IETF Logo Mail Archive

Re: [Emu] Review of draft draft-ms-emu-eaptlscert-02

"Anoop Kumar Pandey" <anoop@cdac.in> Wed, 08 May 2019 11:17 UTC

Return-Path: <anoop@cdac.in>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B527B12008D for <emu@ietfa.amsl.com>; Wed, 8 May 2019 04:17:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qcq9gfeKmXuM for <emu@ietfa.amsl.com>; Wed, 8 May 2019 04:17:23 -0700 (PDT)
Received: from mailsender.cdac.in (mailsender.cdac.in [196.1.113.117]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CB4C12009E for <emu@ietf.org>; Wed, 8 May 2019 04:17:21 -0700 (PDT)
Received: from ims.pune.cdac.in (ims.pune.cdac.in [10.208.1.15]) by mailsender.cdac.in (8.14.2/8.13.8) with ESMTP id x48BGwdp003027 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 8 May 2019 16:46:58 +0530
Received: from mailgw.pune.cdac.in ([10.208.1.4]) by ims.pune.cdac.in (8.14.4/8.14.4) with ESMTP id x48BGjt7005894; Wed, 8 May 2019 16:46:47 +0530
X-AuthUser: anoop
Received: from DESKTOPV9MK6VP ([223.31.121.170]) (authenticated bits=0) by mailgw.pune.cdac.in (8.14.2/8.13.8) with ESMTP id x48BGfxo004455; Wed, 8 May 2019 16:46:42 +0530
From: Anoop Kumar Pandey <anoop@cdac.in>
To: 'Alan DeKok' <aland@deployingradius.com>
Cc: emu@ietf.org
References: <009e01d503f9$0a9848f0$1fc8dad0$@cdac.in> <77F3AA81-8DF8-4E81-9C03-BA5576A4BB37@deployingradius.com>
In-Reply-To: <77F3AA81-8DF8-4E81-9C03-BA5576A4BB37@deployingradius.com>
Date: Wed, 08 May 2019 16:46:40 +0530
Message-ID: <009301d5058f$84c43110$8e4c9330$@cdac.in>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0094_01D505BD.9E7D5770"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQFRvYB/XICbbSBJFWMOULxvu3QdcAGoSJ1ap1pZeSA=
Content-Language: en-in
X-CDAC-PUNE-MailScanner-ID: x48BGjt7005894
X-CDAC-PUNE-MailScanner: Found to be clean, Found to be clean
X-CDAC-PUNE-MailScanner-MCPCheck-IMS: MCP-Clean, MCP-Checker (score=0, required 1)
X-CDAC-PUNE-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.199, required 6, autolearn=disabled, ALL_TRUSTED -1.00, BAYES_50 0.80, URIBL_BLOCKED 0.00), not spam, SpamAssassin (not cached, score=-5.3, required 6, autolearn=disabled, ALL_TRUSTED -1.80, BAYES_00 -3.50)
X-CDAC-PUNE-MailScanner-Information: Please contact npsfhelp@cdac.in/mailadmin@cdac.in for more information
X-MailScanner-ID: x48BGwdp003027
X-CDAC-PUNE-MailScanner-From: anoop@cdac.in
X-CDAC-MailScanner-Spam-Status: No
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/w0JobHwzr_Cfd4MLWApERQYpdgE>
Subject: Re: [Emu] Review of draft draft-ms-emu-eaptlscert-02
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 11:17:26 -0000

> The reality is that there are some organizations who treat certificates as a dumping ground for information.

3 Tier chained certificate with organization validated certificate in DER encoded Binary mode has a size of just 1588 byte (1.55 KB) [Attached].  It has a lot of Information including SANs and OIDs. 

You need to show quantitatively with example the effect of the fields that are responsible for the larger certificate.
(Cross certification and certificate transparency could also help in keeping the chain small or irrelevant)


>> Section 4.2.3 talks about compressing the certificate. This is achievable, however the capability to compress, decompress and performing ECC certificate validation within a small IoT device is questionable. 

 >Again, this applicability is not just for IoT.

The applicability may not be <just> for IoT but may <also> be for IoT and in that case for EAP-TLS to work with certificate compression and ECC, the device should have such capability. 


>The main (well, more or less, the only) reason for that limit on number of round trips is to work around issues where the EAP peer and server ended up in an infinite loop ACKing their messages. I would prefer to change that to be based on whether any real progress has been made during the last round trip or two, i.e., to remove the hard limit and allow as many round trips as it takes to get through the authentication (or whatever else one adds into EAP, e.g., TNC)

> 10 years later, the implementation still just counts exchanges.  It's fine, it works.

Agreed

>And additional reason to forbid longer exchanges is that it could potentially be used for bulk data transfer.  If the exchange is unlimited, then a client and home server can collude to "tunnel" generic IP traffic over EAP.

The protocol designer need to take care of such situation.


>But the biggest reason to limit the exchanges is that there is simply no reason to allow them.  Even in the above situation (64K certificate chain), there's no *technical* reason for such large chains.

Practically large chain certificates are there (though I still haven't come across a 64K certificate), so we can't ignore them. Guidelines can be provided for limiting the information as mentioned in the draft section 4.1.1

 >>Realistically, it can't be increased.  There are probably tens of millions of access points and switches in production.  They are the de-facto standard.  If you publish a new RFC saying "allow up to 128 packets", it won't affect those legacy devices.  The new standard *might* start showing up in new devices, once the standard is published.  Or it might not.  I've seen standards take 10+ years to *start* getting adopted.

This limitation would be with any protocol. If we ask everyone to use ECC or certificate caching or certificate compression, that will also take time. Or if the customer insists or reports, OEM will have to provide firmware upgrade or device replacement with new protocol implemented. 


Regards,
Anoop

-----Original Message-----
From: Alan DeKok [mailto:aland@deployingradius.com] 
Sent: 06 May 2019 05:00 PM
To: Anoop Kumar Pandey <anoop@cdac.in>
Cc: emu@ietf.org
Subject: Re: [Emu] Review of draft draft-ms-emu-eaptlscert-02

On May 6, 2019, at 6:47 AM, Anoop Kumar Pandey <anoop@cdac.in> wrote:
> Section 3 talks about various reasons for a certificate being large. Subject Alternative Name field is typically used for multi-domain or wildcard certificates (fb.com, *.facebook.om, facebook.net, messenger.com) where all domains are protected by same certificate. I doubt that SAN will be a reason in IoT world for larger certificate. 

  EAP-TLS certificates are used in areas other than IoT.

> Similarly key size and signature field is in bits (e.g. 2048 bit key, 2048 bit signature, 224 bit key if ECC is used). So this also shouldn’t contribute to a larger certificate.
> 
> The same can be said about OID and user groups. Key usage is limited to digital signature (80) [just one usage] in an end device certificate.  

  No.  Key usage is in every intermediate certificate.  i.e. if we have CA1 - > CA2 - > CA3 -> certs, then all intermediate certs will have OIDs that allow them to sign subsequent certificates.

> Section 4.1.1 talks about shortening or avoid certain fields in the certificate. Mostly the changes are marginal and the authors have not presented quantitatively, how much saving in certificate size could be achieved with it and will it be sufficient.

  I agree more quantitative numbers would help here.

  The reality is that there are some organizations who treat certificates as a dumping ground for information.  Every intermediate cert has names, address, and anything else they can think of.  Then, the CA chain mirrors the corporate reporting chain.

 The result is a large certificate chain.  This happens in the real world:

http://lists.freeradius.org/pipermail/freeradius-users/2009-February/035621.html

  ... We are testing
WPA2/EAP-TLS authentication, with large certificate chains (just under 64K in PEM format).  Some individual cert sizes in the chain approach 10K in DER format.

  The solution there was "don't use large chains".

> Section 4.2.3 talks about compressing the certificate. This is achievable, however the capability to compress, decompress and performing ECC certificate validation within a small IoT device is questionable. 

 Again, this applicability is not just for IoT.

> P.S: In EAP-TLS, isn’t there clear direction on how many packets exchange are allowed before dropping EAP session. Why do some implementations drop session after 40-50 packets itself? 

  From the above thread, Jouni Malinen (hostap / wpa_supplicant) responds:

http://lists.freeradius.org/pipermail/freeradius-users/2009-February/035654.html

The main (well, more or less, the only) reason for that limit on number of round trips is to work around issues where the EAP peer and server ended up in an infinite loop ACKing their messages. I would prefer to change that to be based on whether any real progress has been made during the last round trip or two, i.e., to remove the hard limit and allow as many round trips as it takes to get through the authentication (or whatever else one adds into EAP, e.g., TNC)

  10 years later, the implementation still just counts exchanges.  It's fine, it works.

  And additional reason to forbid longer exchanges is that it could potentially be used for bulk data transfer.  If the exchange is unlimited, then a client and home server can collude to "tunnel" generic IP traffic over EAP.

  But the biggest reason to limit the exchanges is that there is simply no reason to allow them.  Even in the above situation (64K certificate chain), there's no *technical* reason for such large chains.

> In the standard of EAP-TLS, can the no. of exchange packets be increased? If yes, apart from latency, what other impact could it have?

  Realistically, it can't be increased.  There are probably tens of millions of access points and switches in production.  They are the de-facto standard.  If you publish a new RFC saying "allow up to 128 packets", it won't affect those legacy devices.  The new standard *might* start showing up in new devices, once the standard is published.  Or it might not.  I've seen standards take 10+ years to *start* getting adopted.

  Allowing more packets wouldn't generally increase latency, because 99.99999999% of authentications won't need more packets.

  And realistically, if you can't authenticate someone after exchanging 50K of data, you're likely doing something wrong.

  Alan DeKok.



------------------------------------------------------------------------------------------------------------
[ C-DAC is on Social-Media too. Kindly follow us at:
Facebook: https://www.facebook.com/CDACINDIA & Twitter: @cdacindia ]

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
------------------------------------------------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email