[Nea] Minor Comments on PT-EAP
Stephen Hanna <shanna@juniper.net> Mon, 27 August 2012 11:06 UTC
Return-Path: <shanna@juniper.net>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D058021F862A for <nea@ietfa.amsl.com>; Mon, 27 Aug 2012 04:06:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.568
X-Spam-Level:
X-Spam-Status: No, score=-106.568 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15rZrAWtPscY for <nea@ietfa.amsl.com>; Mon, 27 Aug 2012 04:05:59 -0700 (PDT)
Received: from exprod7og126.obsmtp.com (exprod7og126.obsmtp.com [64.18.2.206]) by ietfa.amsl.com (Postfix) with ESMTP id C357B21F858A for <nea@ietf.org>; Mon, 27 Aug 2012 04:05:59 -0700 (PDT)
Received: from P-EMHUB03-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob126.postini.com ([64.18.6.12]) with SMTP ID DSNKUDtUlyMsDrfjEoPeEbmC0pJoQ95pFjV5@postini.com; Mon, 27 Aug 2012 04:05:59 PDT
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.3.213.0; Mon, 27 Aug 2012 04:05:10 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Mon, 27 Aug 2012 07:05:09 -0400
From: Stephen Hanna <shanna@juniper.net>
To: "nea@ietf.org" <nea@ietf.org>
Date: Mon, 27 Aug 2012 07:05:08 -0400
Thread-Topic: Minor Comments on PT-EAP
Thread-Index: Ac2EQ9IMC45iMJzjSSC/SkRqm+FlQA==
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AEB916F11BC1@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [Nea] Minor Comments on PT-EAP
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2012 11:06:00 -0000
I have conducted a detailed review of PT-EAP. I have reviewed the specification many times before but I still found a few minor issues, noted below. I'm surprised that there are still issues, given that this document has been reviewed so many times by so many people (including at least four thorough reviews by me). But I guess there are always a few typos and little errors in every document. Still, there are only a few at this point and the spec overall is quite good. PT-EAP is a valuable specification of high quality. I support sending it to the IESG and on to RFC status. But I'd like to see these minor issues fixed first. Thanks, Steve ----------- Minor Comments on draft-ietf-nea-pt-tls-03.txt * The front page says that the Intended Status is Informational. That should be Standards Track. * Four places in the spec, the phrase "EAP TLS-based tunnel" or "EAP TLS-based tunnel method" appears. This could be misread as a reference to the EAP-TLS method. I think it would be much clearer to change these phrases to "TLS-based EAP tunnel" or "TLS-based EAP tunnel method". * The paragraph immediately before section 1.1 says PT-EAP is designed to be used "under a protected tunnel" such as TEAP, EAP-FAST, or EAP-TTLS. In this phrase, I think the word "under" can be interpreted two ways. Clearly, the authors mean that PT-EAP is used inside a protected tunnel. But the phrase could also mean that PT-EAP is used as a substrate under a protected tunnel. In other words, that the protected tunnel would be encapsulated inside PT-EAP. Clearly, that's nonsense. But this phrase would be much clearer if we replaced the word "under" with "inside". Then it would say PT-EAP is designed to be used "inside a protected tunnel" such as TEAP, EAP-FAST, or EAP-TTLS. * The second paragraph in section 3 says that this section includes "a flow diagram". Actually, there's no flow diagram in that section or anywhere else in the document. I suggest that we remove the words "and a flow diagram" from that paragraph. * The last sentence in that paragraph is missing a word when it says that tls-unique "may be used to PA-TNC exchanges to the EAP tunnel method". I think the word "bind" needs to be added before "PA-TNC" in that sentence. * The words "an PT-EAP" appear in the document three times. Of course, they should be "a PT-EAP". * At the start of section 3.3, the numbers in the message diagram should be one space to the right. They need to line up with the hyphens below, not the plus signs. * At the end of section 3.4, the word "an" should be inserted before the final word "attacker". * The first paragraph of section 4 ends with two periods. One should be enough. Also, the penultimate sentence in that paragraph includes the phrase "do not evaluate". This should be "does not evaluate" to match the singular noun ("this section"). * In sections 4.1.1 and 4.1.2, several bullets start with "Not to". The word "to" should be deleted from those bullets. Otherwise, the bullets are ungrammatical when combined with the text that introduces the bullets. For example, the first bullet when combined with the text before the bullets now reads "The Posture Transport Client is trusted by the Posture Broker Client to [...] Not to observe, fabricate or alter the contents of the PB-TNC batches received from the network". Clearly, the words "Not to" should be simply "Not". * Two bullets in sections 4.1.1 and 4.1.2 start with the words "Deliver properly security protected messages", which are hard to parse. Does this mean "Properly deliver security-protected messages" or "Ensure that messages delivered were properly protected from a security perspective"? Both meanings are sensible and arguably desirable but I think that the first meaning is already covered by the bullet that reads "Not to observe, fabricate or alter the contents of the PB-TNC batches received from the network". While it's clever to include both meanings in this text, I think we're seeking clarity in our text not clever double meanings that might easily be missed by non-native speakers so I suggest rewording these bullets to say "Ensure that PB-TNC batches delivered to and from the network are properly protected from a security perspective while on the network". * In the first full bullet on page 10, I believe that "Posture Transport Client" should be "Posture Broker Client". Otherwise, the bullet makes no sense. Why would the Posture Transport Client need to expose the identity of the Posture Transport Server to the Posture Transport Client (PTC)? We'd have the PTC exposing something to itself. A similar comment applies in section 4.1.2 but in that case "Posture Transport Server" should be "Posture Broker Server". * With respect to the last five bullets in section 4.1.1, I don't think it's safe for the Posture Transport Server to completely trust the Posture Transport Client in these ways. After all, the Posture Transport Client is on an untrusted device. I suggest adding a sentence at the end of section 4.1.1 saying "While the Posture Transport Server expects the Posture Transport Client to follow these expectations, the Posture Transport Server cannot truly trust the Posture Transport Client since it's running on a potentially untrustworthy machine. Therefore, the Posture Transport Server must assume that the Posture Transport Client may be infected and malicious. The Posture Transport Server should protect itself accordingly." A similar argument can be applied to section 4.1.2 but it is not as strong there because the Posture Transport Server is trusted by the Posture Transport Client to some degree since the NEA Server has been authenticated and a decision has been made that it is trusted to receive confidential information about endpoint posture and perhaps to send remediation instructions. Still, I suggest adding the following text at the end of section 4.1.2: While the Posture Transport Client expects the Posture Transport Server to follow these expectations and has inherently placed some trust in the Posture Transport Server by sending information about endpoint security posture to that server, the Posture Transport Client should still protect itself against compromise of the Posture Transport Server or errors in implementation by detecting and protecting against malformed messages and other suspicious behavior on the part of the Posture Transport Server. * In section 4.1.2, the first bullet in the second bulleted list should end in "Posture Transport Client" not "Posture Transport Server". * Section 4.2.2 refers to "fake PT-EAP error codes". There are no PT-EAP error codes. I suggest that we say "malformed PT-EAP messages" instead. * In the first paragraph of section 4.2.4, "the PT-EAP" should be just "PT-EAP". Later in that sentence, the word "are" should be "is" to match the subject of the sentence, "the message exchange". * In section 4.2.5, please add a citation of the NEA Asokan Attack Analysis draft after it is mentioned. That is, add "[I-D.ietf-nea-asokan]". Also, please update the reference in the references section to point to the WG draft version of this document not the individual submission version. And in the first sentence of section 4.2.5, remove the extra period after "3.4". * In the first sentence on top of page 14, change "only known" to "best known". There are other ways to protect against Asokan attacks. For example, one could use behavior analysis to detect an infected machine after it connects to the network. Still, the EMA is by far the best and most effective approach. * The second paragraph of section 4.3 cites EAP-FAST and EAP-TTLS. Please add TEAP. * The third paragraph of section 4.3 cites EAP-TTLS, mentioning that non-EAP authentication is supported. Please change "TTLS" to "EAP-TTLS". Also, please mention TEAP here also since TEAP supports password authentication without using an inner EAP method. * Section 4.3 says "Within each EAP tunnel method will exist a set of inner EAP method [...]". This should be "inner EAP methods" not "inner EAP method". Later in that paragraph, "the outer methods keys" should be "the outer method's keys". * Section 5 refers to the "IETF EAP Method Unification (EMU) working group". The word "Unification" should be "Update" there. Later in that sentence, "the EAP tunnel method" should be "a Standards Track EAP tunnel method". We already have two EAP tunnel methods that are Informational RFCs and satisfy NEA's requirements: EAP-FAST and EAP-TTLS. What's missing is a Standards Track EAP tunnel method. * The first paragraph of section 7 includes a reference to RFC 2434. That RFC has been obsoleted by RFC 5226. We should refer to the newer RFC instead. Also, we should add a period at the end of that paragraph. * Many of the references are not used anywhere in the document. Let's delete them. They are [IEEE], [I-D.ietf-emu-eaptunnel-req], [RFC3478], [RFC5216], [RFC5996], and [TNC-Binding]. Also, [RFC2434] will be unused if you adopt my last suggested change.
- [Nea] Minor Comments on PT-EAP Stephen Hanna