IETF Logo Mail Archive

Re: [radext] New Version Notification for draft-winter-radext-populating-eapidentity-00.txt

Stefan Winter <stefan.winter@restena.lu> Mon, 17 February 2014 09:02 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D1961A0148; Mon, 17 Feb 2014 01:02:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.853
X-Spam-Level:
X-Spam-Status: No, score=0.853 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_57=0.6, RP_MATCHES_RCVD=-0.548, WEIRD_PORT=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MKl3Z80X3Cp0; Mon, 17 Feb 2014 01:02:46 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id AACFC1A02C3; Mon, 17 Feb 2014 01:02:45 -0800 (PST)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id EC64E10580; Mon, 17 Feb 2014 10:02:41 +0100 (CET)
Received: from [IPv6:2001:a18:1:8:921b:eff:fe1b:d2e7] (unknown [IPv6:2001:a18:1:8:921b:eff:fe1b:d2e7]) by smtprelay.restena.lu (Postfix) with ESMTPS id D12F91057E; Mon, 17 Feb 2014 10:02:41 +0100 (CET)
Message-ID: <5301D017.8060302@restena.lu>
Date: Mon, 17 Feb 2014 10:02:15 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Alan DeKok <aland@deployingradius.com>
References: <20140214084329.10393.78739.idtracker@ietfa.amsl.com> <52FDDD10.1050306@restena.lu> <52FFF22A.5010802@deployingradius.com>
In-Reply-To: <52FFF22A.5010802@deployingradius.com>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="gJXNFK4E8sxwPulwxeHSp5lmuLGHGXQ4K"
X-Virus-Scanned: ClamAV
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/Jm-U39X9P1fS4i06WW3oofLoufs
Cc: "radext@ietf.org" <radext@ietf.org>, abfab@ietf.org, "dime@ietf.org" <dime@ietf.org>, "<emu@ietf.org>" <emu@ietf.org>
Subject: Re: [radext] New Version Notification for draft-winter-radext-populating-eapidentity-00.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2014 09:02:49 -0000

Hi,

> Section 3:
> 
>    ... EAP-
>    Response/Identity does not carry encoding information itself, so a
>    conversion between a non-UTF-8 encoding and UTF-8 is not possible for
>    the AAA entity doing the EAP-Response/Identity to User-Name copying.
> 
>   I'm unsure about this.  The EAP-Response/Identity field is *supposed*
> to be UTF-8.  So if it's not, the supplicant is non-compliant, and
> anything can happen.

Unfortunately, that is not how I read the EAP spec. RFC3748 section 5.1
on the "Identity" packet does not mention UTF-8 for the *Response* at all.

It mentions that the *request* MAY contain displayable text, which needs
to be UTF-8 if present.

For response, no encoding is mandated. The RFC even mentions weirdnesses
such as an intermediate NUL character followed by "various options" -
but only notes them, they are not forbidden. The use of such a construct
breaks the UTF-8 requirement.

I totally agree that anything besides UTF-8 in the Response is a bad
idea, and these days hopefully a seldom find - but it should be said
someplace that it's outright forbidden.

Which reminds me that my text speaks of SHOULD NOT in the
recommendations (given that I've preliminarily aimed for BCP status, I
found a MUST NOT not to be fitting; but maybe it is more spot on
nontheless).

>   I think the recommendation here for EAP to RADIUS gateways (e.g.
> Access Points) is to do as little translation as possible.  They should
> just copy the Identity blob into the User-Name attribute.

And do what if they find that the blob is not UTF-8? Drop the packet?
Forward anyway?

>   The next paragraph does explain why this is a problem, but the quoted
> text above seems misleading to me.  The AAA entity *can* copy the
> EAP-Response/Identity to User-Name.  It's just data, so that copying is
> always possible.

Sure; but you create a malformed packet with it - so everybody who
consumes that data is at a gamble.

>    Consequence: If an EAP method's username is not encoded in UTF-8, and
> 
>   I would suggest "user identifier", to avoid confusion with User-Name.

Sure, no problem.

>    the EAP peer verbatimly uses that method's notion of a username for
>    its EAP-Response/Identity field, then the AAA entity is forced to
>    violate its own specification because it has to, but can not use
>    UTF-8 for its own User-Name attribute.  This jeopardizes the
>    subsequent EAP authentication as a whole; request routing may fail or
>    lead to a wrong destinationi, or the AAA payload may be discarded by
>    the recipient due to the malformedness of the User-Name attribute.
> 
> 
>   That is all true.  I would note that the EAP-Response/Identity field
> does *not* have to be taken from the EAP methods user identifier field.
>  They can be completely different.

Will do (the completely different content would be the outer identity).

>   That should be noted here.  Where the EAP methods user identifier
> field is *not* UTF-8, the supplicant MUST provide a UTF-8 compatible
> string for the EAP-Response/Identity field.  How it gets that string is
> implementation dependent. :(

Yes, that's why I wrote the (somewhat hollow) statement that it "needs
to maintain state of the encoding used". How it does that... no spec can
mandate.

> Section 4:
> 
>    Where usernames between configured EAP types in an EAP peer differ,
>    the EAP peer can not rely on the EAP type negotiation mechanism alone
>    to provide useful results.  If an EAP authentication gets rejected,
>    the EAP peer SHOULD re-try the authentication using a different EAP-
>    Response/Identity than before.  The EAP peer SHOULD try all usernames
>    from the entire set of configured EAP types before declaring final
>    authentication failure.
> 
>   I see why this can be necessary, but it's ugly.

I totally agree that it's ugly. Adding "Note: That is ugly." to the spec
doesn't provide much added value though :-)

I feel strong about stating the problem though. We had an actual
real-life support case from a device manufacturer whose handset
customers couldn't use eduroam and the manufacturer said our RADIUS
infrastructure is broken, because it always rejects before they can even
try the configured EAP-TTLS that the user sets.

It was totally unthinkable for them that someone would not have a
business relationship with 3GPP and that always trying the same 3GPP
user identifier when starting EAP would lead nowhere.

After a lot of explaining and escalation to some senior engineering, we
could make that clear, and the firmware got a fix. Having this described
in an RFC to point to will certainly help if such states of mind pop up
again someplace in the future.

>    EAP peers need to maintain state on the encoding of the usernames
>    which are used in their locally configured EAP types.  When
>    constructing an EAP-Response/Identity from that username information,
>    they SHOULD (re-)encode that username as UTF-8 and use the resulting
>    value for the EAP-Response/Identity.  If the EAP type is configured
>    for the use of anonymous outer identities, the desired outer identity
>    should also be (re-)encoded in UTF-8 encoding before being put into
>    the EAP-Response/Identity.
> 
>  I would add "or allow the provisioning of an EAP-Response/Identity
> field independent form the EAP method user identifier"

Well... that degree of freedom exists - outer ID *is* independent from
the EAP method's user identifier.

I'm not sure what the effect of this (third!) notion of (non-)identity
could add? The example of the 3GPP vs. realm.example shows that there
may well be *no* common EAP-Response/Identity which actually fits all
configured EAP types.

> Section 5
> 
>   It may be worth noting that supplicants should try the most secure EAP
> methods first (i.e. ones with anonymous outer identity).  If those fail,
> they should proceed to more insecure methods.  This prevents leakage.

Good idea!

>   Also, supplicants could cache information about successful
> authentications.  If the system appears to be "the same" as one where
> EAP method X previously worked, it makes sense to start off with EAP
> method X.
> 
>   How the supplicant determines that this is "the same" system is a
> subject for discussion.

Interesting thought, and a bit complex. I suggest we discuss this when
the draft gets adopted in ... "some" working group. Suggestions welcome :-)

Greetings,

Stefan Winter


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

v2.23.0 | Report a Bug | By Email