[Emu] EAP onboarding at ANIMA WG

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 11 July 2022 17:52 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Sheng Jiang <shengjiang@gmail.com>, anima@ietf.org, anima-chairs@ietf.org
CC: emu@ietf.org
In-Reply-To: <CAL6Yo0LYGGrNv7bue2np4Px=8Pe5+M=bXQ_YEKtwONoCe5PUww@mail.gmail.com>
References: <CAL6Yo0LYGGrNv7bue2np4Px=8Pe5+M=bXQ_YEKtwONoCe5PUww@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/Wag3DQ7eAEtxc210Ysx2KijkKkg>

Topic/Title:  EAP defaults for devices that need to onboard
Name of Presenter(s): Michael Richardson (with Alan DeKok)
Length of time requested: 5 minutes (new work)
Document (if applicable):

Alan and I have written a -00 document (just posted), on using
unauthenticated EAP-TLS (no client-side certificate) to allow a supplicant (a
pledge) to get enough IP connectivity in order to run an authenticated
onboarding solution, such as BRSKI (RFC8995).

As described in the document, the network would put these clients onto a (L2)
quarantined network, much as it would if a device was found that did not pass
its remote attestation process (cf: RFC 5209 and friends).

While there are proposals to run BRSKI over EAP using TEAP, etc, the
challenges of MTU, limited amount of traffic that can travel over EAP, and
the hassle of implementing yet-another mechanism seem excessive to us.

Enterprise networks already have quarantine/captive-portal (V)LANs with full
isolation between hosts.  Smaller networks can easily afford to add such
things, and there are projects to isolate every single IoT device into its
own L2 domain until it proves it needs to communicate.

We are working on code.

I'm happy to present at EMU as well. EMU may wish to adopt this document.
But first, I think that the ANIMA WG, as a consumer of this, may like to say
if it satisfies a need.

Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
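As an added illustration of the authenticator-side policy the message describes, the Python sketch below is not code from the -00 draft, from FreeRADIUS, or from the ANIMA/EMU working groups. It assumes the AAA server expresses its VLAN decision with the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id); the VLAN ids, the LDevID subject and the handling of a presented-but-invalid certificate are constructed for the example. It walks a pledge through both rounds: EAP-TLS without a client certificate lands it in the quarantine L2 domain, BRSKI (abstracted away) issues an LDevID over that limited IP connectivity, and a second EAP-TLS round with the LDevID moves it to the production VLAN.

```python
"""Authenticator policy for onboarding with unauthenticated EAP-TLS.

Added example, not code from the draft or any project it mentions.
Assumption: VLAN placement is signalled with the RFC 3580 attributes;
VLAN ids and certificate subjects below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class TlsOutcome(Enum):
    # TLS handshake completed with server authentication only; no client cert offered
    NO_CLIENT_CERT = "no-client-cert"
    # A client certificate was offered but does not validate (unknown CA, expired, ...)
    CERT_INVALID = "cert-invalid"
    # Client certificate chains to a trusted CA, e.g. an LDevID issued during BRSKI
    CERT_VALID = "cert-valid"


@dataclass(frozen=True)
class EapTlsResult:
    outcome: TlsOutcome
    subject: Optional[str] = None   # certificate subject when one was presented


# Constructed VLAN ids: the quarantine VLAN only reaches the registrar/join proxy.
QUARANTINE_VLAN = 4000
PRODUCTION_VLAN = 100


def vlan_attributes(vlan_id: int) -> Dict[str, str]:
    """RFC 3580 attributes carried in an Access-Accept to place the port in a VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def decide(result: EapTlsResult) -> Tuple[str, Dict[str, str]]:
    """Map an EAP-TLS outcome to (RADIUS response code, attributes)."""
    if result.outcome is TlsOutcome.CERT_VALID:
        return "Access-Accept", vlan_attributes(PRODUCTION_VLAN)
    if result.outcome is TlsOutcome.NO_CLIENT_CERT:
        # The point of the proposal: accept, but only onto the quarantined L2 domain.
        return "Access-Accept", vlan_attributes(QUARANTINE_VLAN)
    # Design choice of this example (not stated in the message): a certificate that
    # was presented and failed validation is rejected rather than quarantined.
    return "Access-Reject", {}


def onboarding_sequence() -> List[int]:
    """Run a pledge through both rounds and return the VLANs it is placed in, in order."""
    vlans: List[int] = []
    # Round 1: factory-fresh pledge, no client certificate.
    code, attrs = decide(EapTlsResult(TlsOutcome.NO_CLIENT_CERT))
    if code != "Access-Accept":
        raise RuntimeError("pledge must be admitted to quarantine to run BRSKI")
    vlans.append(int(attrs["Tunnel-Private-Group-Id"]))
    # BRSKI runs over IP inside the quarantine VLAN and yields an LDevID (abstracted).
    ldevid_subject = "CN=pledge-0001,O=ExampleOwner"   # constructed
    # Round 2: re-authenticate presenting the LDevID.
    code, attrs = decide(EapTlsResult(TlsOutcome.CERT_VALID, ldevid_subject))
    vlans.append(int(attrs["Tunnel-Private-Group-Id"]))
    return vlans


if __name__ == "__main__":
    print(onboarding_sequence())   # [4000, 100]
```

The invariant worth checking in a real deployment is the one `decide` encodes: no response for the no-client-certificate outcome may ever carry the production VLAN id, so a pledge that skips BRSKI stays confined to the quarantine L2 domain.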