Re: [Emu] Adoption call for eap.arpa

Alan DeKok <aland@deployingradius.com> Wed, 13 March 2024 14:05 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <1233533.1710337878@dyas>
Date: Wed, 13 Mar 2024 10:05:13 -0400
Cc: Alexander Clouter <alex+ietf@coremem.com>, EMU WG <emu@ietf.org>
Message-Id: <AC085A71-D4A1-499B-92C8-86291D5DBEE6@deployingradius.com>
References: <F1FD786F-D0B1-494B-B384-95BBB4B7790B@akayla.com> <ccaa089f2ee34a5e83fe270d2d6adee0@huawei.com> <2a07a31a-b9ff-4640-a348-cd36b270e63a@app.fastmail.com> <7cbce6da-bc18-4c5b-a812-9de4f94bebb9@dfn.de> <11f28e4b-1f21-4cf1-950e-43fdc620447f@app.fastmail.com> <1233533.1710337878@dyas>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/OHnI3ZiIUINt2pgKMR5_k9rSQpA>

On Mar 13, 2024, at 9:51 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>> I don't think it's that straight forward.  For Enterprise-WiFi we
>>> still need cryptographic keys for the WiFi 4-way handshake, so
>>> establishing a TLS-Tunnel is needed to derive the WPA keys.

  We also need it for MACsec on wired connections.

  Perhaps the document should be updated to say it SHOULD run a method which derives MSK and EMSK, and MUST NOT simply return an EAP Success.

> Doing this is significantly better than either unencrypted wifi (w/portal),
> or encrypted WPA-PSK wifi.
> 
> So yes, we always want to run EAP-TLS to generate keys.
> This document is related to
> https://datatracker.ietf.org/doc/draft-richardson-emu-eap-onboarding/, (which
> I'll repost on Saturday), but modularizes the work into smaller pieces.

  EAP-TLS has had peer unauthenticated mode since 2008 (RFC 5216 Section 2.1.1).  But there's been no way to actually use it.

  Hopefully this set of documents will address that issue.

  Alan DeKok.
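The point made in this message, that the onboarding method has to produce an MSK/EMSK rather than a bare EAP Success, can be shown with the key derivation EAP-TLS actually performs. The following is an added example, not code from the thread, the eap.arpa draft or the eap-onboarding draft. It implements the EAP-TLS 1.3 derivation of RFC 9190 Section 2.3 (which the message does not cite) on top of the TLS 1.3 exporter of RFC 8446 Section 7.5, and then takes the IEEE 802.11 PMK as the first 256 bits of the MSK, which is what the WiFi 4-way handshake needs. The exporter master secret is a constructed placeholder; in a real peer or server it comes out of the TLS 1.3 key schedule. SHA-256 is assumed for the cipher suite hash; the EAP-TLS type code 0x0D is from RFC 5216.

```python
"""EAP-TLS 1.3 MSK/EMSK derivation (RFC 9190 Section 2.3) over the TLS 1.3
exporter (RFC 8446 Section 7.5). Added example; the exporter master secret
used below is constructed, not taken from a real TLS session."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256            # assumed cipher-suite hash (SHA-384 suites differ only here)
HASH_LEN = HASH().digest_size
EAP_TLS_TYPE_CODE = bytes([0x0D])  # EAP method type for EAP-TLS (RFC 5216)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869 Section 2.3: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 Section 7.1.
    HkdfLabel = uint16 length || opaque label<7..255> ("tls13 " + label) || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) with Transcript-Hash(Messages) = Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def tls_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter(label, context_value, key_length) as defined in RFC 8446 Section 7.5."""
    derived = derive_secret(exporter_master_secret, label, b"")
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


def eap_tls_keys(exporter_master_secret: bytes, type_code: bytes = EAP_TLS_TYPE_CODE) -> dict:
    """MSK, EMSK and Session-Id for EAP-TLS 1.3 (RFC 9190 Section 2.3).
    Key_Material is 128 octets: MSK is the first 64, EMSK the next 64."""
    key_material = tls_exporter(exporter_master_secret,
                                b"EXPORTER_EAP_TLS_Key_Material", type_code, 128)
    method_id = tls_exporter(exporter_master_secret,
                             b"EXPORTER_EAP_TLS_Method-Id", type_code, 64)
    return {
        "MSK": key_material[:64],
        "EMSK": key_material[64:],
        "Session-Id": type_code + method_id,
    }


def pmk_from_eap_result(msk):
    """IEEE 802.11 takes the PMK as the first 256 bits of the MSK.
    A bare EAP Success delivers no MSK, so there is no PMK and the 4-way
    handshake cannot run: that is the failure mode the message warns about."""
    if msk is None:
        raise ValueError("EAP Success without key derivation: no PMK for the 4-way handshake")
    if len(msk) < 64:
        raise ValueError("MSK must be at least 64 octets (RFC 3748 Section 7.10)")
    return msk[:32]


if __name__ == "__main__":
    # Constructed exporter master secret; a real one comes from the TLS 1.3 key schedule.
    demo_secret = bytes(range(32))
    keys = eap_tls_keys(demo_secret)
    print("MSK       ", keys["MSK"].hex())
    print("EMSK      ", keys["EMSK"].hex())
    print("Session-Id", keys["Session-Id"].hex())
    print("PMK       ", pmk_from_eap_result(keys["MSK"]).hex())
```

Both ends of the TLS tunnel hold the same exporter master secret, so peer and server arrive at identical MSK/EMSK without any further exchange; a method that skips the TLS handshake and just returns EAP Success has nothing to feed into this function, and hence nothing to hand to the authenticator for WPA or MACsec.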