Re: [HOKEY] Fwd: [IPsec] HOKEY draft draft-ietf-hokey-rfc5296bis
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 08 March 2011 09:40 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: hokey@core3.amsl.com
Delivered-To: hokey@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 1A0BD3A67EB; Tue, 8 Mar 2011 01:40:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.909
X-Spam-Level:
X-Spam-Status: No,
score=-102.909 tagged_above=-999 required=5 tests=[AWL=-0.310, BAYES_00=-2.599,
USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSa21PD003ZH;
Tue, 8 Mar 2011 01:40:49 -0800 (PST)
Received: from scss.tcd.ie (hermes.cs.tcd.ie
[IPv6:2001:770:10:200:21b:21ff:fe3a:3d50]) by core3.amsl.com (Postfix) with
ESMTP id 7A2D73A6774; Tue, 8 Mar 2011 01:40:48 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie
(Postfix) with ESMTP id A8D803E4083; Tue, 8 Mar 2011 09:42:01 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h=
content-transfer-encoding:content-type:in-reply-to:references
:subject:mime-version:user-agent:from:date:message-id:received
:received:x-virus-scanned; s=cs; t=1299577321;
bh=6WsKwcIZi+36Vb UytmQh89uSaPLGwKBShvn7V2HWAZY=;
b=o1LYALnmtiX+5AenmRRKm6maxw5vWl
6aUNzKxBEvA9tINHIDS7dL/EbV1tOCepcAiKXyOK2wJqRzWoYUrRa76kuPv7VLwA
5FYdswmnvLr1OsPA0dwcQHhVZ2PTGgP5rEA3L93v7zX5g43zCvcX2FWzTxqCbz0F
E8I/soF3VCX0Qc1YTAj+gRNOUfB5NABClGgu6dTLASujAo2Rdw7hQFe2OW+fXSXR
pswaZoelgpu64ht1OLG3m739pnPWj8lltFrcNftCPKKA5D3Wk0whoqh2KABUAvUb
wkgpmgY/MXId8NYTBb0euyI6P8oGDncn1wwjp8od7B44gU058DLlb+bA==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie
[127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 2F7yZDJqIM9c;
Tue, 8 Mar 2011 09:42:01 +0000 (GMT)
Received: from [10.87.48.7] (dsl-102-234.cust.imagine.ie [87.232.102.234]) by
smtp.scss.tcd.ie (Postfix) with ESMTPSA id 78F943E4080;
Tue, 8 Mar 2011 09:41:58 +0000 (GMT)
Message-ID: <4D75F9E5.7060302@cs.tcd.ie>
Date: Tue, 08 Mar 2011 09:41:57 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: hokey@ietf.org, IPsecme WG <ipsec@ietf.org>
References: <4D73575C.6090808@gmail.com> <4D75B5ED.1050108@net-zen.net>
<4D75DC45.6080309@gmail.com>
In-Reply-To: <4D75DC45.6080309@gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, Yoav Nir <ynir@checkpoint.com>,
Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [HOKEY] Fwd: [IPsec] HOKEY draft draft-ietf-hokey-rfc5296bis
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hokey>,
<mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>,
<mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2011 09:40:51 -0000
In case anyone wonders, my reply to Yaron was basically: "I dunno & will be interested to find out if you're missing something or not" S. On 08/03/11 07:35, Yaron Sheffer wrote: > Hi Glen, > > thank you for your kind words. It is always a pleasure to help a fellow > security working group, and your positive and helpful feedback makes it > doubly so. > > Back to the subject at hand: EAP is one of the rare security protocols > that are truly reusable. And in fact it is used by multiple protocols, > including 802.1X, IKE and the TNC protocols. With success comes > responsibility. If your working group makes significant, architectural > changes to the protocol, it is *your responsibility* to ensure they can > be accommodated by users of the protocol. And in the case of IETF > working groups, it is indeed the job of the Security AD to ensure such > coordination takes place. > > ERP is such a major change because (correct me if I am wrong): > > - Its transport behavior is different from the base EAP, allowing > multiple exchanges to be in flight at the same time. > - ERP peers actually *degrade* the behavior of EAP, because of > timeouts/retransmissions introduced when talking to non-ERP auth > servers, and similarly for ERP auth servers with non-ERP peers (this > behavior is spelled out quite clearly on p. 8 of the bis draft). > > PS: I'm glad to hear that 802.1X-2010 supports ERP. I just wonder why > the bis draft does not recognize this fact. > > Best regards, > > Yaron > > On 03/08/2011 06:51 AM, Glen Zorn wrote: >> On 3/6/2011 4:43 PM, Yaron Sheffer wrote: >>> Hi Stephen, >>> >>> I gather you are the incoming responsible AD for HOKEY. >>> >>> ERP (RFC 5296, now reincarnated as a bis document) is one of HOKEY's >>> principal work items. The document is making major changes to EAP, and >>> seems to have gotten a life of its own, despite the fact that AFAIU >>> neither of its protocol users (802.1X and IKEv2) has been changed to >>> accommodate it. It seems to me at best like wasted effort, more likely a >>> disconnect between the working groups. >> >> >> First of all, I'd like to express my deep appreciation (& I think that I >> can speak for all the members of the hokey WG) for you kind concern for >> the use of our time. It is especially wonderful since AFAIK you have >> heretofore shown no interest at all in our activities; to extend >> yourself in this way for a group with which you have essentially no >> connection is truly magnanimous; and to go straight to the Area >> Director, the one person who might be able to save us from this terrible >> waste of effort & time! I must say that I find it hard to express in >> words how it makes me feel. Nonetheless, I admit to some puzzlement as >> to the rationale for this action: the referenced draft is a chartered >> work item of the hokey WG, adopted after a call for consensus from the >> members. Of course, you could not know about the call since you aren't a >> WG member but it did occur. So while I do appreciate your obviously deep >> and selfless concern, I am inclined to let the actual members of the WG >> decide what (if anything) they deem worthy of effort. But, thanks again! >> >> P.S. >> I'm pretty sure that IEEE 802.1X-2010 supports ERP. >> >>> >>> Am I missing anything? >>> >>> Thanks, >>> Yaron >>> >>> -------- Original Message -------- >>> Subject: [IPsec] HOKEY draft draft-ietf-hokey-rfc5296bis >>> Date: Sun, 6 Mar 2011 11:25:54 +0200 >>> From: Yoav Nir <ynir@checkpoint.com> >>> To: ipsec@ietf.org <ipsec@ietf.org>rg>, >>> draft-ietf-hokey-rfc5296bis@tools.ietf.org >>> <draft-ietf-hokey-rfc5296bis@tools.ietf.org> >>> >>> Hi all >>> >>> I have just read the subject draft, and found this in section 6 (and >>> similar text in the introduction): >>> >>> Note that to support ERP, lower-layer specifications may need to be >>> revised. Specifically, the IEEE802.1x specification must be revised >>> to allow carrying EAP messages of the new codes defined in this >>> document in order to support ERP. Similarly, RFC 4306 must be >>> updated to include EAP code values higher than 4 in order to use ERP >>> with Internet Key Exchange Protocol version 2 (IKEv2). IKEv2 may >>> also be updated to support peer-initiated ERP for optimized >>> operation. Other lower layers may need similar revisions. >>> >>> Note that this is not new text, and it appears pretty much the same way >>> in RFC 5296. >>> >>> There's the obvious nit with this text, that RFC 4306 is not a >>> reference. If it was, the id-nits would warn about this RFC being >>> obsolete. But that's the small problem here. >>> >>> A bigger problem is that this text says that IKEv2 needs to be updated, >>> but there is no draft for this update, nor has there been any message to >>> this list about this proposed change. >>> >>> The simple change they require is to section 3.16: >>> o Code (1 octet) indicates whether this message is a Request (1), >>> Response (2), Success (3), or Failure (4). >>> >>> I think this could be done with an errata or a 1-page draft, if all that >>> was required was pass-through of codes (5) and (6). But I think it's >>> more involved than that. >>> >>> There's peer-initiated ERP (which would require peer-initiated IKE?) and >>> multiple simultaneous operations. I think it may come to a somewhat >>> larger draft. >>> >>> I think there should be at least a work-in-progress reference for 802.1x >>> and IKEv2 before the hokey draft progresses. >>> >>> Yoav >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec >>> >>> >
- Re: [HOKEY] Fwd: [IPsec] HOKEY draft draft-ietf-h… Glen Zorn
- Re: [HOKEY] Fwd: [IPsec] HOKEY draft draft-ietf-h… Yaron Sheffer
- Re: [HOKEY] Fwd: [IPsec] HOKEY draft draft-ietf-h… Stephen Farrell