Re: [Emu] Proposal: SASL over EAP
Rick van Rein <rick@openfortress.nl> Sat, 18 April 2020 18:05 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 543B23A0F0E for <emu@ietfa.amsl.com>; Sat, 18 Apr 2020 11:05:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pZgTGw-kIyfD for <emu@ietfa.amsl.com>; Sat, 18 Apr 2020 11:05:41 -0700 (PDT)
Received: from lb1-smtp-cloud8.xs4all.net (lb1-smtp-cloud8.xs4all.net [194.109.24.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13C9F3A0F0D for <emu@ietf.org>; Sat, 18 Apr 2020 11:05:38 -0700 (PDT)
Received: from popmini.vanrein.org ([IPv6:2001:980:93a5:1::7]) by smtp-cloud8.xs4all.net with ESMTP id PrqPjKy0nlKa1PrqQji4Or; Sat, 18 Apr 2020 20:05:36 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1587233133; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=VaMNZd5CNhZnAu3YcpkCUYHA4J2uAyBERt6ZpGPRiTI=; b=oakVkWM9jtuitHfna065KG8phLjkIMExeYxvjsfo9n4c0+ksOWjDJ/c9 8YDSe/B7/0aw4FCcAJt+H23dub15cL6k0xViBJARWdXCHLe5qcDsXgER1M mDKPb5f/NvJroIW5eTvBrWea53rFuX9Zivxw3VDOZbpq4vOkrXStVsFuY=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 724E539ED7; Sat, 18 Apr 2020 18:05:32 +0000 (UTC)
X-Original-To: emu@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 2F0DB39ED4; Sat, 18 Apr 2020 18:05:27 +0000 (UTC)
Message-ID: <5E9B4165.1050703@openfortress.nl>
Date: Sat, 18 Apr 2020 20:05:25 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Alan DeKok <aland@deployingradius.com>
CC: emu@ietf.org
References: <5E98981B.7020606@openfortress.nl> <260BBB7D-4201-4B68-92A4-6A2755555A2A@deployingradius.com>
In-Reply-To: <260BBB7D-4201-4B68-92A4-6A2755555A2A@deployingradius.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfMUn/BgoFM2LvQF+X6EjmaqtiwKamz2Z6EgjdJe+nMXwfRHU4rOl20qPPqoYcu9yHmUqPJFj/tih7f+hGKH/QKtPc74KmmMRkLWXd+oPrcpwW9DnV6es lxyN6ESKtwpHszW2PQRcjFEWNlpIZHcECU3Yp8rLEPywrUdgJmhtwXutTLWlwaw1FpagsFqKM0AkvQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/EqsKxvV9TDIZ697zCbTi4A-tq3U>
Subject: Re: [Emu] Proposal: SASL over EAP
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Apr 2020 18:05:46 -0000
Hi Alan, >> An interesting usecase for EAP-SASL with all this would be WiFi and LAN >> authentication (EAPOL or 802.1x) passed over Diameter to *any* domain on >> the Internet, and receiving back tunnel information. > > Or RADIUS.... That's what everyone is thinking ;-) The reason for Diameter is that it scales up to the Internet (in terms of connection pooling / efficiency and in terms of security). RADIUS is really useful for internal networks, but becomes rather clumsy when crossing the Internet -- it is not suited for worldwide public service. > TBH, I can't recall seeing many WiFi deployments which use Diameter. None of the access points support it. Similarly, EAP over LAN is implemented in most switches, but they definitely don't do Diameter. Catch-22 -- no use case, no software. That's why I'm describing the use case here. We'll probably package our kit for OpenWRT, so everyone can benefit / derive from it. A patchy solution is possible for closed routers; RADIUS and Diameter can crossover, so a local node doing that is possible. > Is there a specific reason why Diameter was chosen? Certainly, - It enforces mutually authenticated TLS for peer-validation - It does not silently assume a profile but negotiates at startup - It can pool validated TLS connections for reuse - It runs over SCTP for realiability without head-of-line blocing These are hardly a concern for internal networking, and very much concerns for dynamic realm crossover. >> Clients would be >> tunneled to their own network/IP/routing and it would be easier for >> public access providers to offer full networking without worry about the >> behaviour it outputs over their IP range. > > I think that's a separate step from EAP, or SASL over EAP. It may be difficult to in practice to define that tunneling. Yes it is separate, and just here to give you some context. There are several AVP sets for tunneling in RADIUS / Diameter, and making a choice would probably help the crossover to work in general. >> Before this group existed I wrote a spec for EAP-SASL, is it worthwhile >> to continue, and how/what do you advise? >> https://www.ietf.org/archive/id/draft-vanrein-eap-sasl-00.txt > > That draft looks reasonably clear. Thanks for taking the time to judge that. I'll wait a little more to hear others respond on what to do here. I agree with your take that it's not an exact fit here but that it has no other place either. >> The other work is progressing in >> https://tools.ietf.org/html/draft-vanrein-diameter-sasl-03 > > I have no opinions on that draft. ...as it merely provides context, yes of course. Thanks, -Rick
- [Emu] Proposal: SASL over EAP Rick van Rein
- Re: [Emu] Proposal: SASL over EAP Alan DeKok
- Re: [Emu] Proposal: SASL over EAP Rick van Rein
- Re: [Emu] Proposal: SASL over EAP Alan DeKok
- Re: [Emu] Proposal: SASL over EAP Rick van Rein
- Re: [Emu] Proposal: SASL over EAP Alan DeKok
- Re: [Emu] Proposal: SASL over EAP Rick van Rein
- Re: [Emu] Proposal: SASL over EAP Jim Schaad
- Re: [Emu] Proposal: SASL over EAP Rick van Rein
- Re: [Emu] Proposal: SASL over EAP Rick van Rein