Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
"Hoeper Katrin-QWKN37" <khoeper@motorola.com> Thu, 04 March 2010 23:03 UTC
Return-Path: <khoeper@motorola.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 54D743A8994 for <emu@core3.amsl.com>; Thu, 4 Mar 2010 15:03:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AeE5B73G0pMr for <emu@core3.amsl.com>; Thu, 4 Mar 2010 15:03:49 -0800 (PST)
Received: from mail119.messagelabs.com (mail119.messagelabs.com [216.82.241.195]) by core3.amsl.com (Postfix) with ESMTP id 4735A3A8714 for <emu@ietf.org>; Thu, 4 Mar 2010 15:03:49 -0800 (PST)
X-VirusChecked: Checked
X-Env-Sender: khoeper@motorola.com
X-Msg-Ref: server-7.tower-119.messagelabs.com!1267743829!36741578!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [129.188.136.8]
Received: (qmail 1907 invoked from network); 4 Mar 2010 23:03:50 -0000
Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-7.tower-119.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 4 Mar 2010 23:03:50 -0000
Received: from il06exr04.mot.com (il06exr04.mot.com [129.188.137.134]) by motgate8.mot.com (8.14.3/8.14.3) with ESMTP id o24N3nrx013737 for <emu@ietf.org>; Thu, 4 Mar 2010 16:03:49 -0700 (MST)
Received: from il06vts01.mot.com (il06vts01.mot.com [129.188.137.141]) by il06exr04.mot.com (8.13.1/Vontu) with SMTP id o24N3nGD005890 for <emu@ietf.org>; Thu, 4 Mar 2010 17:03:49 -0600 (CST)
Received: from de01exm68.ds.mot.com (de01exm68.am.mot.com [10.176.8.24]) by il06exr04.mot.com (8.13.1/8.13.0) with ESMTP id o24N3m9c005887 for <emu@ietf.org>; Thu, 4 Mar 2010 17:03:49 -0600 (CST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 04 Mar 2010 18:03:26 -0500
Message-ID: <3A241A6B234BE948B8B474D261FEBC2F07295D50@de01exm68.ds.mot.com>
In-Reply-To: <aa885e5541e79c1f133340f5b517d4cd.squirrel@www.trepanning.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Emu] review of draft-ietf-emu-eaptunnel-req-04
Thread-Index: Acq76jRCdKWJMX0zQJWTuGMSZVGKmwABG2WA
References: <mailman.918.1267675512.4805.emu@ietf.org><7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05CB5865@il-ex01.ad.checkpoint.com><AC1CFD94F59A264488DC2BEC3E890DE509BD3F5F@xmb-sjc-225.amer.cisco.com><47fdacab7df0a9d6cde83883bb01e93a.squirrel@www.trepanning.net> <AC1CFD94F59A264488DC2BEC3E890DE509BD40A3@xmb-sjc-225.amer.cisco.com> <3A241A6B234BE948B8B474D261FEBC2F07295C9A@de01exm68.ds.mot.com> <aa885e5541e79c1f133340f5b517d4cd.squirrel@www.trepanning.net>
From: Hoeper Katrin-QWKN37 <khoeper@motorola.com>
To: Dan Harkins <dharkins@lounge.org>
X-CFilter-Loop: Reflected
Cc: emu@ietf.org, Yaron Sheffer <yaronf@checkpoint.com>
Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2010 23:03:51 -0000
MUST NOT be mandatory in combination with SHOULD be supported...sounds a little bit odd to me! We have good reasons to have the MUST NOT be mandatory. Again, support is not excluded by this statement. Katrin > -----Original Message----- > From: Dan Harkins [mailto:dharkins@lounge.org] > Sent: Thursday, March 04, 2010 4:30 PM > To: Hoeper Katrin-QWKN37 > Cc: Joseph Salowey; Dan Harkins; emu@ietf.org; Yaron Sheffer > Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04 > > > Who said anything about making them mandatory? I just said SHOULD. > > Yes, Joe pointed out that the current MUST NOT language does not > necessarily bar anyone from supporting them, but how do you then jump > to the conclusion that saying they SHOULD be supported makes them > mandatory? > > RFC 2119 says of SHOULD: "there may exist valid reasons in particular > circumstances [like the points I have been making] to ignore a > particular item [like the admonitions to do server-side authentication], > but the full implications [potential loss of privacy] must be understood > and carefully weighed before choosing a different course." It does not > indicate an absolute or mandatory requirement. > > Dan. > > On Thu, March 4, 2010 1:30 pm, Hoeper Katrin-QWKN37 wrote: > > I am absolutely against adding a SHOULD requirement for anonymous > > tunnels. > > > > Dan you made your point that there are use cases where servers don't > > have a certificate and don't use secret key credentials supported by > > TLS. > > > > To make anonymous tunnels *mandatory* to support these corner cases > > seems a bit far fetched considering that it would require a whole list > > of additional security requirements on the inner method. > > > > As Joe pointed out the current draft does not prohibit anonymous > > tunnels, it just doesn't make them mandatory. > > > > I agree, that an extension to the base protocol is a much better place > > to discuss these use cases and the required additional limitations on > > the inner methods. > > > > Katrin > > > >> -----Original Message----- > >> From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of > >> Joseph Salowey (jsalowey) > >> Sent: Thursday, March 04, 2010 1:10 PM > >> To: Dan Harkins > >> Cc: emu@ietf.org; Yaron Sheffer > >> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04 > >> > >> I don't think it's appropriate to add a SHOULD for implementing > >> anonymous cipher suites in this document. > >> > >> It is true that there is a MUST requirement for extensibility, but I > >> don't think we want to define the extensions in the base > > specification. > >> I don't think the current text limits what can be done in extensions. > >> > >> Joe > >> > >> > -----Original Message----- > >> > From: Dan Harkins [mailto:dharkins@lounge.org] > >> > Sent: Thursday, March 04, 2010 8:50 AM > >> > To: Joseph Salowey (jsalowey) > >> > Cc: Yaron Sheffer; emu@ietf.org > >> > Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04 > >> > > >> > > >> > Hi Joe, > >> > > >> > Section 3.8 has a MUST for "extensibility" which is explained as: > >> > > >> > "One example of a application for extensibility is credential > >> > provisioning. When a peer has authenticated with EAP, this is > > a > >> > convenient time to distribute credentials to that peer that may > >> be > >> > used for later authentication exchanges." > >> > > >> > Now I believe EAP-FAST does this sort of thing for it's PAC > >> provisioning > >> > but it does anonymous TLS then EAP-MSCHAPv2 which has obvious > >> problems. > >> > So the need to do this sort of thing exists. > >> > > >> > I know that one can do server-side authentication with some > >> previously > >> > installed certificate (and I know EAP-FAST has this as an option > > too) > >> but > >> > _in practice_ that doesn't work so well which is why the most > > popular > >> > desktop and laptop operating system has a "do not verify server > > cert" > >> > check box on its EAP-TLS configuration GUI. > >> > > >> > As I mentioned earlier security is about risk management and if > > you > >> > try to tell some guy deploying product that no he can't do what he > >> wants > >> > to do because the authors of the IETF standard decided that it > > wasn't > >> > in his best interests he will find ways around those authors, like > >> instead > >> > of installing a trusted cert he'll check the box to not verify the > >> server > >> > cert that the authors said he has to use if he wants to use this > >> product. > >> > It would be much better to give him a tool that serves his > > legitimate > >> > needs and is easy for him to deploy and still maintains security > >> (albeit > >> > with a potential loss of privacy). > >> > > >> > Would it be possible to add a reference in 4.2.1.1.3 that one > > SHOULD > >> > optionally implement an anonymous cipher suite? > >> > > >> > Dan. > >> > > >> > On Thu, March 4, 2010 7:11 am, Joseph Salowey (jsalowey) wrote: > >> > >> Joe, what Dan is proposing is a reasonable way to use a one-time > >> > > password > >> > >> for the initial provisioning of a trust anchor. Initial > >> provisioning > >> > > is > >> > >> important for many types of deployments. Does the document allow > > an > >> > >> alternative secure way to do that? > >> > >> > >> > > [Joe] Initial provisioning is not currently in the scope of the > >> document > >> > > for the base method. I agree that using anonymous cipher suites > > in > >> the > >> > > way Dan proposes can be used in a provisioning mechanism, however > >> there > >> > > are other ways provisioning can be achieved with or without the > > use > >> of > >> > > EAP. > >> > > > >> > >> Dan, I suspect that for this specific use case (one time use, no > >> need > >> > > for > >> > >> confidentiality), resistance against dictionary attack is not > > very > >> > >> important. So EAP-GPSK inside the tunnel will do just as well. > >> > >> > >> > >> Thanks, > >> > >> Yaron > >> > >> > >> > >> > Date: Wed, 3 Mar 2010 20:05:09 -0800 > >> > >> > From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com> > >> > >> > Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04 > >> > >> > To: "Dan Harkins" <dharkins@lounge.org>, "Hoeper > > Katrin-QWKN37" > >> > >> > <khoeper@motorola.com> > >> > >> > Cc: emu@ietf.org > >> > >> > Message-ID: > >> > >> > <AC1CFD94F59A264488DC2BEC3E890DE509BD3EBA@xmb-sjc- > >> > >> > 225.amer.cisco.com> > >> > >> > Content-Type: text/plain; charset="us-ascii" > >> > >> > > >> > >> > Hi Dan, > >> > >> > > >> > >> > The document currently states anonymous cipher suites MUST NOT > > be > >> > >> > mandatory to implement for the tunnel method. I think the is > > the > >> > >> > appropriate stance for the document to take for the base tunnel > >> > > method. > >> > >> > I also do not think this prevents a follow-on specification > >> defining > >> > >> > how > >> > >> > to use anonymous tunnel securely. > >> > >> > > >> > >> > Cheers, > >> > >> > > >> > >> > Joe > >> > >> > > >> > >> > >> > >> _______________________________________________ > >> > >> Emu mailing list > >> > >> Emu@ietf.org > >> > >> https://www.ietf.org/mailman/listinfo/emu > >> > > _______________________________________________ > >> > > Emu mailing list > >> > > Emu@ietf.org > >> > > https://www.ietf.org/mailman/listinfo/emu > >> > > > >> > > >> > >> _______________________________________________ > >> Emu mailing list > >> Emu@ietf.org > >> https://www.ietf.org/mailman/listinfo/emu > > >
- [Emu] review of draft-ietf-emu-eaptunnel-req-04 Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Yaron Sheffer
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Alan DeKok
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Yaron Sheffer
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Alan DeKok
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Yaron Sheffer
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37