[Emu] TEAP - RFC 7170 - Errata
Oleg Pekar <oleg.pekar.2017@gmail.com> Sun, 03 May 2020 17:01 UTC
Return-Path: <oleg.pekar.2017@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D7F03A103C for <emu@ietfa.amsl.com>; Sun, 3 May 2020 10:01:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eC38z6FipTAn for <emu@ietfa.amsl.com>; Sun, 3 May 2020 10:01:43 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91E593A1046 for <emu@ietf.org>; Sun, 3 May 2020 10:01:43 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id t199so4562976oif.7 for <emu@ietf.org>; Sun, 03 May 2020 10:01:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=9/6XqTkeORe0/MfxHBic8CW2VUJ4je7Xht0YnKWItiE=; b=bvoPWeNPMuekxs1BdSHm1EKuYBwUJPWthQnMTYAbtGJH7lsAtsOwzsZbD+xdw29k2e fcOsIK/6bd7tnTwSpKVM3Z3jzrSNeKo4PjN0ENRUksFXdXX7AuhXfQl5wSVONsKsLJgi jsqFyXTvZ5+I9iXKDD4tmQnfVOE/70YULLmZ5/h901QT8apIAHcSJ86EiWwCL0scXJDK KeJM1g3+FrpaKML96TRu5JZ3myWkN5cPfNAgyRliH+1Px/dqYAo9WAvlya7VPBxvJp0i tX1PIHbjXwMpwaGGDS/vJiRVCcjKRhup42Ao4yP0QncHeSYulUKuwxBNPyVdQud4U8Ne +pfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=9/6XqTkeORe0/MfxHBic8CW2VUJ4je7Xht0YnKWItiE=; b=EvK/2rgxMcoRZPoU5lXYIn7oL1mCMk9IG6ZBpKoBBLyGCPnQSACYnyfKrMxW6aROqX bNQMETj6GmFD5gRV7QRT+9ZlwzfDaC/qI+q69iCIF15OWSjfdY6mADZcpykdBES+T0we xxAhteguc6N9OAz+yNOfBg0o+BYpXzp5+2iKmduc97ukfzvTHmEzNip99etkgmNdKznd ++eug9lQaxFiXVvaOIkKIbaVrMFzi5doRjvnqNqHfrV9k6gILLo/XXqHmC2pWw4Gpx78 B2dFqJ/HDj7tMczCpfdgE5RdshSZr7+CxjGOAKOXjG2CBAZt0NEJL8QkeUH7HOkvyvds tSSg==
X-Gm-Message-State: AGi0PuZUJ4V2vr2dEZCJ5SpksHnoBb5B66ZgYTbTuIUwMfD9h77BUVYy A+CIeA3Us4/FF3InaY9Ioa9jddI2yJVVrU6QUUYV4LGT
X-Google-Smtp-Source: APiQypJ6usvKRBUnQcP6AEkVjvM+XWSuR9QRDcHp55bDroIaugnhjDMvLutyvglHcOV+Z+hlc4mtsTuyE6FwuChKBts=
X-Received: by 2002:a54:4085:: with SMTP id i5mr6653993oii.107.1588525302540; Sun, 03 May 2020 10:01:42 -0700 (PDT)
MIME-Version: 1.0
From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Sun, 03 May 2020 20:01:31 +0300
Message-ID: <CABXxEz8Q8MynrA1migU04LwXp0Zm7YdgPbj+qSO7pTEXE_onbQ@mail.gmail.com>
To: Jouni Malinen <j@w1.fi>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005feda905a4c15e17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/N_o_2rwYf2MddM4nYdqGAubYGPw>
Subject: [Emu] TEAP - RFC 7170 - Errata
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2020 17:01:45 -0000
Hi Jouni, You filed Errata ID: 5767, 5844, 5845 regarding sending of Intermediate-Result TLV. Can we clarify a general scheme of sending Intermediate-Result TLV and Crypto-Binding TLV in all cases? It is not exactly clear what is "EAP authentication method" and what is its different from "EAP method" (you referred to appendix C.3 as an example of "EAP Method" but it is not clear why it is not an "EAP authentication method" - could you please clarify). Here's the list of cases with the current RFC instructions (please add if something is missing): 1. A single inner EAP method is executed inside the tunnel. *** RFC says *** Section 4.2.11 "An Intermediate-Result TLV indicating success MUST be accompanied by a Crypto-Binding TLV". Section 3.3 "Phase 2 MUST always end with a Crypto-Binding TLV exchange" 2. Multiple inner EAP methods are executed inside the tunnel. *** RFC says *** Send Intermediate-Result TLV if more than one method is going to be executed in the tunnel. Send Crypto-Binding TLV if Intermediate-Result TLV indicates success. Section 3.3.1 "If more than one method is going to be executed in the tunnel, then upon method completion, the server MUST send an Intermediate-Result TLV indicating the result" - wrong Section 3.3.3 "The Crypto-Binding TLV and Intermediate-Result TLV MUST be included to perform cryptographic binding after each successful EAP method in a sequence of one or more EAP methods" - correct 3. Basic Password Authentication (using Basic-Password-Auth-Req/Response) is executed inside the tunnel *** RFC says *** Send Intermediate-Result TLV. Section 3.3.2 "Upon receiving the response, the server indicates the success or failure of the exchange using an Intermediate-Result TLV" - thus Crypto-Binding TLV MUST be also sent as quoted in #1. 4. No inner EAP method is executed inside the tunnel. *** RFC says *** Section 3.3.3 "A successful TEAP Phase 2 conversation MUST always end in a successful Crypto-Binding TLV and Result TLV exchange. A TEAP server may initiate the Crypto-Binding TLV and Result TLV exchange without initiating any EAP conversation in TEAP Phase 2" Section 4.2.13 "The Crypto-Binding TLV MUST be exchanged and verified before the final Result TLV exchange, regardless of whether there is an inner EAP method authentication or not" ****** Jouni, you provided multiple suggestions for fixing this. Incorporating you suggestions, the bottomline could be: * Send Intermediate-Result TLV after each inner EAP method but not after Basic Password Authentication TLV exchange * Send Crypto-Binding TLV based on inner method MSK/EMSK after each inner EAP method that exports MSK/EMSK and send Crypto-Binding TLV based on Zero-MSK in case of no inner method was executed And then it should be declared explicitly and all the places where these TLV are mentioned can be fixed accordingly. Please share your opinion. ~ Oleg
- [Emu] TEAP - RFC 7170 - Errata Oleg Pekar
- Re: [Emu] TEAP - RFC 7170 - Errata Jorge Vergara
- Re: [Emu] TEAP - RFC 7170 - Errata Oleg Pekar