Re: [Emu] Adoption call for eap.arpa
Mohit Sethi <mohit@iki.fi> Thu, 21 March 2024 13:30 UTC
Return-Path: <mohit@iki.fi>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50486C18DB90 for <emu@ietfa.amsl.com>; Thu, 21 Mar 2024 06:30:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5rpt8lWbRf6K for <emu@ietfa.amsl.com>; Thu, 21 Mar 2024 06:30:27 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D30E4C18DBAC for <emu@ietf.org>; Thu, 21 Mar 2024 06:30:25 -0700 (PDT)
Received: from [192.168.58.41] (85-76-17-91-nat.elisa-mobile.fi [85.76.17.91]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: mohit) by meesny.iki.fi (Postfix) with ESMTPSA id 4V0mY62xJQzySk; Thu, 21 Mar 2024 15:30:17 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1711027821; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=38UYoRklWL8ZaWY+RHITBdday61Vxp6/Foax2Xinrgk=; b=Rm2zsOftRoJaghdrS1P10FzFPYBJbSub7xXzJ0CooJ4nJAmfcSegBZK5fERSoMWVzybs1Z PgjEjiltpHpyVgj3a1pBBzTHDUme+iRAXKBNFtSvZmVf5GoQBa0boeiYMICDXPwjygxFOV ZG5v+de58+d9PH32WD69+SVknPLohxM=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1711027821; a=rsa-sha256; cv=none; b=IfaGYKsSjpWQr5eR1FJbl4gG6bqiMffPyULOt8BHfhKQzM9aYMz41l3aO03Iz9eNxiFnky 4aEZ7pEmvrY2M0m7qShpXkbgFtilyqNgh4hbVyRgojnFaY6lV8wwjDTumN6yb3ZLsaJPdo f9rGswOUpIPKja34VFVlYn3jUQ91GkM=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=mohit smtp.mailfrom=mohit@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1711027821; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=38UYoRklWL8ZaWY+RHITBdday61Vxp6/Foax2Xinrgk=; b=wfT6Om3Y8QxoeX8978wU/LPjflzqtMGC1gkQjhLl8oERVJYFDvMw8di/NbKnQMyhMXXJVP qr5Fq5KjcbLpjkUAc65n4IobJrcrAXdBnx9geUSTnEQI6tVAHaw0ysWlwv9ZKdP/SsAGk7 cq0aiMIEI6Mu1db6FFTehbajTz36N70=
Message-ID: <6752380a-0155-4ba4-9aee-107162538a4b@iki.fi>
Date: Thu, 21 Mar 2024 19:00:12 +0530
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Peter Yee <peter@akayla.com>, "emu@ietf.org" <emu@ietf.org>, hvn@radiatorsoftware.com, Alan DeKok <aland@deployingradius.com>
References: <F1FD786F-D0B1-494B-B384-95BBB4B7790B@akayla.com>
From: Mohit Sethi <mohit@iki.fi>
In-Reply-To: <F1FD786F-D0B1-494B-B384-95BBB4B7790B@akayla.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/oGuLHVKu-TV8SphqSGxg6u-Xxqs>
Subject: Re: [Emu] Adoption call for eap.arpa
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 13:30:31 -0000
I would like to support the adoption of the document with two caveats based on my deployment experience thus far. Obviously, Alan and Heikki have much more expertise and experience than me but just providing a data point: 1. Instead of servers deciding the EAP method based on the username part of the NAI, the EAP method could be decided based on the sub domain under eap.arpa in the realm portion of the NAI. Thus a peer wanting to be provisioned would use provisioning@noob.eap.arpa or provisioning@tls.eap.arpa depending on whether it supports: EAP-NOOB or EAP-TLS for provisioning. Leaving the username semantics to individual provisioning drafts (example: draft-ietf-emu-bootstrapped-tls) might be beneficial in the long run as explained below. The username part will likely be needed to distinguish, for example, initial certificate enrollment during provisioning (NAI provisioning@teap.eap.arpa) from later certificate renewal during re-provisioning (NAI re-provisioning@teap.eap.arpa). I assume the certificates issued will have a limited lifetime and need to be renewed. There are other good reasons where the username part is used to indicate the provisioning state. For example, if provisioning a certificate and a password, the peer may use different username in the NAI: phase1@teap.eap.arpa for provisioning the certificate and phase2@teap.eap.arpa for provisioning the password. There have been proposals in the past about provisioning different types of credentials: https://datatracker.ietf.org/doc/draft-pala-tian-eap-creds-spp/ I have already created a pull request for such a change should this be amenable to Alan and others in the working group: https://github.com/FreeRADIUS/eap-arpa/pull/1 2. It may beneficial to not limit the provisioning to a local network only. First, while developing EAP-NOOB, there was a specific request from Rhys Smith and Josh Howlett from JISC. Their use case wanted to support provisioning of student IoT devices when they were on an exchange semester in a visiting university. See slide 8 onward: https://datatracker.ietf.org/meeting/106/materials/slides-106-emu-slides-106-draft-aura-eap-noob-00. There are other legitimate reasons for avoiding such limitation. For example, a network owner wants to outsource the provisioning of a new device to the device vendor. Such scenarios were briefly discussed a while back: https://datatracker.ietf.org/doc/html/draft-st-t2trg-nw-access-01 and there was support from Hannes Tschofenig and others. It was later covered in the media as well so I presume there was some interest: https://www.theregister.com/2018/07/25/internet_draft_iot_security/. Finally, there are situations where the device vendor installs the device at the customer site and uses the the customer network for Internet-connectivity but is still responsible for the device provisioning, lifecycle management, services, maintenance, etc. For example, a bunch of elevators installed at customer premises using customer network for sending back maintenance requests. Here again, the customer intentionally wants the device to be provisioned and managed by a remote vendor server. I don't think all these scenarios need to be described in this draft. Just removing the limitation is sufficient. My pull request already includes such a change, should this amenable to Alan and others in the working group: https://github.com/FreeRADIUS/eap-arpa/pull/1 If the working group finds these requests amenable and my pull requests are useful, I'd also volunteer to co-author and help drive this document to the RFC editor queue. Also, at some later point, if volunteers are needed for the IANA expert registry or something else, I'd be available. --Mohit PS: There was also an issue that the current draft recommends Expert Review for assignment of new values but then also expects RFCs: "The intention is that any non-prefix allocation will be accompanied by a published RFC.". I think it will be beneficial to have "Specification Required". Note "Expert Review" and "RFC Required" are separate things in RFC 8126. On 3/8/24 04:08, Peter Yee wrote: > This is an adoption call for the eap.arpa Internet-Draft > (draft-dekok-emu-eap-arpa). This is an ancillary draft that Alan > DeKok briefed during the Prague (IETF 118) meeting. Seeing as > it primarily exists as a forward-looking extraction of certain > descriptive material and IAB .arpa domanrequests from other > EMU documents, we consider it within the scope of the WG > charter. Alan did a recent minor update to the document and > will speak briefly about it during IETF 119. > > With that said, your WG chairs would appreciate hearing your > feedback on whether this document is adopted or not. While > it's not critical to adopt, it really simplifies the domain > registration for things like TLS-POK and would have been > great back when we did EAP-NOOB. > > We are particularly interested in hearing from parties who are > willing to review the specification. So, if you've got interest in > seeing the work adopted, please formalize that by responding > to the EMU mailing list with your position. > > The deadline for feedback is March 21st. Yes, that's during IETF > 119 but after the EMU time slot, so hopefully you will have > formed an opinion by then, if not sooner. We hope to hear > from lots of you! > > Joe and Peter > > 1) https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-dekok-emu-eap-arpa%2F&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C58eafed9abd249bdf0c208dc3ef75f7c%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638454479714860779%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C60000%7C%7C%7C&sdata=xOYgXpp9COroHW62xnagFFC3Z%2FYzFJM3zGnzaWF4oH0%3D&reserved=0 > > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Femu&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C58eafed9abd249bdf0c208dc3ef75f7c%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638454479714868956%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C60000%7C%7C%7C&sdata=NTbWAghCVLWjPxv6zRImDYLq0qDWgz65V21jF88I%2FAA%3D&reserved=0
- [Emu] Adoption call for eap.arpa Peter Yee
- Re: [Emu] Adoption call for eap.arpa Michael Richardson
- Re: [Emu] Adoption call for eap.arpa Jan-Frederik Rieckers
- Re: [Emu] Adoption call for eap.arpa Alexander Clouter
- Re: [Emu] Adoption call for eap.arpa Yanlei(Ray)
- Re: [Emu] Adoption call for eap.arpa Alexander Clouter
- Re: [Emu] Adoption call for eap.arpa Jan-Frederik Rieckers
- Re: [Emu] Adoption call for eap.arpa Alexander Clouter
- Re: [Emu] Adoption call for eap.arpa Michael Richardson
- Re: [Emu] Adoption call for eap.arpa Alan DeKok
- Re: [Emu] Adoption call for eap.arpa Heikki Vatiainen
- Re: [Emu] Adoption call for eap.arpa Mohit Sethi
- Re: [Emu] Adoption call for eap.arpa Alan DeKok
- Re: [Emu] Adoption call for eap.arpa Mohit Sethi
- Re: [Emu] Adoption call for eap.arpa Michael Richardson
- Re: [Emu] Adoption call for eap.arpa Alan DeKok
- Re: [Emu] Adoption call for eap.arpa Michael Richardson
- Re: [Emu] Adoption call for eap.arpa Mohit Sethi