IETF Logo Mail Archive

Re: [Emu] RFC7170bis and lack of identities

Alan DeKok <aland@deployingradius.com> Thu, 02 February 2023 19:17 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72808C1575DF for <emu@ietfa.amsl.com>; Thu, 2 Feb 2023 11:17:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b2-ttWLoGpA5 for <emu@ietfa.amsl.com>; Thu, 2 Feb 2023 11:17:06 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 710DEC151534 for <emu@ietf.org>; Thu, 2 Feb 2023 11:17:05 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id E67FB2FF; Thu, 2 Feb 2023 19:16:59 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <1165a702-ee9e-4269-8af1-0406eb798de0@app.fastmail.com>
Date: Thu, 02 Feb 2023 14:16:58 -0500
Cc: EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E7F39732-D012-4D2A-A34F-44965763C808@deployingradius.com>
References: <972E80E4-CB18-4154-A407-5BC04D2677FE@deployingradius.com> <45426003-4eb9-9c31-d66b-3d2b51896bcb@lear.ch> <FFFD2F98-2E7F-4603-9B85-E6C80ACE0799@deployingradius.com> <1165a702-ee9e-4269-8af1-0406eb798de0@app.fastmail.com>
To: Alexander Clouter <alex+ietf@coremem.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/Hn1KS1NtH21KZVznkDnEgHRoBpc>
Subject: Re: [Emu] RFC7170bis and lack of identities
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2023 19:17:10 -0000

On Feb 2, 2023, at 1:52 PM, Alexander Clouter <alex+ietf@coremem.com> wrote:
>>  I'm not clear how that would happen.  Nothing in the doc discusses 
>> how a client may choose authentication methods.
> 
> The documentation does not but I did see Appendix C.9 lets the client state what it wants to do:
> 
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-03#name-c9-peer-requests-inner-meth

  i.e. the client authenticates in phase 1, via something like a client cert.

  That flow does look a little odd to me:

EAP-Response/
  EAP-Type=TEAP, V=1
  [TLS certificate,]
   TLS client_key_exchange,
  [TLS certificate_verify,]
   TLS change_cipher_spec,
   TLS finished ->
                          <- EAP-Request/
                          EAP-Type=TEAP, V=1
                          (TLS change_cipher_spec,
                           TLS finished,
                           Crypto-Binding TLV (Request),
                            Result TLV (Success))


  So... the first set of data in the tunnel is Crypto-Binding?  Hmm..

  I'll have to test that to see if it works.

> Using the Identity-Hint TLV to steer the server so at least it knows if it is machine or a user authentication coming its way is useful. Some if not most sites should find this good enough for them.
> 
> Though if you are proposing this to be optional, why not define another new TLV the client MAY send with Identity-Hint TLV that takes the place of the EAP-Identity response for only when it wants to go and do Basic-Password-Auth.

  I think it would just need Identity-Hint?

Identity-Hint "bob" --> 

                <-- Basic-Password-Auth-Req

Basic-Password-Auth-Resp  "bob" password "hello" -->

> To trim a round trip, you could add language on for servers supporting this MAY wish to treat this as a username if the server would only send a Basic-Password-Auth-Req asking for the same information anyway...to trim a round trip.
> 
> I'm unable to think of a time why you would respond to a username request differently for an inner method, so it should be safe...mostly.

  Different authentication types required for user / machine auth?  Password for users, and EAP-TLS for machines?

  For me it's also partly about not forbidding certain work flows.  Right now, "select auth based on identity" is either impossible, or requires extra "oopsie" packet exchanges.  That doesn't seem right.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email