[Nea] Protecting L2 PT when proxying
Stephen Hanna <shanna@juniper.net> Wed, 03 August 2011 14:30 UTC
Return-Path: <shanna@juniper.net>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DE2921F8828 for <nea@ietfa.amsl.com>; Wed, 3 Aug 2011 07:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.59
X-Spam-Level:
X-Spam-Status: No, score=-106.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ffa3hrUVAu9O for <nea@ietfa.amsl.com>; Wed, 3 Aug 2011 07:30:35 -0700 (PDT)
Received: from exprod7og111.obsmtp.com (exprod7og111.obsmtp.com [64.18.2.175]) by ietfa.amsl.com (Postfix) with ESMTP id 9D18821F8853 for <nea@ietf.org>; Wed, 3 Aug 2011 07:30:33 -0700 (PDT)
Received: from P-EMHUB01-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob111.postini.com ([64.18.6.12]) with SMTP ID DSNKTjlblRCtZ/fCIWGTO5WF2iERnZ8bzuIi@postini.com; Wed, 03 Aug 2011 07:30:46 PDT
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.2.254.0; Wed, 3 Aug 2011 07:28:02 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::8002:d3e7:4146:af5f]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Wed, 3 Aug 2011 10:28:02 -0400
From: Stephen Hanna <shanna@juniper.net>
To: Joe Salowey <jsalowey@cisco.com>
Date: Wed, 03 Aug 2011 10:28:00 -0400
Thread-Topic: Protecting L2 PT when proxying
Thread-Index: AcxRqeQGhMG5kgrNQ9O37CGj/GaDKAANQdAw
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AEB6D09699E9@EMBX01-WF.jnpr.net>
References: <6065F7697E427240893C1B5CF41828967EF7D4@XMB-RCD-111.cisco.com> <AC6674AB7BC78549BB231821ABF7A9AEB6D0969659@EMBX01-WF.jnpr.net> <5A2C9B76-7BC5-48A5-B5DC-C9E99E135B29@cisco.com>
In-Reply-To: <5A2C9B76-7BC5-48A5-B5DC-C9E99E135B29@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "nea@ietf.org" <nea@ietf.org>
Subject: [Nea] Protecting L2 PT when proxying
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2011 14:30:36 -0000
Joe, I have changed the subject line since we're pursuing a different topic now. We talked about this at length in the WG meeting last week. I think we all agreed that both of the L2 PT proposals MUST be carried in an EAP tunnel method or equivalent protection. This will need to be an explicit requirement in the spec. The same requirements should apply to proxying PT beyond the end of the EAP tunnel method. For PT-EAP, the obvious choice is to use RADSEC (RADIUS/TLS). For EAP-TLV, a new RADIUS attribute could be created to solve the problem, as you suggest. Or RADSEC could be used. But neither L2 PT proposal is suitable for unprotected conveyance over an untrusted network. I suppose we could revise the proposals to include their own security measures so that they could be carried without external protections. But this was never a design goal for NEA. I don't see any reason to add it now, especially in the middle of a consensus check. Thanks, Steve > -----Original Message----- > From: Joe Salowey [mailto:jsalowey@cisco.com] > Sent: Wednesday, August 03, 2011 2:50 AM > To: Stephen Hanna > Cc: nea@ietf.org > Subject: Re: [Nea] Consensus check on EAP-based PT > > > On Aug 2, 2011, at 3:54 PM, Stephen Hanna wrote: > > > <WG Chair Hat Off> > > > > I prefer option 1) PT-EAP. > > > > My reasoning is that PT-EAP has been thoroughly vetted and widely > > implemented over the last five years. Also, it provides the best > > foundation for important future extensions such as secure proxy, > > as highlighted by Stefan Winter's recent comments on the NEA list. > > > [Joe] I disagree that the EAP method approach is a good direction to a > secure proxy and other extensions. Currently in RADIUS, EAP is > carried directly within a RADIUS attribute with no additional > protection. For modern EAP methods this is not a problem, since they > provide sufficient protection from various forms of attack (as they > should since they are used on unprotected links). We have spent a lot > of effort moving away from EAP methods such as EAP-GTC and EAP-MD5 that > are not strong. PT-EAP is a step backwards in this regard. > Implementations will now have to be concerned about the protection > communications when an EAP attribute is being carried. Alternatively, > if TLVs are used a new RADIUS attribute can be defined to proxy the > data if necessary. In addition, this attribute can be designed to > provide the protection that is appropriate for NEA data. > > > Thanks, > > > > Steve > > > > <WG Chair Hat On> > > > >> -----Original Message----- > >> From: nea-bounces@ietf.org [mailto:nea-bounces@ietf.org] On Behalf > Of > >> Susan Thomson (sethomso) > >> Sent: Tuesday, August 02, 2011 5:04 PM > >> To: nea@ietf.org > >> Subject: [Nea] Consensus check on EAP-based PT > >> > >> At IETF81 and several prior IETF meetings, as well as on the mailing > >> list, the WG has evaluated the pros and cons of 2 architectural > >> approaches to carrying posture within an EAP tunnel method: > >> > >> - EAP method > >> http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt > >> > >> - EAP TLV. > >> http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv-03.txt > >> > >> So far, there has been no WG consensus to adopt one architecture > versus > >> the other. (At the recent F2F meeting in Quebec City, the consensus > >> check at the meeting showed an equal number in favor of each > approach.) > >> > >> This email is a final call to determine WG consensus on the L2 PT > >> approach. > >> > >> The consensus check is to choose one of the following 3 options: > >> 1) PT-EAP approach > >> 2) NEA-TLV approach > >> 3) Neither (please state the reason if you choose this option) > >> > >> Please respond to the above question by Tues Aug 16 at 5pm PT. > Please > >> do > >> so even if you have already expressed your opinion, either at a WG > >> meeting or on the mailing list. The answer can be as brief as > selecting > >> option 1), 2) or 3). If you would like to add your reasons for your > >> choice, that would be appreciated too, especially if you choose > option > >> 3). > >> > >> If we have consensus on the mailing list, we will adopt the selected > >> approach. > >> > >> If we still do not have consensus, the WG chairs and AD (Stephen > >> Farrell) have agreed that the AD will make a decision. The > proponents > >> of > >> both approaches have agreed to abide by this decision. This > resolution > >> plan was discussed at the F2F meeting at IETF81. This plan was also > >> communicated to the list in an email on Jun 30, 2011. No objections > >> have > >> been received. > >> > >> In either case, the individual submission corresponding to the > selected > >> approach will be adopted as a -00 NEA WG I-D, and we will proceed > with > >> the normal process of editing the document within the WG. > >> > >> Thanks > >> Susan > >> > >> ------------------ > >> References: > >> IETF81 audio session (start at approx 44 mins into session): > >> http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3 > >> > >> IETF81 draft meeting minutes: > >> http://tools.ietf.org/wg/nea/minutes > >> > >> _______________________________________________ > >> Nea mailing list > >> Nea@ietf.org > >> https://www.ietf.org/mailman/listinfo/nea > > _______________________________________________ > > Nea mailing list > > Nea@ietf.org > > https://www.ietf.org/mailman/listinfo/nea
- [Nea] Consensus check on EAP-based PT Susan Thomson (sethomso)
- Re: [Nea] Consensus check on EAP-based PT Ira McDonald
- Re: [Nea] Consensus check on EAP-based PT Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Sanchez, Mauricio (HP Networking)
- Re: [Nea] Consensus check on EAP-based PT Hao Zhou
- Re: [Nea] Consensus check on EAP-based PT Frank Yeh Jr
- Re: [Nea] Consensus check on EAP-based PT Alan DeKok
- Re: [Nea] Consensus check on EAP-based PT Andreas Steffen
- Re: [Nea] Consensus check on EAP-based PT Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Klaas Wierenga
- Re: [Nea] Consensus check on EAP-based PT Lisa Lorenzin
- Re: [Nea] Consensus check on EAP-based PT Marc Linsner
- [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Mike Fratto
- Re: [Nea] Consensus check on EAP-based PT john.willis
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Jouni Malinen
- Re: [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Nancy Cam-Winget
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT latze@angry-red-pla.net
- Re: [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Protecting L2 PT when proxying Mike Fratto
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT kaushik narayan
- Re: [Nea] Consensus check on EAP-based PT Paul Sangster
- Re: [Nea] Consensus check on EAP-based PT Stephen McCann