Re: [Emu] Éric Vyncke's No Objection on draft-ietf-emu-eap-noob-04: (with COMMENT)

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 16 July 2021 09:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/R2NN1WM7klTSkCijd_BzeMw6E-k>

Hi Éric,

Thanks for the review. Answers below.

--Mohit

On 4/20/21 4:29 PM, Éric Vyncke via Datatracker wrote:
> Éric Vyncke has entered the following ballot position for
> draft-ietf-emu-eap-noob-04: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-emu-eap-noob/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for the work put into this document. I really like the ideas behind
> this OOB authentication.
>
> Please find below some non-blocking COMMENT points (**but replies would be
> appreciated esp around CBOR**), and some nits.
>
> Special thanks to Dave Thaler for his early IoT directorate review (and the
> CBOR discussion with Carsten):
> https://datatracker.ietf.org/doc/review-ietf-emu-eap-noob-01-iotdir-early-thaler-2020-06-12/
> https://mailarchive.ietf.org/arch/msg/iot-directorate/PNi6nxtR7_1T2rxu7O49HRx5Kdg/
>
> I hope that this helps to improve the document,
>
> Regards,
>
> -éric
>
> PS: when the ballot for this document was created, I failed to spot the DNS &
> IoT aspects of it, hence, the absence of INT and IoT directorates telechat
> reviews.
>
> == COMMENTS ==
>
> Like Carsten, I am really puzzled by the lack of consideration of CBOR to
> replace JSON especially for a protocol aimed at constrained devices. Was this
> discussed at the WG level ? I was unable to read any discussion on the mail
> list except about the IoT directorate thread.
>
> This non-obvious choice of encoding ***should really be discussed*** in the
> document.

The working group had extensive discussion on the issue of CBOR vs JSON 
encoding. See, for example, slide 8 from IETF 108 
(https://datatracker.ietf.org/meeting/108/materials/slides-108-emu-eap-noob-00). 
At the end, there was consensus for using JSON (with the possibility of 
adding CBOR later). There were many reasons for this decision by the 
working group. First, there were several implementations and early 
deployments of EAP-NOOB already using JSON. Second, there is support for 
JSON encoding/decoding in wpa_supplicant. wpa_supplicant is the most 
popular EAP peer implementation. It does not have support for CBOR 
encoding/decoding. Third, devices using EAP are either class 1 or 2, as 
defined in RFC7228. So while the benefits of CBOR would have been nice, 
they can live with JSON.

> -- Section 2 --
> Please apply the current BCP 14 template and not the old RFC 2119 one.
We have updated the text.
> -- Section 3.1 --
> "timeout needs to be several minutes rather than seconds" can this lead to a
> DoS against the server, which potentially needs to keep states for minutes ?
We have added a new sub-section on "Denial of Service" in the security 
considerations section: 
https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-noob-05#section-7.8 

> -- Section 3.2.1 --
> I am not a EAP expert, so bear with my possibly naive question, "based on the
> realm part of the NAI", isn't it always "eap-noob.arpa" in this case ?
That's a good question. You are right that in the default case, it will 
always be eap-noob.arpa. However, EAP-NOOB allows the server to assign a 
new NAI: "the server MAY assign a new NAI to the peer in the Initial 
Exchange or Reconnect Exchange, in the NewNAI field of request types 2 
and 7, to override any previous NAI value.". So it can be different if 
the server assigns something other than eap-noob.arpa.
> -- Section 3.2.2 --
> What happens if the peer does not support any of the server's ciphersuite? Esp
> in the world of IoT where peers are old and cannot always be updated. Should
> there be a forward pointer to section 3.6.4 ?
We have tried to make the text readable by collecting error handling 
into one section (3.6), rather than constantly interrupting the flow of 
the text by mentioning possible error conditions. We hope that the list 
in section 3.6 gives the implementers a more complete picture of error 
handling than if some, but not all, errors were explained in the 
sections where they may occur.
> -- Section 3.2.3 --
> Suggest to give a hint to the reader for "Hoob": is this Hash of OoB ? Same
> comment for "Noob".
We expect those familiar with cryptographic protocol notations to 
interpret the H in Hoob as the common symbol for hash and oob as its 
subscript. In Latex, this would be $H_{\text{oob}}$. Similarly, Noob 
consists of the commonly-used symbol N for a nonce and the oob 
subscript: $N_{\text{oob}}$. While we understand your question, 
explaining such origins of the notation in the draft would be confusing. 
Instead, we have tried to make the definition "the secret nonce Noob, 
and the cryptographic fingerprint Hoob" in section 3.2.3 understandable 
to every reader.
> == NITS ==
>
> Global nit: I prefer the use of 'octet' rather than 'byte'.
>
> -- Section 1 --
> Please avoid the use of 'we' as in 'We thus do not support'.
Unless these stylistic issues are a complete show-stopper, we would like 
to avoid such global changes to the document at this stage.