IETF Logo Mail Archive

Re: [Emu] EAP and Fragmentation

Mohit Sethi M <mohit.m.sethi@ericsson.com> Thu, 14 February 2019 13:38 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A25813106D for <emu@ietfa.amsl.com>; Thu, 14 Feb 2019 05:38:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=L6cFH4eD; dkim=pass (1024-bit key) header.d=ericsson.com header.b=Ab3cprbj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pRI3LnqeivVI for <emu@ietfa.amsl.com>; Thu, 14 Feb 2019 05:38:29 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 271D112D84D for <emu@ietf.org>; Thu, 14 Feb 2019 05:38:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1550151507; x=1552743507; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=6euhWJfR7q0W5vHwKgX7s3xRmJEK04ulxQw3XnZIGHU=; b=L6cFH4eDzVKuEXnpnFdd3wAMqohq1URTYJhJLz9tuyzZg01+CzTUWlo+Rzy4W0eG KV4l111q1399xJBfXXHaRYZyz++aSirOQl4dHlCTogw/E+yA4bXgcZpeAbf1k7IC byU4ISReaMRsukaqr/mB69Hq973EaUC/76/hEwcAia4=;
X-AuditID: c1b4fb25-da1ff70000005ff7-99-5c656f53f4e1
Received: from ESESBMB501.ericsson.se (Unknown_Domain [153.88.183.114]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id 6F.22.24567.35F656C5; Thu, 14 Feb 2019 14:38:27 +0100 (CET)
Received: from ESESBMR505.ericsson.se (153.88.183.201) by ESESBMB501.ericsson.se (153.88.183.168) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Thu, 14 Feb 2019 14:38:26 +0100
Received: from ESESBMB502.ericsson.se (153.88.183.169) by ESESBMR505.ericsson.se (153.88.183.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Thu, 14 Feb 2019 14:38:26 +0100
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB502.ericsson.se (153.88.183.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Thu, 14 Feb 2019 14:38:26 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6euhWJfR7q0W5vHwKgX7s3xRmJEK04ulxQw3XnZIGHU=; b=Ab3cprbj21A/LHFzYL3E7gLQd97C6K3XHjkS1evTNCPz+Kd/3FG4zmRMYi2/kFNZOzjJlQiRs3ZtI4exSt+Pu7SLaQ/QLeeBpp7pYSOTJR4LCu11+r599Wy+XkAafQdyj6bzom6oHSPs+N1PTDQ+tArXHv5TsegbUpOv5Z2XLws=
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com (10.168.98.146) by HE1PR0701MB2188.eurprd07.prod.outlook.com (10.168.29.134) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.7; Thu, 14 Feb 2019 13:38:25 +0000
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::1cbb:43e1:d406:1a0a]) by HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::1cbb:43e1:d406:1a0a%6]) with mapi id 15.20.1643.004; Thu, 14 Feb 2019 13:38:25 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: slon v sobstvennom palto <slonvpalto@gmail.com>
CC: "Dr. Pala" <director@openca.org>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] EAP and Fragmentation
Thread-Index: AQHUxFwPnkPBm43f0kqflrUiCzSSKKXfSVAAgAADEgA=
Date: Thu, 14 Feb 2019 13:38:25 +0000
Message-ID: <38861eaf-4134-5225-fd41-c80b7eaa875e@ericsson.com>
References: <f7548f45-e9ed-3c96-fd55-d87006c5ce70@openca.org> <b5a2a434-b631-6edc-840d-0b3b9b78f27e@ericsson.com> <CABe6AHgnOJUoNuLsD6oJUZMg4q2c3aa+PpM=6s24xE4gugtt9w@mail.gmail.com>
In-Reply-To: <CABe6AHgnOJUoNuLsD6oJUZMg4q2c3aa+PpM=6s24xE4gugtt9w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
x-originating-ip: [89.166.49.243]
x-clientproxiedby: HE1PR05CA0282.eurprd05.prod.outlook.com (2603:10a6:3:fc::34) To HE1PR0701MB2905.eurprd07.prod.outlook.com (2603:10a6:3:57::18)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mohit.m.sethi@ericsson.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 844b8012-8ad6-439d-99f0-08d69281b1a5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7153060)(7193020); SRVR:HE1PR0701MB2188;
x-ms-traffictypediagnostic: HE1PR0701MB2188:
x-ms-exchange-purlcount: 1
x-microsoft-exchange-diagnostics: 1;HE1PR0701MB2188;23:vYpoiHu1MOKh8Vwz6aO1+D3AtKSU27vWwRLYJTsbVFZgEQdvvkAFglFBKRXtS9vki+frATNuSSgICIunqIUU1e6uLk1AhltXmDIjCX4Mpdslv8BDzbAOzCgat0rDuVq02s2r45SFcjNz16kMBjn5wU/5H2UTpxccvHgCjVKrf9FHRopYaHKiNR0iOknXNCw790tCnqA9FZ7Aldiq94qjZV3sAxAexrxOKPs+vApuQzwhwIPlBXnU++lt1caogfFo40TuEfPPnjyRzfIEXxgx6oUN5NPMZet53PaWr9LSUDYv6U0KZikCjA337b4FpYohBAyVT+Qo/KzOL9ImflWze5DJOrhJSn2cF6/+nFTI3SBtb4eJ6RofLa0AmjjuoN2ORePtPprOsC4F+YoAhnc7FMfHt8Q2VrLaXT4OKPagZOr0DfgjlbrtoRf1hghvzIx6ZzQkzlm00/8GbVNG233RHtc1OYKMr+am756kK9pEBxY4/zwKh3B4SjdDBrj3D1w0QVTyTCIbY5CvuHWcCICHz062x+EViC+MImosqIrwu3fINAJklJ9GsQhFumSK4blmrhpkh4bXbb1OA6l9TAW/DuNXVyU3ttZ/j88cug8cvJZwxcyA2TiTnbYz9I4NM/xoOQiMywQbHet3qLKqSlv/sMS79VswE5zyIEc4wt1Y5wDkHNs0dNyMPNPPsh6A3sI78KgQDtyw+2O1uEsEzTZ/SRjVykvk7PBIqWK1XXnmXr3kRxC5f8/LCfT7ovG3StEMZLWV9NlSCbyEO3HxLrgRlzvEmx5meznvL7XOTyD4lP2cVZBimyTuNgJpqD+3lk191j5xFpwZeYV3MzFrD5dtOWUDzNlm5bNySG0UoEAjFUtVpyzdG3LIUeCbxoq9l55bySuSJaL4bW+xxwLVHmPNddCw59JxlyIL3kfOCBBEmC5ug0g03olw7nrv1ey9W8WXLj4O9xNEBUNA0CkC0A0MwWiMUoPIp/Lovt7Z+NyS9tlfIuI3UsDwVC6b1rD0gfPCtdJt5nmyCK5Z5K4+fpfYT+DDbRZl3lDjz2+yuBtjrWO4gz5x6BdEnt1goLeylGRbbHNJmIfxedoICDW6RVmT8qe778VI/cUiWxeZIfVLCXl/oCyKUravX0v0dKuSIRAp5E6cYya1cHuV0igfvWZryuOUXXGTovsjKnS3RlgXFV2Mel4ZervJ9q6BlvUZuDBe+ugp3xKmr0X0j3y6pG4cpJLRRyO9D6WRoxfeyjcE6e0YPF6JT2R+vg6Cg7UaY5G7zM7DYUOfi3bnGBHf3ATLDBCZgdajnJX8rdkwC4+JlQ64f9MqBAzIaHjuEDnOKxdyo59KtJfbqmADDT6ru0r3+sIKJoIY2S88QWCFdqulCDOf4/KfV2UyQxu3t4TDnryKUWkrbAeol0VUbSx1hmdg/ZG5rUYLR+ve+VnwJLMUyAvE3XjClcq0LAFQrkHBFpb22vBUHKwyOII8QKk++4BOoHMb7XD6RCFpmeJcoYSCJaMOna/61wXdTzNHFdWhc+MgaxiANbvnDJ0P4iwxfATDa0ChJIHHY2U99dfEZfL3iAY=
x-microsoft-antispam-prvs: <HE1PR0701MB2188743CCE06EDA70B5E197CD0670@HE1PR0701MB2188.eurprd07.prod.outlook.com>
x-forefront-prvs: 09480768F8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(376002)(396003)(366004)(136003)(346002)(53754006)(199004)(189003)(6246003)(64126003)(54906003)(316002)(58126008)(256004)(36756003)(25786009)(5070765005)(4326008)(14444005)(2906002)(1411001)(31686004)(31696002)(86362001)(6916009)(26005)(106356001)(105586002)(186003)(476003)(2616005)(11346002)(446003)(65826007)(486006)(347775010)(966005)(561944003)(14454004)(68736007)(478600001)(3846002)(6116002)(97736004)(606006)(6486002)(7736002)(76176011)(99286004)(71190400001)(71200400001)(6506007)(53546011)(6436002)(8936002)(386003)(8676002)(733005)(81166006)(81156014)(66066001)(6306002)(52116002)(53936002)(6512007)(54896002)(102836004)(236005)(65806001)(65956001)(229853002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2188; H:HE1PR0701MB2905.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: IquTv0AIWnCRs2oc5y3G6pOvEfzwhJPJnv0WKY5wr8QfemEwypIUinYwQObc+yXuIEuSsbmx/t8eB0WcMrP/gLj13tEkAUw7bBaN1rVi8i7cHXme8DsW/HJqJp5MMP9hul3oiKBDihFGxMCcJ5i2bProx/HlLcmK+ySnHYipRxCLhbZK2oR3nuReCsz1eNQA62yNpfC/qZx+Sps5LTLaoyghESbz2x3hi0Q9FcTqlqbOutRrKlLXpBGVkcO/Oyu91zr/pncxY0EMZTnozs3M4h9Yy4OtLtSKDi1GOvvsQ6WOfQvgjRuTsBUuGG/SY1qyHmQgdLvUU8VHm+eLlsg225K64WF3vv3+GuigID0UELD4Jv81OZNt3/rhKmGLAYrPO2okxFmt23qt5D0aLv623pOy4IN3e3wDaf5uvno5Waw=
Content-Type: multipart/alternative; boundary="_000_38861eaf41345225fd41c80b7eaa875eericssoncom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 844b8012-8ad6-439d-99f0-08d69281b1a5
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2019 13:38:24.5528 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2188
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrAKsWRmVeSWpSXmKPExsUyM2J7kW5wfmqMwY7jvBb7N/hYHFu/lsXi 2Z6D7A7MHjtn3WX3WLLkJ5PH9In3WQKYo7hsUlJzMstSi/TtErgyPnw7xlawZyNjxaEpNQ2M 99cwdjFyckgImEjsmbiHvYuRi0NI4AijxMtJXcwQzjdGiQOrN7HAOQ9OnmeCcJYwSXx70soI 4rAITGCWaL5wnhlkmJDANCaJtjOuEFXPGCV2r3/JBJJgEzCQmDxlBdAWDg4RAWOJS7f8QcLM AtYSN+4vBjtEWEBDYu60o2wgtoiApsTZI1uZIWwriavvP7GC2CwCqhLfpxwFs3kF7CUWXHjI CrFrF9CueXPAGjgFAiUu7p8ItpdRQEzi+6k1TBDLxCVuPZnPBPG1gMSSPRBHSwiISrx8/A9s qKhAhMS6b4egIaMocfbdQ7CXJQSmMkq0985hgxgaK/Hhfz/UIB2Js9efQDXISlya3w1l+0q8 mD+dDaL5NqPErlM/2WAabr94xgJhS0mcuHiUdQKj4SwkB0LYyRJNqy8wzgL7VFDi5MwnLLOA gccMDJn1u/QhShQlpnQ/ZIewNSRa58yFsj0kTjcdZUNWs4CRYxWjaHFqcVJuupGxXmpRZnJx cX6eXl5qySZGYLo6uOW36g7Gy28cDzEKcDAq8fC+TkmNEWJNLCuuzD3EKMHBrCTC+yUJKMSb klhZlVqUH19UmpNafIhRmoNFSZz3j5BgjJBAemJJanZqakFqEUyWiYNTqoHRM1tm1eZaI7W4 zfO49Z5b/5UpsDIr3al1wedlQ6+orE+8q9IC56ueWVzqCW+f3fC9G9zw2nDJ0yXbvhtIbRT4 1Pu5hTc80DTi3ap7SzXXcy6benGSSmXWlkWFq7tmXBaOsw5cZ/T2lVhc1P6S262HVNZ4Rd0J ujTlB1fKzIvSj99E59Xs1lBWYinOSDTUYi4qTgQAcM5svVMDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/U_9IdpN2ESUwoenKYZfyt-ZsOWs>
Subject: Re: [Emu] EAP and Fragmentation
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 13:38:33 -0000

Hi Oleg,

You are warmly welcome.

Not all methods use a TLS outer tunnel. For example: EAP-pwd has the following text:

EAP-pwd fragmentation support is provided through the addition of
   flags within the EAP-Response and EAP-Request packets, as well as a
   Total-Length field of two octets.  Flags include the Length included
   (L) and More fragments (M) bits.  The L flag is set to indicate the
   presence of the two-octet Total-Length field, and MUST be set for the
   first fragment of a fragmented EAP-pwd message or set of messages.
   The M flag is set on all but the last fragment.  The Total-Length
   field is two octets, and provides the total length of the EAP-pwd
   message or set of messages that is being fragmented; this simplifies
   buffer allocation.

As I said, having a method independent mechanism that could be re-used safely would make sense.

And thanks for pointing out L bit ambiguity in EAP-TLS. We should indeed fix this.

--Mohit

On 2/14/19 3:27 PM, slon v sobstvennom palto wrote:
Hi all,
These are my first steps in this group so please correct me if I don't follow the rules.

Per my experience the existing fragmentation method described in EAP-TLS RFC 5216 serves good for all fragmentation needs. The method is reused by PEAP, EAP-FAST, TEAP and EAP-TTLS. There's an ambiguity in EAP-TLS RFC that doesn't specify whether a not-fragmented message should have the L bit and the 4 octets length field so different peers treat it differently. However, for example, EAP-TTLS RFC closed it tightly saying that even a single-fragment message should have it nevertheless on its redundancy.

~Oleg

On Thu, Feb 14, 2019 at 1:54 PM Mohit Sethi M <mohit.m.sethi@ericsson.com<mailto:mohit.m.sethi@ericsson.com>> wrote:

Dear Dr. Pala,

On 2/12/19 7:36 PM, Dr. Pala wrote:

Hi all,

I am working on a draft for credentials management via EAP. When looking at the different specifications, it seems a bit weird that EAP does not provide Fragmentation control and requires each method to define their own way.

This, led me to my first question: is there a de-facto "standard" way to add Fragmentation support we can just use (without having to re-invent the wheel all the time) ? If we had such a mechanism, then we could just say "implement the mechanism as defined in ... ". This would definitely help developers that could safely re-use code/libraries. The other approach would be to modify EAP to add Fragmentation support there. The main reason to have a standard behavior is to have also better management for ack and nak packets. As far as the solution goes, the main ones I looked at are the ones mentioned in EAP-TTLS and EAP-TEAP. They are both practically the same, active ACK-based - are there other methods that have been implemented ? Has anybody ever looked at how fragmentation is handled in practice and if there are better solutions than others ?

No hat: I think having a standard mechanism for supporting large messages and fragmentation independently of any particular EAP method would definitely be something useful. As you said, it would allow developers to safely re-use code. If you have a draft proposal, I would be happy to review it. Perhaps we could start by looking at existing mechanisms used by EAP-Pwd/EAP-TTLS.

--Mohit

Further thinking let me to my second question: the method we are going to propose requires some form of authentication for the server, therefore I can see its use mainly as a tunneled method where the communication with the server is assumed to be already secure. If we go down the route of requiring the use of an outer method that provides authenticity and, optionally, confidentiality we would also not need to provide support for Fragmentation control, since the records would be encapsulated within the outer-method messages that already provide fragmentation support. Would this be acceptable ? Or should the method not have such assumptions and provide support for explicit fragmentation control ? What would be the preferred path here ? I personally would like to have a method that could be used independently, but I would also like to focus on simplicity of implementation so that if you already have EAP-TTLS/EAP-TEAP support, adding support for EAP-CREDS would be very simple.

Looking forward to some great guidance and advice :D Also, if you would like to collaborate/contribute, please let me know!

--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
[OpenCA Logo]



_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu


_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email