[Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

zhou.sujing@zte.com.cn Wed, 06 June 2012 09:18 UTC

From: zhou.sujing@zte.com.cn
To: Joe Salowey <jsalowey@cisco.com>
Cc: emu@ietf.org
Date: Wed, 06 Jun 2012 17:18:22 +0800
In-Reply-To: <7E016FDC-A12A-42B7-BE6C-6BDA8DF71878@cisco.com>
Message-ID: <OF8FD781D7.20C7280F-ON48257A15.0033086C-48257A15.003318C0@zte.com.cn>

Section 1
"The other type of PT, PT-TLS [I-D.ietf-nea-pt-tls], operates before the
endpoint gains any access to the IP network."
==> should be "after the endpoint has gained access to the IP network"

"PT-EAP is an inner EAP [RFC3748] method designed to be used under a
   protected tunnel such as TEAP [I-D.ietf-emu-eap-tunnel-method], EAP-
   FAST [RFC4851] or EAP-TTLS [RFC5281]."
==>PEAP is more widely supported.


"Finally, it describes how the tls-unique channel binding [RFC5929] may
be used to PA-TNC exchanges to the EAP tunnel method, defeating MITM attacks
such as the Asokan attack [Asokan]."
==>

"Some EAP tunnel methods may provide explicit confirmation of inner method 
success; others may not. "


section 3.4 " Attack Analysis [16], " the reference [16] 

section 4.2.3
"The strong integrity protections (hashing) offered by EAP-TTLS allows the
   PT-EAP message recipients to detect message alterations by other
   types of network based adversaries. "
===> it is not hashing that offers the integrity, but a MAC
section 4.2.4
" the  session can be encrypted and hashed to prevent undetected
   modification that could create a denial of service situation.
"
===> only a MAC, not encryption or hashing, can prevent modification

section 4.3
  "The phase two dialog may include authentication of the user by doing
   other EAP methods or in the case of TTLS by using non-EAP
   authentication dialogs.  PT-EAP is also carried by the phase two
   tunnel allowing the NEA assessment to be within an encrypted and
   integrity protected transport."
==> TTLS can also use an EAP method as the inner method.
 

"These inner methods may perform additional security handshakes including
more granular authentications or exchanges of integrity information (such
as PT-EAP.)"
===> IMO, PT-EAP had better be exchanged after phase two of the EAP tunnel
method, so that the resulting key derived from the tunnel and the inner
authentication method can be used to protect it.

section 5
  "To support countermeasures against NEA Asokan attacks as described in
   Section 3.4, the EAP Tunnel Method used with PT-EAP will need to
   support the tls-unique channel binding.  This should not be a high
   bar since all EAP tunnel methods currently support this but not all
   implementations of those methods may do so."
====> It seems no current EAP tunnel method supports tls-unique now.
  And the Asokan MitM attack is countered by crypto binding, where the tunnel
  method is bound to the inner method.
  While tls-unique is limited to the tunnel method, providing binding
  between TLS and the application, I wonder
  if there is some confusion in the document.
 

Regards~~~

-Sujing Zhou
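Two of the points in the review above (a bare hash versus a MAC for integrity in sections 4.2.3/4.2.4, and crypto binding of the tunnel to the inner method against the Asokan MITM in section 5) can be shown in a few lines. The following is an added illustration for this thread; it is not code from the PT-EAP draft, TEAP, EAP-FAST or EAP-TTLS, and all keys, labels, messages and the toy key derivation are constructed for the example. The `tunnel_value` argument is modelled simply as a per-tunnel secret: the tunnel key for crypto binding, or the tls-unique value for channel binding, both of which differ between the client's tunnel and the MITM's tunnel.

```python
"""Added example: unkeyed hash vs. keyed MAC, and a compound MAC that binds
the tunnel to the inner EAP method.  Nothing here is taken from the draft."""
import hashlib
import hmac


def hash_tag(message: bytes) -> bytes:
    """Unkeyed SHA-256 over the message: anyone on the path can recompute it."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: recomputing the tag requires the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def integrity_demo() -> dict:
    """On-path adversary replaces a (constructed) posture message.
    With a hash it recomputes the tag and is not detected; with a MAC it has
    no key, so the best it can do is keep the old tag, and the change is caught."""
    key = b"constructed-32-byte-session-key!"          # constructed
    original = b"PA-TNC: antivirus=on, patch-level=2012-06"
    altered = b"PA-TNC: antivirus=off, patch-level=2009-01"
    hash_detected = not verify_hash(altered, hash_tag(altered))
    mac_detected = not verify_mac(key, altered, mac_tag(key, original))
    return {"hash_detects_alteration": hash_detected,   # False
            "mac_detects_alteration": mac_detected}      # True


def prf(secret: bytes, label: bytes) -> bytes:
    """Toy key derivation (HMAC with a label).  Assumption for this example,
    not the key hierarchy of any real tunnel method."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def compound_mac(tunnel_value: bytes, inner_key: bytes, transcript: bytes) -> bytes:
    """Binding tag keyed by material from BOTH the tunnel (its key, or its
    tls-unique value) AND the inner-method key, over the inner transcript."""
    cmk = prf(tunnel_value + inner_key, b"compound mac key")   # label is constructed
    return mac_tag(cmk, transcript)


def binding_check(client_tunnel: bytes, server_tunnel: bytes,
                  inner_key: bytes, transcript: bytes) -> bool:
    """Server computes the tag with ITS tunnel value; the client verifies with
    its own.  They agree only if both ends terminate the same tunnel."""
    tag = compound_mac(server_tunnel, inner_key, transcript)
    return hmac.compare_digest(compound_mac(client_tunnel, inner_key, transcript), tag)


def asokan_demo() -> dict:
    """Honest case: one tunnel, binding accepted.  MITM case: the client's
    tunnel ends at the MITM, which opens its own tunnel to the server and
    relays the inner method verbatim.  The MITM never learns inner_key, so it
    cannot rewrite the tag, and the differing tunnel values make it fail."""
    transcript = b"inner EAP method transcript (constructed)"
    inner_key = b"inner-method-MSK-shared-by-client-and-server"
    honest_tunnel = b"tunnel secret of the one honest tunnel"
    client_to_mitm = b"tunnel secret: client <-> MITM"
    mitm_to_server = b"tunnel secret: MITM <-> server"
    return {
        "honest_binding_accepted":
            binding_check(honest_tunnel, honest_tunnel, inner_key, transcript),  # True
        "mitm_binding_accepted":
            binding_check(client_to_mitm, mitm_to_server, inner_key, transcript),  # False
    }


if __name__ == "__main__":
    print(integrity_demo())
    print(asokan_demo())
```

The second demo is why the review distinguishes the two mechanisms: the detection comes from the tag being keyed by something the relaying MITM does not have (the inner-method key) and something that differs per tunnel; whether that per-tunnel value is the tunnel key (crypto binding) or the TLS Finished-derived tls-unique (channel binding) changes what is bound, not the shape of the check.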



Joe Salowey <jsalowey@cisco.com>
Sender: emu-bounces@ietf.org
2012-06-06 02:05

To
emu@ietf.org
Cc

Subject
Re: [Emu] [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

June 4 has come and gone and we haven't received any comments.  If you 
have reviewed the document and not found any issues please indicate that 
on the list.  I'll leave the review open until 6/12.  If you can commit to 
review the document, please let me know. 

Thanks,

Joe
On May 21, 2012, at 2:01 PM, Joe Salowey wrote:

> The NEA working group has produced a draft for carrying NEA posture
> methods within EAP.  It would be helpful if some EMU working group members
> reviewed the draft.   Please send your comments to the EMU list by June 4,
> 2012.
> 
> Thanks,
> 
> Joe
> 
> Begin forwarded message:
> 
>> From: internet-drafts@ietf.org
>> Date: May 15, 2012 8:36:14 AM PDT
>> To: i-d-announce@ietf.org
>> Cc: nea@ietf.org
>> Subject: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This draft is a work item of the Network Endpoint Assessment
>> Working Group of the IETF.
>> 
>>               Title           : PT-EAP: Posture Transport (PT) Protocol
>>                                 For EAP Tunnel Methods
>>               Author(s)       : Nancy Cam-Winget
>>                                 Paul Sangster
>>               Filename        : draft-ietf-nea-pt-eap-02.txt
>>               Pages           : 20
>>               Date            : 2012-05-15
>> 
>>  This document specifies PT-EAP, an EAP based Posture Transport (PT)
>>  protocol designed to be used only inside a TLS protected tunnel
>>  method.  The document also describes the intended applicability of
>>  PT-EAP.
>> 
>> 
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> 
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>> 
>> The IETF datatracker page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-nea-pt-eap/
>> 
>> _______________________________________________
>> Nea mailing list
>> Nea@ietf.org
>> https://www.ietf.org/mailman/listinfo/nea
> 
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
