Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
Rajeev Koodli <rajeev.koodli@gmail.com> Thu, 08 May 2014 16:28 UTC
Return-Path: <rajeev.koodli@gmail.com>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 808781A0095 for <netext@ietfa.amsl.com>; Thu, 8 May 2014 09:28:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Ut6QIgz9NAk for <netext@ietfa.amsl.com>; Thu, 8 May 2014 09:28:54 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) by ietfa.amsl.com (Postfix) with ESMTP id 51A3A1A0074 for <netext@ietf.org>; Thu, 8 May 2014 09:28:54 -0700 (PDT)
Received: by mail-wi0-f180.google.com with SMTP id hi2so3408462wib.7 for <netext@ietf.org>; Thu, 08 May 2014 09:28:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rJf3keZQTCfm/ae3xgnmdhbd85vmTXxSsYdOgTdmBso=; b=IWV8Ydn3BGRNXENM+8SqjomzKKuKpTeCw5Df7R+6dh5qVwHcRpxGUOaiIsHL20AX4+ Yxz/jyCvVviufaJUhc+fbHDidwyixdYUu8q2syUEq0Kfp46NF0gsLBsNUkWKBIy9i/ez 8eCbN52F8+B4Trb+lvJN9Ny32GkvuSbnMrkciKwvvVNZju+NxNZ+9tS3Z5BIOA3jr6m3 Qo+mnG/TzvcdHDzzmfRyifnEK/8WplSuMnH7WvaYDvw6OKofkUBA76sjVkclqigrelqP Gc9gSNWSJp7d7j94aRoFO+MsFWcd+LhE9rMahi9ykBRwWAQcwKhpdavtqWa48pD8oBnQ B29A==
MIME-Version: 1.0
X-Received: by 10.180.105.72 with SMTP id gk8mr13760843wib.32.1399566529254; Thu, 08 May 2014 09:28:49 -0700 (PDT)
Received: by 10.194.178.162 with HTTP; Thu, 8 May 2014 09:28:49 -0700 (PDT)
In-Reply-To: <536B91F2.3080607@innovationslab.net>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com> <536B91F2.3080607@innovationslab.net>
Date: Thu, 08 May 2014 09:28:49 -0700
Message-ID: <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com>
From: Rajeev Koodli <rajeev.koodli@gmail.com>
To: Brian Haberman <brian@innovationslab.net>
Content-Type: multipart/alternative; boundary="f46d0442685ad0e87104f8e5f959"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/Wxwu4kFkb0huxc5wxTgrJJIsSu4
Cc: "Koodli, Rajeev" <rajeev.koodli@intel.com>, Basavaraj Patil <bpatil1@gmail.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 16:28:56 -0000
Hi Brian, On Thu, May 8, 2014 at 7:17 AM, Brian Haberman <brian@innovationslab.net>wrote: > > The encoding would follow 3GPP TS 23.003 as do the attributes in RFC > 4187. > > Will mention this. > > > > I see a single reference to ASCII encoding for the username string in > 4187. Is ASCII encoding assumed here as well? > > Rajeev> Yes, and I would refer to 3GPP TS 23.003 (as 4187 does). > >> > >> 10. Are the sub-types and types in 5.2, 5.3, 5.5, & 5.6 set in stone? > >> Could new ones be defined in the future? If so, you will want to > >> consider if they should be IANA registries. Otherwise, future RFCs will > >> need to update this spec to extend the type/sub-type values supported. > > > > > > This is a good point. AFAIK, there is no existing registry for these > kinds > > of sub-types and types. > > Wondering pros and cons of creating a new registry..Thoughts? > > > > It depends on how much the authors/WG think this spec will be extended. > If you don't envision much change to these (sub-)types, the registry > isn't useful. If there is potential to see new values (e.g., new > connectivity types for AT_CONNECTIVITY_TYPE), a registry minimizes the > need to have future RFCs update this one. I would suggest an analysis > of potential new (sub-)type values coming along in the future. > > ok. > > > >> > >> 11. I am confused by the relationship between the attributes defined in > >> sections 5.4 and 5.5. Would the AT_HANDOVER_SESSION_ID attribute ever > >> be used without the AT_HANDOVER_INDICATION? If not, why have the > >> session id in a separate attribute? It seems straightforward to include > >> the session id info in the AT_HANDOVER_INDICATION attribute if Type=1. > >> Am I missing something? > > > > AT_HANDOVER_SESSION_ID also includes the Access Technology in addition to > > the Session Id. > > > > > > We can do this by embedding Access Technology into the existing Pad field > > for Type = 1. > > (So, Pad if Type = 0, Access Technology if Type = 1). If this seems okay, > > I don¹t mind combining the two. > > > > Combining them makes sense if AT_HANDOVER_SESSION_ID is never sent > without the corresponding AT_HANDOVER_INDICATION. > > Yes, I understand. > >> > >> 14. The Security Considerations section tells me nothing. Are there new > >> threats with these new pieces of information flowing across the network? > >> What are the privacy implications of these messages? Can any of the > >> possible threat vectors be minimized? > > > > We are basically following RFC 4187 here. The relevant part is 12.7 which > > refers to new attribute types: > > > > > > "As described in Section 8, EAP-AKA allows the protocol to be extended > > by defining new attribute types. When defining such attributes, it > > should be noted that any extra attributes included in > > EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are not > > included in the MACs later on, and thus some other precautions must > > be taken to avoid modifications to them.² > > > > > > We do not have attributes that fit this requirement ( I¹ll double check > > again). > > In any case, we can refer to this text. > > The security considerations in 4187 are quite detailed in some > instances. I think it would be good to document any potential > security/privacy issues that could arise if these new attributes are > abused in some way. > > 4187 is extensive because the attributes there have to do with the EAP-AKA mechanism itself. The attributes here are not related to the EAP-AKA itself, but extensions carried along with the EAP-AKA messages. Let me think about this further. Regards, -Rajeev > Regards, > Brian > > >
- [netext] AD Evaluation: draft-ietf-netext-wifi-ep… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman