IETF Logo Mail Archive

Re: [Emu] Adoption call for EAP-DPP

Dan Harkins <dharkins@lounge.org> Fri, 19 August 2022 16:41 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CECB3C1522BF for <emu@ietfa.amsl.com>; Fri, 19 Aug 2022 09:41:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5qS0-cRWS4V for <emu@ietfa.amsl.com>; Fri, 19 Aug 2022 09:41:54 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D92B8C1522CB for <emu@ietf.org>; Fri, 19 Aug 2022 09:41:54 -0700 (PDT)
Received: from kitty.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0RGV0UVCVFPURU@wwwlocal.goatley.com> for emu@ietf.org; Fri, 19 Aug 2022 11:41:54 -0500 (CDT)
Received: from [192.168.1.153] (kitty.dhcp.bergandi.net [10.0.42.19]) by kitty.bergandi.net (PMDF V6.8 #2433) with ESMTPSA id <0RGV009AAFPSY3@kitty.bergandi.net> for emu@ietf.org; Fri, 19 Aug 2022 09:41:53 -0700 (PDT)
Received: from customer.lsancax1.pop.starlinkisp.net ([98.97.60.241] EXTERNAL) (EHLO [192.168.1.153]) with TLS/SSL by kitty.bergandi.net ([10.0.42.19]) (PreciseMail V3.3); Fri, 19 Aug 2022 09:41:53 -0700
Date: Fri, 19 Aug 2022 09:41:52 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAC8QAcdZqcYEoaxVU=G6hWmgkrrgPZO1r-8r=rp38MR5mm5k=w@mail.gmail.com>
To: sarikaya@ieee.org
Cc: emu@ietf.org
Message-id: <11a8bbcf-07ce-036a-cec2-5b49983c9e3b@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_5TrqMpOPXVd1eCM3b2fpYw)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
X-PMAS-SPF: SPF check skipped for authenticated session (recv=kitty.bergandi.net, send-ip=98.97.60.241)
X-PMAS-External-Auth: customer.lsancax1.pop.starlinkisp.net [98.97.60.241] (EHLO [192.168.1.153])
References: <01bf01d8b1ac$81233890$8369a9b0$@akayla.com> <CAC8QAcfzQHQg4GQNaqG5k9QJ00-CBCPnwdseLUSYQ=me4rGXEQ@mail.gmail.com> <a9dc5a50-1dbe-614a-1453-63be90286c65@lounge.org> <CAC8QAcdZqcYEoaxVU=G6hWmgkrrgPZO1r-8r=rp38MR5mm5k=w@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [220801a] (kitty.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/lboE_o4OfJJtUL_LA6psIpSuHZs>
Subject: Re: [Emu] Adoption call for EAP-DPP
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 16:41:56 -0000

   Hi Behcet,

On 8/19/22 8:22 AM, Behcet Sarikaya wrote:
> Hi Dan,
>
>
> On Thu, Aug 18, 2022 at 9:54 AM Dan Harkins <dharkins@lounge.org> wrote:
>
>
>       Hi Behcet,
>
>     On 8/17/22 2:36 PM, Behcet Sarikaya wrote:
>>     Hi Peter,
>>
>>     I quickly read this short document and have some comments.
>>
>>     In the informative references section, DPP is listed as Device
>>     Provisioning Profile while it should be Device Provisioning Protocol.
>>     Actually, in the acronyms section the name is correctly given.
>>     However, the DPP acronym is not properly expanded in the first
>>     use of the acronym which is in Section 1. Also the same could be
>>     said of the other acronyms
>
>       Good catch. We'll fix that.
>
>>     Also the date of DPP document seems to be wrong, I think the
>>     version 1.1 was dated 2018.
>
>       I think the Wi-Fi Alliance has released v2. I'll check and we'll
>     fix this if needed.
>
>
> I think there is no v2.

DPP is actually in v3 right now so there is definitely a v2. We just 
need to get
the reference correct.

>>     Probably more seriously though, the document says DPP does not
>>     support wired network access in Section 1 but maybe the authors
>>     are not aware that there is something called wired only DPP which
>>     is defined in another WiFi Alliance document in Section 2.3.5 of
>>
>>     Wi-i Easy ConnectTM Specification v2.0
>>
>>     This document is dated 2020, maybe the authors should reference
>>     this document then the date will be correct 👍🏻.
>
>       The DPP-over-TCP solution will not work. DPP-over-TCP was added
>     to enable centralization
>     of DPP services in devices which might not have an 802.11
>     interface. Think of a central network
>     server that implements a DPP Configurator that is connected to
>     multiple access points in an ESS.
>     The APs will just de-capsulate the 802.11 frames they receive,
>     re-encapsulate them in TCP/IP
>     headers and send them to the central network server who processes
>     them and responds with
>     TCP packets to which the inverse operation is performed by the AP.
>     That said, it is certainly
>     possible for two entities to speak a complete DPP conversation
>     over TCP without the use of
>     802.11. But as I said this won't work here.
>
>       The reason this won't work is the "Onboarding Catch-22" where
>     you need a credential to get
>     on the network but need to get on the network to get a credential.
>     DPP-over-TCP requires an
>     IP address. How do you get an IP address? Well, after "link up" on
>     your wired connection you do
>     EAP and authenticate, and then do DHCP. But how do you do EAP?
>
>
> Yes it is a good question but it is answered in detail in Section 
> 2.3.5 of WiFi Easy Connect Specification. Fig. 9 there on page 40 
> shows the message flow.
> The client there already has an IP address. The issue there is how 
> will the client get IP address of DPP controller.  They propose 
> several solutions including DNS.
> Authentication is based on these three messages exchanged: DPP Auth 
> Req/DPP Aut Res/DPP Auth Conf

   I am well aware of section 2.3.5 of the DPP specification. And I'm 
well aware
of the DPP authentication exchange because I invented it. Thing is, you 
still
need an IP address to do DPP-over-TCP. It's not just figuring out the IP 
address
of the controller, it's your own IP address. How do you get an IP 
address to
query the DNS if the network is secured and you don't have a credential 
to get
on the network?

   The question is not answered in 2.3.5 of the DPP specification. In 
fact, it's
not answered in any part of the DPP specification.

> There is no EAP. EAP in DPP is used in 802.11X with EAP-OL Key  message.

   Yes, there is no EAP in DPP. That's what this proposal is doing! 
Actually,
not really EAP in DPP more like DPP in EAP.

   The use case is a wired device with no, or a limited, user interface. 
How do
you get it on a secure network? Wired security is 802.1X and as soon as you
plug anything into such a port EAPoL starts. What does the device do? It
can't get an IP address to do DPP-over-TCP because it has to finish EAP
in order to get an IP address. So it's stuck.

   We are proposing to solve that issue by using DPP bootstrapping to
authenticate the TLS connection used in TEAP and then use TEAP's existing
enrollment capabilities to provision the device. Make sense?

   Dan.

> Behcet
>
>       regards,
>
>       Dan.
>
>>     Behcet
>>
>>     On Tue, Aug 16, 2022 at 3:12 PM Peter Yee <peter@akayla.com> wrote:
>>
>>         This is an adoption call for EAP-DPP
>>         (draft-friel-tls-eap-dpp-05)[1]. This
>>         document aligns with the charter item to "Define mechanisms
>>         by which EAP
>>         methods can support creation of long-term credentials for the
>>         peer based on
>>         initial limited-use credentials." The latest revision
>>         incorporates feedback
>>         from both the TLS and EMU working groups. Please review and
>>         respond to the
>>         list if you think this document is or is not an appropriate
>>         working group
>>         item for EMU by September 1, 2022.
>>
>>         Thanks,
>>
>>         Peter and Joe
>>
>>         [1] https://datatracker.ietf.org/doc/draft-friel-tls-eap-dpp/
>>
>>
>>         _______________________________________________
>>         Emu mailing list
>>         Emu@ietf.org
>>         https://www.ietf.org/mailman/listinfo/emu
>>
>>
>>     _______________________________________________
>>     Emu mailing list
>>     Emu@ietf.org
>>     https://www.ietf.org/mailman/listinfo/emu
>
>     -- 
>     "The object of life is not to be on the side of the majority, but to
>     escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>
>     _______________________________________________
>     Emu mailing list
>     Emu@ietf.org
>     https://www.ietf.org/mailman/listinfo/emu
>

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email