Re: [Emu] Potential Notes in EAP-FAST Documents
<Pasi.Eronen@nokia.com> Thu, 05 February 2009 12:52 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BF7C23A6BFC; Thu, 5 Feb 2009 04:52:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.572
X-Spam-Level:
X-Spam-Status: No, score=-6.572 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKuMg-QaxCAG; Thu, 5 Feb 2009 04:52:33 -0800 (PST)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id B4C983A6AAA; Thu, 5 Feb 2009 04:52:33 -0800 (PST)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com [10.160.244.31]) by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id n15Cpt4t026301; Thu, 5 Feb 2009 06:52:10 -0600
Received: from vaebh104.NOE.Nokia.com ([10.160.244.30]) by vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 5 Feb 2009 14:51:57 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.5]) by vaebh104.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu, 5 Feb 2009 14:51:53 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-01.mgdnok.nokia.com ([65.54.30.5]) with mapi; Thu, 5 Feb 2009 13:51:52 +0100
From: Pasi.Eronen@nokia.com
To: glenzorn@comcast.net
Date: Thu, 05 Feb 2009 13:51:52 +0100
Thread-Topic: [Emu] Potential Notes in EAP-FAST Documents
Thread-Index: AcmG/lqa1KgpUF8USwKhyQk7NRQaiAAZKlqQAAcC4gAAAri40A==
Message-ID: <808FD6E27AD4884E94820BC333B2DB7727E78F2B67@NOK-EUMSG-01.mgdnok.nokia.com>
References: <BLU137-W531ACB9BE00127DB8595D993C30@phx.gbl> <808FD6E27AD4884E94820BC333B2DB7727E78F274C@NOK-EUMSG-01.mgdnok.nokia.com> <006c01c98781$5d6b8bf0$1842a3d0$@net>
In-Reply-To: <006c01c98781$5d6b8bf0$1842a3d0$@net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 05 Feb 2009 12:51:53.0169 (UTC) FILETIME=[84E94410:01C98790]
X-Nokia-AV: Clean
Cc: emu@ietf.org, iesg@ietf.org
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Feb 2009 12:52:34 -0000
Glen Zorn wrote: > > I would like to remind everyone that these documents did go > > through IETF Last Call, and have already been approved by IESG. > > Given the quality of the documents in question, perhaps that's not > something that you should be bragging about... > > > If folks are opposed to publishing descriptions of deployed EAP > > method when they're less than perfect (or even ugly hacks with bad > > architecture), and may not offer perfect security in all > > circumstances (but accurately document their limitations), they > > should have said so much earlier. > > No offense, but I'm getting the real feeling that you're just not > paying much attention. The major problems I've heard WRT > publication as-is have to do with the misuse of IANA registries, not > ugly hacks or "imperfect security". I am paying attention, thank you. Of the emails on emu@ietf.org about EAP-FAST in the past month or so, less than half of the text seems to be about re-using EAP-GTC/MSCHAPv2 type codes. Your first email (Jan 27) mentions only anonymous provisioning (nothing about EAP type codes), and your second message (Feb 3) first talks about the insecurity of anonymous provisioning, and then about the EAP-GTC type code. The EAP-GTC type code re-use is not a new concern; it was specifically discussed before the IESG approved the document, and the discussion resulted in changes in the document. As far as I can tell, this thread has contained no new information about the topic. It seems you would have preferred that IESG had reached a different decision back then. That's a perfectly valid opinion, but the IETF Last Call would have been the right time to express it. For EAP-MSCHAPv2, I think there has been some new information that wasn't really well considered before IESG approved the document. IESG is proposing solving it basically the same way as for EAP-GTC -- noting that this is bad design, and future design should not do it this way. > > (In hindsight, publishing these via the RFC Editor independent > > submission route, and including the vendor's name in the document > > title, might have been better idea. Since the intent was to > > describe what existing implementations do, the IETF does not > > realistically have much change control...) > > Publishing them as individual submissions would have been a better > idea I don't see how that would solve the IANA problem. BTW, you can look at this either as changing an existing code point, or defining a field (an EAP-FAST TLV "Value" part) that contains either protocol X (normal EAP header with IANA-allocated EAP Type code) or protocol Y (some other stuff). Basically, the change that was made to draft-zhou-emu-fast-gtc says "if this byte contains anything else than 0x06, interprete it as normal EAP Header with IANA-allocated EAP Type number. If it contains 0x06, interprete it as described below." (not using those words, but that's the idea) When some field can contain either X or Y, normally we'd multiplex them by having a separate "type" field outside the field itself. That's the approach used in e.g. RFC5281, which changes MS-CHAPv2 challenge processing in very similar way as draft-cam-winget-eap- fast-provisioning. Another approach is to multiplex by "peeking inside the content"; while this is usually less preferable, it's a choice the protocol designer gets to make when defining a new field (and is used in some IETF specs too; e.g. draft-ietf-avt-dtls-srtp). Choosing this approach to multiplexing the contents of this field certainly was not a good design decision, and the proposed IESG text basically says so (and warns that it probably doesn't exactly simplify implementation either). But I don't think it should alone prevent publishing a description of somewhat widely implemented protocol. *IF* this caused interoperability problems for folks who don't implement this specification (or between folks who do implement this spec and those that don't), I'd be very worried indeed. But that does not seem to be the case. Best regards, Pasi
- Re: [Emu] Potential Notes in EAP-FAST Documents Jari Arkko
- [Emu] Potential Notes in EAP-FAST Documents The IESG
- Re: [Emu] Potential Notes in EAP-FAST Documents Chris Hessing
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Dorothy Stanley
- Re: [Emu] Potential Notes in EAP-FAST Documents David Mitton
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Hao Zhou (hzhou)
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Bernard Aboba
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Jari Arkko
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Jari Arkko
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Pasi.Eronen
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Nancy Cam-Winget (ncamwing)
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Yoshihiro Ohba
- Re: [Emu] Potential Notes in EAP-FAST Documents Tim Polk
- Re: [Emu] Potential Notes in EAP-FAST Documents gabriel montenegro
- Re: [Emu] Potential Notes in EAP-FAST Documents Bernard Aboba
- Re: [Emu] Potential Notes in EAP-FAST Documents Jouni Malinen
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn
- Re: [Emu] Potential Notes in EAP-FAST Documents Hao Zhou (hzhou)
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Bernard Aboba
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Glen Zorn
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Dan Harkins
- Re: [Emu] IANA allocation issue in EAP-FAST Docum… Dan Harkins
- Re: [Emu] Potential Notes in EAP-FAST Documents Jouni Malinen
- Re: [Emu] Potential Notes in EAP-FAST Documents Tim Polk
- Re: [Emu] Potential Notes in EAP-FAST Documents Glen Zorn