IETF working group for EAP Methods Update (EMU)

Sam Hartman | 13 Feb 2010 01:34

Picon

Proposed bar BOF on federated authentication for non-web applications at IETF 77


I've been working with JaNet(UK) on providing a federation solution for
client applications such as mail readers, filesystem clients,
XMPP clients and the like.  There are fairly good solutions such as Open
ID, Information Card and SAML for web applications.  Within an
enterprise, you have Kerberos.  

JaNet(UK) runs one of the world's largest SAML federations.  As their
customers are beginning to take advantage of federated access for web
applications they are also asking how they can gain the same flexibility
for client-server applications.  This customer demand appears to have
traction across the entire European academic community.  I suspect that
it may find traction within enterprises and other environments.

We'd like to have a bar BOF at IETF 77 in California with a goal of an
actual BOF this summer in Europe at IETF 78.  We invite you to join our
mailing list at
https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=moonshot-community  where
we can discuss timing.

We plan to discuss the general problem and a proposed solution at the
bar BOF.  I've already prepared a feasibility analysis for JaNet(UK)'s
solution; the analysis does discuss the problem some, gives an outline
of the solution and discusses technical issues and required standards
work in detail.  By IETF we'll have a use case paper, an internet draft
on the solution,and a slide set.

we look forward to your input.  You can find a bit more detail on my
blog at http://www.painless-security.com/blog/2010/02/12/moonshot1 
You can find the feasibility analysis at

(Continue reading)

Alan DeKok | 24 Feb 2010 10:30

Call for agenda items

  We have a 1 hour slot on Wednesday.  We currently have a few agenda
items, and want to ensure we don't miss any.

  Please send agenda requests to Joe && myself.

  Alan DeKok.

Joseph Salowey (jsalowey | 2 Mar 2010 06:52

Picon

Tunnel Method Requirements - mandatory attributes

Alan commented that section 4.3.3 dealing with mandatory attributes
should better define what is meant by mandatory attributes.  I agree
with this.  Alan provided some text which describes behavior that may be
too specific for a requirements document.  For example, I'm not sure it
is appropriate for a NAK to result in a failed authentication in all
cases. Alan's text is copied below.  Are folks happy with this text or
is there other specific text that should go in this document.  

" 4.3.3.  Mandatory and Optional Attributes

   The payload MUST support marking of mandatory and optional
   attributes, as well as a "NAK" attribute used to communicate
   disagreements about received attributes.

   Mandatory attributes are attributes that a receiver MUST process as
   per the specification.  Optional attributes are attributes that a
   receiver MAY ignore.

   A receiver MUST process mandatory attributes before optional ones.
   After an attribute has been processed, it SHOULD be marked as no
   longer being mandatory.  If a receiver does not process a mandatory
   attribute, it MUST ignore everything else in a request, and it MUST
   send a NAK attribute in response.  Similarly, if a receiver expects
   a mandatory attribute and does not receive one in a request, it MUST
   send a NAK attribute in the response that contains the set of
   attributes it expected to receive.

   A peer that either sends or receives a NAK attribute MUST treat
   the session as failing authentication.

(Continue reading)

Joseph Salowey (jsalowey | 2 Mar 2010 06:52

Picon

Tunnel method requirements: evaluation of protocol requirements

In his review Dan Harkins stated that he feels that section 4.1.2, Draw
from Existing Work, does not belong in the document since it is not a
technical requirement, but rather something that should be arrived at
through the working group process. This section does seem a little out
of place compared to the rest of the document.  

Since there has been no discussion on the list I am not sure where the
working group is on this issue.  Are people OK with removing section
4.1.2?  

Thanks,

Joe

Joseph Salowey (jsalowey | 2 Mar 2010 06:52

Picon

Re: review of draft-ietf-emu-eaptunnel-req-04

Thanks Dan,

I haven't seen any responses on the list yet so I provided some inline
below. 

> -----Original Message-----
> From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of
Dan
> Harkins
> Sent: Monday, November 30, 2009 12:57 PM
> To: emu <at> ietf.org
> Subject: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> 
> 
>   Hello,
> 
>   I made some of these comments at the mic in Hiroshima but was
> asked to submit them to the list.
> 
>   - I get the feeling that this document is being written to
>     ensure some end-game and not simply as a protocol requirements
>     document.
> 
>     I mentioned that it would be nice if the tunneled method
>     described a way to establish an EAP-TLS -style connection,
>     either anonymous or server-side-auth-only, and then allow
>     for subsequent authentication using another EAP method (or
>     using specific TLVs for some password authentication) or
>     EAP methods chained together by the tunnel. Pasi said that
>     is the intention but it sure doesn't seem that way.

(Continue reading)

Hoeper Katrin-QWKN37 | 2 Mar 2010 15:38

Re: Tunnel Method Requirements - mandatory attributes

I am happy with Alan's proposed text except for the paragraph:

"A peer that either sends or receives a NAK attribute MUST treat the
session as failing authentication."

I suggest deleting this sentence and adopt the rest of the text.

Best regards,
Katrin

> -----Original Message-----
> From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of
> Joseph Salowey (jsalowey)
> Sent: Monday, March 01, 2010 11:53 PM
> To: emu <at> ietf.org
> Subject: [Emu] Tunnel Method Requirements - mandatory attributes
> 
> Alan commented that section 4.3.3 dealing with mandatory attributes
> should better define what is meant by mandatory attributes.  I agree
> with this.  Alan provided some text which describes behavior that may
be
> too specific for a requirements document.  For example, I'm not sure
it
> is appropriate for a NAK to result in a failed authentication in all
> cases. Alan's text is copied below.  Are folks happy with this text or
> is there other specific text that should go in this document.
> 
> " 4.3.3.  Mandatory and Optional Attributes
> 
>    The payload MUST support marking of mandatory and optional

(Continue reading)

Hoeper Katrin-QWKN37 | 2 Mar 2010 15:52

Re: Tunnel method requirements: evaluation of protocolrequirements

For folks not that familiar with the draft, Section 4.1.2 does not
describe existing work but rather recommends given preference to an
existing tunnel method meeting the requirements over a new method.

I personally agree with that statement but am not sure whether we need
to have this statement in the draft or if a group consensus on this is
sufficient. In general, it seems to be better to have some "proof" of a
group consensus for future discussions, e.g., when some people have
forgotten all about it ;) 

Section 4.1.2:
"Several existing tunnel methods are already in widespread usage:
EAP-FAST [RFC4851], EAP-TTLS [RFC5281], and PEAP.  Considerable
experience has been gained from various deployments with these methods.
This experience SHOULD be considered when evaluating tunnel methods.  If
one of these existing tunnel methods can meet the requirements contained
in this specification then that method SHOULD be preferred over a new
method.

Even if minor modifications or extensions to an existing tunnel method
are needed, this method SHOULD be preferred over a completely new method
so that the advantage of accumulated deployment experience and security
analysis can be gained."

Katrin
> -----Original Message-----
> From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of
> Joseph Salowey (jsalowey)
> Sent: Monday, March 01, 2010 11:53 PM
> To: emu <at> ietf.org

(Continue reading)

Hoeper Katrin-QWKN37 | 2 Mar 2010 16:03

Re: review of draft-ietf-emu-eaptunnel-req-04

Dan,

The current text allows server-side only authentication for the tunnel,
i.e. the peer can remain anonymous during that phase and only transmit
its credential inside the tunnel. This enables peer privacy.

I think what you are talking about is mutually anonymous tunnels, i.e.
both peer and server remain anonymous during the tunnel establishment.
These types of tunnels are prone to man-in-the-middle attacks in which
the privacy of both tunnel endpoints is compromised. I don't see any
value of those anonymous tunnels. In fact they are not secure.

I strongly oppose to allowing these tunnels and believe that the current
text about this topic should be kept as is.

Best regards,
Katrin

PS: Details on the mentioned MitM attacks are in
http://portal.acm.org/citation.cfm?id=1577285

> -----Original Message-----
> From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of
> Joseph Salowey (jsalowey)
> Sent: Monday, March 01, 2010 11:53 PM
> To: Dan Harkins; emu <at> ietf.org
> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> 
> Thanks Dan,
>

(Continue reading)

hzhou | 2 Mar 2010 16:08

Picon

Re: Tunnel Method Requirements - mandatory attributes

I agree with deleting this sentence, as in some case, sending a NAK does not
necessary mean the authentication is failing.

I also recommend to remove paragraph 3, " A receiver MUST process mandatory
attributes....". It seems to be describing the protocol behavior, not a
requirement.

On 3/2/10 9:38 AM, "Hoeper Katrin-QWKN37" <khoeper <at> motorola.com> wrote:

> I am happy with Alan's proposed text except for the paragraph:
> 
> "A peer that either sends or receives a NAK attribute MUST treat the
> session as failing authentication."
> 
> I suggest deleting this sentence and adopt the rest of the text.
> 
> Best regards,
> Katrin
> 
>> -----Original Message-----
>> From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of
>> Joseph Salowey (jsalowey)
>> Sent: Monday, March 01, 2010 11:53 PM
>> To: emu <at> ietf.org
>> Subject: [Emu] Tunnel Method Requirements - mandatory attributes
>> 
>> Alan commented that section 4.3.3 dealing with mandatory attributes
>> should better define what is meant by mandatory attributes.  I agree
>> with this.  Alan provided some text which describes behavior that may
> be

(Continue reading)

hzhou | 2 Mar 2010 16:16

Picon

Re: Tunnel method requirements: evaluation of protocolrequirements

I agree to leave this in, a way to capture work group consensus. NEA
Requirement RFC (RFC5209) has similar language.

On 3/2/10 9:52 AM, "Hoeper Katrin-QWKN37" <khoeper <at> motorola.com> wrote:

> For folks not that familiar with the draft, Section 4.1.2 does not
> describe existing work but rather recommends given preference to an
> existing tunnel method meeting the requirements over a new method.
> 
> I personally agree with that statement but am not sure whether we need
> to have this statement in the draft or if a group consensus on this is
> sufficient. In general, it seems to be better to have some "proof" of a
> group consensus for future discussions, e.g., when some people have
> forgotten all about it ;)
> 
> Section 4.1.2:
> "Several existing tunnel methods are already in widespread usage:
> EAP-FAST [RFC4851], EAP-TTLS [RFC5281], and PEAP.  Considerable
> experience has been gained from various deployments with these methods.
> This experience SHOULD be considered when evaluating tunnel methods.  If
> one of these existing tunnel methods can meet the requirements contained
> in this specification then that method SHOULD be preferred over a new
> method.
> 
> Even if minor modifications or extensions to an existing tunnel method
> are needed, this method SHOULD be preferred over a completely new method
> so that the advantage of accumulated deployment experience and security
> analysis can be gained."
> 
> Katrin

(Continue reading)

Group

gmane.ietf.emu.

Project Web Page

IETF working group for EAP Methods Update (EMU)

Search Archive

Page

1 | 2 | 3 | 4

Articles in period: 35

February 2010

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Improving EAP usability and deployment security: call for participants (29 Apr 2013)
Biggest Fake Conference in Computer Science (27 Apr 2013)
draft-ietf-emu-eap-tunnel-method-06 (2 Apr 2013)
I-D Action: draft-ietf-emu-eap-tunnel-method-06.txt (22 Mar 2013)
Working Group Last Call for draft-ietf-emu-crypto-bind-03 (18 Mar 2013)
I-D Action: draft-ietf-emu-crypto-bind-03.txt (14 Mar 2013)
Slides (10 Mar 2013)
Last call comments on emu-eap-tunnel-method-05 (5 Mar 2013)
Comments on draft-ietf-emu-eap-tunnel-method-05 - Set #2 (5 Mar 2013)
FW: Comments on draft-ietf-emu-crypto-bind-02 (28 Feb 2013)
I think draft-ietf-emu-crypto-bind is ready for last call (25 Feb 2013)
I-D Action: draft-ietf-emu-crypto-bind-02.txt (25 Feb 2013)
Comments on draft-ietf-emu-eap-tunnel-method (24 Feb 2013)
crypto binding: why did I want a survey of methods (23 Feb 2013)
Agenda Items for IETF 86 (22 Feb 2013)
FW: Last call comments on emu-eap-tunnel-method-05 (22 Feb 2013)
Last call on draft-ietf-emu-eap-tunnel-method (12 Feb 2013)
TEAP Comments (29 Jan 2013)
TEAP Comments (8 Nov 2012)
Help the NomCom (1 Nov 2012)
Proposed EMU Agenda for IETF-85 (23 Oct 2012)

Archives

3	April 2013
16	March 2013
14	February 2013
2	January 2013
4	November 2012
31	October 2012
11	September 2012
16	July 2012
13	June 2012
20	May 2012
12	April 2012
39	March 2012
18	February 2012
26	January 2012
3	December 2011
6	November 2011
50	October 2011
5	September 2011
30	August 2011
7	July 2011
5	June 2011
44	May 2011
30	April 2011
13	March 2011
10	February 2011
6	January 2011
9	December 2010
4	November 2010
8	October 2010
18	September 2010
5	August 2010
9	July 2010
57	June 2010
9	May 2010
5	April 2010
100	March 2010
2	February 2010
3	January 2010
34	December 2009
4	November 2009
9	October 2009
31	September 2009
106	August 2009
17	July 2009
11	June 2009
12	May 2009
3	April 2009
15	March 2009
74	February 2009
22	January 2009
18	December 2008
16	November 2008
28	October 2008
31	September 2008
35	August 2008
23	July 2008
35	June 2008
9	May 2008
35	April 2008
16	March 2008
30	February 2008
30	January 2008
13	December 2007
8	November 2007
30	October 2007
17	September 2007
53	August 2007
12	July 2007
53	June 2007
12	May 2007
80	April 2007
53	March 2007
56	February 2007
23	January 2007
16	December 2006
80	November 2006
60	October 2006
38	August 2006
23	July 2006
46	June 2006
1	May 2006
4	April 2006
7	March 2006
2	February 2006

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template