Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
Rajeev Koodli <rajeev.koodli@gmail.com> Tue, 10 June 2014 16:19 UTC
Return-Path: <rajeev.koodli@gmail.com>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10EFC1B2829 for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 09:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCc84Bffh86v for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 09:19:53 -0700 (PDT)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B24931B280E for <netext@ietf.org>; Tue, 10 Jun 2014 09:19:52 -0700 (PDT)
Received: by mail-wg0-f42.google.com with SMTP id z12so4008506wgg.1 for <netext@ietf.org>; Tue, 10 Jun 2014 09:19:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UnWyXcWv7keFb1iI/OREUX197acfkd89ubo0gk2QZBw=; b=Qt01iWwNGemFID6+i/cjKj4oqWviz52Vng+GYGcEtuwvMdwQHQXkbLeo8oFK8EgB1m uAk3wl8upr8TcmGafw1UqvdnrFso7cGFr5bAFPvBqHd5rQGPaLmYKpCBq92KUusKOneU u+AwK+MdcSDKzFNG6d/WHiWPNPBm4okgjPPssSsSu744SKWPUxAkX+ilqr/8JRdiw1aU 8ppGgv7WY8lS6nEN8mi8MzZgX0Tbi4VfKfbEl2gQA2iKvnM5pG/SMebA2zpQjrGELHlE djmlCOO05k5MIN4sGFzX7hFuWsV2OxcT/TEv4IgQuBxjKe2sOt1TzuWfeENAJKnWF1Fq hZOQ==
MIME-Version: 1.0
X-Received: by 10.180.105.72 with SMTP id gk8mr39314148wib.32.1402417190923; Tue, 10 Jun 2014 09:19:50 -0700 (PDT)
Received: by 10.195.11.132 with HTTP; Tue, 10 Jun 2014 09:19:50 -0700 (PDT)
In-Reply-To: <536BB1A7.80205@innovationslab.net>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com> <536B91F2.3080607@innovationslab.net> <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com> <536BB1A7.80205@innovationslab.net>
Date: Tue, 10 Jun 2014 09:19:50 -0700
Message-ID: <CAB_pk7C-tEzfHEbhmiZVO+YTjYVDq04HxMKv1iSaF5hO+zE__g@mail.gmail.com>
From: Rajeev Koodli <rajeev.koodli@gmail.com>
To: Brian Haberman <brian@innovationslab.net>
Content-Type: multipart/alternative; boundary="f46d0442685a7e072304fb7db2e2"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/7tXLsmkcsHyIn3c_bWQZcvM5DlY
Cc: "Koodli, Rajeev" <rajeev.koodli@intel.com>, Basavaraj Patil <bpatil1@gmail.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 16:19:57 -0000
Hi Brian, we have submitted a new version reflecting the comments/conversation. http://www.ietf.org/internet-drafts/draft-ietf-netext-wifi-epc-eap-attributes-08.txt I have revised the draft based on what we agreed on. - introduced a new registry for various sub-types - expanded security considerations - clarified multiple issues - fixed ID nits I have left the AT_HANDOVER_SESSION_ID as is, since combining it with HANDOVER_INDICATION introduces clumsy header logic. Please have a look. Thanks. -Rajeev On Thu, May 8, 2014 at 9:32 AM, Brian Haberman <brian@innovationslab.net> wrote: > Hi Rajeev, > > On 5/8/14 12:28 PM, Rajeev Koodli wrote: > > Hi Brian, > > > > > > On Thu, May 8, 2014 at 7:17 AM, Brian Haberman <brian@innovationslab.net > >wrote: > > > >>> The encoding would follow 3GPP TS 23.003 as do the attributes in RFC > >> 4187. > >>> Will mention this. > >>> > >> > >> I see a single reference to ASCII encoding for the username string in > >> 4187. Is ASCII encoding assumed here as well? > >> > >> > > Rajeev> Yes, and I would refer to 3GPP TS 23.003 (as 4187 does). > > > > > > That works. > > > >>>> > >>>> 14. The Security Considerations section tells me nothing. Are there > new > >>>> threats with these new pieces of information flowing across the > network? > >>>> What are the privacy implications of these messages? Can any of the > >>>> possible threat vectors be minimized? > >>> > >>> We are basically following RFC 4187 here. The relevant part is 12.7 > which > >>> refers to new attribute types: > >>> > >>> > >>> "As described in Section 8, EAP-AKA allows the protocol to be extended > >>> by defining new attribute types. When defining such attributes, it > >>> should be noted that any extra attributes included in > >>> EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are > not > >>> included in the MACs later on, and thus some other precautions must > >>> be taken to avoid modifications to them.² > >>> > >>> > >>> We do not have attributes that fit this requirement ( I¹ll double check > >>> again). > >>> In any case, we can refer to this text. > >> > >> The security considerations in 4187 are quite detailed in some > >> instances. I think it would be good to document any potential > >> security/privacy issues that could arise if these new attributes are > >> abused in some way. > >> > >> > > 4187 is extensive because the attributes there have to do with the > EAP-AKA > > mechanism itself. > > > > The attributes here are not related to the EAP-AKA itself, but extensions > > carried along with the EAP-AKA messages. > > > > Let me think about this further. > > Sure. I want to make sure we head off any late issues when the Sec-Dir > review occurs. > > Regards, > Brian > > >
- [netext] AD Evaluation: draft-ietf-netext-wifi-ep… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman