Re: [Reap] [Emu] EAP - TLS 1.3

John Mattsson <john.mattsson@ericsson.com> Fri, 01 December 2017 13:58 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Bernard Aboba <bernard.aboba@gmail.com>, Jari Arkko <jari.arkko@ericsson.com>, Mohit Sethi M <mohit.m.sethi@ericsson.com>, "reap@ietf.org" <reap@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Date: Fri, 01 Dec 2017 13:57:58 +0000
Message-ID: <8C04ED3B-0D84-443B-8853-3EBD950C1732@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/reap/AcVDBOMxvcD5JI_pXTas614TWTc>
Subject: Re: [Reap] [Emu] EAP - TLS 1.3

Hi Bernard,

On Thu, Nov 19, 2017, Bernard Aboba wrote:

> The big question is "Why not create a new EAP method"?

> The overall intent seems to be to create a pre-shared key EAP method optimized for 5G,
> based on EAP-TLS v1.3.

I don’t know why you have gotten the idea that the intent is pre-shared key authentication. 3GPP has no interest in EAP-TLS with pre-shared key authentication. 3GPP wants to use EAP-TLS with certificate authentication.

> Since the protocol described will not interoperate with any of the existing 2+ billion
> EAP-TLS devices, why reuse the EAP-TLS code point or EAP-TLS name? What has been
> described is an entirely distinct authentication method, not a "clarification" to an
> existing specification.

> In fact, from how it has been described, it would appear that the new protocol is only for use
> with new devices supporting 5G and new 5G servers supporting the new method. In which case,
> if the new method is not for general use on the Internet, why can't 3GPP just define the method
> themselves and allocate their own private EAP type code?

I don’t know why you have come to the conclusion that this would not interoperate with existing EAP-TLS devices. TLS 1.3 e.g. obsoletes TLS 1.2 but still interoperates just fine with all old versions of TLS. 3GPP plans to use EAP-TLS (RFC5216) with current versions of TLS. In the future, 3GPP (and probably many others) would like to use EAP-TLS with TLS 1.3.

3GPP has no special requirements when it comes to using EAP-TLS with TLS 1.3, and would like to be interoperable with all implementations of EAP-TLS with TLS 1.3. The major point with EAP-TLS is to use the TLS version negotiation; defining EAP-TLS with TLS 1.3 as a different code is not a good idea.

My view is that it is not clear how the key derivation is done when EAP-TLS is used with TLS 1.3. Non-interoperable implementations would not be good for the Internet. Furthermore, an implementation of EAP-TLS with TLS 1.3 would break a _large_ number of MUSTs in RFC5126 as TLS 1.3 changes a lot from TLS 1.0 – 1.2. I think that an update to RFC5215 is needed irrespective of 3GPP using EAP-TLS or not.

Cheers,
John
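The key-derivation gap John raises above, shown as an added example (not part of this message or of any IETF document): the RFC 5216 MSK/EMSK derivation uses the TLS 1.2 PRF over the TLS `master_secret` and the two random values, none of which exist in the same form in TLS 1.3, where keys are obtained through the RFC 8446 exporter interface instead. The TLS 1.2 side below is the derivation RFC 5216 section 2.3 specifies; the TLS 1.3 side is an exporter-based derivation with a placeholder label (`EXAMPLE_EAP_TLS_LABEL`, an assumption, not a standardised value) to illustrate why two implementations that pick different mechanisms or labels end up with different MSKs and therefore fail to interoperate. All secrets and randoms are constructed sample values.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = 32


# ---- TLS 1.2 PRF (RFC 5246 section 5) and RFC 5216 section 2.3 key material ----

def p_hash(secret: bytes, seed: bytes, length: bytes) -> bytes:
    """P_SHA256: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, HASH).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def eap_tls_keys_tls12(master_secret: bytes, client_random: bytes, server_random: bytes):
    """RFC 5216: Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
    client.random || server.random); MSK = bytes 0..63, EMSK = bytes 64..127."""
    km = tls12_prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    return km[:64], km[64:128]


# ---- TLS 1.3 HKDF-Expand-Label / exporter (RFC 8446 sections 7.1 and 7.5) ----

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    full = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter(label, context, length) exactly as RFC 8446 section 7.5 defines it."""
    return hkdf_expand_label(derive_secret(exporter_master_secret, label, b""),
                             b"exporter", HASH(context).digest(), length)


def eap_tls_keys_tls13_illustrative(exporter_master_secret: bytes,
                                    label: bytes = b"EXAMPLE_EAP_TLS_LABEL"):
    """Hypothetical exporter-based MSK/EMSK split; the label is a placeholder, not a spec value."""
    km = tls13_exporter(exporter_master_secret, label, b"", 128)
    return km[:64], km[64:128]


def msk_matches(msk_a: bytes, msk_b: bytes) -> bool:
    """Constant-time check a peer would effectively perform when the MSKs must agree."""
    return hmac.compare_digest(msk_a, msk_b)


# Constructed sample inputs (not real session values).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
EXPORTER_MASTER_SECRET = bytes(range(32))


def demo():
    msk12, emsk12 = eap_tls_keys_tls12(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    msk13, _ = eap_tls_keys_tls13_illustrative(EXPORTER_MASTER_SECRET)
    msk13_other, _ = eap_tls_keys_tls13_illustrative(EXPORTER_MASTER_SECRET, b"OTHER_LABEL")
    return {
        "tls12_peer_vs_tls13_peer": msk_matches(msk12, msk13),        # False: mechanism mismatch
        "two_tls13_peers_different_label": msk_matches(msk13, msk13_other),  # False: label mismatch
        "same_inputs_same_result": msk_matches(msk12, eap_tls_keys_tls12(
            MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)[0]),           # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only the `same_inputs_same_result` case yields a usable session: the other two rows are exactly the silent MSK mismatch that an unspecified derivation produces, which surfaces not as a TLS error but as a later failure of the 4-way handshake or RADIUS key delivery that consumes the MSK.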