Re: [Nea] Consensus check on EAP-based PT
Nancy Cam-Winget <ncamwing@cisco.com> Thu, 04 August 2011 01:26 UTC
Date: Wed, 03 Aug 2011 18:26:16 -0700
From: Nancy Cam-Winget <ncamwing@cisco.com>
To: Susan Thomson <sethomso@cisco.com>, nea@ietf.org
Message-ID: <CA5F4348.D0BC%ncamwing@cisco.com>
In-Reply-To: <6065F7697E427240893C1B5CF41828967EF7D4@XMB-RCD-111.cisco.com>
Subject: Re: [Nea] Consensus check on EAP-based PT
I prefer the EAP-TLV approach. While there may be implementations that are close to the EAP-PT proposal, there are also similar implementations of the EAP-TLV. Several EAP-PT issues and concerns were raised that, for me, outweigh the "benefits of already having code":

- the goal for NEA is to define a transport for data. EAP is designed and defined to be an authentication framework. To "only carry data", issues for how the design must now accommodate the "no authentication" must now be compensated for... For instance: how does the state machine know that the intent is for it to carry NEA data only and not authentication? The two main issues of violations for using an authentication framework (EAP) for not doing authentication are in the generation of an identity and the creation of keys.

- code and configuration updates are going to be needed regardless of whether we adopt EAP-PT or EAP-TLV. While it may be perceived to "be simpler" as some vendors allow for ease of adding EAP methods... these interfaces were intended to be defined for adding new authentication methods, not "methods that only carry data".

- the above raises one of my security concerns that if we were to allow for "let's just add another EAP method", there is the danger that EAP-PT can be used as a standalone method, which we have discussed as being insecure. As Joe succinctly states, while we can make special cases for EAP-PT... but more importantly, I think we are setting a bad precedent in defining a "non authenticating" EAP method and opening the door for defining other things as EAP methods too...

Nancy.

On 8/2/11 2:04 PM, "Susan Thomson" <sethomso@cisco.com> wrote:

> At IETF81 and several prior IETF meetings, as well as on the mailing
> list, the WG has evaluated the pros and cons of 2 architectural
> approaches to carrying posture within an EAP tunnel method:
>
> - EAP method
> http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt
>
> - EAP TLV.
> http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv-03.txt
>
> So far, there has been no WG consensus to adopt one architecture versus
> the other. (At the recent F2F meeting in Quebec City, the consensus
> check at the meeting showed an equal number in favor of each approach.)
>
> This email is a final call to determine WG consensus on the L2 PT
> approach.
>
> The consensus check is to choose one of the following 3 options:
> 1) PT-EAP approach
> 2) NEA-TLV approach
> 3) Neither (please state the reason if you choose this option)
>
> Please respond to the above question by Tues Aug 16 at 5pm PT. Please do
> so even if you have already expressed your opinion, either at a WG
> meeting or on the mailing list. The answer can be as brief as selecting
> option 1), 2) or 3). If you would like to add your reasons for your
> choice, that would be appreciated too, especially if you choose option
> 3).
>
> If we have consensus on the mailing list, we will adopt the selected
> approach.
>
> If we still do not have consensus, the WG chairs and AD (Stephen
> Farrell) have agreed that the AD will make a decision. The proponents of
> both approaches have agreed to abide by this decision. This resolution
> plan was discussed at the F2F meeting at IETF81. This plan was also
> communicated to the list in an email on Jun 30, 2011. No objections have
> been received.
>
> In either case, the individual submission corresponding to the selected
> approach will be adopted as a -00 NEA WG I-D, and we will proceed with
> the normal process of editing the document within the WG.
>
> Thanks
> Susan
>
> ------------------
> References:
> IETF81 audio session (start at approx 44 mins into session):
> http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3
>
> IETF81 draft meeting minutes:
> http://tools.ietf.org/wg/nea/minutes