[Emu] AD Review of draft-ietf-emu-eap-session-id-02

Roman Danyliw <rdd@cert.org> Wed, 13 May 2020 20:26 UTC

From: Roman Danyliw <rdd@cert.org>
To: "emu@ietf.org" <emu@ietf.org>
Date: Wed, 13 May 2020 20:25:49 +0000
Message-ID: <644056d44c184bc4bac07286519e0847@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/gQip_VaqjpG_GZ5xK7Lj8_u1dlk>


I conducted my AD review of draft-ietf-emu-eap-session-id-02.  The document is in good shape.  I have largely editorial feedback below that can be handled with IETF LC input.

(1) Section 1.  Editorial.  COMMENTs often come up in IESG review when it isn't clear up front what exactly is being updated.  I recommend something like ...

We correct that deficiency here.
We correct these deficiencies here by updating [RFC5247] with the Session-Id derivation during fast-authentication exchange for EAP-SIM and EAP-AKA; and defining Session-Id derivation for PEAP.

(2) Section 1. Editorial.  Per "..., it would be important to get this resolved with a clearly defined and agreed derivation rules to allow fast re-authentication cases to be used to derive ERP key hierarchy", I'm not sure this additional explanation is needed and this is a run-on sentence from the previous text.

(3) Section 2.2.  Editorial.

Similarly for EAP-SIM, it says:
Similarly, for EAP-SIM, [RFC5247] Appendix A says:

(4) Section 2.2.  Editorial.  Why not the explicit symmetry in language in EAP-SIM as was used in EAP-AKA?

EAP-SIM is defined in [RFC4186].  The EAP-SIM Session-Id is the  ...
EAP-SIM is defined in [RFC4186].  When using full authentication, the EAP-SIM Session-Id is the  ...

(5) Section 2.2.  Recommend defining RAND1, RAND2 and RAND3 explicitly since RFC4186 only has it in the test vector section.  Perhaps something like:

"RAND1, RAND2 and RAND3 correspond to the RAND value from the first, second and third GSM triplet respectively."

(6) Section 3.  It would be useful to describe the prior work in Security Considerations.  Specifically, "These updates do not modify the Security Considerations outlined in RFC5247."