Re: [Emu] Potential Notes in EAP-FAST Documents
"Glen Zorn" <glenzorn@comcast.net> Wed, 04 February 2009 06:09 UTC
Return-Path: <glenzorn@comcast.net>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BF64528C0CE for <emu@core3.amsl.com>; Tue, 3 Feb 2009 22:09:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.29
X-Spam-Level:
X-Spam-Status: No, score=-2.29 tagged_above=-999 required=5 tests=[AWL=0.308, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjJM-MwrAhZr for <emu@core3.amsl.com>; Tue, 3 Feb 2009 22:09:50 -0800 (PST)
Received: from QMTA08.emeryville.ca.mail.comcast.net (qmta08.emeryville.ca.mail.comcast.net [76.96.30.80]) by core3.amsl.com (Postfix) with ESMTP id AA5C63A6774 for <emu@ietf.org>; Tue, 3 Feb 2009 22:09:50 -0800 (PST)
Received: from OMTA09.emeryville.ca.mail.comcast.net ([76.96.30.20]) by QMTA08.emeryville.ca.mail.comcast.net with comcast id BfS91b00B0S2fkCA8i9YSU; Wed, 04 Feb 2009 06:09:32 +0000
Received: from gwzPC ([124.120.227.232]) by OMTA09.emeryville.ca.mail.comcast.net with comcast id Bi921b00251UzLU8Vi97kM; Wed, 04 Feb 2009 06:09:29 +0000
From: Glen Zorn <glenzorn@comcast.net>
To: Nancy Winget <ncamwing@cisco.com>
References: <1668467045.107361.1233682336329.JavaMail.mail@webmail01> <9958B444368E884DBB215F3FEF36F5B708E37AD3@xmb-rtp-212.amer.cisco.com>
In-Reply-To: <9958B444368E884DBB215F3FEF36F5B708E37AD3@xmb-rtp-212.amer.cisco.com>
Date: Wed, 04 Feb 2009 13:08:49 +0700
Message-ID: <001d01c9868f$1bd4b560$537e2020$@net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_001E_01C986C9.C8338D60"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcmGJWminpIXM8RGTDeNjvItBjlcQwAIRdngABFVWvA=
Content-Language: en-us
Cc: emu@ietf.org, housley@vigilsec.com, iesg@ietf.org
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2009 06:09:53 -0000
Nancy Winget (ncamwing@cisco.com) writes: Dave and Dorothy: We don't believe there are interoperability issues, as the intended informational RFCs clearly describe the protocol and packet format over the wire for these inner methods specifically when running inside EAP-FAST. The so called "interoperability issue" raised is at most an implementation issue, only applies to certain software environments where the same inner methods are used both inside and outside EAP-FAST, and could be worked around. This is demonstrated by the numerous existing client and server implementations already deployed in the field (most of which support these inner methods both inside and outside EAP-FAST), and lack of reporting of this issue. The intent of these drafts is informational and to clearly document the existing implementations started 5 years ago. Assigning new EAP types isn't going to solve any interoperability problems, but is likely to generate new ones. It appears that you mistake the purpose of the IETF as being to enhance proprietary protocols. I, for one, couldn't care less if two implementations of some Cisco Systems proprietary nonsense interoperate or not; however, I do care about hijacking EAP type codes & subversion of the IETF process for essentially marketing purposes. It's hard to imagine what interoperability problems could be caused for a pair of EAP-GTC implementations by changing the type code and name of EAP-FAST-GTC to something more appropriate (say, 666 & EAP-PAP ;-). If we were to redesign today, certainly we would probably take a different approach to make the software implementation easier. We are open to all of your suggestions for enhancements on the next version of EAP-FAST. Given that you've had 5 years to get it right & failed, it's hard to believe that "suggestions for enhancements" would have much effect. We believe these drafts have documented these potential points of confusion. The difference between EAP-MSCHAPVv2 inside and outside EAP-FAST is documented in draft-cam-winget-eap-fast-provisioning. As for EAP-FAST-GTC, the draft-zhou-emu-fast-gtc documents the difference it has with EAP-GTC in turns of handling password authentication. As for regular OTP or token authentication, the implementation could strip the labels and pass the rest to the regular EAP-GTC state machine. Sorry, I'm just ignorant: can you tell me where "the regular EAP-GTC state machine" is defined? How GTC handles the token exchanges is outside the scope of this draft (under defined in RFC3748). If you do see areas of requiring more description of the differences, we are certainly open to suggestions. _____ From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of David Mitton Sent: Tuesday, February 03, 2009 12:32 PM To: dstanley1389@gmail.com Cc: housley@vigilsec.com; iesg@ietf.org; emu@ietf.org Subject: Re: [Emu] Potential Notes in EAP-FAST Documents I'm sorry, I haven't responded earlier either, but I would like to pile on with some of my comments. When I read the Cisco EAP-FAST GTC description and was similarly shocked by the nature of the changes, and how poorly they technically met their own rationale. Encoding the "REQ=" and "RESP=" into Request and Response text, is absolutely useless, since the data flow is unidirectional and known to the requester/responder peers. And then claiming that is more efficent because the username and OTP are combined in one response, really ignores the issue that GTC doesn't define what the appropriate response is. And they did nothing to clue the client as to what is being requested, or the format of the response. Given that, a Client can only strip the useless cybercrud, and continue with the normal GTC state machine which is let the user type something in and send it. A more robust OTP implementation may have several different inputs that it wants from the user besides for username and OTP. (BTW; username could be derived from the EAP Identity) There are possible next token challenges, new PIN assignment (user or system generated) and followup re-authentications. Their protocol did nothing to codify a standard for interoperation where a sequence of requests were enumerated or named, and response items were described. I'm all for documenting practice, but this design/implementation doesn't really seem to solve anything and just creates more confusion. Dave Mitton Feb 3, 2009 11:13:36 AM, dstanley1389@gmail.com wrote: The interoperability concern with existing EAP-MSCHAPv2 and EAP-GTC implementations and incorrect re-use of EAP Types must be addressed/corrected prior to publication. One solution is to (a) Get a new, correct type number for use by the method in the published document, and change the name of the method (could use "name-CR" for "corrected/revision", or similar). This eliminates the interoperability concern with existing methods, and uniquely identifies the IETF published method. and (b) Add descriptive text in the document to explain the difference between this IETF published method and similar deployed methods - to meet the desire to document deployed methods. Dorothy Stanley On Mon, Feb 2, 2009 at 6:56 PM, Glen Zorn <glenzorn@comcast.net> wrote: > Dear EMU WG: > > These two documents are in the RFC Editor queue: > > draft-cam-winget-eap-fast-provisioning-10.txt > draft-zhou-emu-fast-gtc-05.txt > > The IESG has received a very late comment about these documents, and > we seek your input on the proposed resolution. > > The late comment raises a potential interoperability concern with > existing implementations of EAP-MSCHAPv2 and EAP-GTC. > > The draft-cam-winget-eap-fast-provisioning-10.txt document specifies > a very specific way to generate the challenges used in EAP-MSCHAPv2 > that provides binding between the EAP-FAST tunnel and the EAP-MSCHAPv2 > exchanges. > > The draft-zhou-emu-fast-gtc-05.txt describes EAP-FAST-GTC, which is > uses EAP Type 6, originally allocated to EAP-GTC [RFC3748]. EAP-FAST- > GTC > employs a subset of the EAP-GTC formatting. > > The IESG recognizes the difficulties caused by re-use of an EAP Type. > Further, the IESG recognizes the concern about implementations that > might not easily adapt to additional requirements. However, the IESG > also recognizes the significant value in documenting EAP methods that > are implemented and deployed in the Internet today. > > The IESG believes that the right thing to do in this situation is to > proceed with the publication of these documents. However, the IESG > also > sees value in warning future EAP method designers about this experience > so that this pain might be avoided in the future. > > The IESG is considering the additional informative paragraph in the > IANA > considerations section of both documents that says: > > IESG Note: EAP-FAST has been implemented by many vendors and it is > used in the Internet. Publication of this is intended to promote > interoperability, even though the use of the EAP-MSCHAPv2 and > EAP-FAST-GTC EAP methods might be difficult in some software > environments. If EAP-FAST were to be designed today, these > difficulties could be avoided by the assignment of new EAP Type > codes. > > Please provide comments on the proposed way forward. I am strongly opposed to the publication of these documents as RFCs in their current form. Not only is the "fast provisioning" for EAP-FAST what can only be characterized as a security disaster, but EAP-FAST-GTC has nothing whatsoever to do with the EAP-GTC type. EAP-GTC was "defined for use with various Token Card implementations which require user input" but EAP-FAST-GTC is used solely to transfer a username/password combination, the password in plaintext. It's hard to see what this has to do with actual token cards & appears to be a lazy misuse of an existing type. Furthermore, it's even harder to see how rewarding this kind of nonsense with publication will serve as a warning of any kind; I would expect that the action of publication (with or without IESG note) would be more likely taken as notice that one can do whatever one please without fear. > On behalf of the IESG, > Russ > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu _____ _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
- Re: [Emu] Potential Notes in EAP-FAST Documents Jari Arkko
- [Emu] Potential Notes in EAP-FAST Documents The IESG
- Re: [Emu] Potential Notes in EAP-FAST Documents Chris Hessing
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Dorothy Stanley
- Re: [Emu] Potential Notes in EAP-FAST Documents David Mitton
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Hao Zhou (hzhou)
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Bernard Aboba
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Jari Arkko
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Jari Arkko
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Nancy Cam-Winget (ncamwing)
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Yoshihiro Ohba
- Re: [Emu] Potential Notes in EAP-FAST Documents Tim Polk
- Re: [Emu] Potential Notes in EAP-FAST Documents gabriel montenegro
- Re: [Emu] Potential Notes in EAP-FAST Documents Bernard Aboba
- Re: [Emu] Potential Notes in EAP-FAST Documents Jouni Malinen
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Hao Zhou (hzhou)
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Bernard Aboba
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Glen Zorn
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Dan Harkins
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Jouni Malinen
- Re: [Emu] Potential Notes in EAP-FAST Documents Tim Polk
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn