Re: [Emu] Review of draft-ietf-emu-eap-tls13
Alan DeKok <aland@deployingradius.com> Tue, 30 March 2021 12:44 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 592863A1079 for <emu@ietfa.amsl.com>; Tue, 30 Mar 2021 05:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vNF-kVdmR3pm for <emu@ietfa.amsl.com>; Tue, 30 Mar 2021 05:44:22 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A0F73A1078 for <emu@ietf.org>; Tue, 30 Mar 2021 05:44:22 -0700 (PDT)
Received: from [192.168.46.152] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 59595D6; Tue, 30 Mar 2021 12:44:18 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOgPGoBkAzgvzOp4nqYiqC4jrD7oZ1KP07ZHdUpUu_LZwuTWvg@mail.gmail.com>
Date: Tue, 30 Mar 2021 08:44:16 -0400
Cc: EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2575C773-7681-4DC0-B6CE-1BF825EF51FA@deployingradius.com>
References: <F9C7F8B8-CC38-4F2D-AFFC-A64B9765D33F@deployingradius.com> <CAOgPGoBkAzgvzOp4nqYiqC4jrD7oZ1KP07ZHdUpUu_LZwuTWvg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/y3d6KGFeImAeSLEqF6XqVMev2Zc>
Subject: Re: [Emu] Review of draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2021 12:44:27 -0000
On Mar 30, 2021, at 1:01 AM, Joseph Salowey <joe@salowey.net> wrote: > > I went through the review and created issues for the ones that were not covered by existing issues or PRs. Some issues, such as Issue 58 on nits contain several of the comments below. Thanks. > Issues may be discussed on the list or in github issues, however resolutions for any normative or substantial text not discussed on the list are to be posted to the list before resolution. Therefore it would be better to have substantial changes discussed on the mailing list. OK. > [Joe] It seems it would be sufficient to just add "backwards compatible through TLS version negotiation. Yes. It would be good also to note that the changes in this document are only to be applied when TLS 1.3 is used. This limitation means that the old TLS 1.2 state machines are not modified by this specification. > [Joe] I think the best thing to do here is to say the key update MUST NOT be sent and SHOULD be ignored if it is received. Yes. > Section 2.1.9 says: > > Some EAP implementations and access networks may limit the number of > EAP packet exchanges that can be handled. > > This is under-stating the issue rather severely. We know with > absolute certainty that most (if not all) EAP implementations and > access networks limit the number of EAP packet exchanges. Perhaps > update the text to reference implementation and interoperability > experience. > > [Joe] what is the reference? https://github.com/FreeRADIUS/freeradius-server/blob/release_3_0_21/src/modules/rlm_eap/mem.c#L449 https://w1.fi/cgit/hostap/tree/src/eap_peer/eap.c?h=hostap_2_9#n35 Those are stable references to a particular release / tag. So the code shouldn't change. Both sets of code implement a limit on the maximum number of round trips they will support. The limits noted here are both hard-coded to "50". Later versions of hostap take that limit from a configuration parameter. FreeRADIUS still hard-codes it to 50. TBH, I don't really see a compelling reason to change that. Jouni Malinen also has a useful comment here: http://lists.freeradius.org/pipermail/freeradius-users/2009-February/035654.html ... The main (well, more or less, the only) reason for that limit on number of round trips is to work around issues where the EAP peer and server ended up in an infinite loop ACKing their messages. ... Alan DeKok.
- [Emu] Review of draft-ietf-emu-eap-tls13 Alan DeKok
- Re: [Emu] Review of draft-ietf-emu-eap-tls13 Alan DeKok
- Re: [Emu] Review of draft-ietf-emu-eap-tls13 Bernard Aboba
- Re: [Emu] Review of draft-ietf-emu-eap-tls13 Alan DeKok
- Re: [Emu] Review of draft-ietf-emu-eap-tls13 Joseph Salowey
- Re: [Emu] Review of draft-ietf-emu-eap-tls13 Alan DeKok