IETF Logo Mail Archive

[radext] Review of draft-winter-radext-populating-eapidentity-01

Bernard Aboba <bernard_aboba@hotmail.com> Mon, 20 July 2015 11:12 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B10021A1BD9 for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 04:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmUTJ__5iOrk for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 04:12:43 -0700 (PDT)
Received: from BLU004-OMC2S8.hotmail.com (blu004-omc2s8.hotmail.com [65.55.111.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C075C1A1BD2 for <radext@ietf.org>; Mon, 20 Jul 2015 04:12:42 -0700 (PDT)
Received: from BLU181-W94 ([65.55.111.73]) by BLU004-OMC2S8.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Mon, 20 Jul 2015 04:12:41 -0700
X-TMN: [opSfHrOcvEBenvX35pinwuSR0FQTm+Z6]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU181-W94C6FC52C2E3CD666F631A93850@phx.gbl>
Content-Type: multipart/alternative; boundary="_bb9d0580-91aa-46f4-aef7-f0eec784de0e_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radext@ietf.org" <radext@ietf.org>
Date: Mon, 20 Jul 2015 04:12:40 -0700
Importance: Normal
In-Reply-To: <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup>
References: <11856_1427820628_551AD054_11856_4576_1_6B7134B31289DC4FAF731D844122B36EEF6888@PEXCVZYM13.corporate.adroot.infra.ftgroup>, <tsllhid84gm.fsf@mit.edu> <BLU181-W6B49664DD504DDAF5CC9F93F40@phx.gbl>, <30317_1427824394_551ADF0A_30317_14370_1_6B7134B31289DC4FAF731D844122B36EEF74CD@PEXCVZYM13.corporate.adroot.infra.ftgroup>, <BLU181-W86B005505E6468F75180593F40@phx.gbl> <tsl4mp182ku.fsf@mit.edu>, <BA6CBD09-148F-4F8C-9B81-8A4A88B64287@deployingradius.com>, <BLU406-EAS343D630A63D85F897C0EC8793F40@phx.gbl>, <14078_1427880628_551BBAB4_14078_5155_1_6B7134B31289DC4FAF731D844122B36EF0B91F@PEXCVZYM13.corporate.adroot.infra.ftgroup>, <190D3355-0BB7-48D5-BEA2-55773E9BD785@deployingradius.com>, <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Jul 2015 11:12:41.0574 (UTC) FILETIME=[FEB6F060:01D0C2DC]
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/iwUh2mxf89Om1bx9mkqlPyRBQZI>
Subject: [radext] Review of draft-winter-radext-populating-eapidentity-01
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 11:12:45 -0000

One of the fundamental assumptions of this document is that the EAP-Response/Identity is somehow determined from the method-specific identities.  This is not correct, as RFC 3748 Section 5.1 makes clear: 
 
      It is RECOMMENDED that the Identity Response be used primarily for
      routing purposes and selecting which EAP method to use.  EAP
      Methods SHOULD include a method-specific mechanism for obtaining
      the identity, so that they do not have to rely on the Identity
      Response.  Identity Requests and Responses are sent in cleartext,
      so an attacker may snoop on the identity, or even modify or spoof
      identity exchanges.  To address these threats, it is preferable
      for an EAP method to include an identity exchange that supports
      per-packet authentication, integrity and replay protection, and
      confidentiality.  The Identity Response may not be the appropriate
      identity for the method; it may have been truncated or obfuscated
      so as to provide privacy, or it may have been decorated for
      routing purposes.  Where the peer is configured to only accept
      authentication methods supporting protected identity exchanges,
      the peer MAY provide an abbreviated Identity Response (such as
      omitting the peer-name portion of the NAI [RFC2486]).  For further
      discussion of identity protection, see Section 7.3.
 
The above text makes it clear that the EAP-Response/Identity and method-specific Identities used within individual EAP methods are separate and distinct.  The method-specific identities need not be in NAI format, or encoded in UTF-8.  Therefore attempts to convert them to NAI format can frequently fail.  Also, the EAP-Response/Identity is frequently anonymous and is used to prevent a snooping attacker from obtaining the method-specific identities, which are typically encrypted.  For this reason and others described below, it is not advisable for EAP implementations to determine the EAP-Response/Identity based on the method-specific identities. 
 
Most EAP methods created subsequent to RFC 3748 have incorporated their own Identity Exchanges, and those methods are therefore not influenced by the EAP-Response/Identity.   Since the EAP-Response/Identity is distinct from the method-specific identity, the recommendations of Section 4 will not have an effect on EAP authentication, other than perhaps forcing the selection of a different EAP server:   
 
   If an EAP authentication gets rejected, the EAP peer SHOULD re-try the authentication using a
   different EAP-Response/Identity than before.  The EAP peer SHOULD try
   all user identifiers from the entire set of configured EAP types
   before declaring final authentication failure.
 
The advice has a number of major downsides.  Since most authentication failures will be due to mistyping the password, responding to an authentication failure by retrying all conceivable user identities will lead to major delays and very high levels of user annoyance.  By responding to an authentication failure by trying method-specific identities, implementations would divulge identity information that was designed to be kept secret, compromising privacy. Also, an implementation following this advice would utilize method-specific identities that may not be in the appropriate format or character encoding for an EAP-Response/Identity.  
 
   EAP peers need to maintain state on the encoding of the user
   identifiers which are used in their locally configured EAP types.
   When constructing an EAP-Response/Identity from that user identifier,
   they MUST (re-)encode that user identifier as UTF-8 and use the
   resulting value for the EAP-Response/Identity.  If the EAP type is
   configured for the use of anonymous outer identities, the desired
   outer identity MUST also be (re-)encoded in UTF-8 encoding before
   being put into the EAP-Response/Identity.
 
Since RFC 3748 makes it clear that the EAP-Response/Identity is not related to the method-specific identity, constructing the EAP-Response/Identity from the method-specific one is inadvisable.   The re-encoding described above may not be possible for a variety of reasons, including the fact that the method-specific identity need not be in NAI form at all.

v2.23.0 | Report a Bug | By Email