IETF Logo Mail Archive

Re: [Emu] Review of draft-ietf-emu-eap-tls13-04

John Mattsson <john.mattsson@ericsson.com> Thu, 21 March 2019 07:55 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A25BB130F3E for <emu@ietfa.amsl.com>; Thu, 21 Mar 2019 00:55:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=g9K0jawI; dkim=pass (1024-bit key) header.d=ericsson.com header.b=iLj5BDUR
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mh28bFPDJOMA for <emu@ietfa.amsl.com>; Thu, 21 Mar 2019 00:55:38 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C820130F32 for <emu@ietf.org>; Thu, 21 Mar 2019 00:55:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1553154935; x=1555746935; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=PHWFL6USXpAZg7vrAhsLjRdtR727ABQONwxYR136sU0=; b=g9K0jawIOjkXAxtBxwwKCjB1uzqmNjj91yGAM0f7OUey097uMhV/G49K0/5JAthL l8XTefmCDGbMGdKUlE7mUN7jJQoMBtU276XV+UP40vuuOIYM3BRMsFgG9EaJ4+Kv FNrEUUoeNNViMaM5JnVc+5zQpmPiHjJcB/9UpAy6TYE=;
X-AuditID: c1b4fb30-fabff7000000355c-c2-5c934377fe34
Received: from ESESBMB505.ericsson.se (Unknown_Domain [153.88.183.118]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 6D.0B.13660.773439C5; Thu, 21 Mar 2019 08:55:35 +0100 (CET)
Received: from ESESBMR506.ericsson.se (153.88.183.202) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Thu, 21 Mar 2019 08:55:35 +0100
Received: from ESESBMB502.ericsson.se (153.88.183.169) by ESESBMR506.ericsson.se (153.88.183.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Thu, 21 Mar 2019 08:55:34 +0100
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB502.ericsson.se (153.88.183.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5 via Frontend Transport; Thu, 21 Mar 2019 08:55:34 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PHWFL6USXpAZg7vrAhsLjRdtR727ABQONwxYR136sU0=; b=iLj5BDURyj+NJS+QTyeHqwB4GtdI175iVA8Jjb8/VZA1y7pjsM08VP2xuRBMPRfHCYjox2l24uaw43iz5P6KEH2QqbDRRLxtEumMu0Z/oHkgXAlo/ZKxPmaNUNT+wLpqtICjeYLUdLDYIgawk2UtN+yBlC7aLp0Fa6LxLTrplAE=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB4427.eurprd07.prod.outlook.com (20.176.167.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.13; Thu, 21 Mar 2019 07:55:33 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::ace2:9258:766:85a8]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::ace2:9258:766:85a8%3]) with mapi id 15.20.1730.013; Thu, 21 Mar 2019 07:55:33 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>
CC: 'EMU WG' <emu@ietf.org>
Thread-Topic: Review of draft-ietf-emu-eap-tls13-04
Thread-Index: AdTe9V6YsKNpVE3EQ1ynW7YKwTo35gAznhwA
Date: Thu, 21 Mar 2019 07:55:32 +0000
Message-ID: <3AED5AFD-8AFD-4A51-A3B7-3029B791E53B@ericsson.com>
References: <011501d4df04$3147cf80$93d76e80$@augustcellars.com>
In-Reply-To: <011501d4df04$3147cf80$93d76e80$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.16.1.190220
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 240c2b3e-c9b8-465b-134c-08d6add29873
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:HE1PR07MB4427;
x-ms-traffictypediagnostic: HE1PR07MB4427:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-microsoft-antispam-prvs: <HE1PR07MB4427D19BADA95D88282DBFEF89420@HE1PR07MB4427.eurprd07.prod.outlook.com>
x-forefront-prvs: 0983EAD6B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39860400002)(376002)(346002)(396003)(136003)(51914003)(13464003)(199004)(189003)(6506007)(476003)(6512007)(6436002)(11346002)(33656002)(6486002)(53546011)(97736004)(26005)(58126008)(446003)(2616005)(44832011)(186003)(229853002)(36756003)(66066001)(76176011)(82746002)(316002)(110136005)(5660300002)(2501003)(102836004)(105586002)(99286004)(6116002)(6246003)(305945005)(81166006)(81156014)(25786009)(71190400001)(8936002)(86362001)(8676002)(4326008)(68736007)(486006)(106356001)(83716004)(256004)(14444005)(3846002)(2906002)(7736002)(71200400001)(53936002)(14454004)(478600001); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB4427; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:3;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: xqBRFYe06cNTAvoKk3AST1XTQD3UaSkGhtFkD41uR3hfwQCSVAt2wni4qiINADMbq4AaVaBVczjhs2sP7QVZd+Khwlmb5MPXGNNYqLtlTD5tBHJ5QwKtqJuVj7PuYaNZmVZSpxc3xvmMZ5MtL677zvqAKKthxU/s5WgL19XjwoCgcUChNuoOkA8bvzcjwpsP9qKNfcK4XW1y3xgSFZ6TFD/3s9Cx5nYJ0uMiKelZ4ZUo9iyrp5anqD47Rhnu5iI1fbqK+AFk5prbDjVHXNruzaMPZdidtmbKFkP42h0/Je2hvfEMnC0fXR2yi5roZ8t3gWUwr+Iov7SWAsTH1vn9BZguQ2w8IPyti5r+xv2KFkcwsc7LhWXDJKzxKNw2JQZ5G8u41uj60hdsrLbNze9s4yn7N1sGtt0pM2L4+Xq1Dak=
Content-Type: text/plain; charset="utf-8"
Content-ID: <913A6442905E544191675D5907B59797@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 240c2b3e-c9b8-465b-134c-08d6add29873
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Mar 2019 07:55:33.0338 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4427
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02SbUhTYRTHe+692+7MxeNyeZj24rAPibm5LAwylb5I9DKCJGyRM28qTh27 y7IPIZZQmWW6kJllmmalc2lqpmJoovgeipEmpTQwteyDb0Xl2vYU9O13zv9/OP/z8LC01CyQ s8lpJs6YptMrhB6M5cSLjJ3nDxRqVbbJrWFz9npRWLfNyoRVF60KI+noupIiYXRFxQ9KQ8V6 7Evg9MkZnFG5P84jqdFaKTDUHrlQ0tXPZKGaQ9eRmAUcCtn2XsrFUtyFYL7UyR5OXkEwPVYm IoKzKLDIiVBBwdzSIuMqGJxPw9XcYRFRzBTcqh1CpJhCsNr+3D0vxCq415YlvI5Y1hsbwTF/ 3NWmsS/Y898wLt6I1fCt+z5ysTfeBVeeDIgIq6HqWpfbw+Dt0G6ucmeV4AiYL3iPSLwIeDiy 5GYxjoSRMYfbj/AmWO2rocguH5iwl1LkZgwVbcM0YRnMfloTuFiGldBwc4ohfX/ob3/817MZ RkpzEeHDUDdTLHDdCHgcQe/CbRERAuH16EsRWXwKcnKKBKSfAoMDDiFhP7CNl1Nk+LIQHvVU ivKRsvi/gMXON6LxDrC1KAlGw3KLnjj8wZw7LSp2n+8FvRY78wAJniIZz/HxqYlqdTBnTD7D 8+lpwWmcqR45/0pHw09VM5qdiepEmEUKT0lAX4FWKtBl8JmpnQhYWuEtCQ0v1EolCbrMi5wx /bTxnJ7jO5Evyyh8JL+kXlopTtSZuBSOM3DGfyrFiuVZKLvaXxPzoenr8tveoA3ioS2/7StF jTHmV4lKjWcN46hctxi3be8ly7KX4VmQXrw+vrzgc3iHfE517EatlRMHzK1xHxfUE83NR79n t0ZNjoYm37UezIs30Wczx1RtJ/sLVwyNIRpprGVw95c9OM9PJdPwTTE9ZYm+pf6toXfeVSsY PkkXEkgbed0fHIBM1ScDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/mpzL2rKZ7AbrXnbmn9rsAabd2hE>
Subject: Re: [Emu] Review of draft-ietf-emu-eap-tls13-04
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 07:55:41 -0000

Thanks for the thorough review Jim!

-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>
Date: Wednesday, 20 March 2019 at 11:03
To: "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>
Cc: 'EMU WG' <emu@ietf.org>
Subject: Review of draft-ietf-emu-eap-tls13-04
Resent-From: <alias-bounces@ietf.org>
Resent-To: John Mattsson <john.mattsson@ericsson.com>, <mohit@piuha.net>
Resent-Date: Wednesday, 20 March 2019 at 11:03

    General Comment:  I have a strong tendency to like positive rather than
    negative statements in documents, thus the use of MUST rather than MUST NOT.
    Additionally, I have a general tendency to like to know what should happen
    if a statement is violated.  Thus consider the following from section 2.1.1:

Agree, if possible it is often better with "MUST" statements describing what is happening. The disadvantage with MUST statements are that they rule out things that may be specified in updates to RFC 8446.

    TLS 1.3 introduces early application data; early application data SHALL NOT
    be used with EAP-TLS.
    
    I would prefer to see this as
    
    TLS 1.3 introduced early application data;  if a server receives a client
    hello with early application data it MUST abort the handshake with an
    EAP-Failure.  The server MAY generate a TLS-Alert as well.

In the case of early data, Section 4.2.10 of RFC 8446 states that "A server which receives an "early_data" extension MUST behave in one of three ways:". The three ways are: ignoring early_data, send HelloRetryRequest, and accepting early_data. 

Aborting the handshake would not follow RFC 8446, so I don't think we want that. I would suggest to follow RFC 8446 and specify that the server ignore the early_data extension or replies with HelloRetryRequest. I suggest writing:

TLS 1.3 introduced early application data which is not used in EAP-TLS. A server which receives an "early_data" extension MUST ignore the extension or respond with a HelloRetryRequest as described in Section 4.2.10 of RFC 8446.

This made me realize that draft-ietf-emu-eap-tls13-04 does not mention HelloRetryRequest at all. I think draft-ietf-emu-eap-tls13-04 should mention HelloRetryRequest add add a figure describing the message flow. Alternatively state that HelloRetryRequest MUST NOT be used (or positively that the server MUST respond with ServerHello). 
    
    Section 2.1.2 - The following sentence:
    If the EAP peer did not supply a "key_share" extension
       when offering resumption, the EAP server needs to reject the
       ClientHello and the EAP peer needs to restart a full handshake.
    
    Appears to state that the key share MUST be provided even though the
    previous sentence said that it was only a SHOULD.  Which is it?

Good catch. Definitely something missing in that sentence. Should be SHOULD following RFC 8446. Suggested update:

"If the EAP peer did not supply a "key_share" extension when offering resumption, an EAP server declining resumption needs to reject the ClientHello and force the EAP peer to restart a full handshake.  The message flow in this case is given by Figure 4 followed by Figure 1 or Figure 2."
    
    Section 2.1.3 - I am having a problem understanding why you have Figure 8 in
    the system.

There was an earlier comment from someone requesting more figures describing messages flows for various use cases and errors.

    First, a new session ticket would only be returned if the
    client asked for one to be returned.  Thus the client will never receive one
    that is unexpected.

That is not my understanding of how NewSessionTicket works according to RFC 8446. The session_ticket extension is a far as I understand deprecated in TLS 1.3. The only text I can find in RFC 8446 is that

"At any time after the server has received the client Finished message, it MAY send a NewSessionTicket message."

    Secondly, the authentication has finished and you are
    in a situation where if you had not asked for the ticket everything would be
    fine.  The only possible reason for doing this would be if the client
    suddenly decided that it no longer wanted the ticket and was going to tell
    the server that it did not need to cache the information associated with it.
    However, since this is not a normal flow in TLS that would never happen.  If
    the client decides that it does not want to save the ticket that it
    received, say because it is too big, then it can just not save it but still
    have EAP run to success.

Agree that the client should just most likely just ignore the ticket. Let's remove the figure and the text.
    
    Section 2.1.4 - an EAP-TLS server MUST treat an empty certificate_list as a
    terminal condition when client authentication is required.  Current text
    implies it is always true.

The text in draft-ietf-emu-eap-tls13-04

"For TLS 1.3 this means that the EAP-TLS peer only sends an empty certificate_list if it does not have an appropriate certificate to send, and the EAP-TLS server MAY treat an empty certificate_list as a terminal condition."

follows Section 4.4.2.4 of RFC 8446:

"If the client does not send any certificates (i.e., it sends an empty Certificate message), the server MAY at its discretion either continue the handshake without client authentication or abort the handshake with a "certificate_required" alert."

I do not understand what you mean with " Current text implies it is always true." The term terminal condition came from RFC 5216. Should I rewrite it with text from RFC 8446?

"For TLS 1.3 this means that the EAP-TLS peer only sends an empty certificate_list if it does not have an appropriate certificate to send, and the EAP-TLS server MAY at its discretion either continue the handshake without client authentication or abort the handshake with a "certificate_required" alert."
    
    Section 5.7 para 3 - The term "other authentication information" is
    confusing to me.  You should only be capturing the information from the TLS
    handshake and nothing else.

I think the group need to discuss this more. I think Alan's suggestion was that you capture quite a lot.

    As an example, I would not expect that the
    client would do any additional revocation checking when offering to use a
    session ticket.  If the revocation information is not sufficiently current,
    then the client should not do resumption.  But this does not require
    reevaluation of revocation information or the server certificate chain.  A
    client quite likely to be unable to access a network to check for revocation
    until after the EAP process has finished and thus would be unable in EAP to
    do these checks.

That are very good points. I will update the text based on these suggstions.
    
    Section 5.7 para 7 - Current sentence appears to say that the IP address is
    part of the EAP-Response/Identity.

Ok, let's reformulate

I generally find this entire section
    confusing and think that a large amount should probably be in the main text
    and not here.

Yes, moving some of the information to 2.1.2 seems to make sense

    Jim

v2.23.0 | Report a Bug | By Email