IETF Logo Mail Archive

Re: [Emu] Potential Notes in EAP-FAST Documents

gabriel montenegro <g_e_montenegro@yahoo.com> Wed, 11 February 2009 18:21 UTC

Return-Path: <g_e_montenegro@yahoo.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4454D3A6A24 for <emu@core3.amsl.com>; Wed, 11 Feb 2009 10:21:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JV8HDJldgEFm for <emu@core3.amsl.com>; Wed, 11 Feb 2009 10:21:34 -0800 (PST)
Received: from web82606.mail.mud.yahoo.com (web82606.mail.mud.yahoo.com [68.142.201.123]) by core3.amsl.com (Postfix) with SMTP id 059463A680E for <emu@ietf.org>; Wed, 11 Feb 2009 10:21:30 -0800 (PST)
Received: (qmail 36479 invoked by uid 60001); 11 Feb 2009 18:14:55 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Message-ID; b=bgPKUDq6wU5vd3AvRR8P0NUkAofRY4zeNUUlVM+yKtUINuD75fxS0s18XsppRUNI7sRdKZLQ9j69Q8TAR3TebK+47XGggG2sUJ9uxIo7QGox7+WfIfnAaM5d0L/gZvFTm5xIJdyLeyRPCVxQeLh0vtWSEvkkrqzZzNKfiB/Mo8I=;
X-YMail-OSG: gugvQ5MVM1lUYH46yRNS8QbljnVYB.epXAq7rJ4o.5JM43oG369m05OhziTxlg.WZOlN9.RZ_RTloArAqmGYAf2.sOPiq8epkRefyTF4N7QYko0JS19_nNkmDFYB3HhuUbRGb3fFUZZBPMq3DSYsKmcSH4pprk2mnd_U_Hj1ivvh8TKqrl5i9goXsG9ZRZsPFD1V3YIGq0Ya
Received: from [24.16.92.42] by web82606.mail.mud.yahoo.com via HTTP; Wed, 11 Feb 2009 10:14:55 PST
X-Mailer: YahooMailRC/1155.45 YahooMailWebService/0.7.260.1
References: <BLU137-W531ACB9BE00127DB8595D993C30@phx.gbl> <808FD6E27AD4884E94820BC333B2DB7727E78F274C@NOK-EUMSG-01.mgdnok.nokia.com> <006c01c98781$5d6b8bf0$1842a3d0$@net> <808FD6E27AD4884E94820BC333B2DB7727E78F2B67@NOK-EUMSG-01.mgdnok.nokia.com> <003201c9880d$e8160780$b8421680$@net> <DF99D1BF-7A3A-41C6-B161-FD609410DE59@nist.gov>
Date: Wed, 11 Feb 2009 10:14:55 -0800
From: gabriel montenegro <g_e_montenegro@yahoo.com>
To: Tim Polk <tim.polk@nist.gov>, emu@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <899331.35411.qm@web82606.mail.mud.yahoo.com>
Cc: "iesg@ietf.orgIESG" <iesg@ietf.org>
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2009 18:21:34 -0000

This looks like a good resolution. Thanks Tim.

Gabriel



----- Original Message ----
> From: Tim Polk <tim.polk@nist.gov>
> To: emu@ietf.org
> Cc: "iesg@ietf.org IESG" <iesg@ietf.org>
> Sent: Wednesday, February 11, 2009 6:26:14 AM
> Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
> 
> Folks,
> 
> As the AD that sponsored publication of the EAP-FAST documents under discussion,
> I have been trying to find the best way forward.  I believe that the best course 
> of action
> involves some clarifications to draft-cam-winget-eap-fast-provisioning to 
> distinguish
> the modified and unmodified use of EAP-MSCHAPv2, and IESG notes to ensure these
> publications do not establish precedent for future reuse of EAP type codes with
> different semantics.
> 
> First, I support revising draft-cam-winget-eap-fast-provisioning so that the 
> modified
> form of EAP-MSCHAPv2 is consistently referred to as EAP-FAST-MSCHAPv2.  The
> authors offered to make this change earlier in the thread, and I have seen some
> support and no opposition to this suggestion.
> 
> Second, I will be offering the following text for IESG notes on both documents.  
> The
> notes clearly state the drawbacks for EAP type code reuse and define an 
> acceptable
> path for future protocol developers.
> 
> ------ draft-cam-winget-eap-fast-provisioning -----
> 
>     EAP-FAST has been implemented by many vendors and it is used in the
>     Internet.  Publication of this specification is intended to promote
>     interoperability by documenting current use of existing EAP methods
>     within EAP-FAST.
> 
>     The EAP method EAP-FAST-MSCHAPv2 reuses the EAP type code assigned to
>     EAP-MSCHAPv2 (26) for authentication within an anonymous TLS tunnel.  In
>     order to minimize the risk associated with an anonymous tunnel, changes
>     to the method were made that are not interoperable with EAP-MSCHAPv2.
>     Since EAP-MSCHAPv2 does not support method-specific version negotiation,
>     the use of EAP-FAST-MSCHAPv2 is implied by the use of an anonymous
>     EAP-FAST tunnel.  This behavior may cause problems in implementations
>     where the use of unaltered EAP-MSCHAPv2 is needed inside an anonymous
>     EAP-FAST tunnel.  Since such support requires special case execution of
>     a method within a  tunnel, it also complicates implementations that use
>     the same method code both within and outside of the tunnel method. If
>     EAP-FAST  were to be designed today, these difficulties could be avoided
>     by utilization of unique EAP Type codes. Given these issues, assigned
>     method types must not be re-used with different meaning inside tunneled
>     methods in the future.
> 
> ----  draft-zhou-emu-fast-gtc  ------
> 
>     EAP-FAST has been implemented by many vendors and it is used in the
>     Internet.  Publication of this specification is intended to promote
>     interoperability by documenting current use of existing EAP methods
>     within EAP-FAST.
> 
>     The EAP method EAP-FAST-GTC reuses the EAP type code assigned to
>     EAP-GTC (6).  The reuse of previously assigned EAP Type Codes is
>     incompatible with EAP method negotiation as defined in RFC 3748.  Since
>     EAP-GTC does not support method-specific version negotiation,  the use of
>     EAP-FAST-GTC is implied when used inside the EAP-FAST tunnel during
>     authentication. This behavior may cause problems in implementations where
>     the use of another vendor's EAP-GTC is required.  Since such support 
> requires
>     special case execution of a method within a tunnel, it also complicates
>     implementations that use the same method code both within and outside of
>     the tunnel method. If EAP-FAST were to be designed today, these
>     difficulties could be avoided by utilization of unique EAP Type codes.
>     Given these issues, assigned method types must not be re-used with
>     different meaning inside tunneled methods in the future.
> 
> I am not under the illusion that this text will be entirely satisfactory to 
> anyone,
> but I believe that it is an *appropriate* resolution to the problem.
> 
> Thanks,
> 
> Tim Polk
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email