IETF Logo Mail Archive

Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes

Rajeev Koodli <rajeev.koodli@gmail.com> Tue, 10 June 2014 16:19 UTC

Return-Path: <rajeev.koodli@gmail.com>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10EFC1B2829 for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 09:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCc84Bffh86v for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 09:19:53 -0700 (PDT)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B24931B280E for <netext@ietf.org>; Tue, 10 Jun 2014 09:19:52 -0700 (PDT)
Received: by mail-wg0-f42.google.com with SMTP id z12so4008506wgg.1 for <netext@ietf.org>; Tue, 10 Jun 2014 09:19:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UnWyXcWv7keFb1iI/OREUX197acfkd89ubo0gk2QZBw=; b=Qt01iWwNGemFID6+i/cjKj4oqWviz52Vng+GYGcEtuwvMdwQHQXkbLeo8oFK8EgB1m uAk3wl8upr8TcmGafw1UqvdnrFso7cGFr5bAFPvBqHd5rQGPaLmYKpCBq92KUusKOneU u+AwK+MdcSDKzFNG6d/WHiWPNPBm4okgjPPssSsSu744SKWPUxAkX+ilqr/8JRdiw1aU 8ppGgv7WY8lS6nEN8mi8MzZgX0Tbi4VfKfbEl2gQA2iKvnM5pG/SMebA2zpQjrGELHlE djmlCOO05k5MIN4sGFzX7hFuWsV2OxcT/TEv4IgQuBxjKe2sOt1TzuWfeENAJKnWF1Fq hZOQ==
MIME-Version: 1.0
X-Received: by 10.180.105.72 with SMTP id gk8mr39314148wib.32.1402417190923; Tue, 10 Jun 2014 09:19:50 -0700 (PDT)
Received: by 10.195.11.132 with HTTP; Tue, 10 Jun 2014 09:19:50 -0700 (PDT)
In-Reply-To: <536BB1A7.80205@innovationslab.net>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com> <536B91F2.3080607@innovationslab.net> <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com> <536BB1A7.80205@innovationslab.net>
Date: Tue, 10 Jun 2014 09:19:50 -0700
Message-ID: <CAB_pk7C-tEzfHEbhmiZVO+YTjYVDq04HxMKv1iSaF5hO+zE__g@mail.gmail.com>
From: Rajeev Koodli <rajeev.koodli@gmail.com>
To: Brian Haberman <brian@innovationslab.net>
Content-Type: multipart/alternative; boundary="f46d0442685a7e072304fb7db2e2"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/7tXLsmkcsHyIn3c_bWQZcvM5DlY
Cc: "Koodli, Rajeev" <rajeev.koodli@intel.com>, Basavaraj Patil <bpatil1@gmail.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 16:19:57 -0000

Hi Brian,

we have submitted a new version reflecting the comments/conversation.

http://www.ietf.org/internet-drafts/draft-ietf-netext-wifi-epc-eap-attributes-08.txt

I have revised the draft based on what we agreed on.

- introduced a new registry for various sub-types
- expanded security considerations
- clarified multiple issues
- fixed ID nits

I have left the AT_HANDOVER_SESSION_ID as is, since combining it with
HANDOVER_INDICATION introduces clumsy header logic.

Please have a look.

Thanks.

-Rajeev



On Thu, May 8, 2014 at 9:32 AM, Brian Haberman <brian@innovationslab.net>
wrote:

> Hi Rajeev,
>
> On 5/8/14 12:28 PM, Rajeev Koodli wrote:
> > Hi Brian,
> >
> >
> > On Thu, May 8, 2014 at 7:17 AM, Brian Haberman <brian@innovationslab.net
> >wrote:
> >
> >>> The encoding would follow 3GPP TS 23.003 as do the attributes in RFC
> >> 4187.
> >>> Will mention this.
> >>>
> >>
> >> I see a single reference to ASCII encoding for the username string in
> >> 4187.  Is ASCII encoding assumed here as well?
> >>
> >>
> > Rajeev> Yes, and I would refer to 3GPP TS 23.003 (as 4187 does).
> >
> >
>
> That works.
>
>
> >>>>
> >>>> 14. The Security Considerations section tells me nothing.  Are there
> new
> >>>> threats with these new pieces of information flowing across the
> network?
> >>>> What are the privacy implications of these messages?  Can any of the
> >>>> possible threat vectors be minimized?
> >>>
> >>> We are basically following RFC 4187 here. The relevant part is 12.7
> which
> >>> refers to new attribute types:
> >>>
> >>>
> >>> "As described in Section 8, EAP-AKA allows the protocol to be extended
> >>>    by defining new attribute types.  When defining such attributes, it
> >>>    should be noted that any extra attributes included in
> >>>    EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are
> not
> >>> included in the MACs later on, and thus some other precautions must
> >>>    be taken to avoid modifications to them.²
> >>>
> >>>
> >>> We do not have attributes that fit this requirement ( I¹ll double check
> >>> again).
> >>> In any case, we can refer to this text.
> >>
> >> The security considerations in 4187 are quite detailed in some
> >> instances.  I think it would be good to document any potential
> >> security/privacy issues that could arise if these new attributes are
> >> abused in some way.
> >>
> >>
> > 4187 is extensive because the attributes there have to do with the
> EAP-AKA
> > mechanism itself.
> >
> > The attributes here are not related to the EAP-AKA itself, but extensions
> > carried along with the EAP-AKA messages.
> >
> > Let me think about this further.
>
> Sure.  I want to make sure we head off any late issues when the Sec-Dir
> review occurs.
>
> Regards,
> Brian
>
>
>

v2.23.0 | Report a Bug | By Email