Re: [Emu] BRSKI-TEAP vs regular connection (was Re: EAP questions ...)

"Eliot Lear (elear)" <elear@cisco.com> Wed, 15 January 2020 15:26 UTC

From: "Eliot Lear (elear)" <elear@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "emu@ietf.org" <emu@ietf.org>, "Oleg Pekar (olpekar)" <olpekar@cisco.com>
Thread-Topic: [Emu] BRSKI-TEAP vs regular connection (was Re: EAP questions ...)
Date: Wed, 15 Jan 2020 15:26:44 +0000
Message-ID: <2560B490-A2D7-469B-B508-9D60EFB22D6E@cisco.com>
References: <MN2PR11MB39011F2754371931D1CFF0CCDB780@MN2PR11MB3901.namprd11.prod.outlook.com> <FC4CD2F5-B5E2-4FFB-B81F-A67DC55CD24E@deployingradius.com> <ce3372b5-d418-cb00-70b5-28478423bf55@sandelman.ca> <FB6CE366-5E73-477C-AC3F-98BE35013EC7@cisco.com> <5060.1579101036@localhost>
In-Reply-To: <5060.1579101036@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fFamfPnH032Ork-xRF_CkCqTwX0>
Subject: Re: [Emu] BRSKI-TEAP vs regular connection (was Re: EAP questions ...)


> On 15 Jan 2020, at 16:10, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Eliot Lear (elear) <elear@cisco.com> wrote:
>>> Owen, do we have a need to recognize that a device needs to perform
>>> onboarding again after a movement?
>>> 
>>> i.e. device A enrolls on network 1, gets an LDevID usable on network
>>> 1, uses that with EAP-FOOBAR.
>>> 
>>> device A then is moved to network 2, it tries to use the same LDevID,
>>> receives an error and then recognizes that it needs to perform another
>>> enrollment.
> 
>> I think that is up to the device manufacturer and relates to a number
>> of factors, such as whether the device is mobile, whether it has a
>> reset button, the nature of the device, privacy considerations, whether
>> there are federated capabilities on the device, etc.
> 
> I can see that some of these are important to the device.
> The device may have reasons why it would like to enroll again, but I think
> the question is more about when the network recognizes that it does not need
> to enroll again.
> An example would be a device which was originally enrolled with BRSKI-TEAP,
> but is then provided with roaming credentials (EDU-ROAM).
> 
> How would it know it was on network 2?

Ah.  I misread your note the first time.  The example of 2 is precisely eduroam, and this becomes a matter of configuration.  We were talking about this at one point, and there is a need to configure a realm as part of all of this.  That is something that could easily be included in TEAP but isn’t there today.  It could also be included in DPP in the configuration frame.


> 
>>> What is that error, and is it recognizable?  Do we need a new error
>>> code to distinguish from "I reject you" from "I reject you but, you
>>> could try enrolling with BRSKI-TEAP"
> 
>> I think that can already be detected in the draft based on the action
>> request frames.
> 
> To be clear, it would be doing TEAP (or EAP-TLS) to connect to the network,
> because it is already enrolled.   If there are BRSKI-specific responses
> defined in TEAP, then I'm surprised.

That is what draft-lear-eap-teap-brski is really about.

Eliot

> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
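The decision the thread is circling (a device holding an LDevID from network 1 is rejected and must work out whether it has moved to network 2 and should onboard again, or whether the rejection means something else) can be written down as a small state model. The following is an added illustration, not code from draft-lear-eap-teap-brski, TEAP, or any vendor implementation: the `Outcome` and `Action` names, the `REJECT_ENROLL_OFFERED` stand-in for a reject that explicitly signals onboarding is available, the realm strings, and the `decide` function are all assumptions constructed for this example. It shows why a bare EAP-Failure is ambiguous without a configured realm, why an explicit "you could enroll" signal removes the guesswork, and why an eduroam-style federated credential should not trigger re-enrollment just because the visited realm differs.

```python
"""Constructed model of the re-enrollment decision discussed in the thread.

Hypothetical example only: none of these names come from a draft or a
running implementation.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Outcome(Enum):
    """What the network answered when the device presented its LDevID."""
    ACCEPT = auto()                 # credential accepted, device is on its network
    REJECT = auto()                 # bare failure, no reason carried
    REJECT_ENROLL_OFFERED = auto()  # hypothetical: reject that says onboarding is possible


class Action(Enum):
    """What the device decides to do next."""
    USE_NETWORK = auto()
    RE_ENROLL = auto()
    RETRY_LATER = auto()
    AMBIGUOUS = auto()  # device cannot tell "wrong network" from "bad credential"


@dataclass(frozen=True)
class Credential:
    realm: str      # realm configured at enrollment time (the thread's missing piece)
    roaming: bool   # federated (eduroam-style) credential, valid on visited realms


def decide(cred: Credential, observed_realm: Optional[str], outcome: Outcome) -> Action:
    """Choose the next step from the credential, the realm the network
    advertised (None if it advertised nothing), and the network's answer."""
    if outcome is Outcome.ACCEPT:
        return Action.USE_NETWORK
    if outcome is Outcome.REJECT_ENROLL_OFFERED:
        # An explicit signal: no inference from configuration needed.
        return Action.RE_ENROLL
    # Bare reject: the device has to infer from configuration whether it moved.
    if observed_realm is None:
        # No realm information at all, so network 1 and network 2 look alike.
        return Action.AMBIGUOUS
    if cred.roaming or observed_realm == cred.realm:
        # The credential should be valid here; treat the reject as a policy or
        # transient failure rather than as a sign of being on a new network.
        return Action.RETRY_LATER
    # Realm differs and the credential is not federated: the device moved.
    return Action.RE_ENROLL


# Constructed scenarios mirroring the cases raised in the thread.
SCENARIOS = [
    ("net1: credential accepted",
     Credential("net1.example", False), "net1.example", Outcome.ACCEPT),
    ("net2: no realm advertised, bare reject",
     Credential("net1.example", False), None, Outcome.REJECT),
    ("net2: realm advertised, bare reject",
     Credential("net1.example", False), "net2.example", Outcome.REJECT),
    ("net2: reject that offers onboarding",
     Credential("net1.example", False), "net2.example", Outcome.REJECT_ENROLL_OFFERED),
    ("roaming credential on visited realm, bare reject",
     Credential("home.example", True), "visited.example", Outcome.REJECT),
]


def run_scenarios() -> dict:
    """Return the action chosen for every constructed scenario."""
    return {label: decide(cred, realm, outcome)
            for label, cred, realm, outcome in SCENARIOS}


if __name__ == "__main__":
    for label, action in run_scenarios().items():
        print(f"{label:50s} -> {action.name}")
```

The second scenario is the point Michael raises: with nothing but a failure and no realm to compare against, the device cannot decide, and the only fixes are the two the thread names, a configured realm the device can compare (the third scenario) or a distinguishable reject (the fourth).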