Re: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Sun, 15 July 2012 03:34 UTC

From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Cc: "emu@ietf.org" <emu@ietf.org>
Date: Sun, 15 Jul 2012 03:34:55 +0000
Subject: Re: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt
Message-ID: <CC278222.D688%ncamwing@cisco.com>
In-Reply-To: <OF8FD781D7.20C7280F-ON48257A15.0033086C-48257A15.003318C0@zte.com.cn>

Hi Sujing,

I am just getting to update the draft based on received comments.  I have further
comments and questions below:

From: "zhou.sujing@zte.com.cn<mailto:zhou.sujing@zte.com.cn>" <zhou.sujing@zte.com.cn<mailto:zhou.sujing@zte.com.cn>>
Date: Wednesday, June 6, 2012 2:18 AM
To: Joseph Salowey <jsalowey@cisco.com<mailto:jsalowey@cisco.com>>
Cc: "emu@ietf.org<mailto:emu@ietf.org>" <emu@ietf.org<mailto:emu@ietf.org>>
Subject: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt


Section 1
"The other type of  PT, PT-TLS [I-D.ietf-nea-pt-tls], operates before the endpoint gains
   any access to the IP network. "
==> should be "after the endpoint has gained access to the IP network"
[NCW] Thank you for catching this!  I have updated the draft accordingly.


"PT-EAP is an inner EAP [RFC3748] method designed to be used under a
   protected tunnel such as TEAP [I-D.ietf-emu-eap-tunnel-method], EAP-
   FAST [RFC4851] or EAP-TTLS [RFC5281]."
==>PEAP is more widely supported.
[NCW] Agreed.  But the list is not meant to be exhaustive and admittedly
it was easier to cite used methods for which there are IETF RFCs, as well
as what EMU is adopting.



"Finally, it describes how the  tls-unique channel binding [RFC5929] may be used to PA-TNC exchanges
   to the EAP tunnel method, defeating MITM attacks such as the Asokan  attack [Asokan]."
==>


"Some EAP tunnel methods may provide explicit confirmation of inner method success; others may not. "
[NCW] I am not sure I understand the comment or request.  The above sentence is true; in
PT-EAP's case, as it is not an authenticating method, we describe how tls-unique is used
in PT-EAP to address such binding.  So, the sentence stands on its own as it references
further details to follow.

section 3.4 " Attack Analysis [16], " the reference [16]
[NCW] Fixed the reference (thanks!)

section 4.2.3
"The strong integrity protections (hashing) offered by EAP-TTLS allows the
   PT-EAP message recipients to detect message alterations by other
   types of network based adversaries. "
===> it is not hashing that offers the integrity, but a MAC
[NCW] Right, text updated to read "hashing in the MAC"; I also made the reference general,
as it is provided by the EAP TLS-based tunnel.

section 4.2.4
" the  session can be encrypted and hashed to prevent undetected
   modification that could create a denial of service situation.
"
===> only a MAC, not encryption and hashing, can prevent modification
[NCW] In general true, but some modes do both (authenticated encryption),
so the reference to both should apply.

section 4.3
  "The phase two dialog may include authentication of the user by doing
   other EAP methods or in the case of TTLS by using non-EAP
   authentication dialogs.  PT-EAP is also carried by the phase two
   tunnel allowing the NEA assessment to be within an encrypted and
   integrity protected transport."
==> TTLS can also use EAP method as inner method.
[NCW] I've clarified that sentence

"These inner methods may perform additional security handshakes including more
   granular authentications or exchanges of integrity information (such
   as PT-EAP.)  "
===> IMO, PT-EAP had better be exchanged after phase two of the EAP tunnel method, so that
 the resulting key derived from the tunnel and the inner authentication method can be used to protect it.
[NCW] Do you mean to enforce an authentication (inner) method prior to PT-EAP?


section 5
  "To support countermeasures against NEA Asokan attacks as described in
   Section 3.4, the EAP Tunnel Method used with PT-EAP will need to
   support the tls-unique channel binding.  This should not be a high
   bar since all EAP tunnel methods currently support this but not all
   implementations of those methods may do so."
====> It seems no current EAP tunnel method supports tls-unique now.
  And the Asokan MitM attack is countered by crypto binding, where the tunnel method is bound with the inner method,
  while tls-unique is limited to the tunnel method, providing binding between TLS and the application; I wonder
  if there is some confusion in the document.
[NCW] tls-unique is something that will need to be added to those methods that use an EMA. The binding
is done by having the tls-unique value passed to the EMA for validation.  It is specified in section 3.4.



Regards~~~

-Sujing Zhou
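The two points argued above (section 4.2.3: a bare hash does not give integrity, a keyed MAC does; section 5 / 3.4: binding the PA-TNC exchange to the tunnel's tls-unique value is what lets the EMA detect an Asokan-style relay) can be seen in a small model. The code below is an added illustration written for this archive page; it is not PT-EAP code, not from the draft authors, and not from any EAP implementation. The `Tunnel` class, its random `tls_unique` stand-in for the RFC 5929 value, the `EMA_KEY` standing in for whatever protection the EMA applies between Posture Collector and Validator, and the `REPORT` bytes are all constructed assumptions.

```python
"""Constructed model of MAC-vs-hash integrity and tls-unique binding.

Not PT-EAP code: the tunnel, the EMA key and the posture report are
stand-ins chosen for illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed sample PA-TNC payload (not a real PA-TNC encoding).
REPORT = b"PA-TNC: os=example patched=no"
# Constructed key standing in for the EMA's own protection between
# Posture Collector and Posture Validator (an assumption of this model).
EMA_KEY = secrets.token_bytes(32)


def hash_only_tag(report: bytes) -> bytes:
    """Bare hash: no key, so any party on the path can recompute it."""
    return hashlib.sha256(report).digest()


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed MAC (HMAC-SHA256): recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def network_adversary_rewrites(report: bytes) -> bytes:
    """Constructed on-path modification of the posture report."""
    return report.replace(b"patched=no", b"patched=yes")


def hash_only_tampering_detected(report: bytes) -> bool:
    """Section 4.2.3 point: with a bare hash the adversary rewrites both
    the report and its hash, and the recipient accepts the result."""
    altered = network_adversary_rewrites(report)
    forged_tag = hash_only_tag(altered)   # no key needed to re-tag
    accepted = hmac.compare_digest(hash_only_tag(altered), forged_tag)
    return not accepted


def mac_tampering_detected(key: bytes, report: bytes) -> bool:
    """With a MAC under the tunnel's key, the altered report no longer
    matches the tag the adversary had to leave in place."""
    tag = mac_tag(key, report)
    altered = network_adversary_rewrites(report)
    accepted = hmac.compare_digest(mac_tag(key, altered), tag)
    return not accepted


class Tunnel:
    """Constructed stand-in for one TLS-protected EAP tunnel.

    tls_unique models the RFC 5929 value (derived from the first TLS
    Finished message): every TLS session yields a different one.
    """

    def __init__(self) -> None:
        self.tls_unique = secrets.token_bytes(12)  # random stand-in


def collector_bind(ema_key: bytes, tunnel: Tunnel, report: bytes) -> bytes:
    """Posture Collector side: tag the report together with the
    tls-unique of the tunnel it is about to travel through."""
    return mac_tag(ema_key, tunnel.tls_unique + report)


def validator_check(ema_key: bytes, tunnel: Tunnel,
                    report: bytes, tag: bytes) -> bool:
    """Posture Validator side (EMA): recompute using the tls-unique of
    the tunnel over which the report actually arrived at the server."""
    expected = mac_tag(ema_key, tunnel.tls_unique + report)
    return hmac.compare_digest(expected, tag)


def direct_exchange(ema_key: bytes, report: bytes) -> bool:
    """Endpoint and server share one tunnel: both see the same tls-unique."""
    tunnel = Tunnel()
    tag = collector_bind(ema_key, tunnel, report)
    return validator_check(ema_key, tunnel, report, tag)


def relayed_exchange(ema_key: bytes, report: bytes) -> bool:
    """Asokan-style relay: the endpoint's tunnel terminates at a man in
    the middle, who opens a second tunnel to the server and forwards the
    batch unchanged. The two tunnels carry different tls-unique values,
    so the validator's recomputation fails and the relay is detected."""
    endpoint_to_mitm = Tunnel()
    mitm_to_server = Tunnel()
    tag = collector_bind(ema_key, endpoint_to_mitm, report)
    return validator_check(ema_key, mitm_to_server, report, tag)


if __name__ == "__main__":
    print("hash-only detects rewrite:", hash_only_tampering_detected(REPORT))
    print("MAC detects rewrite:      ", mac_tampering_detected(EMA_KEY, REPORT))
    print("direct exchange verifies: ", direct_exchange(EMA_KEY, REPORT))
    print("relayed exchange verifies:", relayed_exchange(EMA_KEY, REPORT))
```

The relay check passes or fails purely on whether both ends of the posture exchange observed the same TLS session, which is why the binding works even though PT-EAP itself is not an authenticating method: the tunnel key is never needed by the EMA, only the tls-unique value handed to it.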


Joe Salowey <jsalowey@cisco.com<mailto:jsalowey@cisco.com>>
Sender:  emu-bounces@ietf.org<mailto:emu-bounces@ietf.org>

2012-06-06 02:05

To
        emu@ietf.org<mailto:emu@ietf.org>
Cc

Subject
        Re: [Emu] [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

June 4 has come and gone and we haven't received any comments.  If you have reviewed the document and not found any issues please indicate that on the list.  I'll leave the review open until 6/12.  If you can commit to review the document, please let me know.

Thanks,

Joe
On May 21, 2012, at 2:01 PM, Joe Salowey wrote:

> The NEA working group has produced a draft for carrying NEA posture methods within EAP.  It would be helpful if some EMU working group members reviewed the draft.   Please send your comments to the EMU list by June 4, 2012.
>
> Thanks,
>
> Joe
>
> Begin forwarded message:
>
>> From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
>> Date: May 15, 2012 8:36:14 AM PDT
>> To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
>> Cc: nea@ietf.org<mailto:nea@ietf.org>
>> Subject: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Network Endpoint Assessment Working Group of the IETF.
>>
>>                  Title           : PT-EAP: Posture Transport (PT) Protocol For EAP Tunnel Methods
>>                  Author(s)       : Nancy Cam-Winget
>>                         Paul Sangster
>>                  Filename        : draft-ietf-nea-pt-eap-02.txt
>>                  Pages           : 20
>>                  Date            : 2012-05-15
>>
>>  This document specifies PT-EAP, an EAP based Posture Transport (PT)
>>  protocol designed to be used only inside a TLS protected tunnel
>>  method.  The document also describes the intended applicability of
>>  PT-EAP.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> The IETF datatracker page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-nea-pt-eap/
>>
>> _______________________________________________
>> Nea mailing list
>> Nea@ietf.org<mailto:Nea@ietf.org>
>> https://www.ietf.org/mailman/listinfo/nea
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org<mailto:Emu@ietf.org>
> https://www.ietf.org/mailman/listinfo/emu

_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu