IETF Logo Mail Archive

Re: [Nea] Protecting L2 PT when proxying

Joe Salowey <jsalowey@cisco.com> Wed, 03 August 2011 20:55 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5550411E807D for <nea@ietfa.amsl.com>; Wed, 3 Aug 2011 13:55:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.599
X-Spam-Level:
X-Spam-Status: No, score=-104.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oVnC1w7tvI4q for <nea@ietfa.amsl.com>; Wed, 3 Aug 2011 13:55:15 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 4734711E807C for <nea@ietf.org>; Wed, 3 Aug 2011 13:55:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=jsalowey@cisco.com; l=6936; q=dns/txt; s=iport; t=1312404928; x=1313614528; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=5n9ytdTvgVLjQJCDH+dGmKOjD4ZOtv/r+VNu/0IAyjQ=; b=JNutuiZmwDOuhXb+wlpvdbuFHqB8dfQmrtZSuUUWyjA3SXAuV1v9F7jK htVw26lMkiYMHoQUBy3+QDzw5jyRTPIKjJYo7QmkzYr1+3PkJREcn5m+k S6NOBfZ8qQeitaqNKF1XUwQoGkjuBy5uiSIaE/4DlAFoJJGGrcgO6Am7t k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AusAAAe1OU6rRDoH/2dsb2JhbABCmAePWneBQAEBAQECAQEBAQ8BJy0HCwUHBAsOAwEDAQEBJwcnHwMGCAYTCRmHSgSiJwGeaoVjXwSHWoshhQeLfQ
X-IronPort-AV: E=Sophos;i="4.67,312,1309737600"; d="scan'208";a="9409815"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by rcdn-iport-5.cisco.com with ESMTP; 03 Aug 2011 20:55:27 +0000
Received: from [10.33.249.202] ([10.33.249.202]) by mtv-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p73KtQTB021402; Wed, 3 Aug 2011 20:55:26 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Joe Salowey <jsalowey@cisco.com>
In-Reply-To: <AC6674AB7BC78549BB231821ABF7A9AEB6D09699E9@EMBX01-WF.jnpr.net>
Date: Wed, 03 Aug 2011 13:55:20 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CB0D88DA-97CA-42E8-8C5E-B6E46F8F67F8@cisco.com>
References: <6065F7697E427240893C1B5CF41828967EF7D4@XMB-RCD-111.cisco.com> <AC6674AB7BC78549BB231821ABF7A9AEB6D0969659@EMBX01-WF.jnpr.net> <5A2C9B76-7BC5-48A5-B5DC-C9E99E135B29@cisco.com> <AC6674AB7BC78549BB231821ABF7A9AEB6D09699E9@EMBX01-WF.jnpr.net>
To: Stephen Hanna <shanna@juniper.net>
X-Mailer: Apple Mail (2.1084)
Cc: "nea@ietf.org" <nea@ietf.org>
Subject: Re: [Nea] Protecting L2 PT when proxying
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2011 20:55:16 -0000

On Aug 3, 2011, at 7:28 AM, Stephen Hanna wrote:

> Joe,
> 
> I have changed the subject line since we're pursuing a
> different topic now.
> 
> We talked about this at length in the WG meeting last week.
> I think we all agreed that both of the L2 PT proposals MUST
> be carried in an EAP tunnel method or equivalent protection.
> This will need to be an explicit requirement in the spec.
> 
> The same requirements should apply to proxying PT beyond
> the end of the EAP tunnel method.

[Joe] If you follow the above mandate then you would not expose PT-EAP outside the tunnel method.  I believe this is the appropriate requirement if using PT-EAP.  

> For PT-EAP, the obvious
> choice is to use RADSEC (RADIUS/TLS). For EAP-TLV, a new
> RADIUS attribute could be created to solve the problem,
> as you suggest. Or RADSEC could be used. But neither L2 PT
> proposal is suitable for unprotected conveyance over an
> untrusted network. I suppose we could revise the proposals
> to include their own security measures so that they could
> be carried without external protections. But this was never
> a design goal for NEA. I don't see any reason to add it
> now, especially in the middle of a consensus check.
> 
[Joe]  The problem here is that the EAP RADIUS attribute in general does not require additional protection.  PT-EAP introduces a new special case in which it does.  This creates a situation in which implementations need to check the EAP type code in order to change their behavior.    While this may seem harmless, it adds complexity and conspires against the extensible framework that EAP and AAA are built upon.   I agree that there are multiple ways to protect an attribute.  When proxying NEA data as an EAP method you are overloading an existing attribute with new meaning and requirements, but with a TLV you would create a new attribute with its own protection requirements and possibly its own protection mechanism.   You can also create an attribute to carry PT data even if you are using PT-EAP, which would be my preferred approach if we are going to expose NEA data outside the tunnel.  



> Thanks,
> 
> Steve
> 
>> -----Original Message-----
>> From: Joe Salowey [mailto:jsalowey@cisco.com]
>> Sent: Wednesday, August 03, 2011 2:50 AM
>> To: Stephen Hanna
>> Cc: nea@ietf.org
>> Subject: Re: [Nea] Consensus check on EAP-based PT
>> 
>> 
>> On Aug 2, 2011, at 3:54 PM, Stephen Hanna wrote:
>> 
>>> <WG Chair Hat Off>
>>> 
>>> I prefer option 1) PT-EAP.
>>> 
>>> My reasoning is that PT-EAP has been thoroughly vetted and widely
>>> implemented over the last five years. Also, it provides the best
>>> foundation for important future extensions such as secure proxy,
>>> as highlighted by Stefan Winter's recent comments on the NEA list.
>>> 
>> [Joe] I disagree that the EAP method approach is a good direction to a
>> secure proxy and other extensions.   Currently in RADIUS, EAP is
>> carried directly within a RADIUS attribute with no additional
>> protection.  For modern EAP methods this is not a problem, since they
>> provide sufficient protection from various forms of attack (as they
>> should since they are used on unprotected links).  We have spent a lot
>> of effort moving away from EAP methods such as EAP-GTC and EAP-MD5 that
>> are not strong.  PT-EAP is a step backwards in this regard.
>> Implementations will now have to be concerned about the protection
>> communications when an EAP attribute is being carried. Alternatively,
>> if TLVs are used a new RADIUS attribute can be defined to proxy the
>> data if necessary.  In addition, this attribute can be designed to
>> provide the protection that is appropriate for NEA data.
>> 
>>> Thanks,
>>> 
>>> Steve
>>> 
>>> <WG Chair Hat On>
>>> 
>>>> -----Original Message-----
>>>> From: nea-bounces@ietf.org [mailto:nea-bounces@ietf.org] On Behalf
>> Of
>>>> Susan Thomson (sethomso)
>>>> Sent: Tuesday, August 02, 2011 5:04 PM
>>>> To: nea@ietf.org
>>>> Subject: [Nea] Consensus check on EAP-based PT
>>>> 
>>>> At IETF81 and several prior IETF meetings, as well as on the mailing
>>>> list, the WG has evaluated the pros and cons of 2 architectural
>>>> approaches to carrying posture within an EAP tunnel method:
>>>> 
>>>> - EAP method
>>>> http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt
>>>> 
>>>> - EAP TLV.
>>>> http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv-03.txt
>>>> 
>>>> So far, there has been no WG consensus to adopt one architecture
>> versus
>>>> the other. (At the recent F2F meeting in Quebec City, the consensus
>>>> check at the meeting showed an equal number in favor of each
>> approach.)
>>>> 
>>>> This email is a final call to determine WG consensus on the L2 PT
>>>> approach.
>>>> 
>>>> The consensus check is to choose one of the following 3 options:
>>>> 1) PT-EAP approach
>>>> 2) NEA-TLV approach
>>>> 3) Neither (please state the reason if you choose this option)
>>>> 
>>>> Please respond to the above question by Tues Aug 16 at 5pm PT.
>> Please
>>>> do
>>>> so even if you have already expressed your opinion, either at a WG
>>>> meeting or on the mailing list. The answer can be as brief as
>> selecting
>>>> option 1), 2) or 3). If you would like to add your reasons for your
>>>> choice, that would be appreciated too, especially if you choose
>> option
>>>> 3).
>>>> 
>>>> If we have consensus on the mailing list, we will adopt the selected
>>>> approach.
>>>> 
>>>> If we still do not have consensus, the WG chairs and AD (Stephen
>>>> Farrell) have agreed that the AD will make a decision. The
>> proponents
>>>> of
>>>> both approaches have agreed to abide by this decision. This
>> resolution
>>>> plan was discussed at the F2F meeting at IETF81. This plan was also
>>>> communicated to the list in an email on Jun 30, 2011. No objections
>>>> have
>>>> been received.
>>>> 
>>>> In either case, the individual submission corresponding to the
>> selected
>>>> approach will be adopted as a -00 NEA WG I-D, and we will proceed
>> with
>>>> the normal process of editing the document within the WG.
>>>> 
>>>> Thanks
>>>> Susan
>>>> 
>>>> ------------------
>>>> References:
>>>> IETF81 audio session (start at approx 44 mins into session):
>>>> http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3
>>>> 
>>>> IETF81 draft meeting minutes:
>>>> http://tools.ietf.org/wg/nea/minutes
>>>> 
>>>> _______________________________________________
>>>> Nea mailing list
>>>> Nea@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/nea
>>> _______________________________________________
>>> Nea mailing list
>>> Nea@ietf.org
>>> https://www.ietf.org/mailman/listinfo/nea
>

v2.23.0 | Report a Bug | By Email