IETF Logo Mail Archive

Re: [Emu] Adoption call for eap.arpa

Mohit Sethi <mohit@iki.fi> Thu, 21 March 2024 13:30 UTC

Return-Path: <mohit@iki.fi>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50486C18DB90 for <emu@ietfa.amsl.com>; Thu, 21 Mar 2024 06:30:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5rpt8lWbRf6K for <emu@ietfa.amsl.com>; Thu, 21 Mar 2024 06:30:27 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D30E4C18DBAC for <emu@ietf.org>; Thu, 21 Mar 2024 06:30:25 -0700 (PDT)
Received: from [192.168.58.41] (85-76-17-91-nat.elisa-mobile.fi [85.76.17.91]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: mohit) by meesny.iki.fi (Postfix) with ESMTPSA id 4V0mY62xJQzySk; Thu, 21 Mar 2024 15:30:17 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1711027821; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=38UYoRklWL8ZaWY+RHITBdday61Vxp6/Foax2Xinrgk=; b=Rm2zsOftRoJaghdrS1P10FzFPYBJbSub7xXzJ0CooJ4nJAmfcSegBZK5fERSoMWVzybs1Z PgjEjiltpHpyVgj3a1pBBzTHDUme+iRAXKBNFtSvZmVf5GoQBa0boeiYMICDXPwjygxFOV ZG5v+de58+d9PH32WD69+SVknPLohxM=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1711027821; a=rsa-sha256; cv=none; b=IfaGYKsSjpWQr5eR1FJbl4gG6bqiMffPyULOt8BHfhKQzM9aYMz41l3aO03Iz9eNxiFnky 4aEZ7pEmvrY2M0m7qShpXkbgFtilyqNgh4hbVyRgojnFaY6lV8wwjDTumN6yb3ZLsaJPdo f9rGswOUpIPKja34VFVlYn3jUQ91GkM=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=mohit smtp.mailfrom=mohit@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1711027821; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=38UYoRklWL8ZaWY+RHITBdday61Vxp6/Foax2Xinrgk=; b=wfT6Om3Y8QxoeX8978wU/LPjflzqtMGC1gkQjhLl8oERVJYFDvMw8di/NbKnQMyhMXXJVP qr5Fq5KjcbLpjkUAc65n4IobJrcrAXdBnx9geUSTnEQI6tVAHaw0ysWlwv9ZKdP/SsAGk7 cq0aiMIEI6Mu1db6FFTehbajTz36N70=
Message-ID: <6752380a-0155-4ba4-9aee-107162538a4b@iki.fi>
Date: Thu, 21 Mar 2024 19:00:12 +0530
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Peter Yee <peter@akayla.com>, "emu@ietf.org" <emu@ietf.org>, hvn@radiatorsoftware.com, Alan DeKok <aland@deployingradius.com>
References: <F1FD786F-D0B1-494B-B384-95BBB4B7790B@akayla.com>
From: Mohit Sethi <mohit@iki.fi>
In-Reply-To: <F1FD786F-D0B1-494B-B384-95BBB4B7790B@akayla.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/oGuLHVKu-TV8SphqSGxg6u-Xxqs>
Subject: Re: [Emu] Adoption call for eap.arpa
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 13:30:31 -0000

I would like to support the adoption of the document with two caveats 
based on my deployment experience thus far. Obviously, Alan and Heikki 
have much more expertise and experience than me but just providing a 
data point:

1. Instead of servers deciding the EAP method based on the username part 
of the NAI, the EAP method could be decided based on the sub domain 
under eap.arpa in the realm portion of the NAI. Thus a peer wanting to 
be provisioned would use provisioning@noob.eap.arpa or 
provisioning@tls.eap.arpa depending on whether it supports: EAP-NOOB or 
EAP-TLS for provisioning. Leaving the username semantics to individual 
provisioning drafts (example: draft-ietf-emu-bootstrapped-tls) might be 
beneficial in the long run as explained below.

The username part will likely be needed to distinguish, for example, 
initial certificate enrollment during provisioning (NAI 
provisioning@teap.eap.arpa) from later certificate renewal during 
re-provisioning (NAI re-provisioning@teap.eap.arpa). I assume the 
certificates issued will have a limited lifetime and need to be renewed. 
There are other good reasons where the username part is used to indicate 
the provisioning state. For example, if provisioning a certificate and a 
password, the peer may use different username in the NAI: 
phase1@teap.eap.arpa for provisioning the certificate and 
phase2@teap.eap.arpa for provisioning the password. There have been 
proposals in the past about provisioning different types of credentials: 
https://datatracker.ietf.org/doc/draft-pala-tian-eap-creds-spp/

I have already created a pull request for such a change should this be 
amenable to Alan and others in the working group: 
https://github.com/FreeRADIUS/eap-arpa/pull/1

2. It may beneficial to not limit the provisioning to a local network 
only. First, while developing EAP-NOOB, there was a specific request 
from Rhys Smith and Josh Howlett from JISC. Their use case wanted to 
support provisioning of student IoT devices when they were on an 
exchange semester in a visiting university. See slide 8 onward: 
https://datatracker.ietf.org/meeting/106/materials/slides-106-emu-slides-106-draft-aura-eap-noob-00. 


There are other legitimate reasons for avoiding such limitation. For 
example, a network owner wants to outsource the provisioning of a new 
device to the device vendor. Such scenarios were briefly discussed a 
while back: 
https://datatracker.ietf.org/doc/html/draft-st-t2trg-nw-access-01 and 
there was support from Hannes Tschofenig and others. It was later 
covered in the media as well so I presume there was some interest: 
https://www.theregister.com/2018/07/25/internet_draft_iot_security/.

Finally, there are situations where the device vendor installs the 
device at the customer site and uses the the customer network for 
Internet-connectivity but is still responsible for the device 
provisioning, lifecycle management, services, maintenance, etc. For 
example, a bunch of elevators installed at customer premises using 
customer network for sending back maintenance requests. Here again, the 
customer intentionally wants the device to be provisioned and managed by 
a remote vendor server.

I don't think all these scenarios need to be described in this draft. 
Just removing the limitation is sufficient. My pull request already 
includes such a change, should this amenable to Alan and others in the 
working group: https://github.com/FreeRADIUS/eap-arpa/pull/1

If the working group finds these requests amenable and my pull requests 
are useful, I'd also volunteer to co-author and help drive
this document to the RFC editor queue.

Also, at some later point, if volunteers are needed for the IANA expert 
registry or something else, I'd be available.

--Mohit

PS: There was also an issue that the current draft recommends Expert 
Review for assignment of new values but then also expects RFCs: "The 
intention is that any non-prefix allocation will be accompanied by a 
published RFC.". I think it will be beneficial to have "Specification 
Required". Note "Expert Review" and "RFC Required" are separate things 
in RFC 8126.

On 3/8/24 04:08, Peter Yee wrote:
> This is an adoption call for the eap.arpa Internet-Draft
> (draft-dekok-emu-eap-arpa). This is an ancillary draft that Alan
> DeKok briefed during the Prague (IETF 118) meeting. Seeing as
> it primarily exists as a forward-looking extraction of certain
> descriptive material and IAB .arpa domanrequests from other
> EMU documents, we consider it within the scope of the WG
> charter. Alan did a recent minor update to the document and
> will speak briefly about it during IETF 119.
>
> With that said, your WG chairs would appreciate hearing your
> feedback on whether this document is adopted or not. While
> it's not critical to adopt, it really simplifies the domain
> registration for things like TLS-POK and would have been
> great back when we did EAP-NOOB.
>
> We are particularly interested in hearing from parties who are
> willing to review the specification. So, if you've got interest in
> seeing the work adopted, please formalize that by responding
> to the EMU mailing list with your position.
>
> The deadline for feedback is March 21st. Yes, that's during IETF
> 119 but after the EMU time slot, so hopefully you will have
> formed an opinion by then, if not sooner. We hope to hear
> from lots of you!
>
> Joe and Peter
>
> 1) https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dekok-emu-eap-arpa%2F&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C58eafed9abd249bdf0c208dc3ef75f7c%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638454479714860779%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C60000%7C%7C%7C&sdata=xOYgXpp9COroHW62xnagFFC3Z%2FYzFJM3zGnzaWF4oH0%3D&reserved=0
>
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Femu&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C58eafed9abd249bdf0c208dc3ef75f7c%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638454479714868956%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C60000%7C%7C%7C&sdata=NTbWAghCVLWjPxv6zRImDYLq0qDWgz65V21jF88I%2FAA%3D&reserved=0

v2.23.0 | Report a Bug | By Email