IETF Logo Mail Archive

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Eliot Lear <lear@cisco.com> Fri, 01 November 2019 13:14 UTC

Return-Path: <lear@cisco.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9725120125; Fri, 1 Nov 2019 06:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id txQyW4GLR9a6; Fri, 1 Nov 2019 06:14:56 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4FB41200F1; Fri, 1 Nov 2019 06:14:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3678; q=dns/txt; s=iport; t=1572614096; x=1573823696; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=jvQnWUZl91fntIKVNpUPR5vMiPUNRHpdosUsvk60JHA=; b=H9lajSMFbdqurjx+Pa5vNainxFabj0/hOxwpcwuauf/QBXfH0YuaOL8n TInqy754eozgp7iZUSsYbSKH4irxDG73m1ifIbv7YbT5rVYiuj33BL7IQ xWSQruzKHFFd4XWEDi3zPMCwi6OakIGVE8G3uddTk3x992N5+A71CLLzz I=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BsAACdL7xd/xbLJq1cCRkBAQEBAQEBAQEBAQEBAQEBAREBAQEBAQEBAQEBAYF9g2ABIBIqhCiJA4gYmT6BZwIHAQEBCQMBAS8BAYRAAoQfOBMCAwsBAQQBAQECAQUEbYVDhVEBAQEBAgEjVgULCxgqAgJXBhODIgGCVyCxKnWBMoVOhHYQgTaBU4pWgX+BEScfgkw+hBIBCAoBCQaDIDKCLASVWWGXOIIugjOBE5FvG4I8i2SLRZAAlH2DFwIEBgUCFYFpImdxMxoIGxVlAYJBPhIRFJFLAkADMIw8gjABAQ
X-IronPort-AV: E=Sophos;i="5.68,255,1569283200"; d="asc'?scan'208";a="18643820"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 01 Nov 2019 13:14:35 +0000
Received: from [10.61.230.56] ([10.61.230.56]) by aer-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id xA1DEX9a032723 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 1 Nov 2019 13:14:34 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <DC5F266C-9E4A-4A77-82C2-2F91B313B999@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_BE0325C9-B529-4B1C-BE5C-B16699E394F1"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 01 Nov 2019 14:14:33 +0100
In-Reply-To: <B6D9A341-AF9B-40BA-BF33-5EF4D34CD1C5@deployingradius.com>
Cc: John Mattsson <john.mattsson@ericsson.com>, Joseph Salowey <joe@salowey.net>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Michael Richardson <mcr@sandelman.ca>, EMU WG <emu@ietf.org>
To: Alan DeKok <aland@deployingradius.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com> <634C375D-FBF3-4297-A5C0-E68C903CA34A@ericsson.com> <CAOgPGoBko6N_JebmisoSk_EJ=Hq21sV3xoXjLw4r7D+OFSsdZA@mail.gmail.com> <CC58A292-03D6-4D70-A11F-B8FEE7311E78@cisco.com> <26738.1570791861@dooku.sandelman.ca> <AD799A14-8268-4BAF-8925-3567973C7507@cisco.com> <9501.1570802988@dooku.sandelman.ca> <DCC85780-B079-4AD0-8870-7528270B70D8@cisco.com> <CAOgPGoA0RCY+J5bDOyUiKtFy5Vk=C11yvE8O=rsJPQeS8Fzk0A@mail.gmail.com> <B31BF8C4-6568-49F2-BBD1-BD6AC66D393C@cisco.com> <20826A11-1881-40F9-8C54-82BB90820851@deployingradius.com> <CAOgPGoCAb6hbWfPLLGDXAv80Grxn1vTTxOzLctx4E+R0ZhBvGg@mail.gmail.com> <575D1FD8-9C81-4DA7-B542-71B6D78E7BAC@deployingradius.com> <35D3B09D-B540-4465-BA4F-8EB3C34A167B@ericsson.com> <3D27AB0E-508E-479D-81A5-42566F166647@deployingradius.com> <257044BF-5F82-4A08-861B-71F58100981C@cisco.com> <B6D9A341-AF9B-40BA-BF33-5EF4D34CD1C5@deployingradius.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Outbound-SMTP-Client: 10.61.230.56, [10.61.230.56]
X-Outbound-Node: aer-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/bnZWb1W148yBDBp9ln3vawKYVn4>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 13:14:59 -0000

Hi!

> On 1 Nov 2019, at 13:05, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Nov 1, 2019, at 7:53 AM, Eliot Lear <lear@cisco.com> wrote:
>> 
>>> The EAP Identity used in resumption SHOULD be the same EAP Identity as was used during the original authentication. This requirement allows EAP packets to be routable through an AAA infrastructure to the same destination as the original authentication.
>> 
>> Just a question: why SHOULD and not MUST?
> 
>  I'm happy to have it a MUST.
> 
>  I'm prepared for some people to say it can be different, i.e a different AAA server can be used for resumed sessions.  But I don't see that as important.
> 
>>> The alternative is to derive the EAP Identity from the identity used inside of TLS. This derivation is common practice when using certificates, and works because the "common name" field in the certificate is typically compatible with EAP, and it contains a routable identifier such as an email address. This practice cannot be used for resumption, as the PSK identity may be a binary blob, and it might not contain a routable realm as suggested by RFC 7542.
>>> 
>>> In some cases, the PSK identity is derived by the underlying TLS implementation, and cannot be controlled by the EAP authenticator. These limitations make the PSK identity unsuitable for use as the EAP Identity.
>> 
>> Ok, so this sort of impacts the other drafts as well (NOOB and TEAP) for federated realms (we may both have this wrong).  My presumption here is that an anonymous NAI is always used, but that the realm is what people would key off of, and this would always be present.
> 
>  As the EAP Identity, yes.
> 
>> But that presumption doesn’t hold true with the current TEAP update that we’re working on and that may be problematic.  In any case, this means that that at least the externalized identity can be used to route, and that normal TLS semantics can be used for authenticating.  It does require that tickets be managed on both ends.
> 
>  If the authentications are performed within a constrained system, it's fine to skip using NAIs.  I would suggest that for device bootstrapping you want to ensure that the authentications *aren't* routed outside of the current network.  So they *shouldn't* use a realm.


Ok.  Got it.  I think we have to be quite careful about use of the realm, then, and mechanism selection must be done exclusively with EAP-Request/Type.  I think it’s okay for federations to bootstrap; although we needn’t define that here.

I’ll be updating our draft accordingly.

Eliot

v2.23.0 | Report a Bug | By Email