Re: [Nea] PT-EAP I-D Ready for IESG Evaluation
"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Tue, 27 November 2012 03:51 UTC
Return-Path: <ncamwing@cisco.com>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3C2921F8751 for <nea@ietfa.amsl.com>; Mon, 26 Nov 2012 19:51:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.933
X-Spam-Level:
X-Spam-Status: No, score=-8.933 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_FWDLOOK=1.666]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id btnEDuZf9r11 for <nea@ietfa.amsl.com>; Mon, 26 Nov 2012 19:51:33 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 1D62621F8469 for <nea@ietf.org>; Mon, 26 Nov 2012 19:51:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13493; q=dns/txt; s=iport; t=1353988293; x=1355197893; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=27pvg4os2RFrE49llH6dGbYHHN/M4v9AVheuI3QF4VU=; b=PetNQPf6jT185ccj1DJkhUaOjZ6LPFs2YYNfN8v4dWiQu7JWmVBnPkc/ Tx7om3tlbv3jHuWcyE4cWN6jzXaUmIHDP1wu9OFi6o7UxacschO/pBfq5 6TgpD1HKpCgh+6CqN9hd3FuWfAswGlAFLEa68Fy3eZBIJ4PDqkK7Gfrko c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAHY4tFCtJXG//2dsb2JhbABEwCiBCYIgAQQBAQFkBwQHEgEIIksLJQIEAQ0FCIgFDK9+kDQEjDgKg1VhA6ZFgmINgV8CBQIXBhg
X-IronPort-AV: E=McAfee;i="5400,1158,6908"; a="146461389"
Received: from rcdn-core2-4.cisco.com ([173.37.113.191]) by rcdn-iport-7.cisco.com with ESMTP; 27 Nov 2012 03:51:17 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by rcdn-core2-4.cisco.com (8.14.5/8.14.5) with ESMTP id qAR3pHJg020685 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 27 Nov 2012 03:51:17 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.109]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.02.0318.001; Mon, 26 Nov 2012 21:51:16 -0600
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Susan Thomson (sethomso)" <sethomso@cisco.com>
Thread-Topic: [Nea] PT-EAP I-D Ready for IESG Evaluation
Thread-Index: AQHNwtSZN/2pZMSZSky8DUtOu+QtBZfw3qyAgAwfCAA=
Date: Tue, 27 Nov 2012 03:51:16 +0000
Message-ID: <B80278DF1B7C814184086F4A6ECB3115224B321F@xmb-aln-x02.cisco.com>
In-Reply-To: <50A99D2F.6090109@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.21.71.142]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <C8F3E2563152F443BC9FA36315D74DAC@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "nea@ietf.org" <nea@ietf.org>
Subject: Re: [Nea] PT-EAP I-D Ready for IESG Evaluation
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2012 03:51:35 -0000
Hi Stephen, Thanks for your prompt and thorough review of the PT-EAP spec. I've reviewed the comments that you sent and have provided further comments/responses below. If we can agree on all the updates/comments, I can churn another version thenŠ. Thanks again, Nancy P.S. The comments were very helpful :-) On 11/18/12 6:45 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: > >Hi Susan, all, > >My AD review of this is below. I'm not sure if the >chairs/authors would prefer make changes and/or argue >before IETF LC (either is fine), so I'll mark this as >being in AD eval while we figure that out. [NCW] As Steve mentioned in his earlier email, we'd like to get these straightened out before we go to IETF LC. > >My first (numbered) list of questions are things I >need to see answered before I start IETF LC. I'd say >only question #1 might be tricky and its certainly >ok to say that changes resulting from #2 & #3 will >be put in after IETF LC, if some are needed, so >#1 is (by far) the main deal. > >The other stuff you can consider as just some >random-dude comments to take or leave:-) > >Cheers, >S. > >questions I'd like answered before IETF LC: > >1) Doesn't the non-existence of a standards-track EAP outer >method that meets the needs of NEA (section 5, 2nd para) >mean that this draft ought stay in the RFC editor queue >until TEAP is done, and that TEAP ought be MTI for PT-EAP? >(Which could be easily done if the wg wanted it.) >If the wg's answer to is "no, its ok now", then I'm >confused, since you seem to require a standards track EAP >outer method that does not exist. Wouldn't that imply that >this protocol cannot be implemented as currently specified >and wouldn't that be a bad outcome for the IETF? [NCW] The NEA WG discussed this at length and agreed that the spec should not wait for TEAP to be standardized. There was consensus that the already industry established/used tunnel methods, e.g. EAP-FAST, EAP-TTLS and PEAP met the requirements in section 5 of PT-EAP; while these are not standardized by the IETF, several of them are documented in the IETF as informational RFCs. Further consensus indicated that the group both, did not want to wait for TEAP's standardization and that there would be some benefit if using the NEA protocols with the already existing tunnel methods. > >2) 4.1.1: If the PTS trusts the PTC this way then its >crazy! If this is saying that a PTS ought not include code >to validate syntax then that'd be broken. What's wrong >here? Seems like maybe its a case of putting in too many >words? I think this 2nd bullet list in 4.1.1 might be >better if it disappeared. I also think the last paragraph >on 4.1.1 should also disappear. Is that unreasonable or ok? [NCW] Your rationale makes sense and request is reasonable. I think the intent was to provide a warning to the PTS implementations of malicious PTC behaviors. Should we just include a sentence as such? E.g. "Since the Posture Transport Server can not validate the trustworthiness of the Posture Transport Client; the Posture Transport Server should protect itself accordingly." Since 4.1.2 follows the same template, I presume you'd also like us to follow the same updates as we do for 4.1.1? > >3) 4.2.5, last para: on what basis can one say that an EMA >is effective, other than by definition, which doesn't seem >convincing? I do agree that some EMA implementation might >be effective but not that all things calling themselves an >EMA are effective. It therefore seems wrong to have text >that appears to depend on the effectiveness of all EMAs. [NCW] It is true that it is difficult to guarantee all EMA's implementations to be effective. Since there are some EMA's believed to be effective as well as the charter stating "the protocols developed by the NEA WG must be designed to accommodate emerging technologies for identifying and dealing with lying endpoints", the group felt that a SHOULD clause be included. If there's "text that appears to depend on the effectiveness of all EMAs", could you please point out the exact text so that we can better address your concern? > >----------------- > >"random-dude" comments to take or leave: > >abstract: not sure if EAP needs expanding there or not [NCW] Since it's the first reference, it does make sense to expand itŠso will do. > >abstract: s/tunnel method/EAP tunnel method/ ? [NCW] Thanks for the find! Will doŠ > >intro: why does 1st sentence not use same terminology as >abstract? [NCW] No reason, so we'll make it consistent. > >intro: PB-TNC should be expanded [NCW] OK. We'll also add a pointer to the PB-TNC reference. > >intro: it might be good to briefly explain the terms inner >and outer for EAP methods, but only if that text is not >going to be contentious. [NCW] I don't think it would be contentious. We can put this in the last paragraph of section 1, which is the first place that we use the term "inner EAP method". > >1.5: the forward-looking statement about what TCG might do >in future seems out of place and was modified in the pt-tls >draft I think. The same change seems right here. [NCW] Sounds goodŠ.will do > >section 2: "MUST only" is odd, better would be to either >s/only// or phrase this with a MUST NOT. [NCW] OK, we can just remove "only" > >3.1: is the phrase "round robin exchange" clear or more >confusing? It could be the latter since the term is mostly >used in relation to load-balancing. That sentence is also >pretty unclear, maybe what you mean is that there cannot be >>1 PB-TNC batch in flight at any given time, if so, better >to say so. I don't get the last sentence in the 3rd para >here. [NCW] We can change the sentence with round-robin from: The NEA Client and NEA Server then engage in a round-robin exchange with one PB-TNC batch in flight at a time. to this: The NEA Client and NEA Server then take turns sending a PB-TNC batch. No more than one PB-TNC batch can ever be in flight at any given time. It seems that the sentence you don't understand is this one: This message may be empty (not contain any data) if the NEA Server has just sent the last PB-TNC batch in the PB-TNC exchange. Is that right? The preceding sentence was this one: The data transport phase always ends with an EAP Response message from the NEA Client to the NEA Server. So the last message in the data transport phase goes from the NEA Client to the NEA Server. If the NEA Client doesn't have any PB-TNC batches to send, it just sends a PT-EAP message whose Data field is empty. Does that help you understand what we're trying to say? If so, perhaps we should change that confusing sentence to say: The Data field of this message may have zero length if the NEA Server has just sent the last PB-TNC batch in the PB-TNC exchange. > >3.1: 3rd last and 2nd last paras are hard to get (at first >reading at least). [NCW] Sorry. The 3rd last para is just saying that the success of PT-EAP does not mean that the overall authentication will succeed. Neither does the failure of PT-EAP mean that the overall authentication will fail. That depends on the policy configured by the administrator. Maybe they're just doing a posture check to see which machines are healthy for reporting purposes or maybe they don't keep unhealthy machines off the network but quarantine them. This is not always immediately clear to people when they read these specs. The 2nd last para says that you don't have to continue the PT-EAP exchange to the end. However, different EAP tunnel methods have different ways to stop an inner EAP method prematurely. Any suggestions for wording changes? > >3.1: last para seems unnecessary [NCW] The intent was to ensure that the sequencing is followed (e.g. A MUST). Is that inferred by it being section 3 (e.g. A normative section?). If that's the case, then we can remove the paragraph, otherwise, can you suggest how we can ensure the sequencing if adhered to? > >3.3: It'd be good to give the figures names/captions to >make 'em easier to reference. [NCW] Sure will do (something new to learn in the xml script :-) > >3.3: 1st para, might be nice to name the 4 fields that are >mandated. Also be good to say which of these fields are bog >standard EAP and which are nea-specific, (in case someone >codes up nea stuff to fit into some eap framwork or >something). For example the start bit on p7 could be >pt-eap-specific or not. [NCW] Good point; will do. > >section 4: This entire section seems to fall between two >stools. On the one hand it could be an ab-initio analysis >of threats to a generic PT-EAP, or else if could be a >post-facto analysis of residual threats that need to be >countered given the final PT-EAP design. Its hard to tell >which is intended and I think the text oscilates between >the two. I think making sure that's crystal clear would >help here, in terms of giving the reader an easier time. [NCW] PT-EAP provides NO security protections at all. All of the security is provided by the EAP tunnel method and other components such as the EMA. So this sections attempts to describe the threats relevant to PT-EAP (and the NEA reference model) and translates those into a list of protections that the EAP tunnel method must provide and a few things that the PT-EAP implementer must do (e.g. be wary of data sent by the other side and expose the tls-unique value upward). Can you suggest ways to improve on what's written? > >4.1.1: I don't get what "not observe" means here. How can a >piece of code send out some bytes that it has not >"observed" in some sense? [NCW] How about we change it to "Disclose to unauthorized parties" instead? The intent is to ensure that the PTC and PTS not leak the info. > >4.2, title is odd - what threat or countermeasure is >nothing to do with security? suggest s/Security// in the >title. (Same in 1st para of 4.2 and anywhere else.) [NCW] OKŠwill do. > >4.2.1: I'm not sure what "theft" means in the title here - >presumably is involves a bad actor doing more than just >copying the bytes, but what, in general? Maybe change >title to "message confidentiality"? [NCW] SureŠwill do. > >4.2.1: who is "*the* adversary"? (my emphasis) Maybe >s/the/an/ [NCW] SureŠwill do. > >4.2.1: "housed in" is an odd term likely to be easily >misunderstood e.g. by non-native English speakers, "carried >by" would seem better [NCW] SureŠwill do. > >4.2.1: EAP-FAST and EAP-TTLS could do with references on >first use. (Same later for other methods, e.g. TEAP in >4.2.3.) [NCW] They are already referenced in Section 1; would you like us To repeat them in this section as well? > >4.2.2: What'd it mean to creat a DoS against aspects of >an assessment? I don't get that. [NCW] One example would be to insert a PT-EAP message to tell a NEA Server that the endpoint is totally infected. This could cause the device to be blocked from accessing a critical resource, which would be a denial of service. > >4.2.2: 1st para, malformed octets don't really seem like >message fabrication. [NCW] Would it be better to change it to the example above? > >4.2.2: last sentence - something wrong here, you can't >say that unless you have an MTI outer EAP method that >does guarantee that or else they all do, but do they >all? [NCW] If the EAP tunnel method meets the requirements in section 5, it prevents undetected insertion of PT-EAP messages into a properly authorized exchange. All of the EAP tunnel methods described in section 4.3 meet those requirements. However, it would be inappropriate to make one of them MTI for PT-EAP because none of them is yet specified in a Standards Track RFC. > >4.2.3: last sentence - is this missing a 2119 REQUIRED? [NCW] Some reviewers objected to putting RFC 2119 text into a Security Considerations section. Therefore, we put all of the RFC 2119 requirements on EAP tunnel methods in section 5. > >4.2.4: "encrypted and hashed" is pretty imprecise. [NCW] How about we split the sentence into: "After the cryptographic authentication by the EAP tunnel method, the session can be protected cryptographically to provide confidentiality and source authenticity. Such protection prevents undetected modification that could create a denial of service situation." > >4.3: I think if the use of TLS is significant then you >need a reference to 5246. Maybe also 5280 but that could >be implied by TLS. [NCW] We do have a reference to RFC 5246. In fact, it's Normative. TLS does permit PGP certificates to be used so it seems wrong for us to reference RFC 5280. > >4.3: Is the parenthetic "using TLVs" text here stuff that >ought go away? I think it probably is. [NCW] SureŠwill do. > >section 6: the "MUST NOT observe" here seems like nonsense >and nothing to do with 2119. [NCW] SureŠwill do. > >7.1: is "PT-EAP Versions" a top-level registry or part of >something else? I think you can answer this by saying >what URL you think would be good for accessing this >registry. [NCW] It's Top levee registry. >_______________________________________________ >Nea mailing list >Nea@ietf.org >https://www.ietf.org/mailman/listinfo/nea
- [Nea] PT-EAP I-D Ready for IESG Evaluation Susan Thomson (sethomso)
- Re: [Nea] PT-EAP I-D Ready for IESG Evaluation Stephen Farrell
- Re: [Nea] PT-EAP I-D Ready for IESG Evaluation Stephen Farrell
- Re: [Nea] PT-EAP I-D Ready for IESG Evaluation Stephen Hanna
- Re: [Nea] PT-EAP I-D Ready for IESG Evaluation Stephen Farrell
- Re: [Nea] PT-EAP I-D Ready for IESG Evaluation Nancy Cam-Winget (ncamwing)
- [Nea] MTI EAP outer method (was: Re: PT-EAP I-D R… Stephen Farrell
- Re: [Nea] PT-EAP I-D Ready for IESG Evaluation Stephen Farrell
- Re: [Nea] MTI EAP outer method (was: Re: PT-EAP I… Joseph Salowey (jsalowey)
- Re: [Nea] MTI EAP outer method (was: Re: PT-EAP I… Nancy Cam-Winget (ncamwing)
- Re: [Nea] MTI EAP outer method (was: Re: PT-EAP I… Stephen Hanna
- Re: [Nea] MTI EAP outer method (was: Re: PT-EAP I… Stephen Farrell
- Re: [Nea] MTI EAP outer method (was: Re: PT-EAP I… Joseph Salowey (jsalowey)