Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Tim Cappalli <Tim.Cappalli@microsoft.com> Mon, 28 June 2021 18:21 UTC


The industry is moving away from any hardware identifier being sent off device. I don’t think the physical MAC should ever be used as a device identifier, even for channel binding.

If a strong hardware-bound identifier is required, the organization should use the TPM/SE for private key generation during provisioning/onboarding.


From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Sent: Monday, June 28, 2021 11:19 AM
To: Alan DeKok <aland@deployingradius.com>
Cc: EMU WG <emu@ietf.org>
Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Alan, agree on the MAC randomization problem. Is there any existing standard or proposal for the network deployments where the Network Access Control server needs to track the device with randomized MAC moving between intranet SSIDs?

About usage of physical MAC address - maybe some client systems will not have access to the physical MAC rather than just to a randomized MAC.

Regards,
Oleg

On Mon, Jun 28, 2021 at 4:21 PM Alan DeKok <aland@deployingradius.com> wrote:
  One thing missing in the current document is how to address the modern issue of MAC address randomization.

  i.e. admins would like to ensure that only certain devices access the network.  But with MAC address randomization, it's difficult to have a static device identifier.  Even client certificates can be installed on multiple machines, if they're just sent to the user.

  Would it be worth adding a note that systems SHOULD implement RFC 6677 channel bindings to address this issue?  And that the Calling-Station-Id inside of the channel bindings MUST be the actual physical MAC, and not the public / randomized MAC?

  I've seen this problem more and more in customer deployments.  It's becoming a serious security issue.

  Alan DeKok.
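A server-side check for the point Alan raises above, added here as an example (not code from the thread, nor from any RADIUS server): it inspects the Calling-Station-Id a NAS reports and flags values that cannot be the stable physical MAC a channel-binding identifier would need, using the IEEE locally-administered bit that MAC randomization sets. The accepted attribute spellings and the sample Access-Request attributes are assumptions constructed for the example.

```python
"""Flag RADIUS Calling-Station-Id values that cannot be a stable physical MAC.

Added example, not from the thread or any RADIUS server. IEEE 802 fact used:
a MAC with the locally-administered bit (0x02 in the first octet) set is not
a burned-in address, and that is the bit MAC randomization sets.
"""
import re

# Calling-Station-Id spellings accepted (assumed vendor set): 00-11-22-33-44-55,
# 00:11:22:33:44:55, 001122334455 and 0011.2233.4455. Anything else is malformed.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}([-:]?)(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$",
    re.IGNORECASE,
)

def normalize_mac(calling_station_id: str) -> str:
    """Return the MAC as 12 lowercase hex digits; ValueError if not a MAC."""
    s = calling_station_id.strip()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC-formatted Calling-Station-Id: {s!r}")
    return re.sub(r"[-:.]", "", s).lower()

def classify_calling_station_id(calling_station_id: str) -> str:
    """'physical', 'locally_administered' or 'malformed'."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return "malformed"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:   # multicast bit: never a station's own source MAC
        return "malformed"
    if first_octet & 0x02:   # U/L bit: randomized or otherwise not burned-in
        return "locally_administered"
    return "physical"

def audit_requests(requests):
    """User-Name -> classification; only 'physical' can serve as a device ID."""
    return {r.get("User-Name", "?"): classify_calling_station_id(
        r.get("Calling-Station-Id", "")) for r in requests}

# Constructed sample Access-Request attributes, not captured traffic.
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "bob", "Calling-Station-Id": "da:a1:19:3c:4f:22"},
    {"User-Name": "carol", "Calling-Station-Id": "0011.2233.4455"},
    {"User-Name": "dave", "Calling-Station-Id": "01:00:5e:00:00:01"},
]
```

A locally administered value is exactly what a randomized MAC looks like on the wire, so a policy that keys device identity on it will see the same device under a new identifier on the next SSID or rotation.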
