IETF Logo Mail Archive

Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes

Brian Haberman <brian@innovationslab.net> Thu, 08 May 2014 16:33 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: netext@ietfa.amsl.com
Delivered-To: netext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56F1D1A0081 for <netext@ietfa.amsl.com>; Thu, 8 May 2014 09:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHqlgG6BTu6X for <netext@ietfa.amsl.com>; Thu, 8 May 2014 09:32:59 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) by ietfa.amsl.com (Postfix) with ESMTP id 300BA1A007D for <netext@ietf.org>; Thu, 8 May 2014 09:32:59 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id DC749880D1; Thu, 8 May 2014 09:32:54 -0700 (PDT)
Received: from 1025238232.rudm2.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 574991368071; Thu, 8 May 2014 09:32:54 -0700 (PDT)
Message-ID: <536BB1A7.80205@innovationslab.net>
Date: Thu, 08 May 2014 12:32:39 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Rajeev Koodli <rajeev.koodli@gmail.com>
References: <536A5721.8000100@innovationslab.net> <CF8FF739.CE9%rajeev.koodli@intel.com> <536B91F2.3080607@innovationslab.net> <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com>
In-Reply-To: <CAB_pk7A2_rn84v+jY8N=rjvnKanJaQnQ7m54RzG9hrFJK3CPUg@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="kxkMkxC7LEq6Q68Fmsnlqh4vFkdwEwcGC"
Archived-At: http://mailarchive.ietf.org/arch/msg/netext/zA-M25L1lq1IEEz8PdeqeBMaA-U
Cc: "Koodli, Rajeev" <rajeev.koodli@intel.com>, Basavaraj Patil <bpatil1@gmail.com>, "draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes@tools.ietf.org>, "netext@ietf.org" <netext@ietf.org>
Subject: Re: [netext] AD Evaluation: draft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: netext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list for discusion of extensions to network mobility protocol, i.e PMIP6. " <netext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netext>, <mailto:netext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netext/>
List-Post: <mailto:netext@ietf.org>
List-Help: <mailto:netext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netext>, <mailto:netext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 16:33:02 -0000

Hi Rajeev,

On 5/8/14 12:28 PM, Rajeev Koodli wrote:
> Hi Brian,
> 
> 
> On Thu, May 8, 2014 at 7:17 AM, Brian Haberman <brian@innovationslab.net>wrote:
> 
>>> The encoding would follow 3GPP TS 23.003 as do the attributes in RFC
>> 4187.
>>> Will mention this.
>>>
>>
>> I see a single reference to ASCII encoding for the username string in
>> 4187.  Is ASCII encoding assumed here as well?
>>
>>
> Rajeev> Yes, and I would refer to 3GPP TS 23.003 (as 4187 does).
> 
> 

That works.


>>>>
>>>> 14. The Security Considerations section tells me nothing.  Are there new
>>>> threats with these new pieces of information flowing across the network?
>>>> What are the privacy implications of these messages?  Can any of the
>>>> possible threat vectors be minimized?
>>>
>>> We are basically following RFC 4187 here. The relevant part is 12.7 which
>>> refers to new attribute types:
>>>
>>>
>>> "As described in Section 8, EAP-AKA allows the protocol to be extended
>>>    by defining new attribute types.  When defining such attributes, it
>>>    should be noted that any extra attributes included in
>>>    EAP-Request/AKA-Identity or EAP-Response/AKA-Identity packets are not
>>> included in the MACs later on, and thus some other precautions must
>>>    be taken to avoid modifications to them.²
>>>
>>>
>>> We do not have attributes that fit this requirement ( I¹ll double check
>>> again).
>>> In any case, we can refer to this text.
>>
>> The security considerations in 4187 are quite detailed in some
>> instances.  I think it would be good to document any potential
>> security/privacy issues that could arise if these new attributes are
>> abused in some way.
>>
>>
> 4187 is extensive because the attributes there have to do with the EAP-AKA
> mechanism itself.
> 
> The attributes here are not related to the EAP-AKA itself, but extensions
> carried along with the EAP-AKA messages.
> 
> Let me think about this further.

Sure.  I want to make sure we head off any late issues when the Sec-Dir
review occurs.

Regards,
Brian

v2.23.0 | Report a Bug | By Email