Re: [secdir] secdir review of draft-ietf-netext-wifi-epc-eap-attributes

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Wed, 09 July 2014 04:48 UTC

From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Koodli, Rajeev" <rajeev.koodli@intel.com>
Date: Wed, 09 Jul 2014 04:48:19 +0000
Message-ID: <3C10F572-C486-4D3D-8BFF-AB5507831B24@cisco.com>
References: <53BA57E3.8080300@sunet.se> <CFE03243.1594%rajeev.koodli@intel.com> <53BBF2A5.10506@sunet.se> <CFE160D4.1613%rajeev.koodli@intel.com> <298C55D6-7F96-4BB5-9313-BA02A2B4D2F2@cisco.com> <53BC2779.70506@sunet.se> <CFE1BBCA.166F%rajeev.koodli@intel.com>
In-Reply-To: <CFE1BBCA.166F%rajeev.koodli@intel.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/QjoNpf7jIrU3aTFBUVTge-Ktxis
Cc: IESG <iesg@ietf.org>, "draft-ietf-netext-wifi-epc-eap-attributes.all@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-netext-wifi-epc-eap-attributes
List-Id: Security Area Directorate <secdir.ietf.org>

On Jul 8, 2014, at 3:20 PM, Koodli, Rajeev <rajeev.koodli@intel.com> wrote:

> 
> RFC 4187:
> 
> "8.2 Protocol Extensibility
> 
>   EAP-AKA can be extended by specifying new attribute types.  If
>   skippable attributes are used, it is possible to extend the protocol
>   without breaking old implementations.  As specified in Section 10.13,
>   if new attributes are specified for EAP-Request/AKA-Identity or
>   EAP-Response/AKA-Identity, then the AT_CHECKCODE MUST be used to
>   integrity protect the new attributes."
> 

[Joe] Makes sense. Although it is redundant with RFC 4187, it might be worth mentioning in the security considerations section that AT_CHECKCODE protects the attributes in the EAP/AKA-Identity messages once it has been verified by a valid AT_MAC. This would help clarify that the attributes are protected and at what point they are authenticated. It might also help remind implementers that they need to implement AT_CHECKCODE.

> 
> So, this applies for the attribute in question.
> 
> -Rajeev
> 
> 
> 
> On 7/8/14, 10:16 AM, "Leif Johansson" <leifj@sunet.se> wrote:
> 
>> 
>>>> 
>>> 
>>> [Joe] Is the attribute in question protected by AT_MAC?  If not, its
>>> possible that it could be modified in transit.
>>> 
>> 
>> yeah what Joe said
>> 
>> 
>
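The protection order Joe describes (a new skippable attribute rides in the unauthenticated AKA-Identity round trip, AT_CHECKCODE in the later AKA-Challenge hashes those packets, and AT_CHECKCODE itself is only trustworthy once the packet's AT_MAC has verified) is easy to get wrong in an implementation. The following is an added worked model of that chain, written for this page; it is not code from the draft, from RFC 4187 or from any EAP implementation. It follows RFC 4187 sections 10.13 (AT_CHECKCODE: SHA-1 over the full EAP-Request/AKA-Identity and EAP-Response/AKA-Identity packets, in order) and 10.15 (AT_MAC: HMAC-SHA1-128 over the packet with the MAC field zeroed). The attribute type 200 standing in for the draft's new attribute, the 16-byte K_aut, the NAI and the omission of AT_RAND/AT_AUTN from the challenge are assumptions made to keep the example self-contained; for EAP-AKA' (RFC 5448) the checkcode hash is SHA-256 instead.

```python
"""Added example (not from the draft or any EAP stack): RFC 4187 AT_CHECKCODE under AT_MAC
protecting attributes carried in the unauthenticated EAP-AKA Identity exchange."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_AKA = 23
SUBTYPE_AKA_CHALLENGE, SUBTYPE_AKA_IDENTITY = 1, 5
AT_MAC, AT_ANY_ID_REQ, AT_IDENTITY, AT_CHECKCODE = 11, 13, 14, 134
AT_NEW_SKIPPABLE = 200   # assumption: stand-in for the draft's new skippable (type >= 128) attribute


def attr(atype, body):
    """Encode one attribute: Type, Length in 4-octet units (header included), value padded to 4."""
    raw = body + b"\x00" * ((-(2 + len(body))) % 4)
    return struct.pack("!BB", atype, (2 + len(raw)) // 4) + raw


def eap_packet(code, ident, subtype, attrs):
    """EAP header (Code, Identifier, Length) + EAP-AKA header (Type, Subtype, Reserved) + attributes."""
    body = struct.pack("!BBH", EAP_TYPE_AKA, subtype, 0) + b"".join(attrs)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def attributes(pkt):
    """Yield (type, value_offset, value) for each attribute of an EAP-AKA packet."""
    i = 8
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1] * 4
        if alen == 0:
            raise ValueError("zero-length attribute")
        yield atype, i + 2, pkt[i + 2:i + alen]
        i += alen


def checkcode(identity_pkts):
    """RFC 4187 10.13: SHA-1 over the AKA-Identity request/response packets, whole EAP packets, in order."""
    h = hashlib.sha1()
    for p in identity_pkts:
        h.update(p)
    return h.digest()


def mac(pkt, k_aut, mac_off):
    """RFC 4187 10.15: HMAC-SHA1-128 over the whole packet with the 16-octet MAC field zeroed."""
    zeroed = pkt[:mac_off] + b"\x00" * 16 + pkt[mac_off + 16:]
    return hmac.new(k_aut, zeroed, hashlib.sha1).digest()[:16]


def build_challenge(ident, identity_pkts, k_aut):
    """Server side: AKA-Challenge carrying AT_CHECKCODE, covered by AT_MAC (AT_RAND/AT_AUTN omitted here)."""
    cc = attr(AT_CHECKCODE, b"\x00\x00" + checkcode(identity_pkts))
    pkt = eap_packet(EAP_REQUEST, ident, SUBTYPE_AKA_CHALLENGE, [cc, attr(AT_MAC, b"\x00" * 18)])
    mac_off = len(pkt) - 16                    # AT_MAC is the last attribute, MAC field is its last 16 octets
    return pkt[:mac_off] + mac(pkt, k_aut, mac_off)


def verify_challenge(pkt, k_aut, identity_pkts_as_sent):
    """Peer side. Order matters: AT_MAC first; only a packet with a valid AT_MAC makes AT_CHECKCODE
    trustworthy, and only a matching AT_CHECKCODE shows the Identity attributes arrived unmodified."""
    found = {atype: (off, val) for atype, off, val in attributes(pkt)}
    if AT_MAC not in found:
        return "no AT_MAC"
    mac_off = found[AT_MAC][0] + 2             # skip the 2 reserved octets
    if not hmac.compare_digest(mac(pkt, k_aut, mac_off), pkt[mac_off:mac_off + 16]):
        return "bad AT_MAC"
    if AT_CHECKCODE not in found:
        return "no AT_CHECKCODE"               # RFC 4187: MUST be present when Identity attributes were added
    if not hmac.compare_digest(found[AT_CHECKCODE][1][2:22], checkcode(identity_pkts_as_sent)):
        return "AT_CHECKCODE mismatch"
    return "ok"


def run(tamper=None):
    """Identity round trip carrying the new attribute, then the challenge. tamper selects what an
    on-path attacker modifies: None, "identity" (the new attribute) or "challenge" (the checkcode)."""
    k_aut = b"\x11" * 16                       # constructed; a real K_aut is derived from MK (RFC 4187 7)
    req_id = eap_packet(EAP_REQUEST, 1, SUBTYPE_AKA_IDENTITY, [attr(AT_ANY_ID_REQ, b"\x00\x00")])
    identity = b"0123456789@example"          # constructed NAI
    resp_id = eap_packet(EAP_RESPONSE, 1, SUBTYPE_AKA_IDENTITY, [
        attr(AT_IDENTITY, struct.pack("!H", len(identity)) + identity),
        attr(AT_NEW_SKIPPABLE, b"\x00\x01"),   # hypothetical 2-octet value; nothing authenticates it here
    ])
    assert not any(t == AT_MAC for t, _, _ in attributes(resp_id))
    on_wire = resp_id[:-1] + bytes([resp_id[-1] ^ 0x01]) if tamper == "identity" else resp_id
    challenge = build_challenge(2, [req_id, on_wire], k_aut)        # server hashes what it received
    if tamper == "challenge":
        i = challenge.index(bytes([AT_CHECKCODE, 6]))               # flip first octet of the checkcode
        challenge = challenge[:i + 4] + bytes([challenge[i + 4] ^ 0x01]) + challenge[i + 5:]
    return verify_challenge(challenge, k_aut, [req_id, resp_id])     # peer hashes what it sent


if __name__ == "__main__":
    print(run(), "|", run("identity"), "|", run("challenge"))
```

The two tamper cases show the point of the security-considerations note: a modified Identity attribute is not caught when it arrives (the Identity messages carry no AT_MAC) but only when the peer compares the server's AT_CHECKCODE against its own record of what it sent, and an attacker who instead edits the checkcode runs into AT_MAC. An implementation that skips AT_CHECKCODE, or checks it before AT_MAC, loses the protection RFC 4187 section 10.13 relies on for any new Identity-message attribute.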