Re: [Emu] AD Review of draft-ietf-emu-eap-session-id-02
Alan DeKok <aland@deployingradius.com> Wed, 13 May 2020 21:12 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D1D93A0929 for <emu@ietfa.amsl.com>; Wed, 13 May 2020 14:12:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GWNxbw9Oc9Or for <emu@ietfa.amsl.com>; Wed, 13 May 2020 14:12:27 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E10F33A0927 for <emu@ietf.org>; Wed, 13 May 2020 14:12:26 -0700 (PDT)
Received: from [192.168.46.130] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 448ED8BF; Wed, 13 May 2020 21:12:24 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <644056d44c184bc4bac07286519e0847@cert.org>
Date: Wed, 13 May 2020 17:12:22 -0400
Cc: "emu@ietf.org" <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F05E49D-B181-495F-AFC3-55A73844F01F@deployingradius.com>
References: <644056d44c184bc4bac07286519e0847@cert.org>
To: Roman Danyliw <rdd@cert.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/pzjP2n_tEbR5tuur8aAieh3UEEk>
Subject: Re: [Emu] AD Review of draft-ietf-emu-eap-session-id-02
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 21:12:29 -0000
On May 13, 2020, at 4:25 PM, Roman Danyliw <rdd@cert.org> wrote: > > Hi! > > I conducted my AD review of draft-ietf-emu-eap-session-id-02. The document is in good shape. I have largely editorial feedback below that can be handled with IETF LC input. > > (1) Section 1. Editorial. COMMENTs often come up in IESG review the it isn't clear up front what exactly is being updated. I recommend something like ... > > OLD > We correct that deficiency here. > NEW > We correct these deficiencies here by updating [RFC5247] with the Session-Id derivation during fast-authentication exchange for EAP-SIM and EAP-AKA; and defining Session-Id derivation for PEAP. Fixed. > (2) Section 1. Editorial. Per ..., it would be important to get this resolved with a clearly defined and agreed derivation rules to allow fast re- authentication cases to be used to derive ERP key hierarchy", I'm not sure this additional explanation is needed and this is a run-on sentence from the previous text. How about: The IEEE is defining FILS authentication [FILS], which needs the EAP Session-Id in order for the EAP Re-authentication Protocol (ERP) [RFC6696] to work. It is therefore important to address the existing deficiencies in the definition of EAP Session-Id. > (3) Section 2.2. Editorial. > > OLD > Similarly for EAP-SIM, it says: > NEW > Similarly, for EAP-SIM, [RFC5247] Appendix A says: Fixed. > (4) Section 2.2. Editorial. Why not the explicit symmetry in language in EAP-SIM as was used in EAP AKA? > > OLD > EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the ... > NEW > EAP-SIM is defined in [RFC4186]. When using full authentication, the EAP-SIM Session-Id is the ... Fixed. > (5) Section 2.2. Recommend defining RAND1, RAND2 and RAND3 explicitly since RFC4186 only has it in the test vector section. Perhaps something like: > > "RAND1, RAND2 and RAND3 correspond to the RAND value from the first, second and third GSM triplet respectively." Fixed. > (6) Section 3. It would be useful to describe the prior work in Security Considerations. Specifically, "These updates to not modify the Security Considerations outlined in RFC5247." Fixed. I'll publish a new version shortly. Alan DeKok.
- [Emu] AD Review of draft-ietf-emu-eap-session-id-… Roman Danyliw
- Re: [Emu] AD Review of draft-ietf-emu-eap-session… Alan DeKok
- Re: [Emu] AD Review of draft-ietf-emu-eap-session… Roman Danyliw