Re: [Nea] Consensus check on EAP-based PT
Joe Salowey <jsalowey@cisco.com> Wed, 03 August 2011 06:50 UTC
To: Stephen Hanna <shanna@juniper.net>
Cc: "nea@ietf.org" <nea@ietf.org>

On Aug 2, 2011, at 3:54 PM, Stephen Hanna wrote:

> <WG Chair Hat Off>
>
> I prefer option 1) PT-EAP.
>
> My reasoning is that PT-EAP has been thoroughly vetted and widely
> implemented over the last five years. Also, it provides the best
> foundation for important future extensions such as secure proxy,
> as highlighted by Stefan Winter's recent comments on the NEA list.
>

[Joe] I disagree that the EAP method approach is a good direction to a
secure proxy and other extensions. Currently in RADIUS, EAP is carried
directly within a RADIUS attribute with no additional protection. For
modern EAP methods this is not a problem, since they provide sufficient
protection from various forms of attack (as they should since they are
used on unprotected links). We have spent a lot of effort moving away
from EAP methods such as EAP-GTC and EAP-MD5 that are not strong. PT-EAP
is a step backwards in this regard. Implementations will now have to be
concerned about the protection of communications when an EAP attribute
is being carried. Alternatively, if TLVs are used, a new RADIUS attribute
can be defined to proxy the data if necessary. In addition, this
attribute can be designed to provide the protection that is appropriate
for NEA data.

> Thanks,
>
> Steve
>
> <WG Chair Hat On>
>
>> -----Original Message-----
>> From: nea-bounces@ietf.org [mailto:nea-bounces@ietf.org] On Behalf Of
>> Susan Thomson (sethomso)
>> Sent: Tuesday, August 02, 2011 5:04 PM
>> To: nea@ietf.org
>> Subject: [Nea] Consensus check on EAP-based PT
>>
>> At IETF81 and several prior IETF meetings, as well as on the mailing
>> list, the WG has evaluated the pros and cons of 2 architectural
>> approaches to carrying posture within an EAP tunnel method:
>>
>> - EAP method
>>   http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt
>>
>> - EAP TLV.
>>   http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv-03.txt
>>
>> So far, there has been no WG consensus to adopt one architecture versus
>> the other. (At the recent F2F meeting in Quebec City, the consensus
>> check at the meeting showed an equal number in favor of each approach.)
>>
>> This email is a final call to determine WG consensus on the L2 PT
>> approach.
>>
>> The consensus check is to choose one of the following 3 options:
>> 1) PT-EAP approach
>> 2) NEA-TLV approach
>> 3) Neither (please state the reason if you choose this option)
>>
>> Please respond to the above question by Tues Aug 16 at 5pm PT. Please
>> do so even if you have already expressed your opinion, either at a WG
>> meeting or on the mailing list. The answer can be as brief as selecting
>> option 1), 2) or 3). If you would like to add your reasons for your
>> choice, that would be appreciated too, especially if you choose option
>> 3).
>>
>> If we have consensus on the mailing list, we will adopt the selected
>> approach.
>>
>> If we still do not have consensus, the WG chairs and AD (Stephen
>> Farrell) have agreed that the AD will make a decision. The proponents
>> of both approaches have agreed to abide by this decision. This
>> resolution plan was discussed at the F2F meeting at IETF81. This plan
>> was also communicated to the list in an email on Jun 30, 2011. No
>> objections have been received.
>>
>> In either case, the individual submission corresponding to the selected
>> approach will be adopted as a -00 NEA WG I-D, and we will proceed with
>> the normal process of editing the document within the WG.
>>
>> Thanks
>> Susan
>>
>> ------------------
>> References:
>> IETF81 audio session (start at approx 44 mins into session):
>> http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3
>>
>> IETF81 draft meeting minutes:
>> http://tools.ietf.org/wg/nea/minutes