IETF Logo Mail Archive

Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Joseph Salowey <joe@salowey.net> Fri, 29 January 2021 22:00 UTC

Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F1273A11A1 for <tls@ietfa.amsl.com>; Fri, 29 Jan 2021 14:00:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ngEhrYt6Q_qD for <tls@ietfa.amsl.com>; Fri, 29 Jan 2021 14:00:28 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C34363A10E7 for <tls@ietf.org>; Fri, 29 Jan 2021 14:00:27 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id a12so14582305lfb.1 for <tls@ietf.org>; Fri, 29 Jan 2021 14:00:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=D0MsckdKZ7Sb0AoIUx3cbSVBE+o0WOLsFZ4wH85Hu6s=; b=lCqBQDSTkmZZeTHaOcjfeRG2U0IRXg1lyOUKvB+aHuiUi5cCRpu0RO/qKG/xKrVAId F6Q6davjrZFveX2sU8K+Q96Xgfuwd2eWxmaOGxFEfsOiJrHFhUl8rIMT3sopE9D0kx59 o+WvuPP6ThweYzYORRNPhFMwz8Ie2lO0SKqxEjT1cuLkWoxRom93qRfthjhgADPLkAfM zVRwWJkqGTkWs5quwJRRjIG0wh0441GL6AurUYXQ4JkLmL/f1CHjPhBC84S5T/UbyMzo drMw7v6mLwtVRx+Y5VpfTudjeOyXZX4Gj92xULxNZFq6D1WSuqQnkWe45kXsuH4Y2yf5 X0bw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=D0MsckdKZ7Sb0AoIUx3cbSVBE+o0WOLsFZ4wH85Hu6s=; b=B0zTsyZsmgt0Feg5PzGuE6a/IqFKzNJ/5CgImOTWQNnI0GbwCKcmodi0bNwPa5ed0j 7GLK3cHdRWBeI+zFvHYAUgkrXkmV0Pgv4E8wk4JlY+JgKVXdLy6F8xEla/kCXC2jvmwM zDmXuhFR03L1V7WPRFtOMKJ7qOQtd0JjcW2Y5OvFeoSTldOn13KkaZlZZNbQahMWfLVd Kx0fGfKMZmcA76RCyEZiTHLSCLSFacj32qMe3Cmipy/p4olkZEmTSgbSHyRtv2cmmWhD /fJNfo5VJUeuQuuPtf2+F/ZsZVfxnXxDs6GJAbd+TsmmGGBsNb6mfdJPykDn2QaI3eaF laLg==
X-Gm-Message-State: AOAM5307lvGofuzDXqALwu3Rc7eFBcr4CY+2dIKqrcKH/8vazHvC2Typ EmC6GkzUnjhDaGVXUgVPZ8Adg9Uxk5GOWQdkq8C18g==
X-Google-Smtp-Source: ABdhPJyz/KcKLTaBh9iwbkSAZDgYS+kKBr1xqwZk4ISfTYMFk4nKWLeEnmlfDhrBn7vFkuXrYuDEn5zZtNsYQkuDERo=
X-Received: by 2002:a05:6512:ad3:: with SMTP id n19mr3177767lfu.328.1611957625703; Fri, 29 Jan 2021 14:00:25 -0800 (PST)
MIME-Version: 1.0
References: <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com> <6241F0B6-C722-449E-AC3A-183DE330E7B5@deployingradius.com> <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com> <CAOgPGoBGOMXH-kMhQSujWxnACdmBL845u0ouE0fUYc4rWtUrZg@mail.gmail.com> <ca4c526e-79a0-4fa7-abda-2b626795f068@www.fastmail.com> <3409F71E-4CE4-46BB-8079-BFBE9BE83C9A@deployingradius.com> <66157321-55DC-4831-8EF2-D75934D9024C@deployingradius.com> <20210129183220.GI21@kduck.mit.edu> <1A830492-3404-4BCC-844B-D7D950458BD9@deployingradius.com>
In-Reply-To: <1A830492-3404-4BCC-844B-D7D950458BD9@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Fri, 29 Jan 2021 14:00:13 -0800
Message-ID: <CAOgPGoAoFL0aL8-g2waWny=BCod4tN9R==jR_N3kuLPFzvNGOg@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "<tls@ietf.org>" <tls@ietf.org>, Martin Thomson <mt@lowentropy.net>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ac6a9d05ba11217e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zc9X4xG_pC5hwpTlLj9wxRAJgNY>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2021 22:00:30 -0000

HI Alan,

THanks for this message, comments inline below:

On Fri, Jan 29, 2021 at 12:02 PM Alan DeKok <aland@deployingradius.com>
wrote:

>   This is a new message to summarize history, requirements, etc. for
> EAP-TLS and TLS 1.3.  The focus here is the requirements for EAP-TLS, and
> how the 0x00 commitment message versus CloseNotify meets those.  I'll
> ignore the exporter changes here, as those are less controversial.
>
>   The original proposal in the EAP-TLS draft was to send a zero-length
> application data message in order to signal that no more post-handshake
> messages were needed.  From the -05 version:
>
>    When an EAP server has sent its last handshake message (Finished or a
>    Post-Handshake), it commits to not sending any more handshake
>    messages by appending an empty application data record (i.e. a TLS
>    record with TLSPlaintext.type = application_data and
>    TLSPlaintext.length = 0) to the last handshake record.  After sending
>    an empty application data record, the EAP server may only send an
>    EAP-Success, an EAP-Failure, or an EAP-Request with a TLS Alert
>    Message.
>
>   However, the OpenSSL APIs (among others) do not allow for sending zero
> octets of application data.  The proposal was then changed to send a 0x00
> octet.
>
>  There was discussion that CloseNotify could achieve the same goals.  But
> CloseNotify requires an additional round trip.  There are strong opinions
> that additional round trips are bad.
>
>   In addition, CloseNotify prevents the TLS layer from sending a TLS Fatal
> Alert:  https://www.mail-archive.com/emu@ietf.org/msg03092.html
>
>   i.e. there would be no TLS layer signalling for the following situations:
>
>    bad_certificate,  unsupported_certificate,  certificate_revoked,
> certificate_expired, certificate_unknown,  illegal_parameter, unknown_ca,
> access_denied, etc
>
>   This limitation would be an unmitigated disaster for EAP-TLS.  Those
> messages are required by people deploying EAP-TLS.  Without those messages,
> it will be near impossible to debug configuration issues.
>
>   As a result, we cannot use CloseNotify to signal "no more handshake
> messages" from the server.
>
>   There is a related issue, in that TLS 1.3 separates Session Tickets from
> TLS handshakes.  So it's still possible for the EAP state machine to send a
> 0x00 octet, and then the TLS state machines sends that *before* a Session
> Ticket.
>
>   In addition, RFC 8446 Figure 1 shows that application data can be sent
> by the server to the client, *before* the client certificate is sent to the
> server.  So sending this octet in EAP-TLS does not prove that the client
> certificate has been validated.
>
> DISCUSS: the EAP-TLS draft should explain that the 0x00 byte is NOT a
> positive signal of either "finished TLS", or "successful authentication".
>
> [Joe] It would be good to be clear about the purpose of the message.


> DISCUSS: the EAP-TLS draft should also explain that session tickets may be
> sent either before or after the 0x00 octet.  Does the packet flow look any
> different for the two cases?  If so, what does that mean?
>
> [Joe] I believe the flow of the message flights would be the same, but the
on-the-wire format of those flights could be reversed.  I don't think this
will necessarily cause a problem since the application data is consumed by
the EAP TLS and the NewSessionTicket is consumed by TLS,  However I think
the draft should be clear that this can happen.


> DISCUSS: We have interoperable implementations of -13.  Does this mean
> that the EAP state machines *implicitly* work with the TLS state machines?
> There is no *explicit* requirement in the draft about ordering, and no
> discussion thereof.  I suspect that this means the implementations work in
> part by accident, instead of by design.  So updates to TLS libraries *may*
> break EAP-TLS.  It would be best to make any assumptions explicit.  And /
> or to recommend to implementors that they be flexible with respect to
> changing order of the 0x00 octet vs session tickets.
>
> [Joe] Yes we should be clear about this.


>
>   In situations where resumption is not needed, figure 1 of
> https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-13 is correct.
> There are 3.5 rounds, which is about as low as possible.  Adding resumption
> here would *increase* there number of rounds to 4.5, which is worse!
>
> DISCUSS: the EAP-TLS draft Section 2.1.1 should be updated to note that
> this examples does not include Session Tickets.  Section 2.1.2 should be
> updated to note that there are more rounds than for the previous section.
>
>
[Joe] Yes.  It might be helpful to say that the commitment message may be
sent before or after the client authentication is verified, but in the case
that resumption is used it will always be after.


>
>   In situations where the certificate chain is longer, the initial
> authentication will be >=4.5 round trips, and session tickets are perhaps
> more useful.
>
> DISCUSS: the EAP-TLS draft should be updated to better explain the costs /
> benefits of using resumption
>
>
>   I hope that this summary clarifies the issues and requirements.  The
> 0x00 octet is intended as a promise that no more handshake messages are
> sent.  I leave it to others to discuss whether or not that promise is
> useful.
>
>   As for what to do, my $0.02 is that the behaviour described in -13 is
> fine.  The 0x00 octet is useful.  The key exporters are perhaps odd, but
> not problematic.  We have multiple inter-operable implementations.
>
>   The remaining question is this:
>
> DISCUSS: other than word-smithing the above points, are there serious
> objections to the behaviour documented in -13?  i.e. does the IETF want to
> recommend that EAP-TLS alpha testing begins *now*, or should it wait until
> 2022?
>
> [Joe]  If we are going to make a change in the key derivation we should do
it now.  Personally, I think we should update the key derivation to
separate the MSK and EMSK, but it is workable as is.
I think there are potential issues around the ordering of the 0x00 octet
and other messages, but I don't think this will require changes to
implementations in the short term, but the spec needs to clarify this.

I would like to start "alpha" testing ASAP, if we find problems in the
alpha test, it could result in implementation changes



>   The only advice I offer here is that we *cannot* rev EAP-TLS, as there
> is no "version" flag in the EAP-TLS header.  See
> https://tools.ietf.org/html/rfc5216#section-3.1
>
>   So if we later discover that EAP-TLS is flawed, we can only deprecated
> EAP-TLS, and create a new EAP-TLS "prime", with a new EAP type code.
>
> [Joe] Perhaps we could use an expanded EAP-Type for the alpha? Or perhaps
experimental or a temporary experimental allocation could be made (not sure
if that would be possible).



>   Alan DeKok.
>
>
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email