[Emu] RE: Revised liaison response for IEEE 802.11u EAP method for emergency calls
"Bernard Aboba" <bernard_aboba@hotmail.com> Mon, 15 October 2007 20:05 UTC
Return-path: <emu-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IhWCD-0001tN-J5; Mon, 15 Oct 2007 16:05:49 -0400
Received: from emu by megatron.ietf.org with local (Exim 4.43) id 1IhWCC-0001sr-1k for emu-confirm+ok@megatron.ietf.org; Mon, 15 Oct 2007 16:05:48 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IhWCB-0001sj-7l for emu@ietf.org; Mon, 15 Oct 2007 16:05:47 -0400
Received: from bay0-omc1-s20.bay0.hotmail.com ([65.54.246.92]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IhWCA-0007Fq-Nu for emu@ietf.org; Mon, 15 Oct 2007 16:05:47 -0400
Received: from hotmail.com ([207.46.8.111]) by bay0-omc1-s20.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 15 Oct 2007 13:05:46 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 15 Oct 2007 13:05:46 -0700
Message-ID: <BAY117-F31462A15E540BF50F42E1093A30@phx.gbl>
Received: from 207.46.8.123 by by117fd.bay117.hotmail.msn.com with HTTP; Mon, 15 Oct 2007 20:05:41 GMT
X-Originating-IP: [71.222.79.18]
X-Originating-Email: [bernard_aboba@hotmail.com]
X-Sender: bernard_aboba@hotmail.com
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE504A9DAC1@xmb-sjc-225.amer.cisco.com>
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: jsalowey@cisco.com, emu@ietf.org
Bcc:
Date: Mon, 15 Oct 2007 13:05:41 -0700
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"
X-OriginalArrivalTime: 15 Oct 2007 20:05:46.0218 (UTC) FILETIME=[C5F30CA0:01C80F66]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Cc: ecrit-chairs@tools.ietf.org
Subject: [Emu] RE: Revised liaison response for IEEE 802.11u EAP method for emergency calls
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
Errors-To: emu-bounces@ietf.org
>TTLS (draft-funk-eap-ttls-v0-01.txt) and EAP-FAST (RFC4851) >are TLS based methods that can support server only authentication. It >was also pointed out that EAP-TLS (draft-simon-emu-rfc2716bis-11.txt) >could be modified to create a new EAP method that only requires server >side authentication. In general, in TLS-based EAP methods the TLS client authentication policy is determined by the server. That is, the server decides whether to request a client certificate; RFC 2716 recommends but does not require inclusion of a certificate request in the Server hello message; in the examples in RFC 2716 the certificate-request field is not shown as mandatory. By not including a certificate request, an EAP-TLS server can support anonymous clients. It is my understanding that existing EAP-TLS peer implementations support server-side only authentication. >If the peer can validate the server then it is >possible to mitigate many man-in-the-middle attacks against the >authentication, however if the peer cannot validate the server then this >would leave the protocol open to man-in-the-middle attacks. These TLS >based methods require a significant number of round trips, however this >may not be an issue especially if the emergency authentication is >terminated locally instead of in a home server. > >There were also several questions raised in the working group during the >discussion that might help in further determining the best approach. >These are summarized below: > >1) It is not clear what security properties are desirable. Is it >important for the emergency services network to be authenticated? Is it >possible for the peer to have a trust root for emergency services >network? Is there expected to be an existing profile with a specific >SSID that needs to be authorized? Is there another use for the >authenticated identity? > >2) What regulatory requirements are driving the need for encryption? >This creates some conflicts because encryption without authentication >does not satisfy most useful security requirements. > >3) Will the authentication for emergency services be terminated locally >or in a remote network? What is the tolerance for delay before network >connectivity is established? > >4) PSK was described as having worse DOS resistance properties that EAP. >It seems that in many cases EAP would have worse DOS resistance that >PSK, which cases is EAP better? > >5) It seems that most public access networks already provide an open >access network, why couldn't this network be used for emergency >communication? > >As the 802.11u group is certainly aware, there are other groups within >the IETF that are looking at unauthenticated emergency services. In >particular, the ECRIT group within the IETF has ongoing work in this >area: > >http://tools.ietf.org/html/draft-schulzrinne-ecrit-unauthenticated-acces >s-00 > >We encourage IEEE working group members to continue the discussion with >the IETF in the EMU and the ECRIT working groups. _______________________________________________ Emu mailing list Emu@ietf.org https://www1.ietf.org/mailman/listinfo/emu
- [Emu] Revised liaison response for IEEE 802.11u E… Joseph Salowey (jsalowey)
- [Emu] RE: Revised liaison response for IEEE 802.1… Bernard Aboba
- [Emu] RE: Revised liaison response for IEEE 802.1… Joseph Salowey (jsalowey)
- [Emu] RE: Revised liaison response for IEEE 802.1… Joseph Salowey (jsalowey)