Re: [Nea] Consensus check on EAP-based PT

Joe Salowey <jsalowey@cisco.com> Wed, 03 August 2011 06:50 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74DAC5E8009 for <nea@ietfa.amsl.com>; Tue, 2 Aug 2011 23:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.821
X-Spam-Level:
X-Spam-Status: No, score=-104.821 tagged_above=-999 required=5 tests=[AWL=-2.222, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBUJFle2KTPo for <nea@ietfa.amsl.com>; Tue, 2 Aug 2011 23:50:33 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id A556421F8891 for <nea@ietf.org>; Tue, 2 Aug 2011 23:50:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=jsalowey@cisco.com; l=4226; q=dns/txt; s=iport; t=1312354245; x=1313563845; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=NSF2ndwGXndC/PZrwf7Uj4ShksgJ2fDX2zzDlIs4FFg=; b=dAMUfr+EZEZ4LPMCbutbVtIyTZd7SMd+NgrLsN8lFXfzDteuqIoG2iA4 qQf/uHns9uFezBxJ0PEnrB4JK+DIFq38Gfkhbnko3qIaehXVlQbz+i4La dCL9xdyhyAl2cWX4rR3+dC7+qdBxZFDWNFxmm4AFhrDM0bZioyOuRzFJl 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AucAAJ/uOE6rRDoI/2dsb2JhbABCmAWPVneBQAEBAQECAQEBAQ8BJy0HCwUHBAsOAwEDAQEoBycfAwYIBhMJGYdKBKFYAZ5OhWNfBIdaiyGFB4t9
X-IronPort-AV: E=Sophos;i="4.67,309,1309737600"; d="scan'208";a="9106927"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by rcdn-iport-9.cisco.com with ESMTP; 03 Aug 2011 06:50:43 +0000
Received: from [10.33.249.202] ([10.33.249.202]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p736ogJF002620; Wed, 3 Aug 2011 06:50:42 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Joe Salowey <jsalowey@cisco.com>
In-Reply-To: <AC6674AB7BC78549BB231821ABF7A9AEB6D0969659@EMBX01-WF.jnpr.net>
Date: Tue, 02 Aug 2011 23:50:28 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5A2C9B76-7BC5-48A5-B5DC-C9E99E135B29@cisco.com>
References: <6065F7697E427240893C1B5CF41828967EF7D4@XMB-RCD-111.cisco.com> <AC6674AB7BC78549BB231821ABF7A9AEB6D0969659@EMBX01-WF.jnpr.net>
To: Stephen Hanna <shanna@juniper.net>
X-Mailer: Apple Mail (2.1084)
Cc: "nea@ietf.org" <nea@ietf.org>
Subject: Re: [Nea] Consensus check on EAP-based PT
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2011 06:50:34 -0000

On Aug 2, 2011, at 3:54 PM, Stephen Hanna wrote:

> <WG Chair Hat Off>
> 
> I prefer option 1) PT-EAP.
> 
> My reasoning is that PT-EAP has been thoroughly vetted and widely
> implemented over the last five years. Also, it provides the best
> foundation for important future extensions such as secure proxy,
> as highlighted by Stefan Winter's recent comments on the NEA list.
> 
[Joe] I disagree that the EAP method approach is a good direction toward a secure proxy and other extensions. Currently in RADIUS, EAP is carried directly within a RADIUS attribute with no additional protection. For modern EAP methods this is not a problem, since they provide sufficient protection from various forms of attack (as they should, since they are used on unprotected links). We have spent a lot of effort moving away from EAP methods such as EAP-GTC and EAP-MD5 that are not strong. PT-EAP is a step backwards in this regard. Implementations will now have to be concerned about the protection of communications when an EAP attribute is being carried. Alternatively, if TLVs are used, a new RADIUS attribute can be defined to proxy the data if necessary. In addition, this attribute can be designed to provide the protection that is appropriate for NEA data.

> Thanks,
> 
> Steve
> 
> <WG Chair Hat On>
> 
>> -----Original Message-----
>> From: nea-bounces@ietf.org [mailto:nea-bounces@ietf.org] On Behalf Of
>> Susan Thomson (sethomso)
>> Sent: Tuesday, August 02, 2011 5:04 PM
>> To: nea@ietf.org
>> Subject: [Nea] Consensus check on EAP-based PT
>> 
>> At IETF81 and several prior IETF meetings, as well as on the mailing
>> list, the WG has evaluated the pros and cons of 2 architectural
>> approaches to carrying posture within an EAP tunnel method:
>> 
>> - EAP method
>> http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt
>> 
>> - EAP TLV.
>> http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv-03.txt
>> 
>> So far, there has been no WG consensus to adopt one architecture versus
>> the other. (At the recent F2F meeting in Quebec City, the consensus
>> check at the meeting showed an equal number in favor of each approach.)
>> 
>> This email is a final call to determine WG consensus on the L2 PT
>> approach.
>> 
>> The consensus check is to choose one of the following 3 options:
>> 1) PT-EAP approach
>> 2) NEA-TLV approach
>> 3) Neither (please state the reason if you choose this option)
>> 
>> Please respond to the above question by Tues Aug 16 at 5pm PT. Please
>> do so even if you have already expressed your opinion, either at a WG
>> meeting or on the mailing list. The answer can be as brief as selecting
>> option 1), 2) or 3). If you would like to add your reasons for your
>> choice, that would be appreciated too, especially if you choose option
>> 3).
>> 
>> If we have consensus on the mailing list, we will adopt the selected
>> approach.
>> 
>> If we still do not have consensus, the WG chairs and AD (Stephen
>> Farrell) have agreed that the AD will make a decision. The proponents
>> of both approaches have agreed to abide by this decision. This
>> resolution plan was discussed at the F2F meeting at IETF81. This plan
>> was also communicated to the list in an email on Jun 30, 2011. No
>> objections have been received.
>> 
>> In either case, the individual submission corresponding to the selected
>> approach will be adopted as a -00 NEA WG I-D, and we will proceed with
>> the normal process of editing the document within the WG.
>> 
>> Thanks
>> Susan
>> 
>> ------------------
>> References:
>> IETF81 audio session (start at approx 44 mins into session):
>> http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3
>> 
>> IETF81 draft meeting minutes:
>> http://tools.ietf.org/wg/nea/minutes
>> 
>> _______________________________________________
>> Nea mailing list
>> Nea@ietf.org
>> https://www.ietf.org/mailman/listinfo/nea
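The RADIUS behaviour Joe describes above (EAP carried in a RADIUS attribute with no protection beyond what each hop provides) can be seen concretely in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from the PT-EAP or EAP-TLV drafts, or from any NEA implementation. It builds an Access-Request carrying an EAP-Message attribute (RFC 2865, RFC 3579) with a valid Message-Authenticator, then acts as a RADIUS proxy: the proxy verifies the inbound HMAC with its shared secret, reads the EAP payload in the clear, replaces it, and re-signs the packet for the next hop. The shared secrets, identities and the EAP-Response/Identity payload are constructed sample values; the proxy rewrite step is there to show that the hop-by-hop Message-Authenticator does nothing for the EAP contents, which is why an EAP method used for posture transport has to carry its own protection.

```python
"""Added example: RADIUS Access-Request with EAP-Message, hop-by-hop only.

Message-Authenticator (RFC 3579 section 3.2) is HMAC-MD5 keyed with the
per-hop shared secret over the packet with the attribute value zeroed.
Every proxy holds the secret for its hop, so it can read, change and
re-authenticate the EAP payload. Secrets and identities are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                 # RFC 2865 codes and attribute types
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79              # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 3579
EAP_RESPONSE = 2                   # RFC 3748 codes and types
EAP_TYPE_IDENTITY = 1

NAS_SECRET = b"constructed-secret-hop1"    # constructed: NAS <-> proxy
HOME_SECRET = b"constructed-secret-hop2"   # constructed: proxy <-> home server


def eap_packet(code: int, identifier: int, eap_type: int, data: bytes) -> bytes:
    """Encode an EAP packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute; Length covers the Type and Length octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(identifier: int, request_auth: bytes,
                          attrs: bytes, secret: bytes) -> bytes:
    """Build an Access-Request whose Message-Authenticator is valid for `secret`."""
    body = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed MAC
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...], rejecting inconsistent length fields."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC over the packet with the MAC value zeroed."""
    pos = 20
    while pos + 1 < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + l:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + l])
        pos += l
    return False


def eap_payload(packet: bytes) -> bytes:
    """Concatenate EAP-Message values in order (RFC 3579 section 3.1)."""
    return b"".join(v for t, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def proxy_reads_and_rewrites(packet: bytes, secret_in: bytes,
                             secret_out: bytes, new_eap: bytes) -> bytes:
    """What any RADIUS proxy on the path can do with an unprotected EAP payload."""
    if not verify_message_authenticator(packet, secret_in):
        raise ValueError("inbound Message-Authenticator check failed")
    kept = b"".join(attribute(t, v) for t, v in parse_attributes(packet)
                    if t not in (ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR))
    return radius_access_request(packet[1], packet[4:20],
                                 kept + attribute(ATTR_EAP_MESSAGE, new_eap), secret_out)


def demo():
    """NAS sends EAP-Response/Identity; the proxy reads it and swaps the identity."""
    eap = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice@example.net")
    attrs = attribute(ATTR_USER_NAME, b"alice@example.net") + attribute(ATTR_EAP_MESSAGE, eap)
    req = radius_access_request(7, os.urandom(16), attrs, NAS_SECRET)
    seen = eap_payload(req)  # the proxy sees the whole EAP packet in the clear
    forged = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"mallory@example.net")
    relayed = proxy_reads_and_rewrites(req, NAS_SECRET, HOME_SECRET, forged)
    return seen, relayed


if __name__ == "__main__":
    seen, relayed = demo()
    print("proxy saw EAP:", seen)
    print("home server accepts rewritten packet:",
          verify_message_authenticator(relayed, HOME_SECRET))
```

The home server's check passes on the rewritten packet because the only key it shares is with the proxy; nothing in the RADIUS layer binds the EAP contents to the NAS or the peer. A strong EAP method (one with its own integrity protection and key derivation) closes this gap; an EAP method that relies on the surrounding tunnel or on RADIUS does not, which is the comparison with EAP-GTC and EAP-MD5 drawn in the message above.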