Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1)
"Hoeper Katrin-QWKN37" <khoeper@motorola.com> Tue, 02 March 2010 16:20 UTC
Return-Path: <khoeper@motorola.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D59283A8B8F for <emu@core3.amsl.com>; Tue, 2 Mar 2010 08:20:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jVRKzJqcss3V for <emu@core3.amsl.com>; Tue, 2 Mar 2010 08:20:50 -0800 (PST)
Received: from mail119.messagelabs.com (mail119.messagelabs.com [216.82.241.195]) by core3.amsl.com (Postfix) with ESMTP id B9BB53A7851 for <emu@ietf.org>; Tue, 2 Mar 2010 08:20:49 -0800 (PST)
X-VirusChecked: Checked
X-Env-Sender: khoeper@motorola.com
X-Msg-Ref: server-7.tower-119.messagelabs.com!1267546845!36650485!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [136.182.1.14]
Received: (qmail 15916 invoked from network); 2 Mar 2010 16:20:47 -0000
Received: from motgate4.mot.com (HELO motgate4.mot.com) (136.182.1.14) by server-7.tower-119.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Mar 2010 16:20:47 -0000
Received: from il27exr04.cig.mot.com (il27exr04.mot.com [10.17.196.73]) by motgate4.mot.com (8.14.3/8.14.3) with ESMTP id o22GKjP5017288 for <emu@ietf.org>; Tue, 2 Mar 2010 09:20:45 -0700 (MST)
Received: from az10vts04.mot.com (il27vts04.cig.mot.com [10.17.196.88]) by il27exr04.cig.mot.com (8.13.1/Vontu) with SMTP id o22GKi4Y010908 for <emu@ietf.org>; Tue, 2 Mar 2010 10:20:44 -0600 (CST)
Received: from de01exm68.ds.mot.com (de01exm68.am.mot.com [10.176.8.24]) by il27exr04.cig.mot.com (8.13.1/8.13.0) with ESMTP id o22GKiCo010892 for <emu@ietf.org>; Tue, 2 Mar 2010 10:20:44 -0600 (CST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CABA24.42846368"
Date: Tue, 02 Mar 2010 11:20:23 -0500
Message-ID: <3A241A6B234BE948B8B474D261FEBC2F07239E11@de01exm68.ds.mot.com>
In-Reply-To: <BLU137-W182D9A30E81347A3BA9513938F0@phx.gbl>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1)
Thread-Index: Acp3tEkmaVtItajyQiq5v5I673IdNRCbNlig
References: <BLU137-W182D9A30E81347A3BA9513938F0@phx.gbl>
From: Hoeper Katrin-QWKN37 <khoeper@motorola.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>, emu@ietf.org
X-CFilter-Loop: Reflected
Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 16:20:59 -0000
Bernard, Thank you for your detailed comments. It is true that channel bindings as described in the draft can accomplish two different things in Enterprise networks and Service Provide networks, respectively. To what degree the "lying provider" problem can be solved heavily depends on the kind of data available to the home network. This data enables the home network to verify the consistency between the offered services and the services that were agreed on in contractual agreements. What's included in contractual agreements and which of this data can be made available to the home network varies heavily depending on particular implementations. For this reason the specifics of the data are outside the scope of the draft. This is a good thing because the channel binding protocol in this draft enables to verify WHATEVER data is relevant & available and make sure that the data presented to a peer is consistent with the data known to the home network. The draft describes the protocol to exchange this information. Another draft describes what containers can be used to exchange this information. What somebody wants to verify as part of the channel bindings is up to the implementers. The draft only explains the two general problems it addresses and outlines a few examples. If you think the current examples are too deprived, I would like to ask you to suggest some more "reasonable" examples that we can include. Best regards, Katrin ________________________________ From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of Bernard Aboba Sent: Monday, December 07, 2009 9:12 PM To: emu@ietf.org Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1) I agree with Yaron that this document is not ready to be advanced. Aside from whether the document is appropriate for publication on the Standards Track (I believe that Informational would be a better choice), I'd suggest that the document has a more basic problem in that it doesn't do a very good job of defining the problem it is trying to solve or demonstrating that the solution offered actually solves that problem or can be practically implemented. For example, early on the document makes the following statement: This document defines and implements EAP channel bindings to solve the lying NAS and the lying provider problems, using a process in which the EAP peer provides information about the characteristics of the service provided by the authenticator to the AAA server protected within the EAP method. This allows the server to verify the authenticator is providing information to the peer that is consistent with the information received from this authenticator as well as the information stored about this authenticator. "AAA Payloads" defined in [I-D.clancy-emu-aaapay] proposes a mechanism to carry this information. However, as noted in Section 3: In service provider networks, global knowledge is infeasible due to indirection via roaming. When a peer is outside its home administrative domain, the goal is to ensure that the level of service received by the peer is consistent with the contractual agreement between the two service providers. Unfortunately the term "level of service" is not well enough defined here to give a good sense of what is possible and what is not. As noted above, in general the home AAA server does not have enough information to independently verify AAA attributes provided to it by roaming partners. The problem is not just lack of "global knowledge"; even if it were possible for a home AAA server to have perfect global knowledge, if that knowledge were obtained from the providers themselves (where else could it come from?) then if those providers were untrustworthy, then how could it be used in channel binding verification? As a result, I'd suggest that some careful analysis is needed to describe in detail the threats that the "lying provider" solution really can mitigate. As noted later: In other words, channel bindings enable the detection of inconsistencies in the information from a visited network, but cannot determine which entity is lying. Given that it is not really possible to determine whether a provider is actually lying or not, how does the offered solution actually solve the "lying provider" problem? The service provider attacks described in Section 3, which attempt to make the case for the utility of channel bindings are not very convincing: a. Inappropriate billing. In this scenario, it's not clear to me how Channel Bindings would be helpful Today rates are not advertised in Beacons, and if accounting fraud is suspected, wouldn't this be best verified by computing the expected billed amounts against the actual ones, based on RADIUS accounting data? b. Transmit power boost. Detecting inappropriate levels of transmit power seems like something beyond the capability of channel bindings (and more in the jurisdiction of regulatory agencies like the FCC). Even if the geolocation were to be transmitted along with the power measurement, detecting an inappropriate transmit power level would involve some fairly complex modeling with lots of variables (e.g. precise tower location, absorption along the line of sight, etc.). At a minimum, I'd suggest that the document needs to come up with some more plausible service provider scenarios.
- Re: [Emu] Working Group Last Call for draft-ietf-… Bernard Aboba
- Re: [Emu] Working Group Last Call for draft-ietf-… Hoeper Katrin-QWKN37