[radext] Review of draft-winter-radext-populating-eapidentity-01
Bernard Aboba <bernard_aboba@hotmail.com> Mon, 20 July 2015 11:12 UTC
Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B10021A1BD9 for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 04:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmUTJ__5iOrk for <radext@ietfa.amsl.com>; Mon, 20 Jul 2015 04:12:43 -0700 (PDT)
Received: from BLU004-OMC2S8.hotmail.com (blu004-omc2s8.hotmail.com [65.55.111.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C075C1A1BD2 for <radext@ietf.org>; Mon, 20 Jul 2015 04:12:42 -0700 (PDT)
Received: from BLU181-W94 ([65.55.111.73]) by BLU004-OMC2S8.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Mon, 20 Jul 2015 04:12:41 -0700
X-TMN: [opSfHrOcvEBenvX35pinwuSR0FQTm+Z6]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU181-W94C6FC52C2E3CD666F631A93850@phx.gbl>
Content-Type: multipart/alternative; boundary="_bb9d0580-91aa-46f4-aef7-f0eec784de0e_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radext@ietf.org" <radext@ietf.org>
Date: Mon, 20 Jul 2015 04:12:40 -0700
Importance: Normal
In-Reply-To: <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup>
References: <11856_1427820628_551AD054_11856_4576_1_6B7134B31289DC4FAF731D844122B36EEF6888@PEXCVZYM13.corporate.adroot.infra.ftgroup>, <tsllhid84gm.fsf@mit.edu> <BLU181-W6B49664DD504DDAF5CC9F93F40@phx.gbl>, <30317_1427824394_551ADF0A_30317_14370_1_6B7134B31289DC4FAF731D844122B36EEF74CD@PEXCVZYM13.corporate.adroot.infra.ftgroup>, <BLU181-W86B005505E6468F75180593F40@phx.gbl> <tsl4mp182ku.fsf@mit.edu>, <BA6CBD09-148F-4F8C-9B81-8A4A88B64287@deployingradius.com>, <BLU406-EAS343D630A63D85F897C0EC8793F40@phx.gbl>, <14078_1427880628_551BBAB4_14078_5155_1_6B7134B31289DC4FAF731D844122B36EF0B91F@PEXCVZYM13.corporate.adroot.infra.ftgroup>, <190D3355-0BB7-48D5-BEA2-55773E9BD785@deployingradius.com>, <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Jul 2015 11:12:41.0574 (UTC) FILETIME=[FEB6F060:01D0C2DC]
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/iwUh2mxf89Om1bx9mkqlPyRBQZI>
Subject: [radext] Review of draft-winter-radext-populating-eapidentity-01
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 11:12:45 -0000
One of the fundamental assumptions of this document is that the EAP-Response/Identity is somehow determined from the method-specific identities. This is not correct, as RFC 3748 Section 5.1 makes clear: It is RECOMMENDED that the Identity Response be used primarily for routing purposes and selecting which EAP method to use. EAP Methods SHOULD include a method-specific mechanism for obtaining the identity, so that they do not have to rely on the Identity Response. Identity Requests and Responses are sent in cleartext, so an attacker may snoop on the identity, or even modify or spoof identity exchanges. To address these threats, it is preferable for an EAP method to include an identity exchange that supports per-packet authentication, integrity and replay protection, and confidentiality. The Identity Response may not be the appropriate identity for the method; it may have been truncated or obfuscated so as to provide privacy, or it may have been decorated for routing purposes. Where the peer is configured to only accept authentication methods supporting protected identity exchanges, the peer MAY provide an abbreviated Identity Response (such as omitting the peer-name portion of the NAI [RFC2486]). For further discussion of identity protection, see Section 7.3. The above text makes it clear that the EAP-Response/Identity and method-specific Identities used within individual EAP methods are separate and distinct. The method-specific identities need not be in NAI format, or encoded in UTF-8. Therefore attempts to convert them to NAI format can frequently fail. Also, the EAP-Response/Identity is frequently anonymous and is used to prevent a snooping attacker from obtaining the method-specific identities, which are typically encrypted. For this reason and others described below, it is not advisable for EAP implementations to determine the EAP-Response/Identity based on the method-specific identities. Most EAP methods created subsequent to RFC 3748 have incorporated their own Identity Exchanges, and those methods are therefore not influenced by the EAP-Response/Identity. Since the EAP-Response/Identity is distinct from the method-specific identity, the recommendations of Section 4 will not have an effect on EAP authentication, other than perhaps forcing the selection of a different EAP server: If an EAP authentication gets rejected, the EAP peer SHOULD re-try the authentication using a different EAP-Response/Identity than before. The EAP peer SHOULD try all user identifiers from the entire set of configured EAP types before declaring final authentication failure. The advice has a number of major downsides. Since most authentication failures will be due to mistyping the password, responding to an authentication failure by retrying all conceivable user identities will lead to major delays and very high levels of user annoyance. By responding to an authentication failure by trying method-specific identities, implementations would divulge identity information that was designed to be kept secret, compromising privacy. Also, an implementation following this advice would utilize method-specific identities that may not be in the appropriate format or character encoding for an EAP-Response/Identity. EAP peers need to maintain state on the encoding of the user identifiers which are used in their locally configured EAP types. When constructing an EAP-Response/Identity from that user identifier, they MUST (re-)encode that user identifier as UTF-8 and use the resulting value for the EAP-Response/Identity. If the EAP type is configured for the use of anonymous outer identities, the desired outer identity MUST also be (re-)encoded in UTF-8 encoding before being put into the EAP-Response/Identity. Since RFC 3748 makes it clear that the EAP-Response/Identity is not related to the method-specific identity, constructing the EAP-Response/Identity from the method-specific one is inadvisable. The re-encoding described above may not be possible for a variety of reasons, including the fact that the method-specific identity need not be in NAI form at all.
- [radext] Start of Call for Adoption for draft-win… lionel.morand
- Re: [radext] Start of Call for Adoption for draft… Sam Hartman
- Re: [radext] Start of Call for Adoption for draft… Bernard Aboba
- Re: [radext] Start of Call for Adoption for draft… Sam Hartman
- Re: [radext] Start of Call for Adoption for draft… Alan DeKok
- Re: [radext] Start of Call for Adoption for draft… lionel.morand
- Re: [radext] Start of Call for Adoption for draft… Bernard Aboba
- Re: [radext] Start of Call for Adoption for draft… Sam Hartman
- Re: [radext] Start of Call for Adoption for draft… Alan DeKok
- Re: [radext] Start of Call for Adoption for draft… Bernard Aboba
- Re: [radext] Start of Call for Adoption for draft… lionel.morand
- Re: [radext] Start of Call for Adoption for draft… Alan DeKok
- Re: [radext] Start of Call for Adoption for draft… lionel.morand
- [radext] Review of draft-winter-radext-populating… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… lionel.morand
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… lionel.morand
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Stefan Winter
- Re: [radext] Review of draft-winter-radext-popula… Stefan Winter
- Re: [radext] Review of draft-winter-radext-popula… Stefan Winter
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Sam Hartman
- Re: [radext] Review of draft-winter-radext-popula… Alan DeKok
- Re: [radext] Review of draft-winter-radext-popula… Bernard Aboba
- Re: [radext] Review of draft-winter-radext-popula… Alan DeKok