Re: [Emu] Working Group Last Call for draft-ietf-emu-tls-eap-types

Alan DeKok <aland@deployingradius.com> Mon, 04 July 2022 19:28 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CFC1C157903 for <emu@ietfa.amsl.com>; Mon, 4 Jul 2022 12:28:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wa_q8P4FbTKS for <emu@ietfa.amsl.com>; Mon, 4 Jul 2022 12:28:24 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2034DC14F735 for <emu@ietf.org>; Mon, 4 Jul 2022 12:28:22 -0700 (PDT)
Received: from smtpclient.apple (unknown [75.98.136.130]) by mail.networkradius.com (Postfix) with ESMTPSA id 6C46AA01; Mon, 4 Jul 2022 19:28:18 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <751ee6f5-f06a-9709-4122-2f11304b97f6@iki.fi>
Date: Mon, 04 Jul 2022 15:28:17 -0400
Cc: Joseph Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <30AA13C2-D030-4D2D-B17C-654DFBEFACD2@deployingradius.com>
References: <5585_1654705009_62A0CB71_5585_2706_1_CAOgPGoCmE-dQ_frOp=vV0Oc=u_=k+QZ3W9JOo_NOwFijiQppqg@mail.gmail.com> <751ee6f5-f06a-9709-4122-2f11304b97f6@iki.fi>
To: Mohit Sethi <mohit@iki.fi>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/MAtk0cG1iHBpDUR9vk92YVJG7_Q>
Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-tls-eap-types
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jul 2022 19:28:28 -0000

On Jul 4, 2022, at 2:56 PM, Mohit Sethi <mohit@iki.fi> wrote:
> 
> Some late last call comments:
> 
> 1. For PEAP and TTLS, it is no longer possible to use client certificates without phase 2 authentication. Does the same restriction apply to TEAP. I think it would make sense to add an explanation on why this was done? 

  I think it should be done for TEAP, too.  The text could mirror TEAP:

The practice of using client certificates with no "inner tunnel" method is forbidden when TEAP
is used with TLS 1.3.  If there is a requirement to use client
certificates with no inner tunnel methods, then EAP-TLS should be used
instead of TEAP.

> How about using server certificate in phase 1 and client certificate in phase 2 (with no further inner methods)? TEAP supports such behavior for TLS 1.2 to hide client identity?

  My inclination is to forbid that for TLS 1.3.  However, TEAP can do multiple inner method authentication (host + user), unlike TTLS and PEAP.  Which means that it is possible to do TEAP with inner EAP-TLS, and then also inner "other method".

  Perhaps the document could just say it's NOT RECOMMENDED to do TEAP with only inner EAP-TLS.

> Would it not be better to simply mandate at least one NewSessionTicket message?

  I can see situations where resumption isn't used.

> I can think of a TTLS deployment where some peers only authenticate with client certificates while other peers authenticate with client certificates and one-time passwords in phases 2. Depending on the type of authentication, peers are put in different VLANs.

  I'm not sure how that affects NewSessionTicket?

  One-time passwords in phase 2 are a significant issue with EAP methods.   Where people have tried to deploy them, there are many issues.  They just don't work in practice for a host of reasons.

  The simplest one is that the supplicant caches the inner identity, and re-uses it when the WiFi signal is lost / re-gained.  While a NewSessionTicket will help here, it won't always help.  There are situations where the end user will be prompted again (sometimes repeatedly!) in a short period of time.

  I would suggest that one-time passwords in phase 2 are NOT RECOMMENDED, unless the passwords can be automatically entered without human intervention.

> 2. I don't think this makes sense:
> 
> 
>> Implementations SHOULD NOT use inner identities which contain an NAI
>>    realm. 
>> 
> 
> 
>>  if the inner identity does contain an NAI realm, the inner
>>    realm SHOULD be either an exact copy of the outer realm, or be a
>>    subdomain of the outer realm.
>> 
> 
> Eliot would agree that there are all kinds of IoT uses cases where the outer NAI has a realm of the device manufacturer while the inner NAI has a realm of the enterprise where the device is installed (or vice-versa). 

  I think that's best described as "surprising" from an EAP standpoint.  The outer NAI is overwhelmingly used to determine routing, as with Eduroam.  Having different outer / inner NAIs means that the routing is broken:

* packets get sent to "example.com"
* the example.com server sees authentication requests for "example.net", and says "that's not me, why did you send these packets to me?"

  For the IoT case, we would never route the authentication packets to the device manufacturer.  So it's not clear to me why the outer NAI has to contain that value.


  If this is a necessary use-case, I would suggest requiring that these authentications MUST be handled locally, with no routing.

  This issue is why I was proposing to define the outer NAI realm of "@eap.arpa".  Those packets are clearly labelled as "site local", and are not forwarded.

> I also don't understand why this is bad:
> 
> 
>> For example, if a user
>>    has an inner identity of 
>> "user@example.com"
>> , then it generally makes
>>    no sense to have an outer identity of "@example.org".  
>> 
> Most university guidelines for eduroam recommend exactly what you are trying to prevent. For example: https://www.aalto.fi/en/services/installation-instructions-for-eduroam says:

  I haven't seen this recommendation in most universities.  My discussions with the eduroam people make me believe that such configurations are in fact discouraged by the wider Eduroam recommendations.

>> Review your settings in the Wi-Fi Settings window:
>> Wireless security: WPA & WPA2 Enterprise
>> Authentication: Protected EAP (PEAP)
>> Anonymous identity: anonymous@aalto.fi
>> CA certificate: ca-certificates.crt
>> PEAP version: Automatic
>> Inner authentication: MSCHAPv2
>> Username: firstname.lastname@aalto.fi
>> Password: <your Aalto password>

  Which is using the same realm for both outer / inner identities.  So I don't understand why there's an issue.

  Incidentally the recommendation violates the RFCV 7542 recommendation to just use @aalto.fi as the outer NAI.   i.e. an outer *user* portion of the NAI is not needed.  But both *realms* are identical for inner and outer NAIs.

> @Joe: I am not confident that this section has had sufficient review. I am generally not comfortable with the text. This draft was anyways about TLS 1.3 for TEAP/PEAP/TTLS etc. I think this is going way beyond what the draft originally was trying to solve.

  This section describes wide-spread practice in the community for about a decade.

  While the updated text is not specific to TLS 1.3 and TTLS / PEAP / FAST / TEAP, it does give guidelines to users of TTLS / etc. for TLS 1.3.  WhichI think is critical for success in real-world use-cases.

> 3. Section 2.4 says:
> 
>>  the response from the EAP peer MUST be either
>>    EAP-Success or EAP-Failure.
>> 
> I though the Success and Failure messages are sent by the EAP server?

  That was a typo, already addressed in a previous comment.

> 4. Section 4 says:
> 
> 
>> If either peer or server instead
>>    initiates an inner tunnel method
>> 
> I thought you have mandated the use of an inner tunnel method? So why the 'if'?

  Resumption doesn't use an inner tunnel method.  So the "if" is necessary.

  Alan DeKok.