IETF Logo Mail Archive

Re: [radext] Review of draft-winter-radext-populating-eapidentity-01

Stefan Winter <stefan.winter@restena.lu> Tue, 21 July 2015 19:38 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE6081B2B28 for <radext@ietfa.amsl.com>; Tue, 21 Jul 2015 12:38:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lt_ZdPdEUEBR for <radext@ietfa.amsl.com>; Tue, 21 Jul 2015 12:38:44 -0700 (PDT)
Received: from smtp.restena.lu (legolas.restena.lu [IPv6:2001:a18:1::34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96BB11A883F for <radext@ietf.org>; Tue, 21 Jul 2015 12:38:44 -0700 (PDT)
Received: from viper.local (unknown [158.64.15.195]) by smtp.restena.lu (Postfix) with ESMTPSA id 57F0BBB73F for <radext@ietf.org>; Tue, 21 Jul 2015 21:38:43 +0200 (CEST)
To: radext@ietf.org
References: <11856_1427820628_551AD054_11856_4576_1_6B7134B31289DC4FAF731D844122B36EEF6888@PEXCVZYM13.corporate.adroot.infra.ftgroup> <30317_1427824394_551ADF0A_30317_14370_1_6B7134B31289DC4FAF731D844122B36EEF74CD@PEXCVZYM13.corporate.adroot.infra.ftgroup> <BLU181-W86B005505E6468F75180593F40@phx.gbl> <tsl4mp182ku.fsf@mit.edu> <BA6CBD09-148F-4F8C-9B81-8A4A88B64287@deployingradius.com> <BLU406-EAS343D630A63D85F897C0EC8793F40@phx.gbl> <14078_1427880628_551BBAB4_14078_5155_1_6B7134B31289DC4FAF731D844122B36EF0B91F@PEXCVZYM13.corporate.adroot.infra.ftgroup> <190D3355-0BB7-48D5-BEA2-55773E9BD785@deployingradius.com> <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup> <BLU181-W94C6FC52C2E3CD666F631A93850@phx.gbl> <tslzj2r5aoj.fsf@mit.edu> <6155_1437393977_55ACE439_6155_10573_1_6B7134B31289DC4FAF731D844122B36E01CCA3D4@OPEXCLILM43.corporate.adroot.infra.ftgroup> <BLU406-EAS922E8820069F5C62F8D5E193850@phx.gbl>
From: Stefan Winter <stefan.winter@restena.lu>
Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66
Message-ID: <55AE9FC2.7060807@restena.lu>
Date: Tue, 21 Jul 2015 21:38:42 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <BLU406-EAS922E8820069F5C62F8D5E193850@phx.gbl>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="E8ivhjjnUmsnm4h1Ev7oW5PWS11pGLwwL"
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/F6VPj-a1RaBlz5xXG5wUPjwMOLE>
Subject: Re: [radext] Review of draft-winter-radext-populating-eapidentity-01
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 19:38:47 -0000

Hi,

> The point is that the document's recommendations are based on using method specific identities to determine the EAP-Response/Identity. This is fundamentally broken because those identities are unrelated and the two identities  need not use the same formats or encodings - and as a result the advice based on this incorrect assumption would result in authentication failures, unacceptable delays and worse.
>
> The document itself points this out - but does not recognize that the problem itself results from a false assumption.

The "assumption" comes from observing the implemented reality of a vast
multitude of supplicants, be those fundamentally broken or not. Since
we're aiming at a BCP document, I think we should take reality into account.

Greetings,

Stefan Winter

>
>
>> On Jul 20, 2015, at 14:06, lionel.morand@orange.com wrote:
>>
>> Hi Bernard,
>>
>> I tend to agree with Sam. I will review again the draft based on your comment. However I understand that the point is WHEN "Identity Response be used primarily for routing purposes ", there is some considerations to take into account to use it as user-name identity in RADIUS and Diameter. Everything else related to method-specific EAP identity (format, use, etc.) is out of scope of this document. At least it is my current understanding.
>>
>> Lionel
>>
>> -----Message d'origine-----
>> De : radext [mailto:radext-bounces@ietf.org] De la part de Sam Hartman
>> Envoyé : lundi 20 juillet 2015 13:30
>> À : Bernard Aboba
>> Cc : radext@ietf.org
>> Objet : Re: [radext] Review of draft-winter-radext-populating-eapidentity-01
>>
>>>>>>> "Bernard" == Bernard Aboba <bernard_aboba@hotmail.com> writes:
>>    Bernard>    One of the fundamental assumptions of this document is
>>    Bernard> that the EAP-Response/Identity is somehow determined from
>>    Bernard> the method-specific identities.  This is not correct, as
>>    Bernard> RFC 3748 Section 5.1 makes clear:
>>
>> Hi.  I was very confused to read this paragraph, because we've discussed this issue several times and I think we're all in agreement that the method-specific identities are not directly related to the eap response/identity.  I think that as the text you cite from RFC 3748 points out, the EAP response is often used for routing, so in many deployments there is some relation.
>>
>> I stopped reading your review after this first paragraph, because I think that this disconnect colors the entire review.  I'd really appreciate it if you would explain why you think the document is assuming that the eap-response/identity is determined from method identities.
>> I know that was not our intent.
>>
>> I do think it's true that implementations sometimes derive both the eap response/identity and the method-specific identities from a common principal.
>> Other implementations request both identities from the user.
>> However, I don't know anything that tries to map back from a method identity to an eap response.
>>
>> --Sam
>>
>> _______________________________________________
>> radext mailing list
>> radext@ietf.org
>> https://www.ietf.org/mailman/listinfo/radext
>>
>> _________________________________________________________________________________________________________________________
>>
>> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
>> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
>> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
>> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>>
>> This message and its attachments may contain confidential or privileged information that may be protected by law;
>> they should not be distributed, used or copied without authorisation.
>> If you have received this email in error, please notify the sender and delete this message and its attachments.
>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>> Thank you.
>>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email