IETF Logo Mail Archive

RE: [TLS] Stateless TLS Session Resumption extension and EAP-FAST.

"Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com> Thu, 21 June 2007 16:47 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I1PoL-0005T1-SX; Thu, 21 Jun 2007 12:47:09 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I1PoK-0005Sq-7Q for tls@ietf.org; Thu, 21 Jun 2007 12:47:08 -0400
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I1PoH-0003j5-Hz for tls@ietf.org; Thu, 21 Jun 2007 12:47:08 -0400
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-5.cisco.com with ESMTP; 21 Jun 2007 09:47:05 -0700
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAAAGNIekarR7PEh2dsb2JhbACPJAIJDiw
X-IronPort-AV: i="4.16,448,1175497200"; d="scan'208"; a="163690021:sNHT28457289"
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id l5LGl4l1011277; Thu, 21 Jun 2007 09:47:04 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l5LGl4XP029435; Thu, 21 Jun 2007 16:47:04 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 21 Jun 2007 09:47:03 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Stateless TLS Session Resumption extension and EAP-FAST.
Date: Thu, 21 Jun 2007 09:47:07 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE50402DE9F@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE5035D58F1@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Stateless TLS Session Resumption extension and EAP-FAST.
Thread-Index: AcdcO18dYchwt6jARjGQj1RE7JzOdgDN6srAFSwQT8A=
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, Jan Nordqvist <jnordqvist@alcatel-lucent.com>, tls@ietf.org
X-OriginalArrivalTime: 21 Jun 2007 16:47:03.0879 (UTC) FILETIME=[CBC37D70:01C7B423]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2957; t=1182444424; x=1183308424; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20\(jsalowey\)=22=20<jsalowey@cisco.com> |Subject:=20RE=3A=20[TLS]=20Stateless=20TLS=20Session=20Resumption=20exte nsion=20and=20EAP-FAST. |Sender:=20; bh=vlSpvlg271vM63qu4WQqkXEbrUowboorYeg1cUepKI0=; b=D3RJmr+df/sK3LUT1Xm2esde3cquASp7oHFmHTlwzJf9DcngPO9F4cCezXaA0vNBWDl5nUJ9 WQlQZAX5dez0D2cGWr/wb+G8QJpFmIuco4RpLdBFG1RhmXJFvbamwD9z;
Authentication-Results: sj-dkim-4; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6e922792024732fb1bb6f346e63517e4
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

We have submitted a draft for an RFC4507bis to correct this problem.  It
can be found at 

http://www.ietf.org/internet-drafts/draft-salowey-tls-rfc4507bis-00.txt

Please take this opportunity to review the draft correction as we would
like to submit the draft for publication soon.

Thanks,

Joe

> -----Original Message-----
> From: Joseph Salowey (jsalowey) 
> Sent: Monday, March 05, 2007 2:18 PM
> To: Jan Nordqvist; tls@ietf.org
> Subject: RE: [TLS] Stateless TLS Session Resumption extension 
> and EAP-FAST.
> 
> Hi Jan,
> 
> You are correct, there is an issue with current 
> implementation.  Thanks for pointing this out.  Details follow:
> 
> Current EAP-FAST implementations do not format the extension 
> correctly as to spec.  They leave out one of the length fields.
> 
> EAP-FAST implementation:
> 
>       struct {
>   	   uint16 extensionType 	
>  	   opaque ticket<0..2^16-1>
>       } SessionTicketExtension
> 
> Example encoding: 00 23 LL LL TT TT TT ...
> 
> LL - ticket length
> TT - ticket
> 
> RFC4507:
> 
> >     struct {
> >        opaque ticket<0..2^16-1>;
> >     } SessionTicket;
> >
> >    struct {
> >  	   uint16 extensionType 	
> > 	   opaque SessionTicket<0..2^16-1>
> >    } SessionTicketExtension
> >
> 
> Example encoding: 00 23 LN LN LL LL TT TT TT....
> 
> LN - length of ticket + 2-bytes
> 
> Joe 
> 
> > -----Original Message-----
> > From: Jan Nordqvist [mailto:jnordqvist@alcatel-lucent.com]
> > Sent: Thursday, March 01, 2007 11:52 AM
> > To: tls@ietf.org
> > Subject: [TLS] Stateless TLS Session Resumption extension and 
> > EAP-FAST.
> > 
> > I apologize if this gets duplicated, I had the wrong address
> > registered:
> > 
> > During some recent work incorporating EAP-FAST support into our TLS 
> > stack I have discovered that the devices we use for testing are 
> > violating the format of the stateless session ticket extension 
> > definition per RFC-4507. In all instances I have seen, the whole 
> > SessionTicket is preceded by a two-byte 'type' field, i.e. the 
> > definition is really
> > 
> > struct {
> >     uint16 type;
> >     opaque ticket<0..2^16-1>;
> > } SessionTicket;
> > 
> > I don't know the size of deployments of EAP-FAST devices 
> versus other 
> > implementations using the session ticket extension, but it 
> seems that 
> > either RFC-4507 needs to be updated to reflect what is actually 
> > implemented or perhaps the extension should be split into two.
> > 
> > Regards,
> > Jan Nordqvist
> > 
> > 
> > _______________________________________________
> > TLS mailing list
> > TLS@lists.ietf.org
> > https://www1.ietf.org/mailman/listinfo/tls
> > 
> 
> _______________________________________________
> TLS mailing list
> TLS@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls
> 

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email