Re: [Nea] Consensus check on EAP-based PT

Nancy Cam-Winget <ncamwing@cisco.com> Thu, 04 August 2011 01:26 UTC

From: Nancy Cam-Winget <ncamwing@cisco.com>
To: Susan Thomson <sethomso@cisco.com>, nea@ietf.org
Date: Wed, 03 Aug 2011 18:26:16 -0700
Message-ID: <CA5F4348.D0BC%ncamwing@cisco.com>
In-Reply-To: <6065F7697E427240893C1B5CF41828967EF7D4@XMB-RCD-111.cisco.com>
Subject: Re: [Nea] Consensus check on EAP-based PT
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>

I prefer the EAP-TLV approach.

While there may be implementations that are close to the EAP-PT proposal, there are also similar implementations of the EAP-TLV.

Several EAP-PT issues and concerns were raised that, for me, outweigh the "benefits of already having code":

 - The goal for NEA is to define a transport for data. EAP is designed and defined to be an authentication framework. To "only carry data", issues for how the design must now accommodate the "no authentication" must now be compensated for... For instance: how does the state machine know that the intent is for it to carry NEA data only and not authentication? The two main issues of violations for using an authentication framework (EAP) for not doing authentication are in the generation of an identity and the creation of keys.

 - Code and configuration updates are going to be needed regardless of whether we adopt EAP-PT or EAP-TLV. While it may be perceived to "be simpler" as some vendors allow for ease of adding EAP methods... these interfaces were intended to be defined for adding new authentication methods, not "methods that only carry data".

 - The above raises one of my security concerns: if we were to allow for "let's just add another EAP method", there is the danger that EAP-PT can be used as a standalone method, which we have discussed as being insecure. As Joe succinctly states, while we can make special cases for EAP-PT... more importantly, I think we are setting a bad precedent in defining a "non-authenticating" EAP method and opening the door for defining other things as EAP methods too...

   Nancy.


On 8/2/11 2:04 PM, "Susan Thomson" <sethomso@cisco.com> wrote:

> At IETF81 and several prior IETF meetings, as well as on the mailing
> list, the WG has evaluated the pros and cons of 2 architectural
> approaches to carrying posture within an EAP tunnel method:
> 
> - EAP method
> http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt
> 
> - EAP TLV.
> http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv-03.txt
> 
> So far, there has been no WG consensus to adopt one architecture versus
> the other. (At the recent F2F meeting in Quebec City, the consensus
> check at the meeting showed an equal number in favor of each approach.)
> 
> This email is a final call to determine WG consensus on the L2 PT
> approach.
> 
> The consensus check is to choose one of the following 3 options:
> 1) PT-EAP approach
> 2) NEA-TLV approach
> 3) Neither (please state the reason if you choose this option)
> 
> Please respond to the above question by Tues Aug 16 at 5pm PT. Please do
> so even if you have already expressed your opinion, either at a WG
> meeting or on the mailing list. The answer can be as brief as selecting
> option 1), 2) or 3). If you would like to add your reasons for your
> choice, that would be appreciated too, especially if you choose option
> 3).
> 
> If we have consensus on the mailing list, we will adopt the selected
> approach.
> 
> If we still do not have consensus, the WG chairs and AD (Stephen
> Farrell) have agreed that the AD will make a decision. The proponents of
> both approaches have agreed to abide by this decision. This resolution
> plan was discussed at the F2F meeting at IETF81. This plan was also
> communicated to the list in an email on Jun 30, 2011. No objections have
> been received.
> 
> In either case, the individual submission corresponding to the selected
> approach will be adopted as a -00 NEA WG I-D, and we will proceed with
> the normal process of editing the document within the WG.
> 
> Thanks
> Susan
> 
> ------------------
> References:
> IETF81 audio session (start at approx 44 mins into session):
> http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3
> 
> IETF81 draft meeting minutes:
> http://tools.ietf.org/wg/nea/minutes
> 
> _______________________________________________
> Nea mailing list
> Nea@ietf.org
> https://www.ietf.org/mailman/listinfo/nea