IETF Logo Mail Archive

Re: [Emu] Re-charter text

John Mattsson <john.mattsson@ericsson.com> Wed, 21 August 2019 09:43 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58AA21208BD for <emu@ietfa.amsl.com>; Wed, 21 Aug 2019 02:43:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7Ty5VhVqnYe for <emu@ietfa.amsl.com>; Wed, 21 Aug 2019 02:43:44 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10057.outbound.protection.outlook.com [40.107.1.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69EE12087A for <emu@ietf.org>; Wed, 21 Aug 2019 02:43:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WQqE7QlZqoEIUvtSZnxNsKovBMoVqHeBDAgDa+PnS93sn9nMhiXF/qFwjamzPpIImiWwp7n/Igr3iVo5BAhiV9SrezQ2xXQl2W4DDh5YJ2G38O2ydyEzRf3gEjBoWjestmF4QfTtgkbAnv2MuFbF88+fTL0OY8DxYV15l/aoiyj/doq+1tBCxrGwM4Z7WRXRaOyFo/jDmPJU+VjEdXjB4H7CLOgdGTCpIBDn8+yAxqFQZrXMUkObwHbdKaJ5tMYiurMzi6jl4ULKMPNvApa5nfMwudiRzX0Ad1HYOIBF7fI18nDBksfJIzTs6ej1xI7TgpZO0pGQ2IkkeRkanWuCqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x3tjy1TxRCvmqaCkdR70jv96vZsfsxdFZP/XiqpN+q4=; b=XfHxpsGEDcIRfPi+cEzNLQ3tL7SkBMsMKqzG6CdDQ24I2NToKeKTWz5mWzP14qPXW6dpfo6eHRNIwUiKT5cda7vdORDvkOmaJ0Ou5KHRCcmjWJeDdj7OlEbVIa11q2oOeSm257JRouCzmD3AZpEyYu06fGLjVoscVEhYncE7rFY9qUP32Q6ttbjWwChj5MYRkRmRmpfIGPFTH57zJ2NFvN+qGkQrq6DIGPdLnEP0vSHpXUCw52XhdF5u00xzcJ4aByYdl+WdpctThTm6M18X72NyytlLW3I0CI8k0QO9No8aQ1f6JPbjGQpqJK1Dpn4HGJd8d7vqbIvM/AJrgxznAA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x3tjy1TxRCvmqaCkdR70jv96vZsfsxdFZP/XiqpN+q4=; b=P2o5/QTVuA9ya9O3EM0tiR6bQhCEJDFdm6xUiVqqgl3awJR6wXyK4c383AiII4vGrTYRHyurQqjJ3o9D0eKmLTZqzCn5foTvTtv5YFLvh3XCHAAES5aMQvlCNgYMNnN3pU+OiZluxukWXEVnaHHGAJh+Ej9ZFIR7Lc8Gydy9Cx0=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB3388.eurprd07.prod.outlook.com (10.170.247.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.19; Wed, 21 Aug 2019 09:43:41 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::1511:109f:e33:47b3]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::1511:109f:e33:47b3%7]) with mapi id 15.20.2199.011; Wed, 21 Aug 2019 09:43:41 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Re-charter text
Thread-Index: AQHVWATqIhLOxs2EFEiusDF3GaVHvA==
Date: Wed, 21 Aug 2019 09:43:41 +0000
Message-ID: <042B48FC-BC9B-4069-814B-B210B17D7051@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1c.0.190812
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [192.176.1.85]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 46452a9b-8824-448b-60dc-08d7261c0ce9
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR07MB3388;
x-ms-traffictypediagnostic: HE1PR07MB3388:
x-ms-exchange-purlcount: 1
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <HE1PR07MB3388197DDC9F818D49E35EBD89AA0@HE1PR07MB3388.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0136C1DDA4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(39860400002)(346002)(366004)(396003)(136003)(189003)(199004)(2616005)(25786009)(81156014)(81166006)(8936002)(44832011)(3846002)(6116002)(790700001)(2501003)(8676002)(58126008)(486006)(2906002)(110136005)(36756003)(76116006)(64756008)(66556008)(66946007)(66476007)(66446008)(186003)(236005)(33656002)(102836004)(6246003)(229853002)(6506007)(99286004)(6512007)(6486002)(6306002)(316002)(26005)(5660300002)(413944005)(966005)(6436002)(54896002)(476003)(14444005)(86362001)(256004)(53936002)(66066001)(478600001)(71190400001)(71200400001)(7736002)(606006)(14454004)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3388; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: qUnv9xZj3WkXdyq8oCRBiveMvkcitfo9AvCVgmqBy8rJdzzGSXZpazKFFGgs2VRJNk8I4ZVR93gQwEKqw7lL3L8de3W58B9tOAg15p+Muqnj9ux3jEP+Lh1lROv7cKyYEkOHvTQkw214A03gjdslRUV+use7bC2dddzB5MFCyNyOu5VgKArQX3Wwuoeh+G40zifUdBfbOuwrziKjS0v9VyC9a5l8ffyG1BBNboLiHV+XTS7coCPT+Wy0uFq5pQSWJKx+Ch5nVhbrDk8Hyhdv7UjVNR5WOw/UxzROsjQi24VLqYjYMq8+S2i+j5pD6XM3gN8bVz6HPXYRgG6Ghd7dYdndo+Kf1scUkLWK9U5N6sXSX4DkQjMUG0xzS7hvzacS8f5b/rDZVY45ysIUCZmm7Ci97r1EoYLpKGyt7Yvp4IU=
Content-Type: multipart/alternative; boundary="_000_042B48FCBC9B4069814BB210B17D7051ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 46452a9b-8824-448b-60dc-08d7261c0ce9
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2019 09:43:41.2526 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: uW0imqOuzBv+F/oMtPt9MEF3AkWFTdSUZpViwM6ItEotwJkLYmUMhuKtVyG7dEePjKSrvsuRFtdb98SMmoZK5xqWl2C6ziZj0zZHacl52os=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3388
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/cNcSIVb0i2Tc8GQ25D0N-6a9H3Y>
Subject: Re: [Emu] Re-charter text
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 09:43:49 -0000

Dear chairs,

Looks good to me. Some mostly editorial comments:

- "EAP method" vs. "EAP type"

Just noticed that different documents in EMU WG use these two different terms. I any of them preferred?

- "TLS and SIM cards"

"SIM cards" is just one side of AKA. There are several network nodes involved and part of EAP-AKA like SUCI encryption may be done by the ME.

I suggest something like "TLS and Mobile Network AKA"

- "pdate" -> "update"

- "document the implications of using new vs. old TLS versions"

The current document only docuemnt implications of using TLS 1.2 as      draft-ietf-tls-oldversions-deprecate formally forbids use of TLS 1.0 and TLS 1.1 everywhere (including EAP).

- "erratas" -> "errata" (errata is plural of eratum)

- "Define session identifiers for fast re-authentication for EAP-SIM, EAP-AKA, and EAP-AKA’. The lack of this definition is a recently discovered bug in the original RFCs."

Should mention PEAP as well.

"in the context of EAP-TLS (all versions)" -> "in the context of TLS based EAP methods"

- "TLS working group (for EAP-TLS work)" -> "TLS working group (for work on TLS based EAP methods)"

Cheers,
John

From: Emu <emu-bounces@ietf.org> on behalf of Mohit Sethi M <mohit.m.sethi@ericsson.com>
Date: Wednesday, 21 August 2019 at 10:14
To: "emu@ietf.org" <emu@ietf.org>
Subject: [Emu] Re-charter text


Dear all,

Thank you for a productive meeting @ IETF 105. We had discussed the new charter text during the working group session in Montreal. Please find the same text below. This text builds upon our current charter. Feel free to suggest changes. RFC 2418 section 2.2 https://tools.ietf.org/html/rfc2418#section-2.2 says the following about a working group charter:

   2. Specifies the direction or objectives of the working group and

      describes the approach that will be taken to achieve the goals;

Please keep this in mind when suggesting changes. Once the text is ready, we will send it to the IESG for review.

Joe and Mohit

------------------------

The Extensible Authentication Protocol (EAP) [RFC 3748] is a network access authentication framework used, for instance, in VPN and mobile networks. EAP itself is a simple protocol and actual authentication happens in EAP methods. Several EAP methods have been developed at the IETF and support for EAP exists in a broad set of devices. Previous larger EAP-related efforts at the IETF included rewriting the base EAP protocol specification and the development of several standards track EAP methods.

EAP methods are generally based on existing security technologies such as TLS and SIM cards. Our understanding of security threats is continuously evolving. This has driven the evolution of several of these underlying technologies. As an example, IETF has standardized a new and improved version of TLS in RFC 8446. The group will therefore provide guidance and update EAP method specifications where necessary to enable the use of new versions of these underlying technologies.

At the same time, some new use cases for EAP have been identified. EAP is now more broadly in mobile network authentication. The group will update existing EAP methods such as EAP-AKA' to stay in sync with updates to the referenced 3GPP specifications. RFC 7258 notes that pervasive monitoring is an attack. Perfect Forward Secrecy (PFS) is an important security property for modern protocols to thwart pervasive monitoring. The group will therefore work on an extension to EAP-AKA' for providing Perfect Forward Secrecy (PFS).

Out-of-band (OOB) refers to a separate communication channel independent of the primary in-band channel over which the actual network communication takes place. OOB channels are now used for authentication in a variety of protocols and devices (draft-ietf-oauth-device-flow-13, WhatsApp Web, etc.). Many users are accustomed to tapping NFC or scanning QR codes. However, EAP currently does not have any standard methods that support authentication based on OOB channels. The group will therefore work on an EAP method where authentication is based on an out-of-band channel between the peer and the server.

EAP authentication is based on credentials available on the peer and the server. However, some EAP methods use credentials that are time or domain limited (such as EAP-POTP), and there may be a need for creating long term credentials for re-authenticating the peer in a more general context. The group will investigate minimal mechanisms with which limited-use EAP authentication credentials can be used for creating general-use long-term credentials.

In summary, the working group shall produce the following documents:

 - An update to enable the use of TLS 1.3 in the context of EAP-TLS (RFC 5216). This document will pdate the security considerations relating to EAP-TLS, document the implications of using new vs. old TLS versions, add any recently gained new knowledge on vulnerabilities, and discuss the possible implications of pervasive surveillance.

 - Several EAP methods such EAP-TTLS and EAP-FAST use an outer TLS tunnel. Provide guidance or update the relevant specifications explaining how those EAP methods (PEAP/TTLS/TEAP) will work with TLS 1.3. This will also involve maintenance work based on erratas found in published specifications (such as EAP-TEAP).

- Define session identifiers for fast re-authentication for EAP-SIM, EAP-AKA, and EAP-AKA’. The lack of this definition is a recently discovered bug in the original RFCs.

- Update the EAP-AKA' specification (RFC 5448) to ensure that its capability to provide a cryptographic binding to network context stays in sync with updates to the referenced 3GPP specifications. The document will also contain any recently gained new knowledge on vulnerabilities or the possible implications of pervasive surveillance.

- Develop an extension to EAP-AKA' such that Perfect Forward Secrecy can be provided. There may also be privacy improvements that have become feasible with the  introduction of recent identity privacy improvements in 3GPP networks.

- Gather experience regarding the use of large certificates and long certificate chains in the context of EAP-TLS (all versions), as some implementations and access networks may limit the number of EAP packet exchanges that can be handled. Document operational recommendations or other mitigation strategies to avoid issues.

- Define a standard EAP method for mutual authentication between a peer and a server that is based on an out-of-band channel. The method itself shall be independent of the underlying OOB channel and shall support a variety of OOB channels such as NFC, dynamically generated QR codes, audio, and visible light.

- Define mechanisms by which EAP methods can support creation of long-term credentials for the peer based on initial limited-use credentials.

The working group is expected to stay in close collaboration with the EAP deployment community, the TLS working group (for EAP-TLS work), and the 3GPP security architecture group (for EAP-AKA' work)

------------------------

v2.23.0 | Report a Bug | By Email