Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[peter]

Based on helpful WGLC feedback on draft-ietf-emu-rfc7170bis, we are now at
version -14. I'm not aware of any outstanding issues (minor errata stuff
aside) and there do not appear to be any objections, sustained or otherwise
at the present time. On that basis, your EMU WG chairs are declaring WG
consensus in support of draft-ietf-emu-rfc7170bis-14.

 

Thank you to everyone who took the time to read through the draft and
comment during WGLC. I genuinely believe the process has improved the
document. Joe and I look forward to its passage through IETF LC and onto
publication.

 

Joe and Peter

 

From: pe...@akayla.com  
Sent: Monday, August 14, 2023 2:23 PM
To: 'emu@ietf.org' 
Subject: WGLC on draft-ietf-emu-rfc7170bis-11

 

Folks,

 

Alan has issued -11 of draft-ietf-emu-rfc7170bis. He
believes it covers all of the outstanding issues that needed to be resolved.
We held up the WGLC until we could have our session at IETF 117. With
post-117 changes incorporated, now's seems like the time for the WGLC to go
forward. Please post your comments to the mailing list by August 28th. Even
a "good to go" is genuinely helpful input.

 

Thanks.

 

Joe and Peter

 

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alexander Clouter]

On Sun, 27 Aug 2023, at 10:57, Heikki Vatiainen wrote:
> Weren't the observed differences against RFC 7170 one the main
> reasons why the draft was needed?

Exactly. In particular it was the use of the EAP-FAST-MSCHAPv2 key derivative 
(reversed upper/lower bits) that triggered this and the fun around 
Identity-Type-TLV and all those empty identities when Windows gets grumpy, ...

> "insider program" refers to this:
> https://www.microsoft.com/en-us/windowsinsider/about-windows-insider-program
>
> That is, it's a public program. No secret handshakes or such was needed to
> get access to TEAP functionality. I'd guess it's also the latest
> implementation of TEAP, not that I've seen information that there are
> differences between versions. Therefore it's likely the best Windows
> version to ensure testing is done against the latest version.

We even got a CVE/bounty for the TEAP work...

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21539

Triggered by bundling the inner EAP Identity request from the server with the 
outer TLS session establishment frame to save a round trip.

hostap looked to include a workaround for this (eap_teap_method_sequence) 
independently before it went public, guess he noticed Windows exploding too...

Should be all fine now with the optimisation...

Cheers

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Heikki Vatiainen]

On Sat, 26 Aug 2023 at 21:13, Michael Richardson 
wrote:

>
> Heikki Vatiainen  wrote:
> > Test with Windows 11 and eapol_test - EAP-TLS followed by EAP-MSCHAPv2
>
> Are you saying that Windows 11 also has implemented (accessible via
> "insider
> program" only)?
>

I think TEAP has been generally available with Windows 10 and 11 for some
time now. There are, for example, Youtube videos that show how it's
configured. Weren't the observed differences against RFC 7170 one the main
reasons why the draft was needed?

"insider program" refers to this:
https://www.microsoft.com/en-us/windowsinsider/about-windows-insider-program

That is, it's a public program. No secret handshakes or such was needed to
get access to TEAP functionality. I'd guess it's also the latest
implementation of TEAP, not that I've seen information that there are
differences between versions. Therefore it's likely the best Windows
version to ensure testing is done against the latest version.


> Bernard could you confirm?
>


-- 
Heikki Vatiainen
h...@radiatorsoftware.com
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 26, 2023, at 3:18 PM, Michael Richardson  wrote:
> since some things have been clarified, are we sure then that it's on the side
> of the new text?
> (I'm asking as shepherd to record Implementation Status)

  I won't speak for Microsoft as such.  But all of the implementations do the 
same things, and they all behave as suggested in 7170bis.

  The differences between the doc and implementations are:

* nothing implements Identity-Hint

  That can be fixed on the server side during IETF last call

* nothing implements the PKCS TLVs

  I believe any other differences are minor.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Michael Richardson]

Alan DeKok  wrote:
> On Aug 26, 2023, at 2:13 PM, Michael Richardson 
> wrote:
>> Are you saying that Windows 11 also has implemented (accessible via
>> "insider program" only)?

>   I believe that TEAP is generally available in Windows 11.

since some things have been clarified, are we sure then that it's on the side
of the new text?
(I'm asking as shepherd to record Implementation Status)

--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide






signature.asc
Description: PGP signature
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 26, 2023, at 2:13 PM, Michael Richardson  wrote:
> Are you saying that Windows 11 also has implemented (accessible via "insider
> program" only)?

  I believe that TEAP is generally available in Windows 11.

  
https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/network-access?tabs=eap-tls%2Cserveruserprompt-eap-tls%2Ceap-sim

  That page indicates everything after Windows 10 build 19041 supports it.

  To the best of my knowledge, only the early EAP-TLS 1.3 tests were done via 
the "insider program".  But that work is now also generally available.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Michael Richardson]

Heikki Vatiainen  wrote:
> Test with Windows 11 and eapol_test - EAP-TLS followed by EAP-MSCHAPv2

Are you saying that Windows 11 also has implemented (accessible via "insider
program" only)?

Bernard could you confirm?


--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide






signature.asc
Description: PGP signature
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 25, 2023, at 2:10 PM, Heikki Vatiainen  wrote:
> When the outer TLS-based EAP is processed by a different EAP server than the 
> inner EAP-TLS, then the why inner EAP-TLS resumption shouldn't be simply a 
> matter of the EAP peer and the inner EAP server? In this case the outer EAP 
> server wouldn't even know if the inner EAP-TLS does resumption or not, when 
> the inner EAP is proxied through to a next hop server.

  I would say that's fine, and put it under the label of "handing off the inner 
method to someone else".  If the EAP server hands off the inner method to 
another system, then the other system does whatever it wants.

  My concern is "inventive" interpretations of the specs.  I can't think of a 
reasonable use-case where the same server would disallow outer TLS resumption, 
but use inner TLS resumption.  So instead of making the world more complicated, 
we can just ban unreasonable things.

> I'm not saying this can't be made simpler by banning inner TLS resumption. 
> I'm just wondering why this is an issue. It could even complicate 
> implementations when an EAP method in some cases is allowed to do TLS 
> resumption and in some other cases it's forbidden. A simpler way to do this 
> is a reminder that EAP servers can turn off resumption in the part of the 
> configuration that processes inner EAP-TLS.

  If resumption is enabled for the outer TLS session, then the inner methods 
are bypassed completely.  But it's likely worth noting that the if outer 
resumption is allowed, the inner methods should have resumption disabled.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alexander Clouter]

On Fri, 25 Aug 2023, at 19:10, Heikki Vatiainen wrote:
> When the outer TLS-based EAP is processed by a different EAP server than the 
> inner EAP-TLS, then the why inner EAP-TLS resumption shouldn't be simply a 
> matter of the EAP peer and the inner EAP server? In this case the outer EAP 
> server wouldn't even know if the inner EAP-TLS does resumption or not, when 
> the inner EAP is proxied through to a next hop server.
> 
> I'm not saying this can't be made simpler by banning inner TLS resumption. 
> I'm just wondering why this is an issue.

For me, not a technical point, just I perceive it as undermining for me the 
purpose of resumption.

"obliteration of every round trip possible"

Of course I may be in the minority here :)

Allowing inner methods to resume forces you to always resolve the inner 
methods; in lieu of some OOB method to communicate otherwise.

I like to try to line up my ducks so I can use resumption for authorization, 
not just authentication. Yes, I know, dragons lurk there, but I'm cleverer than 
those dragons...definitelyI'm confident in itreallyI am!

Maybe my cavalier tendencies should be ignored though.

> It could even complicate implementations when an EAP method in some cases is 
> allowed to do TLS resumption and in some other cases it's forbidden. A 
> simpler way to do this is a reminder that EAP servers can turn off resumption 
> in the part of the configuration that processes inner EAP-TLS.

I think things actually become *less* complicated when you allow inner 
resumption as now the outer resumption is guaranteed to be decoupled from any 
policies around authorization.

The cost of implementing any form of outer resumption is in the caveats around 
bubbling up invalidations (eg. password changed, account disabled, ...) and 
using account expiry as an upper limit for the validity of the resumption 
keying material.

Here lie all the pains of maintaining a cache. The caching part is easy, 
everyone gets bitten by the invalidation plumbing, even when they know where 
the bodies are buried.

Cheers
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Heikki Vatiainen]

On Sun, 20 Aug 2023 at 15:58, Alan DeKok  wrote:

> On Aug 20, 2023, at 5:15 AM, Alexander Clouter 
> wrote:
> >
> > On Fri, 18 Aug 2023, at 01:01, Michael Richardson wrote:
> >> I'm not sure it's sane to use EAP-TLS for Inner method myself.
> >
> > If you mean in the general sense, I can imagine placing the user
> credential on a hardware key whilst the machine credential is either a
> regular software keychain or even more exotic and tied to the TPM.
>
>   Or both user and machine do EAP-TLS.  Only one certificate can be sent
> over TLS in Phase 1.  The other has to be sent in EAP-TLS in Phase 2.
>
>   But I do agree... TLS inside of TLS just seems bad.
>

I thought the justification for inner EAP-TLS with different tunnelling EAP
methods, such as PEAP, is hiding the end user's identity. With TLS 1.3 this
is no longer a problem, but with TLS 1.2 client certificate is not
encrypted.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Heikki Vatiainen]

On Sun, 20 Aug 2023 at 12:09, Alexander Clouter 
wrote:

> On Thu, 17 Aug 2023, at 23:33, Alan DeKok wrote:
> >> If I did run EAP-TLS as an Inner method (whether once or twice), could
> I use resumption?
> >
> >   Uh... why didn't anyone mention this before?  TEAP is a near-endless
> > source of surprises and corner cases.
>
> In fairness I think you could have the same problem with TTLS, PEAP and
> FAST too.
>
> TTLS I suppose can be read as this should not be allowed in RFC5281
> section 7.5. MS-PEAP is mentions resumption of Phase 1, but inner methods
> look to just be handwaved to inner TLV methods so I suppose "anything goes".
>
> Shame it missed the boat, would have been nice to slip this into RFC9427
> section 4 which currently does not deny it.
>

When the outer TLS-based EAP is processed by a different EAP server than
the inner EAP-TLS, then the why inner EAP-TLS resumption shouldn't be
simply a matter of the EAP peer and the inner EAP server? In this case the
outer EAP server wouldn't even know if the inner EAP-TLS does resumption or
not, when the inner EAP is proxied through to a next hop server.

I'm not saying this can't be made simpler by banning inner TLS resumption.
I'm just wondering why this is an issue. It could even complicate
implementations when an EAP method in some cases is allowed to do TLS
resumption and in some other cases it's forbidden. A simpler way to do this
is a reminder that EAP servers can turn off resumption in the part of the
configuration that processes inner EAP-TLS.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Heikki Vatiainen]

On Thu, 17 Aug 2023 at 22:11, Michael Richardson 
wrote:

>
>  wrote:
> > Alan has issued -11 of draft-ietf-emu-rfc7170bis. He
> > believes it covers all of the outstanding issues that needed to be
> > resolved.  We held up the WGLC until we could have our session at
> IETF
> > 117. With post-117 changes incorporated, now's seems like the time
> for
> > the WGLC to go forward. Please post your comments to the mailing list
> > by August 28th. Even a "good to go" is genuinely helpful input.
>
> If you have, or plan to implement, the document shepherd would like to
> know.
>

We have implemented server side TEAP and tested it with the following inner
methods:

Test with Windows 11 and eapol_test
- EAP-TLS followed by EAP-MSCHAPv2
- EAP-MSCHAPv2 followed by EAP-TLS
- EAP-TLS
- EAP-MSCHAPv2

Tested only with eapol_test:
- PAP
- no inner authentication; the case where TEAP looks like EAP-TLS

The implementation should be up-to-date against draft version -13. Tests
were done over TLS 1.2 and with the same server configuration for Windows
and eapol_test.

Windows 11 is insider program version and eapol_test (wpa_supplicant) is
directly from git for EAP-FAST-MSCHAPv2 and other updates that were added
since the latest wpa_supplicant release 2.10.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Heikki Vatiainen]

On Sat, 19 Aug 2023 at 00:26, Michael Richardson  wrote:

> Heikki Vatiainen  wrote:

> > Should it be noted that this provisioning method is only available with
> > TLS 1.2 and earlier because the method requires anonymous ciphersuites?
> > It confirms to the reader that this is the intended case.
>
> If we are talking about an RFC8995 (BRSKI) mechanism then:
>
> a) It requires that the Peer defer validation of the Server's certificate
>until later on when another signed artifact is received (RFC8366 voucher).
> b) The server still validates the Peers' client (IDevID) certificate.
>
> We don't need or want anonymous ciphersuites here.

I had the impression that Server Unauthenticated provisioning requires
anonymous ciphersuites. I now see that this is incorrect. TLS 1.2 RFC
has the following text:

   [near the list of anonymous ciphersuites]
   https://www.rfc-editor.org/rfc/rfc5246#appendix-A.5
   Note that using non-anonymous key exchange without actually verifying
   the key exchange is essentially equivalent to anonymous key exchange,
   and the same precautions apply.

A closer look at the current draft shows that the first paragraph in
"Server Unauthenticated Provisioning Mode" section already includes
text that kind of matches what the RFC 5246 quote above says:
https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-12.html#section-3.10.3

   This includes both cases in which the ciphersuite negotiated
   does not provide authentication and in which the ciphersuite
   negotiated provides the authentication but the peer is unable
   to validate the identity of the server for some reason.

RFC 5422 "Dynamic Provisioning Using EAP-FAST" requires an anonymous
ciphersuite for Server-Unauthenticated Provisioning Mode. This is the
reason I thought the same requirement applies for TEAP's Server
Unauthenticated provisioning mode too.
https://www.rfc-editor.org/rfc/rfc5422.html#section-2

To summarise how I understand this now: In order to choose Server
Unauthenticated Provisioning Mode, all TLS versions can skip server
certificate validation. In addition to this option, TLS 1.2 and
earlier can also make the mode selection clear by using an anonymous
ciphersuite.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Vadim Cargatser (vcargats)]

>>
>> https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-12.html#section-3.5.4
>>
>> Implementations MUST NOT permit resumption for the inner EAP methods
>> such as EAP-TLS.  If the user or machine needs to be authenticated,
>> it should use a full authentication method.  If the user or machine
>> needs to do resumption, it can perform a full authentication once,
>> and then rely on the outer TLS session for resumption.
>>
>>• Are we talking about TLS-based inner methods resumptions only?

> For now, yes.

>> That is not the only case. We can ‘save’ the result of MS-CHAP 
>> authentication for example and then skip the full authentication next time.

  I'm not clear how.  The peer creates a challenge which is unique to each 
authentication session.  Since that can't be cached, I don't see how any 
"resumption" here can skip the full authentication.

>> Although the term ‘resumption’ might not be 100% correct here I’d like to 
>> understand what we are talking about in the RFC.
>>• I think the paragraph is slightly contradictory. The first sentence 
>> says ‘MUST NOT’ and the last sentence concludes with .

>  The paragraph tries to say:

>* inner resumption is disallowed

>* just use resumption in the outer TLS tunnel

I have read again resumption section. What I was trying to achieve and asking 
for is already mentioned in Section 3.4:
If the server agrees to resume the session, Phase 2 is bypassed
entirely.

That is actually it.
Sorry for the confusion.
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 20, 2023, at 11:01 AM, Vadim Cargatser (vcargats)  
wrote:
> 
> https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-12.html#section-3.5.4
>  
> Implementations MUST NOT permit resumption for the inner EAP methods
> such as EAP-TLS.  If the user or machine needs to be authenticated,
> it should use a full authentication method.  If the user or machine
> needs to do resumption, it can perform a full authentication once,
> and then rely on the outer TLS session for resumption.
>  
>   • Are we talking about TLS-based inner methods resumptions only?

  For now, yes.

> That is not the only case. We can ‘save’ the result of MS-CHAP authentication 
> for example and then skip the full authentication next time.

  I'm not clear how.  The peer creates a challenge which is unique to each 
authentication session.  Since that can't be cached, I don't see how any 
"resumption" here can skip the full authentication.

> Although the term ‘resumption’ might not be 100% correct here I’d like to 
> understand what we are talking about in the RFC. 
>   • I think the paragraph is slightly contradictory. The first sentence 
> says ‘MUST NOT’ and the last sentence concludes with .

  The paragraph tries to say:

* inner resumption is disallowed

* just use resumption in the outer TLS tunnel

> To the best of my knowledge inner method resumption is really desirable and 
> widely used. Especially if are discussing all inner methods, not just 
> TLS-based only.

  Where is inner resumption widely used?  I don't recall seeing it.  If I had 
seen it, I would probably have raised this issue earlier, and put text into RFC 
9427 to forbid it.

> The idea of allowing resumption through the outer TEAP tunnel is also great. 
> It is simple.
>  
> The obvious caveat here is that will not be achievable in TLS 1.2 (if tickets 
> are used) since we cannot easily bind the ticket and the result of the inner 
> authentication. But we could sacrifice that for the over whole simplicity… 
> Moreover, I guess it is reasonable to assume most TEAP implementations will 
> have TLS 1.3 in the stack anyway.

  We don't need to bind the ticket to the result of the inner authentication.  
The server simply refuses to allow tickets to be used until the inner 
authentication has completed.  This issue has been known for a while.  RFC9190 
has text on it, for example.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Vadim Cargatser (vcargats)]

https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-12.html#section-3.5.4

Implementations MUST NOT permit resumption for the inner EAP methods
such as EAP-TLS.  If the user or machine needs to be authenticated,
it should use a full authentication method.  If the user or machine
needs to do resumption, it can perform a full authentication once,
and then rely on the outer TLS session for resumption.



  1.  Are we talking about TLS-based inner methods resumptions only? That is 
not the only case. We can ‘save’ the result of MS-CHAP authentication for 
example and then skip the full authentication next time. Although the term 
‘resumption’ might not be 100% correct here I’d like to understand what we are 
talking about in the RFC.
  2.  I think the paragraph is slightly contradictory. The first sentence says 
‘MUST NOT’ and the last sentence concludes with .





To the best of my knowledge inner method resumption is really desirable and 
widely used. Especially if are discussing all inner methods, not just TLS-based 
only.



The idea of allowing resumption through the outer TEAP tunnel is also great. It 
is simple.



The obvious caveat here is that will not be achievable in TLS 1.2 (if tickets 
are used) since we cannot easily bind the ticket and the result of the inner 
authentication. But we could sacrifice that for the over whole simplicity… 
Moreover, I guess it is reasonable to assume most TEAP implementations will 
have TLS 1.3 in the stack anyway.



Vadim



___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 20, 2023, at 5:15 AM, Alexander Clouter  wrote:
> 
> On Fri, 18 Aug 2023, at 01:01, Michael Richardson wrote:
>> I'm not sure it's sane to use EAP-TLS for Inner method myself.
> 
> If you mean in the general sense, I can imagine placing the user credential 
> on a hardware key whilst the machine credential is either a regular software 
> keychain or even more exotic and tied to the TPM.

  Or both user and machine do EAP-TLS.  Only one certificate can be sent over 
TLS in Phase 1.  The other has to be sent in EAP-TLS in Phase 2.

  But I do agree... TLS inside of TLS just seems bad.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 20, 2023, at 5:09 AM, Alexander Clouter  wrote:
> 
> On Thu, 17 Aug 2023, at 23:33, Alan DeKok wrote:
>>> If I did run EAP-TLS as an Inner method (whether once or twice), could I 
>>> use resumption?
>> 
>>  Uh... why didn't anyone mention this before?  TEAP is a near-endless 
>> source of surprises and corner cases.
> 
> In fairness I think you could have the same problem with TTLS, PEAP and FAST 
> too.
> 
> TTLS I suppose can be read as this should not be allowed in RFC5281 section 
> 7.5. MS-PEAP is mentions resumption of Phase 1, but inner methods look to 
> just be handwaved to inner TLV methods so I suppose "anything goes".
> 
> Shame it missed the boat, would have been nice to slip this into RFC9427 
> section 4 which currently does not deny it.

  Yes.  Unfortunately it's too late for that, so I'll make a note of it here.  
Hopefully implementors will apply the TEAP text to other TLS-based EAP versions.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alexander Clouter]

On Fri, 18 Aug 2023, at 01:01, Michael Richardson wrote:
> I'm not sure it's sane to use EAP-TLS for Inner method myself.

If you mean in the general sense, I can imagine placing the user credential on 
a hardware key whilst the machine credential is either a regular software 
keychain or even more exotic and tied to the TPM.

Policy could then be around machine credential dictating if the device is even 
allowed to connect and how (link allowed) whilst the actual type of access 
granted (routes, firewalling, ...) is determined by the user credential.

Cheers

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alexander Clouter]

On Thu, 17 Aug 2023, at 23:33, Alan DeKok wrote:
>> If I did run EAP-TLS as an Inner method (whether once or twice), could I use 
>> resumption?
>
>   Uh... why didn't anyone mention this before?  TEAP is a near-endless 
> source of surprises and corner cases.

In fairness I think you could have the same problem with TTLS, PEAP and FAST 
too.

TTLS I suppose can be read as this should not be allowed in RFC5281 section 
7.5. MS-PEAP is mentions resumption of Phase 1, but inner methods look to just 
be handwaved to inner TLV methods so I suppose "anything goes".

Shame it missed the boat, would have been nice to slip this into RFC9427 
section 4 which currently does not deny it.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Eliot Lear]

https://datatracker.ietf.org/doc/draft-ietf-emu-bootstrapped-tls/

On 19.08.23 21:12, Michael Richardson wrote:

Eliot Lear  wrote:
 >> We don't need or want anonymous ciphersuites here.

 > We should keep the TLS-POK work in mind.

I didn't find an obvious draft about that in the TLS WG.


--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide






OpenPGP_0x87B66B46D9D27A33.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Michael Richardson]

Eliot Lear  wrote:
>> We don't need or want anonymous ciphersuites here.

> We should keep the TLS-POK work in mind.

I didn't find an obvious draft about that in the TLS WG.


--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide






signature.asc
Description: PGP signature
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Eliot Lear]

On 18 Aug 2023, at 23:26, Michael Richardson  wrote:
> 
> If we are talking about an RFC8995 (BRSKI) mechanism then:
> 
> a) It requires that the Peer defer validation of the Server's certificate
>   until later on when another signed artifact is received (RFC8366 voucher).
> b) The server still validates the Peers' client (IDevID) certificate.
> 
> We don't need or want anonymous ciphersuites here.

We should keep the TLS-POK work in mind. 

Eliot
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Michael Richardson]

Heikki Vatiainen  wrote:
>> On Aug 17, 2023, at 5:02 PM, Michael Richardson
>>  wrote:

>> > section 3.9.: what is "server unauthenticated provisioning" >
>> (sounds like TEAP-BRSKI?)
>>
>> Yes.

> Should it be noted that this provisioning method is only available with
> TLS 1.2 and earlier because the method requires anonymous ciphersuites?
> It confirms to the reader that this is the intended case.

If we are talking about an RFC8995 (BRSKI) mechanism then:

a) It requires that the Peer defer validation of the Server's certificate
   until later on when another signed artifact is received (RFC8366 voucher).
b) The server still validates the Peers' client (IDevID) certificate.

We don't need or want anonymous ciphersuites here.




--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide






signature.asc
Description: PGP signature
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 18, 2023, at 1:29 PM, Heikki Vatiainen  wrote:
> Good find, looks good. Small fix, though. It's section C.5, not C.2.

  Fixed, thanks.

  Alan DeKok.


___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Heikki Vatiainen]

On Fri, 18 Aug 2023 at 19:57, Alan DeKok  wrote:

> On Aug 18, 2023, at 12:47 PM, Heikki Vatiainen 
> wrote:
> > Should it be noted that this provisioning method is only available
> > with TLS 1.2 and earlier because the method requires anonymous
> > ciphersuites? It confirms to the reader that this is the intended
> > case.
>
>   How about this:
>
> Note that server unauthenticated provisioning can only use anonymous
> cipher suites in TLS 1.2 and earlier.  These cipher suites have been
> deprecated in TLS 1.3 ({{RFC8446}} Section C.2).  For TLS 1.3, the
> server MUST provide a certificate, and the peer performs server
> unauthenticated provisioning by not validating the certificate chain
> or any of its contents.
>
>
>  The last sentence is suggested by the RFC8446 Section C.2
>

Good find, looks good. Small fix, though. It's section C.5, not C.2.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 18, 2023, at 12:47 PM, Heikki Vatiainen  
wrote:
> Should it be noted that this provisioning method is only available
> with TLS 1.2 and earlier because the method requires anonymous
> ciphersuites? It confirms to the reader that this is the intended
> case.

  How about this:

Note that server unauthenticated provisioning can only use anonymous
cipher suites in TLS 1.2 and earlier.  These cipher suites have been
deprecated in TLS 1.3 ({{RFC8446}} Section C.2).  For TLS 1.3, the
server MUST provide a certificate, and the peer performs server
unauthenticated provisioning by not validating the certificate chain
or any of its contents.


 The last sentence is suggested by the RFC8446 Section C.2

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Heikki Vatiainen]

On Fri, 18 Aug 2023 at 01:34, Alan DeKok  wrote:
>
> On Aug 17, 2023, at 5:02 PM, Michael Richardson  wrote:

> > section 3.9.: what is "server unauthenticated provisioning"
> > (sounds like TEAP-BRSKI?)
>
>   Yes.

Should it be noted that this provisioning method is only available
with TLS 1.2 and earlier because the method requires anonymous
ciphersuites? It confirms to the reader that this is the intended
case.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 17, 2023, at 8:01 PM, Michael Richardson  wrote:
> Alan DeKok  wrote:
>>> section 2; paragraph 2, uses SHOULD several times without obvious
>>> exceptions.  Could be it is MUST?
> 
>>  I don't think we can mandate that the outer EAP identity is an NAI.
> 
> okay, then the exception for the SHOULD needs text.

  Sure.

>>  NULL ciphers suites.  IIRC this is based on a comment from Bernard
>> which pointed this out.
> 
> I think people need to be beat on the head here.

 OK, I'm happy to do that.  

>> All TEAP implementations SHOULD support resumption.  Using resumption
>> can significanly improve the scalability and stability of
>> authentication systems.
> 
> Again, if it's a SHOULD, then there is an exception :-)

  I'll add notes on "your network will catch on fire".

> So, if you consider the case where engineer argues with CTO as to why they
> need to spend the time, and the CTO is clueless, then it being
> blindingly obvious doesn't matter.  If the network will catch fire and die,
> then really, it's a MUST.

  Given I think all implementations will support resumption, I'm happy to make 
it a MUST.

> I'm not sure it's sane to use EAP-TLS for Inner method myself.

  I have similar doubts, but it's implemented in supplicants, so we can't 
really ban it.

  Given various other issues raised here, I'll add a new section "Limitations 
on inner EAP methods".

* don't use TTLS, PEAP, or FAST

* don't use EAP-GTC

* for TLS 1.3, use a client certificate outside of the tunnel in preference to 
EAP-TLS

> I wondered why the method exists, when EAP-PWD seems architecturally simpler.

  Passwords are stored "crypted' in the user DB.  Historically this meant using 
PAP based methods for authentication.  In contrast, MS-CHAP is incompatible 
with crypt'd password stores.

  RFC 8146 permits EAP-PWD to be used with crypted passwords, which seems 
better.

  However, the main reason to allow passwords is for OTP and TOTP based 
methods.   I'll add some text.

>>> section 3.5: I wonder if additional references to RFC6125 and the
>>> UTA-bis version of that might be more clear.  I think that this
>>> section is going to get beat on by security review.  I also suggest
>>> that rather than saying how it is to be matched, I suggest the section
>>> be more prescriptive in how certificates are expected to be formed.
>>> (I recognize that this text has not changed since 7170)
> 
>>  Do you have suggested text?  I'm wary of poking at things in this
>> area.
> 
> I think that you can poke at it now, or during IESG DISCUSS :-)
> I can suggest something, but not today. If you open a github and assign it to
> me, I will remember.

  Done.

https://github.com/emu-wg/rfc7170bis/issues/24

> [ restart ]
>
> I'm trying to understand a situation grave enough to cause a failure, yet not
> grave enough that the end points could essentially try again. (vs restarting
> from scratch, or failing over to another server)

  Exactly.  Suggestions are welcome.

>>> Also, I wonder if the word "peer" above means "Peer", or just either
>>> end.  To that end, I found "Peer" very confusing at times.
> 
>>  It means "TEAP peer", to match the earlier "TEAP server"
> 
> Okay, could it always be "Peer", and never "peer" then?

  I'll just make it explicitly "TEAP peer" to match the use of "TEAP server".

> Sure, but the question is: is it better to have 5 1K things, or
> 1 5K thing?   Assuming that the TEAP level TLVs can be broken up that way.

  The TEAP TLVs can be broken up into multiple TLS fragments.  However, the TLS 
layer ensures that their all of the data is presented to the TEAP application, 
or none of it is.

  i.e. the application should not have to do defragmentation itself.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Eliot Lear]

On 18.08.23 15:31, Alan DeKok wrote:

   I don't see why we would want to_allow_  inner method resumption.  What 
benefit does it bring over just using resumption on the outer TLS session?


+1.  What's the use case?

Eliot

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 18, 2023, at 5:46 AM, Vadim Cargatser (vcargats)  
wrote:
> In TLS 1.2: the ticket is part of the handshake, so we cannot bind that with 
> the successful inner authentication, correct?

  Yes.  However, RFC 9190 goes into detail about "don't send tickets until 
after authentication has completed".  Or "don't allow tickets to be used until 
after authentication has been completed".

  These are issues common to all TLS-based EAP types.  I'm not sure we need to 
call them out here.

> In TLS 1.3: that should be possible to issue a ticket after the handshake, so 
> are we ok with such approach to perform inner methods resumption?

  I don't see why we would want to _allow_ inner method resumption.  What 
benefit does it bring over just using resumption on the outer TLS session?

> Is it worth explaining more on that in the document?

  I'll update it to ban inner method resumption.  I think that's the best 
approach.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Vadim Cargatser (vcargats)]

Regarding resumptions:

   >>> If I did run EAP-TLS as an Inner method (whether once or twice), could
   >>> I use resumption?

>>   Uh... why didn't anyone mention this before?  TEAP is a near-endless
>> source of surprises and corner cases.

> I'm not sure it's sane to use EAP-TLS for Inner method myself.

>>   My $0.02 is to disallow inner resumption.  It makes zero sense.  If
>> you want faster authentication, resume the outer session.  How about
>> after the added paragraph quoted above:



>> In contrast, TEAP implementations SHOULD NOT perform resumption for
>> inner methods.  If the user or machine needs to be authenticated, it
>> should use a full authentication method.  If the user or machine needs
>> to do resumption, it can perform a full authentication once, and then
>> rely on the outer TLS session for resumption.

> That sounds fine to me.


Since PAC is not used anymore:

In TLS 1.2: the ticket is part of the handshake, so we cannot bind that with 
the successful inner authentication, correct?
In TLS 1.3: that should be possible to issue a ticket after the handshake, so 
are we ok with such approach to perform inner methods resumption?

Is it worth explaining more on that in the document?
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Michael Richardson]

Alan DeKok  wrote:
>> section 2; paragraph 2, uses SHOULD several times without obvious
>> exceptions.  Could be it is MUST?

>   I don't think we can mandate that the outer EAP identity is an NAI.

okay, then the exception for the SHOULD needs text.

>> Figure 2: should TLV Encapsulation be narrower than TLS, so show that
>> it fits into TLS? Ditto Inner EAP Method fits into TLV.

>   Sure, but then the text doesn't fit into the fields any more.  And
> making the box wider will overflow the line width.  So I think it's not
> terrible, and OK as is.

Agreed, it's not terrible.

>>> be used in the case when the inner method provides mutual
>>> authentication, key generation, and resistance to man-in-the-middle
>>> and dictionary attacks.  TLS ciphersuites that do not provide
>>
>> can you give an example of an inner method that does not do this?

>   NULL ciphers suites.  IIRC this is based on a comment from Bernard
> which pointed this out.

I think people need to be beat on the head here.

>> Section 3.3: it might be useful to reviewers not steeped in EAP and
>> roaming to understand how often *TLS* resumption is used in practice
>> (maybe eduroam have some server stats they could share?), and how it
>> is important when roaming from AP to AP.  (I understand that *TEAP* is
>> not well used in eduroam yet, but EAP-TLS is)

>   How about this:

> All TEAP implementations SHOULD support resumption.  Using resumption
> can significanly improve the scalability and stability of
> authentication systems.

Again, if it's a SHOULD, then there is an exception :-)

>   RFC9190 says systems SHOULD implement resumption, so we probably
> can't make it a MUST here.

You can always turn SHOULD into MUST.  If it's just Quality of implementation
issue, those people ignore MUSTs anyway.

>  I also don't know if it's worth getting into details as to why
> resumption is useful.  It's either blindingly obvious as to why, or
> your network catches fire and dies.

So, if you consider the case where engineer argues with CTO as to why they
need to spend the time, and the CTO is clueless, then it being
blindingly obvious doesn't matter.  If the network will catch fire and die,
then really, it's a MUST.

>> If I did run EAP-TLS as an Inner method (whether once or twice), could
>> I use resumption?

>   Uh... why didn't anyone mention this before?  TEAP is a near-endless
> source of surprises and corner cases.

I'm not sure it's sane to use EAP-TLS for Inner method myself.

>   My $0.02 is to disallow inner resumption.  It makes zero sense.  If
> you want faster authentication, resume the outer session.  How about
> after the added paragraph quoted above:



> In contrast, TEAP implementations SHOULD NOT perform resumption for
> inner methods.  If the user or machine needs to be authenticated, it
> should use a full authentication method.  If the user or machine needs
> to do resumption, it can perform a full authentication once, and then
> rely on the outer TLS session for resumption.

That sounds fine to me.

>> It might be worth saying that 3.4.2 is a TEAP-TLV thing, and not
>> EAP-PWD.

>   I'm not sure why.  EAP-PWD is substantially different, and does a
> crypto exchange.  The TEAP password authentication just sends a bare
> password inside of the TLS tunnel.

Well, it took me a bit to understand.
I wondered why the method exists, when EAP-PWD seems architecturally simpler.

>> section 3.5: I wonder if additional references to RFC6125 and the
>> UTA-bis version of that might be more clear.  I think that this
>> section is going to get beat on by security review.  I also suggest
>> that rather than saying how it is to be matched, I suggest the section
>> be more prescriptive in how certificates are expected to be formed.
>> (I recognize that this text has not changed since 7170)

>   Do you have suggested text?  I'm wary of poking at things in this
> area.

I think that you can poke at it now, or during IESG DISCUSS :-)
I can suggest something, but not today. If you open a github and assign it to
me, I will remember.

>> section 3.6: tls-unique is replaced by TLS Exporter in TLS 1.3.  I
>> think that there is missing TLS 1.3 text here.

>   That text is in RFC9427.  Maybe "For TLS 1.2 and earlier, do this.
> For TLS 1.3, see RFC 9427"

Yes.

>> section 3.7.2:
>>> The EAP-Response packet sent by the peer may encapsulate a TLS
>>> ClientHello handshake message, in which case the TEAP server MAY
>>> allow the TEAP conversation to be restarted, or it MAY contain a TEAP
>>> response with a zero-length message, in which case the server MUST
>>> terminate the conversation with an EAP Failure
>>
>> What are some situations where a peer would expect to do a restart?
>> 

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Alan DeKok]

On Aug 17, 2023, at 5:02 PM, Michael Richardson  wrote:
> Some people might find this URL useful:
> https://author-tools.ietf.org/diff?doc_1=RFC7170_2=draft-ietf-emu-rfc7170bis%2F

  The diff is surprisingly good.

> Reading the document from top-to-bottom for the first time in awhile (to do
> the Shepherd write-up), paragraph two of the Introduction, where EAP-FAST is
> mentioned seems to be aged.  It's from 7170, but given that this is 7170bis, 
> I wonder if the
> history is entirely accurate, or really still timely.

  It's worth removing the text saying "EAP-FAST is widely used", and just 
saying "TEAP is based on EAP-FAST with change"

> section 2; paragraph 2, uses SHOULD several times without obvious exceptions.
> Could be it is MUST?

  I don't think we can mandate that the outer EAP identity is an NAI.

  There is also a discussion of why we can't make the EAP Identity a "MUST NAI" 
in RFC 7542 Section 2.6: 
https://datatracker.ietf.org/doc/html/rfc7542#section-2.6

> }   Upon successful execution of TEAP, the EAP peer and
> }   EAP server both derive strong session key material that can then be
> }   communicated to the network access server (NAS) for use in
> }   establishing a link-layer security association.
> 
> I feel like a reference is in order (but 7170 didn't have one).

  This is the MSK as defined in RFC 3748.  I'll add a reference.

> Figure 2: should TLV Encapsulation be narrower than TLS, so show that it fits
> into TLS? Ditto Inner EAP Method fits into TLV.

  Sure, but then the text doesn't fit into the fields any more.  And making the 
box wider will overflow the line width.  So I think it's not terrible, and OK 
as is.

>>  The TEAP version is not protected by TLS and hence can be modified in
>>  transit.  In order to detect a modification of the TEAP version, the
> 
> I suggest:
> 
>>  The TEAP version is not protected by TLS and hence can be modified in
>>  transit.  In order to detect a bid-down attack, where the TEAP version is 
>> modified, the
> 
> (similar things are done in IKEv2, as well as in TLS; I don't know if a
> reference is worthwhile here)

  I'll change it.  It's probably not worth adding a reference.

>>  be used in the case when the inner method provides mutual
>>  authentication, key generation, and resistance to man-in-the-middle
>>  and dictionary attacks.  TLS ciphersuites that do not provide
> 
> can you give an example of an inner method that does not do this?

  NULL ciphers suites.  IIRC this is based on a comment from Bernard which 
pointed this out.

> Section 3.3: it might be useful to reviewers not steeped in EAP and roaming
>to understand how often *TLS* resumption is used in practice (maybe 
> eduroam
>have some server stats they could share?), and how it is important
>when roaming from AP to AP.
>(I understand that *TEAP* is not well used in eduroam yet, but EAP-TLS 
> is)

  How about this:

All TEAP implementations SHOULD support resumption.  Using resumption
can significanly improve the scalability and stability of
authentication systems.

  RFC9190 says systems SHOULD implement resumption, so we probably can't make 
it a MUST here.

 I also don't know if it's worth getting into details as to why resumption is 
useful.  It's either blindingly obvious as to why, or your network catches fire 
and dies.

> If I did run EAP-TLS as an Inner method (whether once or twice), could I use 
> resumption?

  Uh... why didn't anyone mention this before?  TEAP is a near-endless source 
of surprises and corner cases.

  My $0.02 is to disallow inner resumption.  It makes zero sense.  If you want 
faster authentication, resume the outer session.  How about after the added 
paragraph quoted above:

In contrast, TEAP implementations SHOULD NOT perform resumption for
inner methods.  If the user or machine needs to be authenticated, it
should use a full authentication method.  If the user or machine needs
to do resumption, it can perform a full authentication once, and then
rely on the outer TLS session for resumption.


>>  If a particular authentication method succeeds, the server SHOULD NOT
>>  attempt a subsequent authentication method.  For example, if a user
> 
> this seems to contradict the first paragraph that says that multiple
> authentications are allowed.

  Yes.  It should be:

... subsequent authentication method for the same Identity-Type.

  i.e. don't do "user" authentication twice.  It's dumb.

  IIRC, this text was added based on a corner case Eliot brought up earlier on 
the list.

> It might be worth saying that 3.4.2 is a TEAP-TLV thing, and not EAP-PWD.

  I'm not sure why.  EAP-PWD is substantially different, and does a crypto 
exchange.  The TEAP password authentication just sends a bare password inside 
of the TLS tunnel.

> A most likely thing today for "Password" authentication is to use TOTP
> methods against a hardware token. (X9.9, SecureID, etc.)

  Sure.  I can add a reference to 6238.

> If I 

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Michael Richardson]

 wrote:
> Alan has issued -11 of draft-ietf-emu-rfc7170bis. He
> believes it covers all of the outstanding issues that needed to be
> resolved.  We held up the WGLC until we could have our session at IETF

Some people might find this URL useful:
https://author-tools.ietf.org/diff?doc_1=RFC7170_2=draft-ietf-emu-rfc7170bis%2F

Reading the document from top-to-bottom for the first time in awhile (to do
the Shepherd write-up), paragraph two of the Introduction, where EAP-FAST is
mentioned seems to be aged.  It's from 7170, but given that this is 7170bis, I 
wonder if the
history is entirely accurate, or really still timely.

section 2; paragraph 2, uses SHOULD several times without obvious exceptions.
Could be it is MUST?

}   Upon successful execution of TEAP, the EAP peer and
}   EAP server both derive strong session key material that can then be
}   communicated to the network access server (NAS) for use in
}   establishing a link-layer security association.

I feel like a reference is in order (but 7170 didn't have one).

Figure 2: should TLV Encapsulation be narrower than TLS, so show that it fits
into TLS? Ditto Inner EAP Method fits into TLV.

>   The TEAP version is not protected by TLS and hence can be modified in
>   transit.  In order to detect a modification of the TEAP version, the

I suggest:

>   The TEAP version is not protected by TLS and hence can be modified in
>   transit.  In order to detect a bid-down attack, where the TEAP version is 
> modified, the

(similar things are done in IKEv2, as well as in TLS; I don't know if a
reference is worthwhile here)

>   be used in the case when the inner method provides mutual
>   authentication, key generation, and resistance to man-in-the-middle
>   and dictionary attacks.  TLS ciphersuites that do not provide

can you give an example of an inner method that does not do this?
I assume EAP-PWD, but which others?

Section 3.3: it might be useful to reviewers not steeped in EAP and roaming
to understand how often *TLS* resumption is used in practice (maybe 
eduroam
have some server stats they could share?), and how it is important
when roaming from AP to AP.
(I understand that *TEAP* is not well used in eduroam yet, but EAP-TLS 
is)

If I did run EAP-TLS as an Inner method (whether once or twice), could I use 
resumption?

>   If a particular authentication method succeeds, the server SHOULD NOT
>   attempt a subsequent authentication method.  For example, if a user

this seems to contradict the first paragraph that says that multiple
authentications are allowed.

It might be worth saying that 3.4.2 is a TEAP-TLV thing, and not EAP-PWD.
A most likely thing today for "Password" authentication is to use TOTP
methods against a hardware token. (X9.9, SecureID, etc.)

If I read correctly, a Crypto-Binding TLV is expected after every successful
authentication method.  If multiple passes occur, I'm unclear what to do with
the multiple bindings.
I think that they ought to be incremental.
They can be checked each time though.

section 3.5: I wonder if additional references to RFC6125 and the UTA-bis 
version of that
might be more clear.  I think that this section is going to get beat on by
security review.  I also suggest that rather than saying how it is to be
matched,  I suggest the section be more prescriptive in how certificates are
expected to be formed.
(I recognize that this text has not changed since 7170)

section 3.6: tls-unique is replaced by TLS Exporter in TLS 1.3.  I think that
there is missing TLS 1.3 text here.

section 3.7.2:
>   The EAP-Response packet sent by the peer may
>   encapsulate a TLS ClientHello handshake message, in which case the
>   TEAP server MAY allow the TEAP conversation to be restarted, or it
>   MAY contain a TEAP response with a zero-length message, in which case
>   the server MUST terminate the conversation with an EAP Failure

What are some situations where a peer would expect to do a restart?
Some kind of temporary resource exhaustion or something?
ENORANDOMNUMBERSLEFTPLEASEWAITFORMORENEUTRINOS ??

Also, I wonder if the word "peer" above means "Peer", or just either end.
To that end, I found "Peer" very confusing at times.

section 3.7.3: maybe reorganize into point form.
It seems like a long if-then-else, and maybe a case-when format would be easier.
The edits since 7170 don't seem sufficient to clarify this section.

section 3.9.: what is "server unauthenticated provisioning"
(sounds like TEAP-BRSKI?)

>   TEAP peers MUST track whether or not server authentication has taken
>   place.  When the server cannot be authenticated, the peer MUST NOT
>   request any services from it.

so, if a TEAP (supplicant) peer can not validate the Server certificate, but
it can get a MSK/EMSK that matches, then it can request "services" from it.
(What are these services, if they aren't things that lead to an MSK? Ah,
subsequent sections.  Forward reference to 3.9.3 please)

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Eliot Lear]

I plan to implement.

On 17.08.23 21:11, Michael Richardson wrote:

 wrote:
 > Alan has issued -11 of draft-ietf-emu-rfc7170bis. He
 > believes it covers all of the outstanding issues that needed to be
 > resolved.  We held up the WGLC until we could have our session at IETF
 > 117. With post-117 changes incorporated, now's seems like the time for
 > the WGLC to go forward. Please post your comments to the mailing list
 > by August 28th. Even a "good to go" is genuinely helpful input.

If you have, or plan to implement, the document shepherd would like to know.

--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide





___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu


OpenPGP_0x87B66B46D9D27A33.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[Michael Richardson]

 wrote:
> Alan has issued -11 of draft-ietf-emu-rfc7170bis. He
> believes it covers all of the outstanding issues that needed to be
> resolved.  We held up the WGLC until we could have our session at IETF
> 117. With post-117 changes incorporated, now's seems like the time for
> the WGLC to go forward. Please post your comments to the mailing list
> by August 28th. Even a "good to go" is genuinely helpful input.

If you have, or plan to implement, the document shepherd would like to know.

--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide






signature.asc
Description: PGP signature
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

[Emu] WGLC on draft-ietf-emu-rfc7170bis-11

[peter]

Folks,

 

Alan has issued -11 of draft-ietf-emu-rfc7170bis. He
believes it covers all of the outstanding issues that needed to be resolved.
We held up the WGLC until we could have our session at IETF 117. With
post-117 changes incorporated, now's seems like the time for the WGLC to go
forward. Please post your comments to the mailing list by August 28th. Even
a "good to go" is genuinely helpful input.

 

Thanks.

 

Joe and Peter

 

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu