Re: [Emu] More COmments 2 on eap-tunnel-method

2012-10-09 Thread Hao Zhou (hzhou)
Agree. We will clarify that.

On 10/8/12 1:11 AM, Jim Schaad i...@augustcellars.com wrote:



 -Original Message-
 From: Hao Zhou (hzhou) [mailto:hz...@cisco.com]
 Sent: Thursday, October 04, 2012 3:06 PM
 To: Jim Schaad; emu@ietf.org; draft-ietf-emu-eap-tunnel-
 met...@tools.ietf.org
 Subject: Re: [Emu] More COmments 2 on eap-tunnel-method
 
 Jim:
 
 Please see comments below.
 
 On 10/1/12 1:10 PM, Jim Schaad i...@augustcellars.com wrote:
 
 I found two that I forgot to include in the last message
 
 1.  When exporting the user-id, does there need to be a way to
 distinguish at export time between the different types of ids that are
 authenticated by the server?  This does not seem to be an issue on the
 peer as it will only do mutual authentication to servers and thus only
 have server ids, however a server may authenticate to different types
 of identities on the peer.  At the moment we have identified user and
 machines as types of entities to be identified, I suppose in the future
 we could add Ewoks as a different type of entity that could be
 identified.  However the export function of user-ids does not make a
 distinction between the different types of authenticated entities.
 Should it do so or should it just export user authentications?
 [HZ] It helps to export the identities as well as the corresponding identity
 types (from the Identity Type TLV). Will add text.
 
 2.  Is there a map of TLVs that should not be sent together or need to
 be processed in a specific order?  The case I was looking at was for
 the Identity TLV and the EAP TLV.  Is there a difference in how a peer
 should react for the following?
 
    Identity TLV (Send me a machine Identity), EAP TLV (Start the EAP type XX)
    EAP TLV (Start EAP type XXX), Identity TLV (Send me a machine Identity)
 
 Or should these two TLVs never occur in a single message?
 [HZ] We had some discussion in WG and take the design principle that TLV
 ordering should not matter. We disallow simultaneous EAP inner methods
 and/or with Basic Password Authentication, so the order of the rest of the
 TLVs should not matter. If it does matter, it should be a nested TLV, as in
 Result TLV and Request-Action TLV. Need to add text to disallow Inner EAP
 method with parallel Basic Password Authentication TLV.

[JLS]  If order of TLVs does not matter, then there is an implied order in
which the TLVs should be processed.  That is, one should always process the
Identity TLV before processing the EAP TLV, as the Identity TLV is a hint to
the type of identity that is to be used in the EAP method.  Conversely, it
might be that these two TLVs should never occur in the same message.

Ditto with the Basic Password Authentication TLV and the Identity TLV.

Jim

 
 Jim
 
 
 ___
 Emu mailing list
 Emu@ietf.org
 https://www.ietf.org/mailman/listinfo/emu



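The TLV-processing policy that [HZ] and [JLS] converge on above, as an added example (not code from the draft or from anyone on this thread): a message carrying both an EAP TLV and a Basic Password Authentication TLV is rejected, and the Identity TLV is read before either is dispatched, so both wire orders Jim lists produce the same plan. The TLV header layout, the type numbers and the identity-type codes are assumptions.

```python
import struct
# Assumed wire layout (EAP-FAST/TEAP style): 16-bit type whose high bit is the
# Mandatory flag, 16-bit length, then value. Type numbers and identity-type
# codes are placeholders for this example, not the draft's registry values.
MANDATORY = 0x8000
TLV_IDENTITY_TYPE, TLV_EAP_PAYLOAD, TLV_PASSWORD_AUTH = 1, 2, 3  # placeholders
IDENTITY_NAMES = {1: "user", 2: "machine"}                       # placeholders

def build_tlv(tlv_type, value, mandatory=True):
    """Serialize one TLV."""
    return struct.pack("!HH", tlv_type | (MANDATORY if mandatory else 0), len(value)) + value

def parse_tlvs(data):
    """Return [(type, mandatory, value)]; reject truncated or overlong TLVs."""
    tlvs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated TLV header")
        hdr, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("TLV length runs past end of message")
        tlvs.append((hdr & 0x3FFF, bool(hdr & MANDATORY), data[off:off + length]))
        off += length
    return tlvs

def plan_processing(data):
    """Thread's policy: wire order must not matter, an EAP inner method and
    Basic Password Authentication never share a message, and the Identity
    TLV is consumed first so it can hint the authentication that follows."""
    tlvs = parse_tlvs(data)
    types = [t for t, _, _ in tlvs]
    if TLV_EAP_PAYLOAD in types and TLV_PASSWORD_AUTH in types:
        raise ValueError("EAP TLV and Basic Password Auth TLV in one message")
    hint = None
    for t, _, value in tlvs:              # pass 1: pick up the identity hint
        if t == TLV_IDENTITY_TYPE:
            if len(value) != 2:
                raise ValueError("malformed Identity-Type TLV")
            hint = IDENTITY_NAMES.get(struct.unpack("!H", value)[0], "unknown")
    steps = []
    for t, _, _ in tlvs:                  # pass 2: dispatch in a fixed order
        if t == TLV_EAP_PAYLOAD:
            steps.append(("eap", hint))
        elif t == TLV_PASSWORD_AUTH:
            steps.append(("password", hint))
    return steps

IDENT = build_tlv(TLV_IDENTITY_TYPE, struct.pack("!H", 2))  # constructed: ask for a machine identity
EAP = build_tlv(TLV_EAP_PAYLOAD, b"\x02\x01\x00\x05\x21")    # constructed: placeholder inner EAP packet
```

`plan_processing(IDENT + EAP)` and `plan_processing(EAP + IDENT)` return the same plan, which is the order-independence [HZ] describes.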

Re: [Emu] More COmments 2 on eap-tunnel-method

2012-10-08 Thread Joseph Salowey (jsalowey)

On Oct 7, 2012, at 10:11 PM, Jim Schaad wrote:

 
 
 -Original Message-
 From: Hao Zhou (hzhou) [mailto:hz...@cisco.com]
 Sent: Thursday, October 04, 2012 3:06 PM
 To: Jim Schaad; emu@ietf.org; draft-ietf-emu-eap-tunnel-
 met...@tools.ietf.org
 Subject: Re: [Emu] More COmments 2 on eap-tunnel-method
 
 Jim:
 
 Please see comments below.
 
 On 10/1/12 1:10 PM, Jim Schaad i...@augustcellars.com wrote:
 
 I found two that I forgot to include in the last message
 
 1.  When exporting the user-id, does there need to be a way to
 distinguish at export time between the different types of ids that are
 authenticated by the server?  This does not seem to be an issue on the
 peer as it will only do mutual authentication to servers and thus only
 have server ids, however a server may authenticate to different types
 of identities on the peer.  At the moment we have identified user and
 machines as types of entities to be identified, I suppose in the future
 we could add Ewoks as a different type of entity that could be
 identified.  However the export function of user-ids does not make a
 distinction between the different types of authenticated entities.
 Should it do so or should it just export user authentications?
 [HZ] It helps to export the identities as well as the corresponding identity
 types (from the Identity Type TLV). Will add text.
 
 2.  Is there a map of TLVs that should not be sent together or need to
 be processed in a specific order?  The case I was looking at was for
 the Identity TLV and the EAP TLV.  Is there a difference in how a peer
 should react for the following?
 
 Identity TLV (Send me a machine Identity), EAP TLV (Start the EAP type XX)
 EAP TLV (Start EAP type XXX), Identity TLV (Send me a machine Identity)
 
 Or should these two TLVs never occur in a single message?
 [HZ] We had some discussion in WG and take the design principle that TLV
 ordering should not matter. We disallow simultaneous EAP inner methods
 and/or with Basic Password Authentication, so the order of the rest of the
 TLVs should not matter. If it does matter, it should be a nested TLV, as in
 Result TLV and Request-Action TLV. Need to add text to disallow Inner EAP
 method with parallel Basic Password Authentication TLV.
 
 [JLS]  If order of TLVs does not matter, then there is an implied order in
 which the TLVs should be processed.  That is, one should always process the
 Identity TLV before processing the EAP TLV, as the Identity TLV is a hint to
 the type of identity that is to be used in the EAP method.  Conversely, it
 might be that these two TLVs should never occur in the same message.
 
 Ditto with the Basic Password Authentication TLV and the Identity TLV.
 

[Joe]  That makes sense.  An implementation should check for an Identity TLV to
provide a hint when determining what identity to use for an EAP or password
authentication.

 Jim
 
 
 Jim
 
 



Re: [Emu] More COmments 2 on eap-tunnel-method

2012-10-07 Thread Jim Schaad


 -Original Message-
 From: Hao Zhou (hzhou) [mailto:hz...@cisco.com]
 Sent: Thursday, October 04, 2012 3:06 PM
 To: Jim Schaad; emu@ietf.org; draft-ietf-emu-eap-tunnel-
 met...@tools.ietf.org
 Subject: Re: [Emu] More COmments 2 on eap-tunnel-method
 
 Jim:
 
 Please see comments below.
 
 On 10/1/12 1:10 PM, Jim Schaad i...@augustcellars.com wrote:
 
 I found two that I forgot to include in the last message
 
 1.  When exporting the user-id, does there need to be a way to
 distinguish at export time between the different types of ids that are
 authenticated by the server?  This does not seem to be an issue on the
 peer as it will only do mutual authentication to servers and thus only
 have server ids, however a server may authenticate to different types
 of identities on the peer.  At the moment we have identified user and
 machines as types of entities to be identified, I suppose in the future
 we could add Ewoks as a different type of entity that could be
 identified.  However the export function of user-ids does not make a
 distinction between the different types of authenticated entities.
 Should it do so or should it just export user authentications?
 [HZ] It helps to export the identities as well as the corresponding identity
 types (from the Identity Type TLV). Will add text.
 
 2.  Is there a map of TLVs that should not be sent together or need to
 be processed in a specific order?  The case I was looking at was for
 the Identity TLV and the EAP TLV.  Is there a difference in how a peer
 should react for the following?
 
    Identity TLV (Send me a machine Identity), EAP TLV (Start the EAP type XX)
    EAP TLV (Start EAP type XXX), Identity TLV (Send me a machine Identity)
 
 Or should these two TLVs never occur in a single message?
 [HZ] We had some discussion in WG and take the design principle that TLV
 ordering should not matter. We disallow simultaneous EAP inner methods
 and/or with Basic Password Authentication, so the order of the rest of the
 TLVs should not matter. If it does matter, it should be a nested TLV, as in
 Result TLV and Request-Action TLV. Need to add text to disallow Inner EAP
 method with parallel Basic Password Authentication TLV.

[JLS]  If order of TLVs does not matter, then there is an implied order in
which the TLVs should be processed.  That is, one should always process the
Identity TLV before processing the EAP TLV, as the Identity TLV is a hint to
the type of identity that is to be used in the EAP method.  Conversely, it
might be that these two TLVs should never occur in the same message.

Ditto with the Basic Password Authentication TLV and the Identity TLV.

Jim

 
 Jim
 
 



Re: [Emu] More COmments 2 on eap-tunnel-method

2012-10-04 Thread Hao Zhou (hzhou)
Jim:

Please see comments below.

On 10/1/12 1:10 PM, Jim Schaad i...@augustcellars.com wrote:

I found two that I forgot to include in the last message

1.  When exporting the user-id, does there need to be a way to distinguish
at export time between the different types of ids that are authenticated by
the server?  This does not seem to be an issue on the peer, as it will only
do mutual authentication to servers and thus only have server ids; however, a
server may authenticate to different types of identities on the peer.  At
the moment we have identified users and machines as types of entities to be
identified; I suppose in the future we could add Ewoks as a different type
of entity that could be identified.  However, the export function of user-ids
does not make a distinction between the different types of authenticated
entities.  Should it do so or should it just export user authentications?
[HZ] It helps to export the identities as well as the corresponding
identity types (from the Identity Type TLV). Will add text.

2.  Is there a map of TLVs that should not be sent together or need to be
processed in a specific order?  The case I was looking at was for the
Identity TLV and the EAP TLV.  Is there a difference in how a peer should
react for the following?

  Identity TLV (Send me a machine Identity), EAP TLV (Start the EAP type XX)
  EAP TLV (Start EAP type XXX), Identity TLV (Send me a machine Identity)

Or should these two TLVs never occur in a single message?
[HZ] We had some discussion in WG and take the design principle that TLV
ordering should not matter. We disallow simultaneous EAP inner methods
and/or with Basic Password Authentication, so the order of the rest of the
TLVs should not matter. If it does matter, it should be a nested TLV, as in
Result TLV and Request-Action TLV. Need to add text to disallow Inner EAP
method with parallel Basic Password Authentication TLV.

Jim


