IETF Logo Mail Archive

Re: [Emu] Potential Notes in EAP-FAST Documents

"Glen Zorn" <glenzorn@comcast.net> Thu, 12 February 2009 01:26 UTC

Return-Path: <glenzorn@comcast.net>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C32AB3A6A42 for <emu@core3.amsl.com>; Wed, 11 Feb 2009 17:26:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mBdAOlyUle61 for <emu@core3.amsl.com>; Wed, 11 Feb 2009 17:26:45 -0800 (PST)
Received: from QMTA06.emeryville.ca.mail.comcast.net (qmta06.emeryville.ca.mail.comcast.net [76.96.30.56]) by core3.amsl.com (Postfix) with ESMTP id AF0C13A69EE for <emu@ietf.org>; Wed, 11 Feb 2009 17:26:45 -0800 (PST)
Received: from OMTA04.emeryville.ca.mail.comcast.net ([76.96.30.35]) by QMTA06.emeryville.ca.mail.comcast.net with comcast id EcUl1b0090lTkoCA6pSrmq; Thu, 12 Feb 2009 01:26:51 +0000
Received: from gwzPC ([124.120.218.181]) by OMTA04.emeryville.ca.mail.comcast.net with comcast id EpSE1b0053vQyGU8QpSPoE; Thu, 12 Feb 2009 01:26:46 +0000
From: Glen Zorn <glenzorn@comcast.net>
To: 'Tim Polk' <tim.polk@nist.gov>
References: <BLU137-W531ACB9BE00127DB8595D993C30@phx.gbl> <808FD6E27AD4884E94820BC333B2DB7727E78F274C@NOK-EUMSG-01.mgdnok.nokia.com> <006c01c98781$5d6b8bf0$1842a3d0$@net> <808FD6E27AD4884E94820BC333B2DB7727E78F2B67@NOK-EUMSG-01.mgdnok.nokia.com> <003201c9880d$e8160780$b8421680$@net> <DF99D1BF-7A3A-41C6-B161-FD609410DE59@nist.gov>
In-Reply-To: <DF99D1BF-7A3A-41C6-B161-FD609410DE59@nist.gov>
Date: Thu, 12 Feb 2009 08:25:52 +0700
Message-ID: <000601c98cb0$ec00add0$c4020970$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcmMVJwMzzog0lbHRfqquijymYv/lQAWnzkg
Content-Language: en-us
Cc: iesg@ietf.org, emu@ietf.org
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2009 01:26:46 -0000

Tim Polk [mailto:tim.polk@nist.gov] writes:

> Folks,
> 
> As the AD that sponsored publication of the EAP-FAST documents under
> discussion,
> I have been trying to find the best way forward.  I believe that the
> best course of action
> involves some clarifications to draft-cam-winget-eap-fast-
> provisioning to distinguish
> the modified and unmodified use of EAP-MSCHAPv2, and IESG notes to
> ensure these
> publications do not establish precedent for future reuse of EAP type
> codes with
> different semantics.

I'm sure that the IESG views its essentially invertebrate response to this
outrageous behavior as stern but fair.  If this pirating of IANA allocated
parameters is actually allowed (as it appears that it will be), I suggest
that you keep this stern warning around (perhaps as a form-letter template
so you can easily fill in the blanks); even better, publish it (suitably
modified for generality) as an RFC so the next few hundred "designers" who
can't be bothered with IANA can just reference it.

> 
> First, I support revising draft-cam-winget-eap-fast-provisioning so
> that the modified
> form of EAP-MSCHAPv2 is consistently referred to as EAP-FAST-
> MSCHAPv2.  The
> authors offered to make this change earlier in the thread, and I have
> seen some
> support and no opposition to this suggestion.
> 
> Second, I will be offering the following text for IESG notes on both
> documents.  The
> notes clearly state the drawbacks for EAP type code reuse and define
> an acceptable
> path for future protocol developers.
> 
> ------ draft-cam-winget-eap-fast-provisioning -----
> 
>      EAP-FAST has been implemented by many vendors and it is used in
> the
>      Internet.  Publication of this specification is intended to
> promote
>      interoperability by documenting current use of existing EAP
> methods
>      within EAP-FAST.
> 
>      The EAP method EAP-FAST-MSCHAPv2 reuses the EAP type code
> assigned to
>      EAP-MSCHAPv2 (26) for authentication within an anonymous TLS
> tunnel.  In
>      order to minimize the risk associated with an anonymous tunnel,
> changes
>      to the method were made that are not interoperable with EAP-
> MSCHAPv2.
>      Since EAP-MSCHAPv2 does not support method-specific version
> negotiation,
>      the use of EAP-FAST-MSCHAPv2 is implied by the use of an anonymous
>      EAP-FAST tunnel.  This behavior may cause problems in
> implementations
>      where the use of unaltered EAP-MSCHAPv2 is needed inside an
> anonymous
>      EAP-FAST tunnel.  Since such support requires special case
> execution of
>      a method within a  tunnel, it also complicates implementations
> that use
>      the same method code both within and outside of the tunnel
> method. If
>      EAP-FAST  were to be designed today, these difficulties could be
> avoided
>      by utilization of unique EAP Type codes. Given these issues,
> assigned
>      method types must not be re-used with different meaning inside
> tunneled
>      methods in the future.
> 
> ----  draft-zhou-emu-fast-gtc  ------
> 
>      EAP-FAST has been implemented by many vendors and it is used in
> the
>      Internet.  Publication of this specification is intended to
> promote
>      interoperability by documenting current use of existing EAP
> methods
>      within EAP-FAST.
> 
>      The EAP method EAP-FAST-GTC reuses the EAP type code assigned to
>      EAP-GTC (6).  The reuse of previously assigned EAP Type Codes is
>      incompatible with EAP method negotiation as defined in RFC
> 3748.  Since
>      EAP-GTC does not support method-specific version negotiation,
> the use of
>      EAP-FAST-GTC is implied when used inside the EAP-FAST tunnel
> during
>      authentication. This behavior may cause problems in
> implementations where
>      the use of another vendor's EAP-GTC is required.  Since such
> support requires
>      special case execution of a method within a tunnel, it also
> complicates
>      implementations that use the same method code both within and
> outside of
>      the tunnel method. If EAP-FAST were to be designed today, these
>      difficulties could be avoided by utilization of unique EAP Type
> codes.
>      Given these issues, assigned method types must not be re-used with
>      different meaning inside tunneled methods in the future.
> 
> I am not under the illusion that this text will be entirely
> satisfactory to anyone,
> but I believe that it is an *appropriate* resolution to the problem.
> 
> Thanks,
> 
> Tim Polk
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email