IETF Logo Mail Archive

Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes

Brian Haberman <brian@innovationslab.net> Tue, 10 June 2014 17:52 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E30E21A0239 for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 10:52:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBfNszH0AvKi for <netext@ietfa.amsl.com>; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCBD21A0260 for <netext@ietf.org>; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id BD11088119; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Received: from 102523818.rudm2.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 2D24C71C0002; Tue, 10 Jun 2014 10:52:20 -0700 (PDT)
Message-ID: <539745CA.10602@innovationslab.net>
Date: Tue, 10 Jun 2014 13:52:10 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Rajeev Koodli <rajeev.koodli@gmail.com>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com> <536B91F2.3080607@innovationslab.net> <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com> <536BB1A7.80205@innovationslab.net> <CAB_pk7C-tEzfHEbhmiZVO+YTjYVDq04HxMKv1iSaF5hO+zE__g@mail.gmail.com>
In-Reply-To: <CAB_pk7C-tEzfHEbhmiZVO+YTjYVDq04HxMKv1iSaF5hO+zE__g@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="9PpTw56hmIO7OvL1cPMMK55fLMFF82OUM"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/N1UTa6M8T2CI3nl-QzN6UF4lGa0
Cc: "Koodli, Rajeev" <rajeev.koodli@intel.com>, Basavaraj Patil <bpatil1@gmail.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 17:52:25 -0000

Hi Rajeev,
    The changes look reasonable.  I will start IETF Last Call shortly.

Regards,
Brian


On 6/10/14 12:19 PM, Rajeev Koodli wrote:
> Hi Brian,
> 
> we have submitted a new version reflecting the comments/conversation.
> 
> http://www.ietf.org/internet-drafts/draft-ietf-netext-wifi-epc-eap-attributes-08.txt
> 
> I have revised the draft based on what we agreed on.
> 
> - introduced a new registry for various sub-types
> - expanded security considerations
> - clarified multiple issues
> - fixed ID nits
> 
> I have left the AT_HANDOVER_SESSION_ID as is, since combining it with
> HANDOVER_INDICATION introduces clumsy header logic.
> 
> Please have a look.
> 
> Thanks.
> 
> -Rajeev
> 
> 
> 
> On Thu, May 8, 2014 at 9:32 AM, Brian Haberman <brian@innovationslab.net>
> wrote:
> 
>> Hi Rajeev,
>>
>> On 5/8/14 12:28 PM, Rajeev Koodli wrote:
>>> Hi Brian,
>>>
>>>
>>> On Thu, May 8, 2014 at 7:17 AM, Brian Haberman <brian@innovationslab.net
>>> wrote:
>>>
>>>>> The encoding would follow 3GPP TS 23.003 as do the attributes in RFC
>>>> 4187.
>>>>> Will mention this.
>>>>>
>>>>
>>>> I see a single reference to ASCII encoding for the username string in
>>>> 4187.  Is ASCII encoding assumed here as well?
>>>>
>>>>
>>> Rajeev> Yes, and I would refer to 3GPP TS 23.003 (as 4187 does).
>>>
>>>
>>
>> That works.
>>
>>
>>>>>>
>>>>>> 14. The Security Considerations section tells me nothing.  Are there
>> new
>>>>>> threats with these new pieces of information flowing across the
>> network?
>>>>>> What are the privacy implications of these messages?  Can any of the
>>>>>> possible threat vectors be minimized?
>>>>>
>>>>> We are basically following RFC 4187 here. The relevant part is 12.7
>> which
>>>>> refers to new attribute types:
>>>>>
>>>>>
>>>>> "As described in Section 8, EAP-AKA allows the protocol to be extended
>>>>>    by defining new attribute types.  When defining such attributes, it
>>>>>    should be noted that any extra attributes included in
>>>>>    EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are
>> not
>>>>> included in the MACs later on, and thus some other precautions must
>>>>>    be taken to avoid modifications to them.²
>>>>>
>>>>>
>>>>> We do not have attributes that fit this requirement ( I¹ll double check
>>>>> again).
>>>>> In any case, we can refer to this text.
>>>>
>>>> The security considerations in 4187 are quite detailed in some
>>>> instances.  I think it would be good to document any potential
>>>> security/privacy issues that could arise if these new attributes are
>>>> abused in some way.
>>>>
>>>>
>>> 4187 is extensive because the attributes there have to do with the
>> EAP-AKA
>>> mechanism itself.
>>>
>>> The attributes here are not related to the EAP-AKA itself, but extensions
>>> carried along with the EAP-AKA messages.
>>>
>>> Let me think about this further.
>>
>> Sure.  I want to make sure we head off any late issues when the Sec-Dir
>> review occurs.
>>
>> Regards,
>> Brian
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email