Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
Brian Haberman <brian@innovationslab.net> Tue, 10 June 2014 17:52 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E30E21A0239 for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 10:52:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBfNszH0AvKi for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCBD21A0260 for <netext@ietf.org>; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id BD11088119; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Received: from 102523818.rudm2.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 2D24C71C0002; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Message-ID: <539745CA.10602@innovationslab.net>
Date: Tue, 10 Jun 2014 13:52:10 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Rajeev Koodli <rajeev.koodli@gmail.com>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com> <536B91F2.3080607@innovationslab.net> <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com> <536BB1A7.80205@innovationslab.net> <CAB_pk7C-tEzfHEbhmiZVO+YTjYVDq04HxMKv1iSaF5hO+zE__g@mail.gmail.com>
In-Reply-To: <CAB_pk7C-tEzfHEbhmiZVO+YTjYVDq04HxMKv1iSaF5hO+zE__g@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="9PpTw56hmIO7OvL1cPMMK55fLMFF82OUM"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/N1UTa6M8T2CI3nl-QzN6UF4lGa0
Cc: "Koodli, Rajeev" <rajeev.koodli@intel.com>, Basavaraj Patil <bpatil1@gmail.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 17:52:25 -0000
Hi Rajeev, The changes look reasonable. I will start IETF Last Call shortly. Regards, Brian On 6/10/14 12:19 PM, Rajeev Koodli wrote: > Hi Brian, > > we have submitted a new version reflecting the comments/conversation. > > http://www.ietf.org/internet-drafts/draft-ietf-netext-wifi-epc-eap-attributes-08.txt > > I have revised the draft based on what we agreed on. > > - introduced a new registry for various sub-types > - expanded security considerations > - clarified multiple issues > - fixed ID nits > > I have left the AT_HANDOVER_SESSION_ID as is, since combining it with > HANDOVER_INDICATION introduces clumsy header logic. > > Please have a look. > > Thanks. > > -Rajeev > > > > On Thu, May 8, 2014 at 9:32 AM, Brian Haberman <brian@innovationslab.net> > wrote: > >> Hi Rajeev, >> >> On 5/8/14 12:28 PM, Rajeev Koodli wrote: >>> Hi Brian, >>> >>> >>> On Thu, May 8, 2014 at 7:17 AM, Brian Haberman <brian@innovationslab.net >>> wrote: >>> >>>>> The encoding would follow 3GPP TS 23.003 as do the attributes in RFC >>>> 4187. >>>>> Will mention this. >>>>> >>>> >>>> I see a single reference to ASCII encoding for the username string in >>>> 4187. Is ASCII encoding assumed here as well? >>>> >>>> >>> Rajeev> Yes, and I would refer to 3GPP TS 23.003 (as 4187 does). >>> >>> >> >> That works. >> >> >>>>>> >>>>>> 14. The Security Considerations section tells me nothing. Are there >> new >>>>>> threats with these new pieces of information flowing across the >> network? >>>>>> What are the privacy implications of these messages? Can any of the >>>>>> possible threat vectors be minimized? >>>>> >>>>> We are basically following RFC 4187 here. The relevant part is 12.7 >> which >>>>> refers to new attribute types: >>>>> >>>>> >>>>> "As described in Section 8, EAP-AKA allows the protocol to be extended >>>>> by defining new attribute types. When defining such attributes, it >>>>> should be noted that any extra attributes included in >>>>> EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are >> not >>>>> included in the MACs later on, and thus some other precautions must >>>>> be taken to avoid modifications to them.² >>>>> >>>>> >>>>> We do not have attributes that fit this requirement ( I¹ll double check >>>>> again). >>>>> In any case, we can refer to this text. >>>> >>>> The security considerations in 4187 are quite detailed in some >>>> instances. I think it would be good to document any potential >>>> security/privacy issues that could arise if these new attributes are >>>> abused in some way. >>>> >>>> >>> 4187 is extensive because the attributes there have to do with the >> EAP-AKA >>> mechanism itself. >>> >>> The attributes here are not related to the EAP-AKA itself, but extensions >>> carried along with the EAP-AKA messages. >>> >>> Let me think about this further. >> >> Sure. I want to make sure we head off any late issues when the Sec-Dir >> review occurs. >> >> Regards, >> Brian >> >> >> >
- [netext] AD Evaluation: draft-ietf-netext-wifi-ep… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman