Re: [secdir] secdir review odraft-ietf-netext-wifi-epc-eap-attributes

"Koodli, Rajeev" <rajeev.koodli@intel.com> Wed, 09 July 2014 16:16 UTC

Return-Path: <rajeev.koodli@intel.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27FF01A040B; Wed, 9 Jul 2014 09:16:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.552
X-Spam-Level:
X-Spam-Status: No, score=-7.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZFBv0P0um-S6; Wed, 9 Jul 2014 09:16:58 -0700 (PDT)
Received: from mga03.intel.com (mga03.intel.com [143.182.124.21]) by ietfa.amsl.com (Postfix) with ESMTP id 97DFD1A009E; Wed, 9 Jul 2014 09:16:57 -0700 (PDT)
Received: from azsmga001.ch.intel.com ([10.2.17.19]) by azsmga101.ch.intel.com with ESMTP; 09 Jul 2014 09:16:56 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.01,632,1400050800"; d="scan'208";a="455025778"
Received: from fmsmsx106.amr.corp.intel.com ([10.19.9.37]) by azsmga001.ch.intel.com with ESMTP; 09 Jul 2014 09:16:52 -0700
Received: from fmsmsx102.amr.corp.intel.com (10.19.9.53) by FMSMSX106.amr.corp.intel.com (10.19.9.37) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 9 Jul 2014 09:16:52 -0700
Received: from fmsmsx105.amr.corp.intel.com ([169.254.5.225]) by FMSMSX102.amr.corp.intel.com ([169.254.2.147]) with mapi id 14.03.0123.003; Wed, 9 Jul 2014 09:16:51 -0700
From: "Koodli, Rajeev" <rajeev.koodli@intel.com>
To: Leif Johansson <leifj@sunet.se>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Thread-Topic: [secdir] secdir review odraft-ietf-netext-wifi-epc-eap-attributes
Thread-Index: AQHPmtBxgT3VMa/gaUKZ1gsnr5fLR5uWv+aAgADh04CAAAxjgIAAPqeA
Date: Wed, 9 Jul 2014 16:16:51 +0000
Message-ID: <CFE2B8EE.1683%rajeev.koodli@intel.com>
References: <53BA57E3.8080300@sunet.se> <CFE03243.1594%rajeev.koodli@intel.com> <53BBF2A5.10506@sunet.se> <CFE160D4.1613%rajeev.koodli@intel.com> <298C55D6-7F96-4BB5-9313-BA02A2B4D2F2@cisco.com> <53BC2779.70506@sunet.se> <CFE1BBCA.166F%rajeev.koodli@intel.com> <3C10F572-C486-4D3D-8BFF-AB5507831B24@cisco.com> <616EA2AC-8CF2-4014-88F8-E1560BB268F4@sunet.se>
In-Reply-To: <616EA2AC-8CF2-4014-88F8-E1560BB268F4@sunet.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.255.71.165]
Content-Type: text/plain; charset="euc-kr"
Content-ID: <9591FF21F4D02B4BB3C02482AD7516C6@intel.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/zajDHJtsXiu3Y2rylReKoxJ2iYA
Cc: "draft-ietf-netext-wifi-epc-eap-attributes.all@tools.ietf.org" <draft-ietf-netext-wifi-epc-eap-attributes.all@tools.ietf.org>, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review odraft-ietf-netext-wifi-epc-eap-attributes
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 16:16:59 -0000

Fine with me.

Thanks.

-Rajeev


On 7/8/14, 10:32 PM, "Leif Johansson" <leifj@sunet.se>; wrote:

>
>
>> 9 jul 2014 kl. 06:48 skrev "Joseph Salowey (jsalowey)"
>><jsalowey@cisco.com>;:
>> 
>> 
>>> On Jul 8, 2014, at 3:20 PM, Koodli, Rajeev <rajeev.koodli@intel.com>;
>>>wrote:
>>> 
>>> 
>>> RFC 4187:
>>> 
>>> "8.2 Protocol Extensibility
>>> 
>>>  EAP-AKA can be extended by specifying new attribute types.  If
>>>  skippable attributes are used, it is possible to extend the protocol
>>>  without breaking old implementations.  As specified in Section 10.13,
>>>  if new attributes are specified for EAP-Request/AKA-Identity or
>>>  EAP-Response/AKA-Identity, then the AT_CHECKCODE MUST be used to
>>>  integrity protect the new attributes.²
>> 
>> [Joe]  Makes sense.  Although it is redundant with RFC4187, It might be
>>worth mentioning in the security considerations section that
>>AT_CHECKCODE protects the attributes in the EAP/AKA-Identity messages
>>once it has be verified by a valid AT_MAC.   This would help clarify
>>that the attributes are protected and at what point they are
>>authenticated.  It might also help remind implementers that they need to
>>implement AT_CHECKCODE.
>
>agree!
>
>> 
>>> 
>>> So, this applies for the attribute in question.
>>> 
>>> -Rajeev
>>> 
>>> 
>>> 
>>>> On 7/8/14, 10:16 AM, "Leif Johansson" <leifj@sunet.se>; wrote:
>>>> 
>>>> 
>>>>> 
>>>>> [Joe] Is the attribute in question protected by AT_MAC?  If not, its
>>>>> possible that it could be modified in transit.
>>>> 
>>>> yeah what Joe said
>>