR08MB8081.eurprd08.prod.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 06
X-MS-Exchange-CrossPremises-Mapi-Admin-Submission:
X-MS-Exchange-CrossPremises-MessageSource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 156.35.171.42
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: PAVPR08MB9305.eurprd08.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/D3Aw9dhFo2uEdOyOjNNRx78_siY>
Subject: Re: [Emu] Iotdir early review of draft-ietf-ace-wg-coap-eap-08
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2023 10:20:17 -0000
Hi Eliot, Thank you very much for your time to review the document. On 5/7/23 10:09, Eliot Lear via Datatracker wrote: > Reviewer: Eliot Lear > Review result: On the Right Track > > This draft provides a means for EAP authentication via CoAP. This is > an evolution on top of EAPoL/EAP so as to not require 802.1X on > certain classes of devices. The general goal of reusing existing EAP > methods – and code – is admirable. Thank you very much, this was one of the objectives of the work. > > I would like to bring several issues to the attention of the working group: > > 1. There is, I think, a fundamental change between 802.1X and CoAP > that needs to be better stated: when used without a bypass (MAB), > 802.1X prevents *any* IP connectivity to a network. While Section 7.1 > discusses authorization, it does not really note this aspect, and in > my opinion it should. This is an interesting point. Yes, indeed CoAP and 802.1X are different, and to be able to work with CoAP we would have to allow one-hop link-local connectivity (with the possibility of using a proxy), without L2 protection until the authentication is completed. We will add these consideration to the document. > > 2. While the draft describes out to derive an EMSK, and while the > appendices begin to talk about application, it would be good to show > at least one entire flow in which that EMSK is used by L2, and in > particular may I suggest any of the 802.15.4 specifications such as > THREAD. A key point is that many of these technologies have their own > encryption practices, and understanding how they fit together will > make this work far more applicable. I suggest this because it is not > clear to me how to bridge the gap. To secure L2 after the authentication is completed, we can follow different models, depending on the objective. - We could use CoAP-EAP to derive the needed PSK to run 6TiSCH Constrained Join Protocol (CoJP) [RFC9031]. - If we want to have a network shared key shared among all devices at L2, we can follow the process Zigbee IP does. They use PANA as EAP lower layer for authentication and delivering a network-wide key to the authenticated devices. The MSK is used only for securing the PANA security association. Analogously, with CoAP-EAP, once performed the authentication of the EAP peer, it can receive through the CoAP-EAP security association (OSCORE) the needed L2 security configuration in the CoAP-EAP_Info CBOR Object securely. - If we want to deliver pairwise keys at L2, once the EAP authentication is finished (without L2 security yet), we can derive pair-wise keys either with the MSK or the EMSK. We understand that your comments on the EMSK is for the purpose of using a different root key, right? So MSK can be used to protect CoAP-EAP and EMSK for other purposes (e.g., L2 security). This would imply, though, that we would have to distribute to the EAP authenticator the MSK and a key that is derived from the EMSK at the same time. We could also simplify things and use the MSK as root key, using different tags when deriving keys for different purposes. What do you think? > > 3. The terminology is a problem. On the one hand, some people like > to use the terms "IoT Device" and "Controller". In the EAP world, > this term is meaningless. We use "peer", "authenticator", and > "authentication server". I would suggest that those implementing this > work will be from the EAP world, and that this document will be far > more accessible to them if those terms are used. Also, the use of > "IoT Device", while demonstrating application, limits applicability of > the work. In the immortal words of Larry Wall, "So don't do that." Thank you for this point, surely we do not want to limit the applicability. We will fall back to using only EAP terminology to avoid issues. > > 4. The discussion about packet sizes is interesting, but too > abstract. Some form of an example involving the use of certificates > seems in order, since the most taxing examples may involve methods > such as EAP-FAST, TEAP, and EAP-TLS. These have been made to work > perfectly reasonably across 802.11 networks, and a reasonable question > is whether any adaption layer for smaller MTUs should occur here, > doubly so since the draft state: > > Lower layers need to provide an EAP MTU size of 1020 > octets or greater. > > I realize this is a can of worms. Certainly fellow EMU colleagues > will have had more experience at opening and managing it than I have. > I think this is solved by EAP itself. According to RFC3748: "EAP methods can assume a minimum EAP MTU of 1020 octets in the absence of other information. EAP methods SHOULD include support for fragmentation and reassembly if their payloads can be larger than this minimum EAP MTU." Thank you. > > >
- [Emu] Iotdir early review of draft-ietf-ace-wg-co… Eliot Lear via Datatracker
- Re: [Emu] Iotdir early review of draft-ietf-ace-w… Alan DeKok
- Re: [Emu] Iotdir early review of draft-ietf-ace-w… Dan Garcia Carrillo
- Re: [Emu] [suspect] Re: Iotdir early review of dr… Dan Garcia Carrillo
- Re: [Emu] [suspect] Re: Iotdir early review of dr… Heikki Vatiainen
- Re: [Emu] [Ace] [suspect] Re: Iotdir early review… Behcet Sarikaya
- Re: [Emu] [Ace] [suspect] Re: Iotdir early review… josh.howlett
- Re: [Emu] [Ace] [suspect] Re: Iotdir early review… Alexander Clouter
- Re: [Emu] [suspect] Re: Iotdir early review of dr… Dan Garcia Carrillo
- Re: [Emu] [Ace] [suspect] Re: Iotdir early review… Heikki Vatiainen