Re: [HOKEY] ERX issues

Yoshihiro Ohba <yohba@tari.toshiba.com> Tue, 18 March 2008 03:12 UTC

Date: Mon, 17 Mar 2008 23:09:20 -0400
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Message-ID: <20080318030920.GG29388@steelhead.localdomain>
References: <47DF077C.300@cs.umd.edu> <47DF2CB6.6060300@qualcomm.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <47DF2CB6.6060300@qualcomm.com>
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
Cc: hokey@ietf.org
Subject: Re: [HOKEY] ERX issues

On Mon, Mar 17, 2008 at 07:45:10PM -0700, Lakshminath Dondeti wrote:
> On 3/17/2008 5:06 PM, Charles Clancy wrote:
> > During IESG evaluation, and at the last WG meeting, the following points 
> > were raised.  I've opened issues to track their progress:
> > 
> > ERX: authorization attack
> > http://www.ltsnet.net:8080/hokey/issue43
> > 
> > ERX document needs text defining behavior when re-authing across AAA DNS 
> > domains, and relate that to key management domains and administrative 
> > domains.  As-is, a re-auth across DNS domains without performing an ERP 
> > bootstrap results in authorization in a new domain with no accounting 
> > record of an initial authentication.  This could lead to fraudulent 
> > charges across AAA domains.

I don't think this captures the problem well.  The problem in my
understanding is that a visiting AAA proxy can request a DSRK even if
the peer did not request it.  As a result, the visited domain can make
extra charges regarding the use of the ERX optimization, and the home
domain does not have any evidence that the peer had ever agreed to the
use of ERX in the visited domain or requested a DSRK.  I don't
understand how an accounting record of an initial authentication can
solve the problem.  The accounting record can show that an initial
authentication happened in the visited domain, but it does not carry
anything about peer consent to the use of ERX with DSRK.

Yoshihiro Ohba

> 
> Any proposed text?  If the domain name changes, there would be a new 
> domain specific key.  Why wouldn't we write in the AAA document that 
> upon ERP bootstrapping, there should be accounting start or equivalent? 
> In fact, that is what I thought should happen with no changes to ERX.
> 
> Next, procedurally, I haven't seen any AD picking this up as a DISCUSS, 
> so I guess we are doing due diligence as part of the WG process and 
> presumably Tim would support such a change.  Could we make sure that 
> this is ok with him?
> 
> > 
> > 
> > ERX: lower layer support
> > http://www.ltsnet.net:8080/hokey/issue44
> > 
> > From Jari's DISCUSS.  ERX needs "truth in advertising" with respect to 
> > how existing authenticators may deal with a new EAP code.  See:
> > https://datatracker.ietf.org/idtracker/draft-ietf-hokey-erx/comment/78738/
> > 
> 
> I like Glen's take on this.  Ideally, this should require no text 
> changes.  Jari thinks otherwise.
> 
> regards,
> Lakshminath
_______________________________________________
HOKEY mailing list
HOKEY@ietf.org
https://www.ietf.org/mailman/listinfo/hokey
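The authorization concern raised in the message above, as an added example that is not part of the thread or of any ERP implementation: a small Python model in which the home AAA server derives a domain-bound DSRK for a visited-domain proxy only when the peer's own re-authentication request asked for bootstrapping in that domain, and records the decision either way, so the home domain holds evidence of peer consent rather than just the proxy's request. The peer name, domain names and EMSK are constructed; the PRF+ construction and DSRK seed layout are taken from RFC 5295 as this example assumes them and should be checked against the RFC before reuse.

```python
"""Model of the DSRK authorization concern discussed on the list.

Added example, not code from the HOKEY WG or any ERP implementation. The
peer identity, domain names and EMSK are constructed; the PRF+ and the
DSRK seed layout follow RFC 5295 as assumed here (verify against the RFC).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DSRK_LABEL = b"dsrk@ietf.org"  # key label assumed from RFC 5295


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """PRF+ (RFC 5295 Section 3.1.2): T_n = HMAC-SHA256(K, T_{n-1} | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


def derive_dsrk(emsk: bytes, domain: bytes, length: int = 64) -> bytes:
    """DSRK = KDF(EMSK, label | "\\0" | domain | 2-octet length): bound to the domain."""
    seed = DSRK_LABEL + b"\x00" + domain + length.to_bytes(2, "big")
    return prf_plus(emsk, seed, length)


@dataclass
class ReauthRequest:
    """Peer's EAP-Initiate/Re-auth: bootstrap flag plus the domain it wants a DSRK for."""
    peer_id: str
    bootstrap: bool
    domain: Optional[str] = None


@dataclass
class HomeAAAServer:
    """Home server that hands a DSRK to a visited-domain proxy only on peer request."""
    emsk: Dict[str, bytes] = field(default_factory=dict)
    peer_requests: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def record_full_auth(self, peer_id: str, emsk: bytes) -> None:
        # EMSK from the full EAP authentication; only a peer with one can get a DSRK.
        self.emsk[peer_id] = emsk

    def on_peer_reauth(self, req: ReauthRequest) -> None:
        # Remember which domains the peer itself asked to bootstrap ERP in.
        if req.bootstrap and req.domain:
            self.peer_requests.setdefault(req.peer_id, set()).add(req.domain)

    def on_proxy_dsrk_request(self, proxy_domain: str, peer_id: str) -> Optional[bytes]:
        # A proxy asking on its own, with no matching peer request, gets nothing and
        # the refusal is logged; the issued case is logged as evidence of consent.
        if peer_id not in self.emsk:
            self.audit.append((peer_id, proxy_domain, "denied: no full EAP authentication"))
            return None
        if proxy_domain not in self.peer_requests.get(peer_id, set()):
            self.audit.append((peer_id, proxy_domain, "denied: peer did not request DSRK here"))
            return None
        self.audit.append((peer_id, proxy_domain, "issued: DSRK on peer request"))
        return derive_dsrk(self.emsk[peer_id], proxy_domain.encode())


def run_scenario() -> Tuple[Dict[str, Optional[bytes]], List[Tuple[str, str, str]]]:
    """Two visited domains: one the peer asked for, one whose proxy asks on its own."""
    home = HomeAAAServer()
    emsk = hashlib.sha512(b"constructed EMSK for the model").digest()  # constructed, 64 bytes
    home.record_full_auth("alice@home.example", emsk)
    home.on_peer_reauth(ReauthRequest("alice@home.example", True, "visited.example"))
    results = {
        "visited.example": home.on_proxy_dsrk_request("visited.example", "alice@home.example"),
        "other.example": home.on_proxy_dsrk_request("other.example", "alice@home.example"),
    }
    return results, home.audit


if __name__ == "__main__":
    res, log = run_scenario()
    for domain, key in res.items():
        print(domain, "DSRK issued" if key else "no DSRK")
    for entry in log:
        print(entry)
```

The audit list is the part that matters for the thread's question: the home server keeps a record that ties the DSRK to the peer's own bootstrap request, which an accounting-start record generated by the visited domain alone cannot provide.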