Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579:
Bernard Aboba <bernard.aboba@gmail.com> Thu, 31 March 2022 20:40 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75EEB3A0D75; Thu, 31 Mar 2022 13:40:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ET1GsDkLF0Vv; Thu, 31 Mar 2022 13:40:49 -0700 (PDT)
Received: from mail-vk1-xa36.google.com (mail-vk1-xa36.google.com [IPv6:2607:f8b0:4864:20::a36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD1723A0D61; Thu, 31 Mar 2022 13:40:48 -0700 (PDT)
Received: by mail-vk1-xa36.google.com with SMTP id l184so489410vkh.0; Thu, 31 Mar 2022 13:40:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cqrcQgbze6B6+cuFjBuFu4ya2VgmByBKUFp2ZT234xE=; b=fdRZu3ykWR12ia3GQEmEh/sJbxyUtHahQP2Ds0rMMBhpts+BcFs5CYS4gO02JPsWKB YdVjfcnDNukylYtJkQ10x+jpMuXjsunSbx6875IB/o+ijBoNZVm+XnDLXH54JPN3I78w uP4SAt0XUqU5PWDByvi9yETkmt7u8zjqqzF2QqrLb91jus3n+DdR2rqU9w8jH1KBQPlz oDwKMbH7kxJnPSLs0L5MQ0TlRmgIlChDzlc17USIvK4ytVOPz5WLQLwjy30UoKm6Fxg7 ip+ox1fILFJCm4ntEmXSrGUDOYyjDFGq24yfWmH75OjVqH20bH9Oxf42YM0DJr4RYVOG 7MQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cqrcQgbze6B6+cuFjBuFu4ya2VgmByBKUFp2ZT234xE=; b=pBoWWXsiRxNGDDC/rMuauxJf4QX4SQcRqNMpOfAecJz888TbfVWlJfrCOdFKss8dpZ yj1cdJPmcCwl0qdi4vRR6B9eg5kcFk4cA3d8+M8BkaOUKafq+IP+wvpM81dcbtWUWuZQ LHtV0FFFpnTnX6+LCi7Oa4HNu6K3ZerC1EVppt1n7RtHUPMod2dftrtbvygzKwnth3BO 9ur6wL0SOk81sRFfjIedJimT4GHExMyXbshc/0ZB4QahzFjcbdzJwY9ciYkJ0YcCHgDZ tmiweq1H/T5xji9cTX0A6hvWoYBMNrgKYgBGvETs+Y7duoCf3KwzeZKqy/Ou9Y8rDovx V66A==
X-Gm-Message-State: AOAM532l2FY9KAVHt1MfKmXRx4T6cS/EsRaLhd7l9j+Ml9emwsi7CMln K/qwVRISlpxTuwj4YsrBaU2KHbZa/xqcjaYhkJ1Bd4vz8r8=
X-Google-Smtp-Source: ABdhPJxHU6YhyOWCZ3Wdvk9HZGbEmmfYveXDk+k2OYiHXGkSoUlZMPcsUrErq7iHO1fRdpkX1jmB3nRKgAiUQ/xgsd8=
X-Received: by 2002:a1f:9b85:0:b0:32d:4d56:cf64 with SMTP id d127-20020a1f9b85000000b0032d4d56cf64mr2851746vke.31.1648759247345; Thu, 31 Mar 2022 13:40:47 -0700 (PDT)
MIME-Version: 1.0
References: <fbc6e33a-fa6a-ba2c-0840-700116a6a182@rfc-editor.org> <CAOW+2dvuh2r-qbKM0h-qohTOpCiUy_U58vi22nNiXJs4cOjUBA@mail.gmail.com> <7FEC9E12-846B-4218-8F29-F6839243B8C2@deployingradius.com>
In-Reply-To: <7FEC9E12-846B-4218-8F29-F6839243B8C2@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Thu, 31 Mar 2022 13:40:36 -0700
Message-ID: <CAOW+2dudRkygc8PPobWgUNZd7n5v6YsJGVJjRZDoM_pwvnxFOg@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: "Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org>, radext@ietf.org, EMU WG <emu@ietf.org>, emu-ads@ietf.org
Content-Type: multipart/alternative; boundary="000000000000421c6105db89add2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/-vNkjpdztqXeDR_02-7LrdzRYbg>
Subject: Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579:
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 20:40:55 -0000
Alan suggested: " EAP-Start is indicated by sending an EAP-Message attribute with a length of 3. The single byte of data SHOULD be set to zero on transmission and MUST be ignored on receipt. RADIUS clients MUST NOT send EAP-Message attributes of length 2, as attributes with no value are not permitted in RADIUS. However, for historical reasons and for compatibility with existing practice, RADIUS servers MUST accept EAP-Messages of length 2, and treat them as EAP-Start. Just checking the source I have locally, the server accepts zero-length EAP-Message (or any other text/string attribute, for that matter). So that's fine." [BA] This suggested errata text looks good. Alan said: " Then the text needs more work, I think. A naive reading of the text is that the peer is NAKing type A, and asking for type B, which it doesn't implement. That doesn't make much sense. And the NAK is also sent by EAP servers, when the peer requests a type that the server does not respond." [BA] "not implemented locally" means "not implemented locally on the NAS". The use case is: "a NAS suggests EAP-MD5 by default and the peer wants to use a key-generating EAP method instead (like EAP-TLS or TTLS), so it sends a Nak." Suggestion: " Where the initial EAP-Request sent by the NAS is for an authentication Type (4 or greater), the peer MAY respond with a Nak indicating that it would prefer another authentication method that is implemented by the RADIUS server, and not by the NAS. In this case, the NAS SHOULD send an Access-Request encapsulating the received EAP-Response/Nak." [BA] This text is better. The implicit assumption here is that the NAS is sending an EAP-Request with a locally implemented EAP type, without talking to the RADIUS server. Of course, the same thing could happen if the RADIUS server uses an inappropriate default type. So perhaps this might work: " Where the initial EAP-Request sent by the NAS is for an authentication Type (4 or greater), the peer MAY respond with a Nak indicating that it would prefer another authentication method. In this case, the NAS should send an Access-Request encapsulating the received EAP-Response/Nak. This allows a peer to suggest another EAP method where the NAS is configured to send a default EAP type (such as MD5-Challenge) which may not be appropriate." On Thu, Mar 31, 2022 at 7:59 AM Alan DeKok <aland@deployingradius.com> wrote: > On Mar 31, 2022, at 10:29 AM, Bernard Aboba <bernard.aboba@gmail.com> > wrote: > > > > I am CC'ing the RADEXT WG mailing list, since the errata relates to a > widely implemented RADIUS specification. > > > > Errata 6154: > > > > While Alan is correct that a RADIUS attribute with no data is not > permitted by RFC 2865, and RFC 3579 is ambiguous about the length, I am > concerned about the potential backward compatibility impact of this > change. In practice, is the EAP-Start being sent with a length of 2 or 3? > Suggesting it be sent with a length of 3 is fine, but I'd suggest adding > language stating that RADIUS servers should be aware of existing practice > (e.g. be able to deal with a length of 2 if it is received). We want to be > careful not to break existing RADIUS clients. > > Existing practice is all over the place. I agree that the text should > be clear that the RADIUS server should accept whatever is sent. But also > state that sending EAP-Message of zero length is not allowed. > > Perhaps the new text should say: > > EAP-Start is indicated by sending an EAP-Message attribute with a > length of 3. The single byte of data SHOULD be set to zero on > transmission and MUST be ignored on receipt. RADIUS clients MUST NOT > send EAP-Message attributes of length 2, as attributes with no value > are not permitted in RADIUS. However, for historical reasons and for > compatibility with existing practice, RADIUS servers MUST accept > EAP-Messages > of length 2, and treat them as EAP-Start. > > Just checking the source I have locally, the server accepts zero-length > EAP-Message (or any other text/string attribute, for that matter). So > that's fine. > > However, it won't encode zero-length EAP-Message. So if the server is > asked to proxy zero-length EAP-Message attributes, that attribute will get > silently dropped from the proxied packet. > > Looking at the code, that encoding limit has been there since 2005. > I've never heard anyone complaining about it. So I think it's safe to say > that there are few, if any, RADIUS clients which send EAP-Message with > length==2. > > > Errata 6259: > > > > I believe the original text is correct here. EAP method types 1-3 > (Identity, Notification, Nak) are typically implemented locally on the NAS, > so that the device (e.g. an 802.11 access point) can handle these methods > without interacting with the RADIUS server. In some cases, an EAP Type of > 4 (MD5-Challenge) was also implemented on the NAS (e.g. for 802.1X on > Ethernet) and would be set as the default method. If the peer did not wish > to use the default method, it would need to send a NAK. > > Then the text needs more work, I think. A naive reading of the text is > that the peer is NAKing type A, and asking for type B, which it doesn't > implement. That doesn't make much sense. And the NAK is also sent by EAP > servers, when the peer requests a type that the server does not respond. > > The original text is: > > Where the initial EAP-Request sent by the NAS is for an > authentication Type (4 or greater), the peer MAY respond with a Nak > indicating that it would prefer another authentication method that is > not implemented locally. In this case, the NAS SHOULD send > Access-Request encapsulating the received EAP-Response/Nak. > > It could be updated to: > > a) replace "locally" with explicit names > > b) add missing "an" to make the second sentence a bit more grammatical. :) > > Where the initial EAP-Request sent by the NAS is for an > authentication Type (4 or greater), the peer MAY respond with a Nak > indicating that it would prefer another authentication method that is > implemented by the RADIUS server, and not by the NAS. In this case, > the NAS SHOULD send an Access-Request encapsulating the received > EAP-Response/Nak. > > I hope that addresses all concerns. > > Alan DeKok. > > >
- Re: [radext] EAP Erratum 6154 on RFC 3579: Bernard Aboba
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Bernard Aboba
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Independent Submissions Editor (Eliot Lear)
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Independent Submissions Editor (Eliot Lear)
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Bernard Aboba
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Independent Submissions Editor (Eliot Lear)
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Eliot Lear
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Oleg Pekar