IETF Logo Mail Archive

Re: [Emu] WG last call for draft-ietf-emu-tls-eap-types ?

Joseph Salowey <joe@salowey.net> Tue, 20 September 2022 20:00 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6E47C14CF15 for <emu@ietfa.amsl.com>; Tue, 20 Sep 2022 13:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TuiP3iZMPpfe for <emu@ietfa.amsl.com>; Tue, 20 Sep 2022 13:00:31 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C27F9C15A720 for <emu@ietf.org>; Tue, 20 Sep 2022 12:58:57 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id a2so5666144lfb.6 for <emu@ietf.org>; Tue, 20 Sep 2022 12:58:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=PshfyZLqHpw0RnBNDzrgTcdLaujEct6+4Amgm8NOAb8=; b=PwsXowlAuK8px5duFAtqrdHX2NOgA7Pc6W6QDzqXfvyFqTV7+cmzMFYGpN0xk4av1W JGXlU3/lDGaDXDTqb0ldwMfnJVIs0NlgNFWlATrUQMeDpB2wVmJrBSbF5HDgqFo1oRfC 049+IPcbJyUU8eiKBd7+tP5blmvMOL2P7rdwgoMUyrWDaPiEa0Rla1dEt5mw/Z+/XCYR Tp1ItRSThI2lkmPS244DESAGGkxBf82KFz4DDbNqN7JtC5fv8sBPy0HkEdDVBD3HERCz YWoiQ/bkxnPIuquHPOIdFwocapukiX+zZgxM7MwcYZj73RB+EwoODvTYRC8NwuI8gjG/ pLCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=PshfyZLqHpw0RnBNDzrgTcdLaujEct6+4Amgm8NOAb8=; b=2Y4wK/cz/Vpcismm9P8Xa6QFhvpMO7hOacrNiFOnXHOTs5YgaaxkozE0aF0t1YM7ve PuaH+jo/o06LCOE0PzTSN03c+W7hY5BKwrUd6gF+tMJLYR71ZR7ZN6XkdmYT0Epeoew3 xih8TDN+JcWM8dbeYn7RV6jx1wTArWY+pcaRIP5edgazZ4kf69Me4YSBJqh774mrC2Lr /ymp1vojLI8z3IicMnIJ49MuWD9zHjpnzrj/7mL16gpGSWzlQD4IMPMV6iNgqvSFiytK xejrYzRnTEP8g2PcU3W9BrSmKLKiMZ3fSTIkNVl1avUBrw9PnfyJtyjjzARvTwFym+pF f3dA==
X-Gm-Message-State: ACrzQf1C4ymcvmNqnQ5W77G2gknWtaAc6B09z7FuQMfppcu4GSbmAmJe bsAtzIUfkc3kUaEZ/zUCoyKRdgtMjE8hziPfsuJjR3ztaFtkQA==
X-Google-Smtp-Source: AMsMyM4HBJd0QgXjM0st2DHJQYZ4KDhUKpFWbnQS2zbxqHuDev2PRkrJb/C37kvMpbZm1k3sMYD8UY0/+8yOiLceT2c=
X-Received: by 2002:a05:6512:230f:b0:499:dcd:2fd2 with SMTP id o15-20020a056512230f00b004990dcd2fd2mr9706356lfu.677.1663703935435; Tue, 20 Sep 2022 12:58:55 -0700 (PDT)
MIME-Version: 1.0
References: <325659CB-E36E-4D18-A59C-B5EA54324201@deployingradius.com> <CAOgPGoAYTe0qtFbJhq7S71FpX+k+1=0Gqqq+pwa+1QnBnQ3wrw@mail.gmail.com> <94154D9C-F880-42DB-B881-38B04F76E196@deployingradius.com> <CAOgPGoBF_8y40oynqQd9rr9PKEy1qNoNae3zMwA+7f7rKN+SUg@mail.gmail.com> <20220910075838.57qeco3egljt7pwp@aineko.digriz.org.uk> <6F86A929-F41A-4C76-8568-8C1DABB0CDEF@deployingradius.com>
In-Reply-To: <6F86A929-F41A-4C76-8568-8C1DABB0CDEF@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Tue, 20 Sep 2022 12:58:43 -0700
Message-ID: <CAOgPGoA-pDssvwKL-LeNvZEbDny8rjxkC6-HaQNMffUyvBfFtA@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Alexander Clouter <alex+ietf@coremem.com>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000155d8505e92142e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/_MnaaxZdDdWabgP2RI_tA9xt8jc>
Subject: Re: [Emu] WG last call for draft-ietf-emu-tls-eap-types ?
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2022 20:00:32 -0000

I also notice that the document header says it updates RFC 5247 instead of
RFC 4851.



On Tue, Sep 20, 2022 at 12:50 PM Alan DeKok <aland@deployingradius.com>
wrote:

> On Sep 10, 2022, at 3:59 AM, Alexander Clouter <alex+ietf@coremem.com>
> wrote:
> > I have both implemented EAP-FAST and TEAP, and also slogged through the
> interoperability testing of the TLS 1.3 changes proposed here for EAP-TTLS
> and PEAP.
> >
> > This probably qualifies me to chip in here.
>
>   Thanks.
>
> > Section 2.2 - TEAP
> > ------------------
> > I do not think changing the language for the definition of the MAC used
> for the Compound MAC was necessary.
>
>   I don't see if changing the definition that much,  There's just a
> reference to the previous section, which was changed.  That definition was
> just changed to use TLS-Exporter() instead of TLS-PRF().
>
>   Are there any other changes which need highlighting (or fixing) ?
>
> > If any wording changes need to be made, maybe to be more explicit in
> stating "the MAC from the handshake" or "cipher_suite from RFC8446 section
> 4.1.3"? I find the existing "section 7.1 of RFC 8446" wording unusable to
> someone trying to answer "what am I actually meant to do here?"
>
>   Do you have explicit text to suggest?
>
> > Maybe I am just dumb so someone can help join the dots for me, but as an
> implementer it is unclear to me how anyone could get from "look at RFC8446
> section 7.1" to "use SSL_CIPHER_get_handshake_digest()"?
>
>   Perhaps updating it to say:
>
> For TLS 1.3, the message authentication code (MAC) is computed with
> the HMAC algorithm negotiated for HKDF in the key schedule, as per
> section 7.1 of RFC 8446.  That is, the MAC used is the MAC derived
> from the TLS handshake.
>
>
> > Having a deep guru level of knowledge of RFC8446 should never be a
> prerequisite to implementing TEAP...or any standard.
>
>   Agreed.
>
> > Maybe I am the only one here who gets depressed when instructed to look
> at a TLS RFC to gain wisdom?
>
>   I'l take the fifth here.
>
> > Section 2.2.1 - Client Certificates [TEAP]
> > ------------------------------------------
> > I think we should remove the unnecessary additional SSL handshake, as
> three full handshakes is getting excessive and life is too short for
> multi-second WAN authentications.
>
>   I agree that the layered TLS sessions are less than optimal.
>
> > On a practical note for this type of chained authentication we are
> already at the ~25 mark of the default limit of 50 EAP round trips that
> some EAP implementations (eg. hostapd and FreeRADIUS) set as the threshold
> of "things are now getting silly" and abort the conversion. This may thwart
> chaining future EAP methods.
>
>   Agreed.
>
> > Picking though our options, whilst Identity-Type TLV is needed to
> provide the EAP server on what is being authenticated, this TLV is also
> permitted as an outer-TLV in RFC7170 section 4.3.1.
> >
> > RFC7170 being an RFC that relishes in contradiction, section 4.2.3
> states this TLV MUST be passed alongside either an EAP-Payload or
> Basic-Password-Auth-{Req,Resp} which themselves are only permitted as
> inner-TLVs.
> >
> > Fortunately section 4.3.1 also states outer-TLVs MUST be marked optional
> which I see as the way to break out of this situation.
> >
> > I would propose allowing an Identity-Type outer-TLV during Phase 1 to
> provide the necessary hinting to support machine/user authentication.
>
>   That seems fine.  I'll update the section to say:
>
> However, an implementation may send Identity-Type as an outer-TLV, in
> which case a client certificate can be sent in Phase 1, and that
> client certificate MUST be associated with the referenced
> Identity-Type.
>
>
> > Only if it would help some people on the fence land a decision, I am
> willing to do some interoperability testing to verify that sending
> outer-TLVs in this manner does not cause any unintended consequences? If
> you are that person, let me know.
>
>   I don't see a problem with it.
>
> > Section 2.3 - EAP-FAST
> > ----------------------
> > I think you should be explicit that an implementer should now only look
> to session tickets for their PAC provisioning needs.
> >
> > Maybe something more like:
> >
> >  EAP-FAST previously used a PAC, which is functionally equivalent to
> >  session tickets provided by TLS 1.3 that contain a pre-shared key (PSK)
> >  along with other data. As such, the use of a PAC is deprecated for
> >  EAP-FAST in TLS 1.3. PAC provisioning [RFC5422] is also no longer part
> >  of EAP-FAST when TLS 1.3 is used.
>
>   Updated, thanks.  I'll add similar text for TEAP.
>
> > Section 2.4 - EAP-TTLS
> > ----------------------
> > I know that it is trying to communicate context is empty but it still
> looks like a typo, maybe instead:
> >
> >  EAP-TTLS_challenge = TLS-Exporter("ttls challenge", {}, n)
> >
> > Then highlight 'context={}' means 'empty'/'zero length' as per RFC8446
> Section 7.5?
>
>   The other EAP RFCs just use an empty context, and not {}.  So I'm OK
> with leaving that alone.
>
> > Section 2.[45].1 - Client Certificates [EAP-TTLS/PEAP]
> > ------------------------------------------
> > I would like to see the "just use EAP-TLS" and "abort when no inner
> methods" replicated in the sections covering TEAP and EAP-FAST too.
> >
> > Alternatively broken out into its own section which I think it deserves
> to highlight "this is pointless folks, we have EAP-TLS for this".
>
>   I'll add text to TEAP and FAST.  That seem simplest.
>
> > I do agree with Alan though. Something has to point the direction that
> > TEAP/EAP-FAST needs to go in for TLS 1.3 and any inaccuracies can be
> resolved through Errata.
> >
> > The inaccuracies in the RFC7170 and the stalled errata efforts[4] for
> TEAP has not prevented hostapd, Windows 11 and FreeRADIUS interoperating.
>
>   That's good news.
>
> > This document needs to be published with a TEAP and EAP-FAST statement.
>
>   Thanks.
>
>   I've updated the document, and will issue a new I-D shortly.
>
>   Alan DeKok.
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email