Re: [Nea] Protecting L2 PT when proxying
Stephen Hanna <shanna@juniper.net> Thu, 04 August 2011 00:47 UTC
Return-Path: <shanna@juniper.net>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56F6611E80C2 for <nea@ietfa.amsl.com>; Wed, 3 Aug 2011 17:47:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.591
X-Spam-Level:
X-Spam-Status: No, score=-106.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WMMxSo4Wyg6C for <nea@ietfa.amsl.com>; Wed, 3 Aug 2011 17:47:34 -0700 (PDT)
Received: from exprod7og115.obsmtp.com (exprod7og115.obsmtp.com [64.18.2.217]) by ietfa.amsl.com (Postfix) with ESMTP id 5804F11E80B7 for <nea@ietf.org>; Wed, 3 Aug 2011 17:47:33 -0700 (PDT)
Received: from P-EMHUB03-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob115.postini.com ([64.18.6.12]) with SMTP ID DSNKTjnsMjNFFahHMSf5ViOpgclrQGJj4w6I@postini.com; Wed, 03 Aug 2011 17:47:47 PDT
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.2.254.0; Wed, 3 Aug 2011 17:47:46 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Wed, 3 Aug 2011 20:47:45 -0400
From: Stephen Hanna <shanna@juniper.net>
To: Joe Salowey <jsalowey@cisco.com>
Date: Wed, 03 Aug 2011 20:47:43 -0400
Thread-Topic: Protecting L2 PT when proxying
Thread-Index: AcxSH65cYWZlQZqFTuy3p7NaqTy88QAACggQ
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AEB7286BF210@EMBX01-WF.jnpr.net>
References: <6065F7697E427240893C1B5CF41828967EF7D4@XMB-RCD-111.cisco.com> <AC6674AB7BC78549BB231821ABF7A9AEB6D0969659@EMBX01-WF.jnpr.net> <5A2C9B76-7BC5-48A5-B5DC-C9E99E135B29@cisco.com> <AC6674AB7BC78549BB231821ABF7A9AEB6D09699E9@EMBX01-WF.jnpr.net> <CB0D88DA-97CA-42E8-8C5E-B6E46F8F67F8@cisco.com>
In-Reply-To: <CB0D88DA-97CA-42E8-8C5E-B6E46F8F67F8@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "nea@ietf.org" <nea@ietf.org>
Subject: Re: [Nea] Protecting L2 PT when proxying
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2011 00:47:35 -0000
My comments are inline below. Joe Salowey wrote: > On Aug 3, 2011, at 7:28 AM, Stephen Hanna wrote: > > We talked about this at length in the WG meeting last week. > > I think we all agreed that both of the L2 PT proposals MUST > > be carried in an EAP tunnel method or equivalent protection. > > This will need to be an explicit requirement in the spec. > > > > The same requirements should apply to proxying PT beyond > > the end of the EAP tunnel method. > > [Joe] If you follow the above mandate then you would not expose PT-EAP > outside the tunnel method. I believe this is the appropriate > requirement if using PT-EAP. I don't agree. You should be able to use RADSEC to proxy PT-EAP from an EAP server that terminates the EAP tunnel and authenticates the user to a NEA Server that performs the posture assessment. > > For PT-EAP, the obvious > > choice is to use RADSEC (RADIUS/TLS). For EAP-TLV, a new > > RADIUS attribute could be created to solve the problem, > > as you suggest. Or RADSEC could be used. But neither L2 PT > > proposal is suitable for unprotected conveyance over an > > untrusted network. I suppose we could revise the proposals > > to include their own security measures so that they could > > be carried without external protections. But this was never > > a design goal for NEA. I don't see any reason to add it > > now, especially in the middle of a consensus check. > > > [Joe] The problem here is that the EAP RADIUS attribute in general > does not require additional protection. PT-EAP introduces a new > special case in which it does. This creates a situation in which > implementations need to check the EAP type code in order to change > their behavior. While this may seem harmless, it adds complexity and > conspires against the extensible framework that EAP and AAA are built > upon. I agree that there are multiple ways to protect an attribute. > When proxying NEA data as an EAP method you are overloading an existing > attribute with new meaning and requirements, but with a TLV you would > create a new attribute with its own protection requirements and > possibly its own protection mechanism. You can also create an > attribute to carry PT data even if you are using PT-EAP, which would be > my preferred approach if we are going to expose NEA data outside the > tunnel. PT-EAP is no more a special case than any of the other EAP methods that cannot safely be used without protections. You may consider this to be difficult to implement but several implementers have already spoken out on the NEA list saying that they found an EAP- based PT easier to implement than an attribute-based PT. I don't question that PT-EAP might be harder for your employer to implement since you've designed your architecture around using TLVs to carry posture but apparently this does not hold for other implementations. Thanks, Steve > >> -----Original Message----- > >> From: Joe Salowey [mailto:jsalowey@cisco.com] > >> Sent: Wednesday, August 03, 2011 2:50 AM > >> To: Stephen Hanna > >> Cc: nea@ietf.org > >> Subject: Re: [Nea] Consensus check on EAP-based PT > >> > >> > >> On Aug 2, 2011, at 3:54 PM, Stephen Hanna wrote: > >> > >>> <WG Chair Hat Off> > >>> > >>> I prefer option 1) PT-EAP. > >>> > >>> My reasoning is that PT-EAP has been thoroughly vetted and widely > >>> implemented over the last five years. Also, it provides the best > >>> foundation for important future extensions such as secure proxy, > >>> as highlighted by Stefan Winter's recent comments on the NEA list. > >>> > >> [Joe] I disagree that the EAP method approach is a good direction to > a > >> secure proxy and other extensions. Currently in RADIUS, EAP is > >> carried directly within a RADIUS attribute with no additional > >> protection. For modern EAP methods this is not a problem, since > they > >> provide sufficient protection from various forms of attack (as they > >> should since they are used on unprotected links). We have spent a > lot > >> of effort moving away from EAP methods such as EAP-GTC and EAP-MD5 > that > >> are not strong. PT-EAP is a step backwards in this regard. > >> Implementations will now have to be concerned about the protection > >> communications when an EAP attribute is being carried. > Alternatively, > >> if TLVs are used a new RADIUS attribute can be defined to proxy the > >> data if necessary. In addition, this attribute can be designed to > >> provide the protection that is appropriate for NEA data. > >> > >>> Thanks, > >>> > >>> Steve > >>> > >>> <WG Chair Hat On> > >>> > >>>> -----Original Message----- > >>>> From: nea-bounces@ietf.org [mailto:nea-bounces@ietf.org] On Behalf > >> Of > >>>> Susan Thomson (sethomso) > >>>> Sent: Tuesday, August 02, 2011 5:04 PM > >>>> To: nea@ietf.org > >>>> Subject: [Nea] Consensus check on EAP-based PT > >>>> > >>>> At IETF81 and several prior IETF meetings, as well as on the > mailing > >>>> list, the WG has evaluated the pros and cons of 2 architectural > >>>> approaches to carrying posture within an EAP tunnel method: > >>>> > >>>> - EAP method > >>>> http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt > >>>> > >>>> - EAP TLV. > >>>> http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv- > 03.txt > >>>> > >>>> So far, there has been no WG consensus to adopt one architecture > >> versus > >>>> the other. (At the recent F2F meeting in Quebec City, the > consensus > >>>> check at the meeting showed an equal number in favor of each > >> approach.) > >>>> > >>>> This email is a final call to determine WG consensus on the L2 PT > >>>> approach. > >>>> > >>>> The consensus check is to choose one of the following 3 options: > >>>> 1) PT-EAP approach > >>>> 2) NEA-TLV approach > >>>> 3) Neither (please state the reason if you choose this option) > >>>> > >>>> Please respond to the above question by Tues Aug 16 at 5pm PT. > >> Please > >>>> do > >>>> so even if you have already expressed your opinion, either at a WG > >>>> meeting or on the mailing list. The answer can be as brief as > >> selecting > >>>> option 1), 2) or 3). If you would like to add your reasons for > your > >>>> choice, that would be appreciated too, especially if you choose > >> option > >>>> 3). > >>>> > >>>> If we have consensus on the mailing list, we will adopt the > selected > >>>> approach. > >>>> > >>>> If we still do not have consensus, the WG chairs and AD (Stephen > >>>> Farrell) have agreed that the AD will make a decision. The > >> proponents > >>>> of > >>>> both approaches have agreed to abide by this decision. This > >> resolution > >>>> plan was discussed at the F2F meeting at IETF81. This plan was > also > >>>> communicated to the list in an email on Jun 30, 2011. No > objections > >>>> have > >>>> been received. > >>>> > >>>> In either case, the individual submission corresponding to the > >> selected > >>>> approach will be adopted as a -00 NEA WG I-D, and we will proceed > >> with > >>>> the normal process of editing the document within the WG. > >>>> > >>>> Thanks > >>>> Susan > >>>> > >>>> ------------------ > >>>> References: > >>>> IETF81 audio session (start at approx 44 mins into session): > >>>> http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3 > >>>> > >>>> IETF81 draft meeting minutes: > >>>> http://tools.ietf.org/wg/nea/minutes > >>>> > >>>> _______________________________________________ > >>>> Nea mailing list > >>>> Nea@ietf.org > >>>> https://www.ietf.org/mailman/listinfo/nea > >>> _______________________________________________ > >>> Nea mailing list > >>> Nea@ietf.org > >>> https://www.ietf.org/mailman/listinfo/nea > >
- [Nea] Consensus check on EAP-based PT Susan Thomson (sethomso)
- Re: [Nea] Consensus check on EAP-based PT Ira McDonald
- Re: [Nea] Consensus check on EAP-based PT Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Sanchez, Mauricio (HP Networking)
- Re: [Nea] Consensus check on EAP-based PT Hao Zhou
- Re: [Nea] Consensus check on EAP-based PT Frank Yeh Jr
- Re: [Nea] Consensus check on EAP-based PT Alan DeKok
- Re: [Nea] Consensus check on EAP-based PT Andreas Steffen
- Re: [Nea] Consensus check on EAP-based PT Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Klaas Wierenga
- Re: [Nea] Consensus check on EAP-based PT Lisa Lorenzin
- Re: [Nea] Consensus check on EAP-based PT Marc Linsner
- [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Mike Fratto
- Re: [Nea] Consensus check on EAP-based PT john.willis
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Jouni Malinen
- Re: [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Nancy Cam-Winget
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT latze@angry-red-pla.net
- Re: [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Protecting L2 PT when proxying Mike Fratto
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT kaushik narayan
- Re: [Nea] Consensus check on EAP-based PT Paul Sangster
- Re: [Nea] Consensus check on EAP-based PT Stephen McCann