[Emu] Review: draft-ietf-emu-pqc-eapaka-01 and draft-ietf-emu-hybrid-pqc-eapaka-01
Heikki Vatiainen <hvn@radiatorsoftware.com> Tue, 14 October 2025 19:37 UTC
Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: emu@mail2.ietf.org
Delivered-To: emu@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3B6FE737960F for <emu@mail2.ietf.org>; Tue, 14 Oct 2025 12:37:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ekU3_F6ecasH for <emu@mail2.ietf.org>; Tue, 14 Oct 2025 12:37:35 -0700 (PDT)
Received: from mail-wm1-x342.google.com (mail-wm1-x342.google.com [IPv6:2a00:1450:4864:20::342]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 454927379608 for <emu@ietf.org>; Tue, 14 Oct 2025 12:37:35 -0700 (PDT)
Received: by mail-wm1-x342.google.com with SMTP id 5b1f17b1804b1-46e6c8bc46eso38488335e9.3 for <emu@ietf.org>; Tue, 14 Oct 2025 12:37:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1760470654; x=1761075454; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Wd00/rILstzFkkW4zh33iIv9f7lVbE20mYSTxwS1yNQ=; b=QiV5FIoBeyObPMKsLIasea3UH6xErjoQU1dB6VVZ83dco0FcgQC6tMRF/gLBlIRgzb u6up5PM6S60Bbh31QQ3kzTkq2IPTZd812jVrjfBfTPlYHdn2nvaPL5Gilav7RoNM0lq7 rEMNXRSTyOMyd09s7olvSjQEU7h/WIEj+3mwCO8l+5jKdSd2GOsYyoFYEJXO0dHTrY+p T6cf1BuKHxtvHeRRdmrK3wY1pL5nRja8zOkoiydgdHTMbmzQfXUZzvyV+tLi1xrkm0KO WqYS1Az1ppkx+tLZYukc0vjtvet4mE6aElzO7qj4o/TjtmtzUlPgnKY78W2cOvbtSr9f rMJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760470654; x=1761075454; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Wd00/rILstzFkkW4zh33iIv9f7lVbE20mYSTxwS1yNQ=; b=No6PDEu2vJs40ffhbnJJCkZhO1uLpJfYuGhT4g3l7STdKXwnzECdWBE+5m3Ml8caCC Sgbt/NmsjHQF0I2YYvSFIEaZDchZ9WYzpjhd+4A48ramwFJ4pIAdj/R/MgqOAmPtNhXi juZqiBcJ3hHpdAyTo9BDKXKeP2lGRjq05kqnwWBx7yVc8Am+dRcxVU1LWqa2LJH1Aa5G 7HR0VoUi6gLulO4/c7vxWigRZfaRBlUPD3oeFJCIDM4p9jnysmj6O/NWctCtUmI1Hee2 A0J0QiTnpbZam2VaC+1q+GHHe2+d0Olz2ER3opQK2ttgJprI2mUPIHzIndOONK1guO+P oA4A==
X-Gm-Message-State: AOJu0YyfNQE+rnQZsqdsckwmEvjeWNeXX5IuEZkETh7hAHjYOThourLn C7vRB7di+S7TkqfLLojmd1LLpwMKZAvQxUsWxelerS4cL2vS9/JGzGcAYwBryXJAUirc89Xc2ze edfJzcpSDhAYtwI8XmpGwKGe/YDalCB4MWbFncgTbRLttMl8oC+PW3i+1b/M=
X-Gm-Gg: ASbGncuE22cwA9VtLNsYS+WjJyMhGJh5vgwIlJO5nDpVUbp90tjPnK91gF3wCGYH/Mv j9IpC+u3T+S6ISJu9LGo2qTVqcIYaiLWaza5t75gJO/4E3VEBdHBVIe7dUiVB/But/e210UZmfr zBtC7Ddyn3jdjSGgROiPv76NWBTzRRTKTP0RAneqG4NMPCqB1S/GFSPzSvFIQbrLVQ6WvtpU5OQ zTEjGif8Uc06Mq3tY6pui2CAUqwCLzgaGxaq0XFvjpYjlSp/Hd00GIHqUPPT/kLqU2lNQ==
X-Google-Smtp-Source: AGHT+IE5XCYc3BHYa16jn8az9DID8Z8eaJ/VhYyAjsEk2chqrY4nS0JX7s1XODWEF6CSXp9Fsi3RGhWpzaEZt3e0iVY=
X-Received: by 2002:a05:600c:3d8b:b0:45b:7ce0:fb98 with SMTP id 5b1f17b1804b1-46fa9a9456fmr164287165e9.5.1760470653699; Tue, 14 Oct 2025 12:37:33 -0700 (PDT)
MIME-Version: 1.0
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Tue, 14 Oct 2025 22:37:16 +0300
X-Gm-Features: AS18NWBVyDBvx07m6Ao775vJ3OrgLIemP3meLPvqRLwBCBBhBQR4fitQ0Nlkfp0
Message-ID: <CAA7Lko8U-1JQ2K6GZznN-5WT4sXW+eix8viBVqVOovQpeR4EpA@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f39c8506412383d6"
Message-ID-Hash: SDMFKEXBNQIGHSVAOP2UMR6LGBFEW3RC
X-Message-ID-Hash: SDMFKEXBNQIGHSVAOP2UMR6LGBFEW3RC
X-MailFrom: hvn@radiatorsoftware.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-emu.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Emu] Review: draft-ietf-emu-pqc-eapaka-01 and draft-ietf-emu-hybrid-pqc-eapaka-01
List-Id: "EAP Methods Update (EMU)" <emu.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fhXlbdpXjCZ50HbWQxaI4tkjR4o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Owner: <mailto:emu-owner@ietf.org>
List-Post: <mailto:emu@ietf.org>
List-Subscribe: <mailto:emu-join@ietf.org>
List-Unsubscribe: <mailto:emu-leave@ietf.org>
Hello Aritra, Hello Tirumaleswar, please find below my review of your two drafts from an implementation point of view. This includes considering how the protocol updates affect existing EAP-AKA implementation and how they co-exist with the existing SIM based EAP methods. First, as a reminder to the list members and to make it easier myself to refer to what already exists, here's a short overview of the current SIM-based EAP methods, their updates and relationships. 1. EAP-SIM and EAP-AKA - the first SIM based EAP methods - RFC 4186 defines EAP-SIM - RFC 4187 defines EAP-AKA EAP-SIM and EAP-AKA are similar, up to a point. They share the same IANA registry: https://www.iana.org/assignments/eapsimaka-numbers/eapsimaka-numbers.xhtml EAP-SIM has not received updates since the first publication. 2. EAP-AKA' - also know as EAP-AKA Prime - RFC 5448 defines EAP-AKA' - Has a separate EAP type from EAP-AKA - Updated, but not obsoleted, by RFC 9048 Quoting RFC 5448: "[EAP-AKA'] is a small revision of the EAP-AKA'". EAP-AKA' also uses the aforementioned IANA registry Quoting RFC 9048: 'This document does not obsolete RFC 5448; however, this document is the most recent and fully backwards-compatible specification' 3. EAP-AKA' FS - where FS is for Forward Secrecy - RFC 9678 updates, but does not obsolete, RFCs 9048 and 5448 - Does not have its own EAP type Quoting RFC 9678: 'This document updates RFC 9048, [cut], and its predecessor RFC 5448 with an optional extension providing ephemeral key exchange' 4. The current EMU drafts to make EAP-AKA' safe against cryptographically-relevant quantum computers: - draft-ietf-emu-pqc-eapaka - draft-ietf-emu-hybrid-pqc-eapaka First, I think it's better to have the two drafts separate. They can then focus to their own thing and simply say that they are mutually exclusive. >From what I've seen from other documents, this can avoid the text that does always need to say something along 'if you do A they don't B and if you do B they don't do A'. This construct then repeats over and over making it harder to follow the main topic. Second, the both drafts define new attributes that is needed with post quantum safe algorithms. These attributes are from the skippable range making the functionality in the drafts compatible with the existing implementations. Third, because the new attributes need to exchange large amounts of data between the EAP peer and server, the both drafts purpose to use a different encoding with their new attributes. The main change is that length field would now be 2 octets instead of one octet. This change would break any existing EAP-AKA' implementation that is not aware of the different encoding. Even the use of skippable range doesn't help, because the implementation still needs to know how many octets to skip. In addition to this, EAP-AKA RFC 4187 has the following restrictions: https://datatracker.ietf.org/doc/html/rfc4187#section-8 Section 'Protocol Extensibility', second paragraph states: When specifying new attributes, it should be noted that EAP-AKA does not support message fragmentation. Hence, the sizes of the new extensions MUST be limited so that the maximum transfer unit (MTU) of the underlying lower layer is not exceeded. According to [RFC3748], lower layers must provide an EAP MTU of 1020 bytes or greater, so any extensions to EAP-AKA SHOULD NOT exceed the EAP MTU of 1020 bytes. One option to handle this could be to use two rounds of EAP-Request/AKA'-Challenge - EAP-Response/AKA'-Challenge pairs. The long values could be split to two, not necessarily equal length, values and sent with separate AKA'-Challenge messages. RFC 9678 provides a precedent for this. https://www.rfc-editor.org/rfc/rfc9678.html#section-6.2-12 Quote: '... the Server re-sends the EAP-Response/AKA'-Challenge message, ...' Adding a one more EAP round trip still keeps the maximum number of EAP messages well below what some very common EAP methods already use. For example, PEAP and EAP-TLS often do well over ten(s) of round trip because of certificates and CA chains they use. Most likely the extra round trip, or even more round trips, is better for compatibility, than causing fragmentation and using MTU exceeding EAP messages. Existing EAP authenticators and other nodes that are part of the authentication dialogue, may not handle long messages gracefully. -- Heikki Vatiainen hvn@radiatorsoftware.com
- [Emu] Review: draft-ietf-emu-pqc-eapaka-01 and dr… Heikki Vatiainen