Re: [Emu] Short review of draft-friel-tls-eap-dpp-01

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 27 July 2021 17:23 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>
Date: Tue, 27 Jul 2021 17:23:17 +0000
Message-ID: <MW3PR11MB47467A3A2E47F9723E2CFEC8DBE99@MW3PR11MB4746.namprd11.prod.outlook.com>
References: <1FE63FE4-4B23-4E0C-AF06-1372D6DA8869@deployingradius.com>
In-Reply-To: <1FE63FE4-4B23-4E0C-AF06-1372D6DA8869@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/K8hB3i0BoiIbL6Ex5aPmH64meZo>
Subject: Re: [Emu] Short review of draft-friel-tls-eap-dpp-01
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>


-----Original Message-----
From: Emu <emu-bounces@ietf.org> On Behalf Of Alan DeKok
Sent: 19 July 2021 00:40
To: EMU WG <emu@ietf.org>
Subject: [Emu] Short review of draft-friel-tls-eap-dpp-01

  No major notes here.  There's still a lot of TBD in the document.  :)

NITS:

  Section 3 says:

  ... For
   unprovisioned devices that desire to take advantage of TLS-POK, there
   is no initial realm in which to construct an NAI (see [RFC4282]) so
   the initial EAP Identity response SHOULD contain simply the name
   "TLS-POK" in order to indicate to the Authenticator that an EAP
   method that supports TLS-POK SHOULD be started.

* RFC 4282 has been deprecated by RFC 7542

* There just might be a user with name "TLS-POK", so using bare names is likely not a good idea.

  After looking at this, EAP-NOOB, and my latest document, there seems to be some overlap with EAP identities.  EAP-NOOB suggests a ".arpa" realm.  It would be good to agree on, and use, a common naming scheme.

  My suggestion is to define "eap.arpa" for EAP purposes.  This realm would be defined to be handled locally at the EAP server.  i.e. never proxied.  And used only for provisioning purposes.

  We can then have:

* noob@eap.arpa for EAP-NOOB

* TLS-POK@eap.arpa for this document

* perhaps "provisioning@eap.arpa" for "I want a captive portal / provisioning network".  I have some updates pending to my document which discusses this concept.

  One issue we currently have today is that there's no standard way for an EAP client to say "I want network access, but I don't really care who it's from, and I don't really care to prove who I am".  This kind of authentication-less network access is still useful, as noted in the EAP-TLS 1.3 document.  Similar provisioning is in EAP-FAST and TEAP.

  I suspect it would be useful to have full network capabilities for provisioning.  While it can be nice to push all kinds of provisioning into an EAP method, TBH that seems like re-inventing the wheel.

[ofriel] The goal here is to push the provisioning info (e.g. CA roots, peer identity certs) inside TEAP using existing TEAP mechanisms, e.g. Trusted Server Root, PKCS#7 TLVs. We are trying to avoid wheel reinvention. The novel bit here is the mutual authentication in the TLS stack based on the already defined Wi-Fi Alliance DPP bootstrap key.

  Instead, we could just have the EAP client go "I want access as @eap.arpa" or maybe "provisioning@eap.arpa".  It then gets a "captive portal" network, and can rely on the rest of the TCP/IP stack, and the web PKI to download complex provisioning data.

  From an implementation point of view, updating EAP clients and servers is hard.  It takes a long time for changes to be written, tested, and widely deployed.  In contrast, if the client had access to a provisioning network, it can be easier to write a simpler utility which downloads information.  Among other benefits, there is also a clear separation of roles between network access, and configuration changes.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
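The identity-routing rule discussed in the thread (a reserved "eap.arpa" realm that the EAP server terminates locally and never proxies, with the EAP method picked from the user part, versus the ambiguity of a bare "TLS-POK" identity), as an added example. This is not code from the draft, from EAP-NOOB, or from either poster; the method table, the "captive-portal" handler label, the treatment of a realm-only "@eap.arpa" as a captive-portal request, and the reject-on-unknown policy are assumptions made for the example. NAI syntax follows RFC 7542 (ASCII subset only).

```python
"""Routing of EAP-Response/Identity at an EAP server (added example).

Models the thread's proposal: identities in the reserved realm "eap.arpa"
are handled locally, never proxied, and used only to choose a provisioning
method.  Everything else is either a bare local username or proxied to its
realm.  Method table and handler labels are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Realm proposed in the thread: always terminated here, never proxied.
LOCAL_PROVISIONING_REALM = "eap.arpa"

# user part of an eap.arpa NAI -> method/handler to start.  Entries follow
# the identities suggested in the thread; the labels are assumed.
PROVISIONING_METHODS = {
    "noob": "EAP-NOOB",
    "tls-pok": "TLS-POK",
    "provisioning": "captive-portal",
    "": "captive-portal",   # realm-only "@eap.arpa" (assumed meaning)
}

# RFC 7542 utf8-atext, ASCII subset.  '@' is deliberately not in the set:
# a well-formed NAI has at most one '@', and it separates user from realm.
_ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+"
_USERNAME_RE = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*$")
_LABEL = r"[A-Za-z0-9-]+"
_REALM_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


@dataclass(frozen=True)
class Decision:
    action: str                 # "provision", "local-auth", "proxy", "reject"
    user: str
    realm: Optional[str]
    method: Optional[str] = None
    note: str = ""


def split_nai(identity: str) -> tuple[str, Optional[str]]:
    """Split an NAI into (username, realm); realm is None when absent.

    Splitting on the *last* '@' means "x@evil.example@eap.arpa" yields an
    invalid username (it still contains '@') instead of a spoofed realm;
    route_identity() then rejects it on syntax.
    """
    if "@" not in identity:
        return identity, None
    user, realm = identity.rsplit("@", 1)
    return user, realm


def route_identity(identity: str) -> Decision:
    """Decide what the EAP server does with one Identity response."""
    user, realm = split_nai(identity)

    # RFC 7542 allows an empty username only in the "@realm" form.
    if user and not _USERNAME_RE.match(user):
        return Decision("reject", user, realm, note="malformed username")
    if realm is not None and not _REALM_RE.match(realm):
        return Decision("reject", user, realm, note="malformed realm")
    if realm is None and not user:
        return Decision("reject", user, realm, note="empty identity")

    # Reserved realm: terminated locally whatever the user part says.
    # Unknown user parts are rejected, never forwarded to a proxy.
    if realm is not None and realm.lower() == LOCAL_PROVISIONING_REALM:
        method = PROVISIONING_METHODS.get(user.lower())
        if method is None:
            return Decision("reject", user, realm,
                            note="unknown provisioning identity; not proxied")
        return Decision("provision", user, realm, method=method)

    if realm is None:
        # Bare identity: looked up as a local user.  This is the ambiguity
        # raised in the review: "TLS-POK" here cannot be told apart from an
        # ordinary account that happens to be named TLS-POK.
        return Decision("local-auth", user, realm,
                        note="no realm; bare name treated as a local user")

    return Decision("proxy", user, realm, note=f"forward to realm {realm}")


if __name__ == "__main__":
    for ident in ("noob@eap.arpa", "TLS-POK@eap.arpa", "@eap.arpa", "TLS-POK",
                  "alice@example.com", "x@evil.example@eap.arpa",
                  "mallory@eap.arpa", ""):
        print(f"{ident!r:28} -> {route_identity(ident)}")
```

The realm comparison is case-insensitive because the realm is a DNS-style name; the username lookup is also folded here only because the table keys are fixed labels, a real server would preserve the case of an account name. The check that matters for the "never proxied" property is the early return inside the reserved-realm branch: nothing with realm eap.arpa can reach the proxy path, including a user part the server does not recognise.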