IETF Logo Mail Archive

Re: [Emu] Provisioning, configuration, etc. and EAP

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 28 March 2022 20:38 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 564DF3A191B for <emu@ietfa.amsl.com>; Mon, 28 Mar 2022 13:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.366
X-Spam-Level:
X-Spam-Status: No, score=-0.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYGvUnN15tsx for <emu@ietfa.amsl.com>; Mon, 28 Mar 2022 13:38:35 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8D773A1535 for <emu@ietf.org>; Mon, 28 Mar 2022 13:38:34 -0700 (PDT)
Received: from dooku.sandelman.ca (ipv6.dooku.sandelman.ca [IPv6:2607:f0b0:f:6::1]) by relay.sandelman.ca (Postfix) with ESMTPS id F3FF51F4A2; Mon, 28 Mar 2022 20:38:31 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 226071A02F2; Mon, 28 Mar 2022 15:00:03 +0200 (CEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>
In-reply-to: <BC205D3A-DCDD-4C43-AF88-9031622FCAFA@deployingradius.com>
References: <8C03CE4A-B987-4962-9AA3-5DF8FB32ECB5@deployingradius.com> <69280.1648310501@dooku> <BC205D3A-DCDD-4C43-AF88-9031622FCAFA@deployingradius.com>
Comments: In-reply-to Alan DeKok <aland@deployingradius.com> message dated "Sun, 27 Mar 2022 09:58:07 -0400."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 28 Mar 2022 15:00:03 +0200
Message-ID: <94640.1648472403@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/vg09c1upu89ZARDSlFHNASjbTnA>
Subject: Re: [Emu] Provisioning, configuration, etc. and EAP
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 20:38:41 -0000

Alan DeKok <aland@deployingradius.com> wrote:
    >> 64K is plenty to run RFC8995.  Probably we can get away with a total
    >> of less than 10K exchanged in the worst case situations, with 2K being
    >> more typical.

    >   That's good, but I still have concerns with the process of using EAP
    > for, well, almost everything.

    >   Anonymous / unauthenticated EAP-TLS exists.  I'd like to know why
    > that's unacceptable for provisioning general-purpose devices.

    >   For example, see any number of device management products.  These
    > products download large amounts of configuration, and even applications
    > to end-user devices.  This process is part of provisioning the device,
    > and can't be done via tunnelling that data in EAP.  So if we're not
    > using EAP for most of that complex provisioning, why not just use the
    > same methods for all of it?

Well, this is not something I'd do as part of onboarding, but rather as part
of _configuration_, and I agree that it would be better to just use IP for that.

    >> The cost is that it has to be setup and available across a potentially
    >> large enterprise situation.  At the small scale of one or two home
    >> routers, it's just not a problem.

    >   I'm not clear how a large enterprise causes any issues.  For my
    > proposal, just put records into DNS, and various data into web pages.
    > Anyone with corporate credentials can then get on the secure WiFi
    > network.

The issue is that new SSIDs have to deployed over hundreds of access points.
This new "LAN" has to have VLANs deployed for it,  and if done wrong, might
need DHCPv4.
There is a limit in air-time for the number of beacons that the APs have time
for as well, but it's not a concern, AFAIK, until you get into the O(10^2) range.

    >   It's 2022... why is it difficult to get onto a friends WiFi network,
    > securely, and easily?

Two out of three?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email