[Gen-art] Gen ART review of draft-nystrom-eap-potp-05.txt
Black_David@emc.com Sat, 01 July 2006 01:01 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FwTrz-0005iD-Hq; Fri, 30 Jun 2006 21:01:59 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FwTry-0005i8-KQ for gen-art@ietf.org; Fri, 30 Jun 2006 21:01:58 -0400
Received: from mexforward.lss.emc.com ([128.222.32.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FwTrx-00005N-7K for gen-art@ietf.org; Fri, 30 Jun 2006 21:01:58 -0400
Received: from mailhub.lss.emc.com (sesha.lss.emc.com [10.254.144.12]) by mexforward.lss.emc.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id k6111qAM025415; Fri, 30 Jun 2006 21:01:54 -0400 (EDT)
Received: from MAHO3MSX2.corp.emc.com (maho3msx2.corp.emc.com [128.221.11.32]) by mailhub.lss.emc.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id k6111gH0005687; Fri, 30 Jun 2006 21:01:48 -0400 (EDT)
Received: by maho3msx2.corp.emc.com with Internet Mail Service (5.5.2653.19) id <MTJPVZF3>; Fri, 30 Jun 2006 21:01:42 -0400
Message-ID: <F222151D3323874393F83102D614E05502B66F2F@CORPUSMX20A.corp.emc.com>
From: Black_David@emc.com
To: gen-art@ietf.org, magnus@rsasecurity.com
Date: Fri, 30 Jun 2006 21:01:39 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.4.0.264935, Antispam-Data: 2006.6.30.173432
X-PerlMx-Spam: Gauge=, SPAM=0%, Reason='EMC_BODY_1+ -3, EMC_FROM_0+ -2, NO_REAL_NAME 0, __C230066_P5 0, __CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __IMS_MSGID 0, __IMS_MUA 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0, __STOCK_CRUFT 0'
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 29dc808194f5fb921c09d0040806d6eb
Cc: housley@vigilsec.com, jari.arkko@piuha.net, Black_David@emc.com
Subject: [Gen-art] Gen ART review of draft-nystrom-eap-potp-05.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
Magnus,
I am the assigned Gen-ART reviewer for draft-nystrom-eap-potp-05.txt
For background on Gen-ART, please see the FAQ at
<http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html>.
Please resolve these comments along with any other
Last Call comments you may receive.
This draft is on the right track but has open issues,
described in the review.
The draft is generally well written, and reasonably clear.
Everything I found is minor, but a couple of the concerns
rise to the level of open issues that deserve attention.
---------- Issues ----------
(A) Page 31: the definition of "msg_hash" in running text is dense,
informal and mixes the algorithm for computing the hash input
with a description of the design rationale for the algorithm. The
result may be error-prone for an implementer.
This should be separated to explicitly specify the algorithm step by
step, and then explain why the algorithm is the way it is. At a high
level, the algorithm has two basic steps:
1) Concatenate specified messages excluding retransmissions.
2) Remove a list of fields and TLVs from the concatenation,
shortening it.
The explanation of the algorithm should explain why step 2) is a
"remove" step instead of a "set contents to zero" step. The
description of "msg_hash'" on p.33 needs to point back to this
algorithm, as do the descriptions of "msg_hash2" and "msg_hash2'"
on p.40. The same is probably the case for the description of
"msg_hash" on p.45, but I'm not sure about that one - it's an
example of an ambiguity that could cause interoperability problems.
It may also be useful to look at Section 3.3.3 of RFC 4302 for
an example of a well-specified similar calculation (the AH ICV).
This may look like a nit, but this sort of sloppiness leads to
interoperability problems caused by subtle differences in the hash
inputs across implementations, hence it's tagged as an open issue.
(B) Section 4.10.7 requires that Vendor-Specific TLVs always be
Mandatory (M bit is always 1). That's a formula for lack of
interoperability where vendor A's implementations always issue
a mandatory vendor-specific TLV that only vendor A's implementations
understand, thereby preventing interoperation with vendor B's
implementations that don't understand that TLV.
This is deja vu for me, as I've recently been through a long
discussion of this issue in the context of another draft. In the
hope of avoiding a repeat of that discussion, here are the
conclusions, as expressed in extracts from two email messages
authored by IETF Area Directors:
-----
The problem we're trying to avoid is Company C shipping a box
that sends a vendor private extension that requires implementations
that do not understand the extension to error, while company J doesn't
implement the extension. If C's products always send this extension,
they will not interoperate with J's products, even though both comply
with the spec. Thus, the spec does not provide sufficient
requirements to guarantee interoperability.
[Hence] ... there must be a configuration in which no mandatory
vendor private extensions are sent
----
It seems to me that there are two ways to deal with vendor
private extensions, and still allow interoperability:
- One way is to allow use of the vendor private extension to be
turned off via configuration.
- Another way is to ensure that if an system sends a
vendor-private extension, and the other system doesn't understand
it, then it responds in a well-defined way (which I believe that the
spec already does), and the first system is REQUIRED to continue
in a way that makes sense (ie, follows the defined standard and
stops using the vendor-private extension, or at least stops relying
on it).
----
Please select one or both of the approaches in the second message
and add text to the draft to require it/them.
(C) If this were a standards-track RFC, the identifiers for the hash,
encryption and MAC algorithms defined in Section 4.10.16 would go into
an IANA registry. Instead the document says that any addition of
algorithms requires a new RFC. That's probably ok, but I would
advise double-checking this with Jari Arkko and/or Russ Housley.
---------- Nits ----------
(1) Page 30:
- For dial-up, "auth_id" SHALL either be the empty string
or the phone number called by the peer. The phone number
SHALL be specified in the form of a URL conformant with
RFC 2806 ([8]), e.g. "tel:+1234567890". Processing of
received phone numbers SHALL be conformant with RFC 2806.
That's not a good example phone number, try +16175550101 - see
Section 3, subsection 6 of http://www.ietf.org/ID-Checklist.html
(2) Page 30:
- For IP-based EAP, "auth_id" SHALL either be the empty
string or the IPv4 or IPv6 address of the authenticator
as seen by the peer and in binary format (4 respectively
16 octets). As an example, the IPv4 address
"10.129.13.15" would be represented as (in hex) 0A 81 0D
0F, whereas the IPv6 address "0A0A:0B0B:0C0C:0D0D:0E0E:
0F0F:1010:1111" would be represented as (in hex) 0A 0A 0B
0B 0C 0C 0D 0D 0E 0E 0F 0F 10 10 11 11.
Similar problem - bad example IP addresses. 192.0.2.5 and 2001:DB8::101
would be ok. See same reference as phone number issue above. The same
issue occurs on p.31 at:
auth_id = "10.129.13.1", iteration_count = 2000, and
Unfortunately, this affects the example calculation used, so its results
will need to be recalculated.
(3) p.32
Note: To save on storage space, each EAP entity may hash
messages as they are sent and received. This reduces the
amount of state needed for this purpose to the state
required for the negotiated hash algorithm.
"hash" is not the right verb, but it's close. Read literally, the
result over 3 messages could be H(msg3 | H(msg2 | H (msg1))) which
is not equivalent to the correct H(msg1 | msg2 | msg3). The text
should be rewritten to talk about partial evaluation of the hash as
messages are sent and received so that the internal state of the
hash function is stored instead of the contents of all previous
messages (and the word "internal" is important).
Thanks,
--David
p.s. And please note that Magnus didn't get a free pass, even
though my employer (EMC) just announced that it's buying
his employer (RSA Security) ;-).
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
black_david@emc.com Mobile: +1 (978) 394-7754
----------------------------------------------------
_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www1.ietf.org/mailman/listinfo/gen-art