Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
Brian Haberman <brian@innovationslab.net> Thu, 08 May 2014 16:33 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56F1D1A0081 for <netext@ietfa.amsl.com>; Thu, 8 May 2014 09:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHqlgG6BTu6X for <netext@ietfa.amsl.com>; Thu, 8 May 2014 09:32:59 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) by ietfa.amsl.com (Postfix) with ESMTP id 300BA1A007D for <netext@ietf.org>; Thu, 8 May 2014 09:32:59 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id DC749880D1; Thu, 8 May 2014 09:32:54 -0700 (PDT)
Received: from 1025238232.rudm2.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 574991368071; Thu, 8 May 2014 09:32:54 -0700 (PDT)
Message-ID: <536BB1A7.80205@innovationslab.net>
Date: Thu, 08 May 2014 12:32:39 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Rajeev Koodli <rajeev.koodli@gmail.com>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com> <536B91F2.3080607@innovationslab.net> <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com>
In-Reply-To: <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="kxkMkxC7LEq6Q68Fmsnlqh4vFkdwEwcGC"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/zA-M25L1lq1IEEz8PdeqeBMaA-U
Cc: "Koodli, Rajeev" <rajeev.koodli@intel.com>, Basavaraj Patil <bpatil1@gmail.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 16:33:02 -0000
Hi Rajeev, On 5/8/14 12:28 PM, Rajeev Koodli wrote: > Hi Brian, > > > On Thu, May 8, 2014 at 7:17 AM, Brian Haberman <brian@innovationslab.net>wrote: > >>> The encoding would follow 3GPP TS 23.003 as do the attributes in RFC >> 4187. >>> Will mention this. >>> >> >> I see a single reference to ASCII encoding for the username string in >> 4187. Is ASCII encoding assumed here as well? >> >> > Rajeev> Yes, and I would refer to 3GPP TS 23.003 (as 4187 does). > > That works. >>>> >>>> 14. The Security Considerations section tells me nothing. Are there new >>>> threats with these new pieces of information flowing across the network? >>>> What are the privacy implications of these messages? Can any of the >>>> possible threat vectors be minimized? >>> >>> We are basically following RFC 4187 here. The relevant part is 12.7 which >>> refers to new attribute types: >>> >>> >>> "As described in Section 8, EAP-AKA allows the protocol to be extended >>> by defining new attribute types. When defining such attributes, it >>> should be noted that any extra attributes included in >>> EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are not >>> included in the MACs later on, and thus some other precautions must >>> be taken to avoid modifications to them.² >>> >>> >>> We do not have attributes that fit this requirement ( I¹ll double check >>> again). >>> In any case, we can refer to this text. >> >> The security considerations in 4187 are quite detailed in some >> instances. I think it would be good to document any potential >> security/privacy issues that could arise if these new attributes are >> abused in some way. >> >> > 4187 is extensive because the attributes there have to do with the EAP-AKA > mechanism itself. > > The attributes here are not related to the EAP-AKA itself, but extensions > carried along with the EAP-AKA messages. > > Let me think about this further. Sure. I want to make sure we head off any late issues when the Sec-Dir review occurs. Regards, Brian
- [netext] AD Evaluation: draft-ietf-netext-wifi-ep… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Rajeev Koodli
- Re: [netext] AD Evaluation: draft-ietf-netext-wif… Brian Haberman