Re: [Gen-art] IETF LC review: draft-funk-eap-ttls-v0-04.txt
"Joel M. Halpern" <jmh@joelhalpern.com> Wed, 26 March 2008 05:37 UTC
Return-Path: <gen-art-bounces@ietf.org>
X-Original-To: ietfarch-gen-art-archive@core3.amsl.com
Delivered-To: ietfarch-gen-art-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D6863A6D52; Tue, 25 Mar 2008 22:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.083
X-Spam-Level:
X-Spam-Status: No, score=-100.083 tagged_above=-999 required=5 tests=[AWL=0.354, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36lA+bi8nSFH; Tue, 25 Mar 2008 22:37:15 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0536D3A67AC; Tue, 25 Mar 2008 22:37:15 -0700 (PDT)
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3D1A3A6BD5 for <gen-art@core3.amsl.com>; Tue, 25 Mar 2008 22:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id necLIY9SQK1w for <gen-art@core3.amsl.com>; Tue, 25 Mar 2008 22:37:12 -0700 (PDT)
Received: from bender-mail.tigertech.net (bender-mail.tigertech.net [64.62.209.30]) by core3.amsl.com (Postfix) with ESMTP id 598763A67AC for <gen-art@ietf.org>; Tue, 25 Mar 2008 22:37:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by bender.tigertech.net (Postfix) with ESMTP id 53F387DEB; Tue, 25 Mar 2008 22:34:53 -0700 (PDT)
Received: from [10.10.10.101] (pool-71-161-50-201.clppva.east.verizon.net [71.161.50.201]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by bender.tigertech.net (Postfix) with ESMTP id 386CA7DE2; Tue, 25 Mar 2008 22:34:51 -0700 (PDT)
Message-ID: <47E9E073.4090506@joelhalpern.com>
Date: Wed, 26 Mar 2008 01:34:43 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
References: <F66D7286825402429571678A16C2F5EE02834C94@zrc2hxm1.corp.nortel.com> <47E4443B.5010904@joelhalpern.com> <47E9D805.6060907@qualcomm.com>
In-Reply-To: <47E9D805.6060907@qualcomm.com>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at tigertech.net
Cc: gen-art@ietf.org, Jari Arkko <jari.arkko@piuha.net>, PaulFunk@alum.mit.edu
Subject: Re: [Gen-art] IETF LC review: draft-funk-eap-ttls-v0-04.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: gen-art-bounces@ietf.org
Errors-To: gen-art-bounces@ietf.org
Thanks. That takes care of most of them. (Including my leaving in a
redundant comment that was a note to myself during the review. Sorry
about that.)
On the AVPs, what I was trying to point out was that the text as written
was unclear as to whether the same AVPs were used in the clear text as
in the TLS exchange, or a different set of AVPs (that were not defined.)
All it would take is one sentence saying that the clear text AVPs
use the same attribute identifiers (same attributes?, take your pick on
the wording) as the AVPs carried in TLS.
My concern on 11.3 and using multiple authentications is that the first
paragraph says that in general it may be desirable to perform multiple
authentications. So when the second paragraph says that this may be
done when using EAP, the reader is not being told, "and only when using
EAP". My suggestion would be to simply add a sentence at the end of the
first paragraph that reads "Multiple authentication is only supported by
this protocol in conjunction with EAP."
Yours,
Joel
Lakshminath Dondeti wrote:
> Hi Joel,
>
> Thank you for your timely and considered review. Paul's responses below.
>
> regards,
> Lakshminath
>
> > > -----Original Message-----
> > > From: Lakshminath Dondeti [mailto:ldondeti@qualcomm.com]
> > > Sent: Tuesday, March 25, 2008 7:06 PM
> > > To: PaulFunk@alum.mit.edu
> > > Subject: [Fwd: Re: [Gen-art] IETF LC review:
> draft-funk-eap-ttls-v0-04.txt]
> > >
> > >
> > >
> > > -------- Original Message --------
> > > Subject: Re: [Gen-art] IETF LC review: draft-funk-eap-ttls-v0-04.txt
> > > Date: Fri, 21 Mar 2008 19:26:51 -0400
> > > From: Joel M. Halpern <jmh@joelhalpern.com>
> > > To: Mary Barnes <mary.barnes@nortel.com>
> > > CC: gen-art@ietf.org, Lakshminath Dondeti <ldondeti@qualcomm.com>,
> > > Jari Arkko <jari.arkko@piuha.net>
> > > References:
> > > <F66D7286825402429571678A16C2F5EE02834C94@zrc2hxm1.corp.nortel.com>
> > >
> > > I have been selected as the General Area Review Team (Gen-ART)
> > > reviewer for this draft (for background on Gen-ART, please see
> > > http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).
> > >
> > > Please resolve these comments along with any other Last Call comments
> > > you may receive.
> > >
> > >
> > > Document: EAP Tunneled TLS Authentication Protocol Version 0
> > > Reviewer: Joel M. Halpern
> > > Review Date: 21-March-2008
> > > IETF LC End Date: 2-April-2008
> > > IESG Telechat date: N/A
> > >
> > > Summary: This document is ready for publication as an Informational
> RFC.
> > > If a revision is to be done, it would make sense to consider the
> first
> > > two comments below, and see if the minor comments can be usefully
> addressed.
> > >
> > > Comments:
> > > There are two sets of AVPs defined by this document. One set
> goes in
> > > the EAP-TTLS Start packet from the server to the client. The other
> set
> > > are used in the inner TLS protected exchange. The first set are
> > > referenced in section 9.2. But as far as I can tell, there is no
> > > description of what valid AVPs may appear here. Even if they are the
> > > same AVPs as go inside, some text explaining this in section 9.2 would
> > > be helpful.
>
> [pf] Section 9.2 indicates that AVPs may be sent in the clear in the
> initial Start packet
> from the server. I don't know if any implementation uses this feature.
> Possible uses are
> indicated in the text.
>
> While there is no currently defined use case, the purpose of including
> this text was:
>
> 1 To ensure that receivers understand that there might be data
> following the Start
> indication, so they won't reject the packet on that basis.
>
> 2 To define the format of any such data to prevent overloading and
> consequent
> misinterpretation.
>
> Future specs can define uses for Start packet AVPs, within the confines
> that are currently
> specified.
>
> > > Section 7.2 talks about the application utilizing EAP-TTLS
> specifying
> > > the information to be exchanged. It is not clear to me what is
> meant by
> > > "application" here. Does this mean the different authentication
> > > mechanisms that the client can select? Or something else? (If
> > > something else, how is it known.) A bit of explanatory text would
> > > probably help.
>
> [pf] "Application" here simply means whatever pre-conceived use TTLS is
> being put to, that
> is, a context understood by client and server; e.g. 802.11, WiMA, IKEv2.
> Such
> "applications" are free to specify particular AVP exchanges required to
> enable features of
> the application.
>
> > >
> > > Minor:
> > > The text in section 7.8 talks about the different versions of TLS
> > > that can be used. It would be useful (assuming I have correctly
> > > understood the protocol) if the text noted that these versions are
> > > negotiated by TLS, as part of carrying TLS over TTLS.
>
> [pf] It already does, in the immediately preceding section 7.7.
>
> > > Section 11.3 on multiple authentication methods could use a
> couple
> > > of extra words at the front. Something like "When the client has
> > > selected EAP for authentication, the AAA/H server may request multiple
> > > forms of Authentication." Otherwise, the reader tries to tie this to
> > > the entirety of 11.2 (client specified authentication) and may get
> very
> > > confused before finding at the end of the section the note that this
> > > only applies to EAP. (Leave the note. Just add text at the
> beginning.)
>
> [pf] The first sentence of the second paragraph does say "using EAP",
> indicating that this
> is an EAP-related mechanism. The final note reinforces this.
>
> > >
> > >
> > > I presume I will find out how the communicating parties agree on what
> > > "application" is utilizing EAP-TTLS some time after section 7.2?
>
> [pf] No, "application" is assumed to be implicit. For example, the
> client knows what type
> of network it is authenticating to, and the server either because it is
> deployed to handle
> a particular application or because the carrier protocol tells it (e.g.
> Service-Type in
> RADIUS).
>
> > >
> > >
> > >
>
>
> On 3/21/2008 4:26 PM, Joel M. Halpern wrote:
>> I have been selected as the General Area Review Team (Gen-ART)
>> reviewer for this draft (for background on Gen-ART, please see
>> http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).
>>
>> Please resolve these comments along with any other Last Call comments
>> you may receive.
>>
>>
>> Document: EAP Tunneled TLS Authentication Protocol Version 0
>> Reviewer: Joel M. Halpern
>> Review Date: 21-March-2008
>> IETF LC End Date: 2-April-2008
>> IESG Telechat date: N/A
>>
>> Summary: This document is ready for publication as an Informational
>> RFC. If a revision is to be done, it would make sense to consider the
>> first two comments below, and see if the minor comments can be
>> usefully addressed.
>>
>> Comments:
>> There are two sets of AVPs defined by this document. One set goes
>> in the EAP-TTLS Start packet from the server to the client. The other
>> set are used in the inner TLS protected exchange. The first set are
>> referenced in section 9.2. But as far as I can tell, there is no
>> description of what valid AVPs may appear here. Even if they are the
>> same AVPs as go inside, some text explaining this in section 9.2 would
>> be helpful.
>> Section 7.2 talks about the application utilizing EAP-TTLS
>> specifying the information to be exchanged. It is not clear to me
>> what is meant by "application" here. Does this mean the different
>> authentication mechanisms that the client can select? Or something
>> else? (If something else, how is it known.) A bit of explanatory
>> text would probably help.
>>
>> Minor:
>> The text in section 7.8 talks about the different versions of TLS
>> that can be used. It would be useful (assuming I have correctly
>> understood the protocol) if the text noted that these versions are
>> negotiated by TLS, as part of carrying TLS over TTLS.
>> Section 11.3 on multiple authentication methods could use a couple
>> of extra words at the front. Something like "When the client has
>> selected EAP for authentication, the AAA/H server may request multiple
>> forms of Authentication." Otherwise, the reader tries to tie this to
>> the entirety of 11.2 (client specified authentication) and may get
>> very confused before finding at the end of the section the note that
>> this only applies to EAP. (Leave the note. Just add text at the
>> beginning.)
>>
>>
>> I presume I will find out how the communicating parties agree on what
>> "application" is utilizing EAP-TTLS some time after section 7.2?
>>
>>
>>
>>
>>
>
_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art
- [Gen-art] A *new* batch of IETF LC reviews - 20 M… Mary Barnes
- Re: [Gen-art] IETF LC review: draft-funk-eap-ttls… Joel M. Halpern
- Re: [Gen-art] IETF LC review: draft-funk-eap-ttls… Lakshminath Dondeti
- Re: [Gen-art] IETF LC review: draft-funk-eap-ttls… Joel M. Halpern