Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
Brian Haberman <brian@innovationslab.net> Thu, 08 May 2014 14:17 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F06191A03A5 for <netext@ietfa.amsl.com>; Thu, 8 May 2014 07:17:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CacDryvEG7S9 for <netext@ietfa.amsl.com>; Thu, 8 May 2014 07:17:34 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) by ietfa.amsl.com (Postfix) with ESMTP id C09651A03F1 for <netext@ietf.org>; Thu, 8 May 2014 07:17:33 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 868D8880CE; Thu, 8 May 2014 07:17:29 -0700 (PDT)
Received: from 1025238232.rudm2.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 7DC291368071; Thu, 8 May 2014 07:17:28 -0700 (PDT)
Message-ID: <536B91F2.3080607@innovationslab.net>
Date: Thu, 08 May 2014 10:17:22 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "Koodli, Rajeev" <rajeev.koodli@intel.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>, Basavaraj Patil <bpatil1@gmail.com>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com>
In-Reply-To: <CF8FF739.CE9%rajeev.koodli@intel.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="V9f1rnQEJbel3TowwVWBVwVRsC4pnq4Pn"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/8P0QyBxsM0MRZiG03NP1FdBDqXY
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 14:17:38 -0000
Hi Rajeev, Snipping down to just the open questions/issues... On 5/7/14 7:53 PM, Koodli, Rajeev wrote: > > On 5/7/14, 8:54 AM, "Brian Haberman" <brian@innovationslab.net> wrote: > >> >> 2. The document states that these new EAP attributes can be used in WiFi >> networks. Later, it talks about networks that employ 802.1X. Please be >> more specific as to what is covered under the generic WiFi in the >> context of this specification. > > > Reference to 802.1X is illustrative as in WiFi networks. The new EAP > attributes are applicable for trusted non-3GPP networks in general, but to > WiFi in particular. > I think that it would be good to clarify that in the Introduction. >> >> 8. Several of the attributes include strings in the data. What is the >> encoding for these strings? > > The encoding would follow 3GPP TS 23.003 as do the attributes in RFC 4187. > Will mention this. > I see a single reference to ASCII encoding for the username string in 4187. Is ASCII encoding assumed here as well? >> >> 10. Are the sub-types and types in 5.2, 5.3, 5.5, & 5.6 set in stone? >> Could new ones be defined in the future? If so, you will want to >> consider if they should be IANA registries. Otherwise, future RFCs will >> need to update this spec to extend the type/sub-type values supported. > > > This is a good point. AFAIK, there is no existing registry for these kinds > of sub-types and types. > Wondering pros and cons of creating a new registry..Thoughts? > It depends on how much the authors/WG think this spec will be extended. If you don't envision much change to these (sub-)types, the registry isn't useful. If there is potential to see new values (e.g., new connectivity types for AT_CONNECTIVITY_TYPE), a registry minimizes the need to have future RFCs update this one. I would suggest an analysis of potential new (sub-)type values coming along in the future. > >> >> 11. I am confused by the relationship between the attributes defined in >> sections 5.4 and 5.5. Would the AT_HANDOVER_SESSION_ID attribute ever >> be used without the AT_HANDOVER_INDICATION? If not, why have the >> session id in a separate attribute? It seems straightforward to include >> the session id info in the AT_HANDOVER_INDICATION attribute if Type=1. >> Am I missing something? > > AT_HANDOVER_SESSION_ID also includes the Access Technology in addition to > the Session Id. > > > We can do this by embedding Access Technology into the existing Pad field > for Type = 1. > (So, Pad if Type = 0, Access Technology if Type = 1). If this seems okay, > I don¹t mind combining the two. > Combining them makes sense if AT_HANDOVER_SESSION_ID is never sent without the corresponding AT_HANDOVER_INDICATION. >> >> 14. The Security Considerations section tells me nothing. Are there new >> threats with these new pieces of information flowing across the network? >> What are the privacy implications of these messages? Can any of the >> possible threat vectors be minimized? > > We are basically following RFC 4187 here. The relevant part is 12.7 which > refers to new attribute types: > > > "As described in Section 8, EAP-AKA allows the protocol to be extended > by defining new attribute types. When defining such attributes, it > should be noted that any extra attributes included in > EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are not > included in the MACs later on, and thus some other precautions must > be taken to avoid modifications to them.² > > > We do not have attributes that fit this requirement ( I¹ll double check > again). > In any case, we can refer to this text. The security considerations in 4187 are quite detailed in some instances. I think it would be good to document any potential security/privacy issues that could arise if these new attributes are abused in some way. Regards, Brian
- [netext] AD Evaluation: draft-ietf-netext-wifi-ep… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman