Re: [Emu] WG last call for draft-ietf-emu-tls-eap-types ?
Joseph Salowey <joe@salowey.net> Tue, 20 September 2022 20:00 UTC
Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6E47C14CF15 for <emu@ietfa.amsl.com>; Tue, 20 Sep 2022 13:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TuiP3iZMPpfe for <emu@ietfa.amsl.com>; Tue, 20 Sep 2022 13:00:31 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C27F9C15A720 for <emu@ietf.org>; Tue, 20 Sep 2022 12:58:57 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id a2so5666144lfb.6 for <emu@ietf.org>; Tue, 20 Sep 2022 12:58:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=PshfyZLqHpw0RnBNDzrgTcdLaujEct6+4Amgm8NOAb8=; b=PwsXowlAuK8px5duFAtqrdHX2NOgA7Pc6W6QDzqXfvyFqTV7+cmzMFYGpN0xk4av1W JGXlU3/lDGaDXDTqb0ldwMfnJVIs0NlgNFWlATrUQMeDpB2wVmJrBSbF5HDgqFo1oRfC 049+IPcbJyUU8eiKBd7+tP5blmvMOL2P7rdwgoMUyrWDaPiEa0Rla1dEt5mw/Z+/XCYR Tp1ItRSThI2lkmPS244DESAGGkxBf82KFz4DDbNqN7JtC5fv8sBPy0HkEdDVBD3HERCz YWoiQ/bkxnPIuquHPOIdFwocapukiX+zZgxM7MwcYZj73RB+EwoODvTYRC8NwuI8gjG/ pLCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=PshfyZLqHpw0RnBNDzrgTcdLaujEct6+4Amgm8NOAb8=; b=2Y4wK/cz/Vpcismm9P8Xa6QFhvpMO7hOacrNiFOnXHOTs5YgaaxkozE0aF0t1YM7ve PuaH+jo/o06LCOE0PzTSN03c+W7hY5BKwrUd6gF+tMJLYR71ZR7ZN6XkdmYT0Epeoew3 xih8TDN+JcWM8dbeYn7RV6jx1wTArWY+pcaRIP5edgazZ4kf69Me4YSBJqh774mrC2Lr /ymp1vojLI8z3IicMnIJ49MuWD9zHjpnzrj/7mL16gpGSWzlQD4IMPMV6iNgqvSFiytK xejrYzRnTEP8g2PcU3W9BrSmKLKiMZ3fSTIkNVl1avUBrw9PnfyJtyjjzARvTwFym+pF f3dA==
X-Gm-Message-State: ACrzQf1C4ymcvmNqnQ5W77G2gknWtaAc6B09z7FuQMfppcu4GSbmAmJe bsAtzIUfkc3kUaEZ/zUCoyKRdgtMjE8hziPfsuJjR3ztaFtkQA==
X-Google-Smtp-Source: AMsMyM4HBJd0QgXjM0st2DHJQYZ4KDhUKpFWbnQS2zbxqHuDev2PRkrJb/C37kvMpbZm1k3sMYD8UY0/+8yOiLceT2c=
X-Received: by 2002:a05:6512:230f:b0:499:dcd:2fd2 with SMTP id o15-20020a056512230f00b004990dcd2fd2mr9706356lfu.677.1663703935435; Tue, 20 Sep 2022 12:58:55 -0700 (PDT)
MIME-Version: 1.0
References: <325659CB-E36E-4D18-A59C-B5EA54324201@deployingradius.com> <CAOgPGoAYTe0qtFbJhq7S71FpX+k+1=0Gqqq+pwa+1QnBnQ3wrw@mail.gmail.com> <94154D9C-F880-42DB-B881-38B04F76E196@deployingradius.com> <CAOgPGoBF_8y40oynqQd9rr9PKEy1qNoNae3zMwA+7f7rKN+SUg@mail.gmail.com> <20220910075838.57qeco3egljt7pwp@aineko.digriz.org.uk> <6F86A929-F41A-4C76-8568-8C1DABB0CDEF@deployingradius.com>
In-Reply-To: <6F86A929-F41A-4C76-8568-8C1DABB0CDEF@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Tue, 20 Sep 2022 12:58:43 -0700
Message-ID: <CAOgPGoA-pDssvwKL-LeNvZEbDny8rjxkC6-HaQNMffUyvBfFtA@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Alexander Clouter <alex+ietf@coremem.com>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000155d8505e92142e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/_MnaaxZdDdWabgP2RI_tA9xt8jc>
Subject: Re: [Emu] WG last call for draft-ietf-emu-tls-eap-types ?
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2022 20:00:32 -0000
I also notice that the document header says it updates RFC 5247 instead of RFC 4851. On Tue, Sep 20, 2022 at 12:50 PM Alan DeKok <aland@deployingradius.com> wrote: > On Sep 10, 2022, at 3:59 AM, Alexander Clouter <alex+ietf@coremem.com> > wrote: > > I have both implemented EAP-FAST and TEAP, and also slogged through the > interoperability testing of the TLS 1.3 changes proposed here for EAP-TTLS > and PEAP. > > > > This probably qualifies me to chip in here. > > Thanks. > > > Section 2.2 - TEAP > > ------------------ > > I do not think changing the language for the definition of the MAC used > for the Compound MAC was necessary. > > I don't see if changing the definition that much, There's just a > reference to the previous section, which was changed. That definition was > just changed to use TLS-Exporter() instead of TLS-PRF(). > > Are there any other changes which need highlighting (or fixing) ? > > > If any wording changes need to be made, maybe to be more explicit in > stating "the MAC from the handshake" or "cipher_suite from RFC8446 section > 4.1.3"? I find the existing "section 7.1 of RFC 8446" wording unusable to > someone trying to answer "what am I actually meant to do here?" > > Do you have explicit text to suggest? > > > Maybe I am just dumb so someone can help join the dots for me, but as an > implementer it is unclear to me how anyone could get from "look at RFC8446 > section 7.1" to "use SSL_CIPHER_get_handshake_digest()"? > > Perhaps updating it to say: > > For TLS 1.3, the message authentication code (MAC) is computed with > the HMAC algorithm negotiated for HKDF in the key schedule, as per > section 7.1 of RFC 8446. That is, the MAC used is the MAC derived > from the TLS handshake. > > > > Having a deep guru level of knowledge of RFC8446 should never be a > prerequisite to implementing TEAP...or any standard. > > Agreed. > > > Maybe I am the only one here who gets depressed when instructed to look > at a TLS RFC to gain wisdom? > > I'l take the fifth here. > > > Section 2.2.1 - Client Certificates [TEAP] > > ------------------------------------------ > > I think we should remove the unnecessary additional SSL handshake, as > three full handshakes is getting excessive and life is too short for > multi-second WAN authentications. > > I agree that the layered TLS sessions are less than optimal. > > > On a practical note for this type of chained authentication we are > already at the ~25 mark of the default limit of 50 EAP round trips that > some EAP implementations (eg. hostapd and FreeRADIUS) set as the threshold > of "things are now getting silly" and abort the conversion. This may thwart > chaining future EAP methods. > > Agreed. > > > Picking though our options, whilst Identity-Type TLV is needed to > provide the EAP server on what is being authenticated, this TLV is also > permitted as an outer-TLV in RFC7170 section 4.3.1. > > > > RFC7170 being an RFC that relishes in contradiction, section 4.2.3 > states this TLV MUST be passed alongside either an EAP-Payload or > Basic-Password-Auth-{Req,Resp} which themselves are only permitted as > inner-TLVs. > > > > Fortunately section 4.3.1 also states outer-TLVs MUST be marked optional > which I see as the way to break out of this situation. > > > > I would propose allowing an Identity-Type outer-TLV during Phase 1 to > provide the necessary hinting to support machine/user authentication. > > That seems fine. I'll update the section to say: > > However, an implementation may send Identity-Type as an outer-TLV, in > which case a client certificate can be sent in Phase 1, and that > client certificate MUST be associated with the referenced > Identity-Type. > > > > Only if it would help some people on the fence land a decision, I am > willing to do some interoperability testing to verify that sending > outer-TLVs in this manner does not cause any unintended consequences? If > you are that person, let me know. > > I don't see a problem with it. > > > Section 2.3 - EAP-FAST > > ---------------------- > > I think you should be explicit that an implementer should now only look > to session tickets for their PAC provisioning needs. > > > > Maybe something more like: > > > > EAP-FAST previously used a PAC, which is functionally equivalent to > > session tickets provided by TLS 1.3 that contain a pre-shared key (PSK) > > along with other data. As such, the use of a PAC is deprecated for > > EAP-FAST in TLS 1.3. PAC provisioning [RFC5422] is also no longer part > > of EAP-FAST when TLS 1.3 is used. > > Updated, thanks. I'll add similar text for TEAP. > > > Section 2.4 - EAP-TTLS > > ---------------------- > > I know that it is trying to communicate context is empty but it still > looks like a typo, maybe instead: > > > > EAP-TTLS_challenge = TLS-Exporter("ttls challenge", {}, n) > > > > Then highlight 'context={}' means 'empty'/'zero length' as per RFC8446 > Section 7.5? > > The other EAP RFCs just use an empty context, and not {}. So I'm OK > with leaving that alone. > > > Section 2.[45].1 - Client Certificates [EAP-TTLS/PEAP] > > ------------------------------------------ > > I would like to see the "just use EAP-TLS" and "abort when no inner > methods" replicated in the sections covering TEAP and EAP-FAST too. > > > > Alternatively broken out into its own section which I think it deserves > to highlight "this is pointless folks, we have EAP-TLS for this". > > I'll add text to TEAP and FAST. That seem simplest. > > > I do agree with Alan though. Something has to point the direction that > > TEAP/EAP-FAST needs to go in for TLS 1.3 and any inaccuracies can be > resolved through Errata. > > > > The inaccuracies in the RFC7170 and the stalled errata efforts[4] for > TEAP has not prevented hostapd, Windows 11 and FreeRADIUS interoperating. > > That's good news. > > > This document needs to be published with a TEAP and EAP-FAST statement. > > Thanks. > > I've updated the document, and will issue a new I-D shortly. > > Alan DeKok. > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu >
- [Emu] WG last call for draft-ietf-emu-tls-eap-typ… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Joseph Salowey
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Joseph Salowey
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Joseph Salowey
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alexander Clouter
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alexander Clouter
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Joseph Salowey
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Joseph Salowey
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Heikki Vatiainen
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alexander Clouter
- Re: [Emu] WG last call for draft-ietf-emu-tls-eap… Alan DeKok