[Emu] Questions on draft-ietf-emu-eap-gpsk-02.txt

To: emu at ietf.org
Subject: [Emu] Questions on draft-ietf-emu-eap-gpsk-02.txt
From: Victor Fajardo <vfajardo at tari.toshiba.com>
Date: Thu, 18 Jan 2007 15:39:53 -0500
Cc:
List-archive: <http://www1.ietf.org/pipermail/emu>
List-help: <mailto:emu-request@ietf.org?subject=help>
List-id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-post: <mailto:emu@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
User-agent: Thunderbird 1.5.0.9 (X11/20061206)

Hi Tom/Hannes,

I just have a couple of questions/comments regarding draft-ietf-emu-eap-gpsk-02.txt:

o In the terminology section, the last sentence of SEC_X(Y) definition is "SEC_X(Y) = Y|MAC_X(Y)". Maybe it should be "SEC_X(Y) = Y || MAC_X(Y)" instead.

o  In Sec 8., 3rd paragraph:

"GPSK-1 contains no MAC protection, so provided it properly parses, it
 MUST be accepted by the client. If the EAP client decides the
 ID_Server is that of a AAA server to which it does not wish to
 authenticate, the EAP client should respond with an EAP-NACK."

Should this also provision for the case where the client is unable to
support any of the ciphers in CSuite_List of GPSK-1 ? In such a case
is it proper for the client to just send an EAP-NACK ?

o  In Sec 8., 4th paragraph:

 "For GPSK-2, if ID_Client is for an unknown user, the EAP server MUST
  send either a "PSK Not Found" GPSK-Fail message, or an
  "Authentication Failure" GPSK-Fail, depending on its policy, and
  discard the received packet.  If the MAC validation fails, the server
  MUST transmit a GPSK-Fail message specifying "Authentication
  Failure". and discard the received packet.  If the RAND_Server or
  CSuite_List field in GPSK-2 does not match the values in GPSK-1, the
  server MUST silently discard the packet.  If server policy determines
  the client is not authorized and the MAC is correct, the server MUST
  transmit a GPSK-Protected-Fail message indicating "Authorization
  Failure" and discard the received packet."

In the case of "Authentication Failure" where the user is unknown or MAC
is not correct maybe EAP_FAILURE is better (???) rather than GPSK-Fail
since the failure is severe enough to warrant a method failure ?

Should the CSuite_List in GPSK-2 be equivalent to CSuite_List in GPSK-1 ?
Maybe I have the wrong impression but I thought the idea is auth sends
a CSuite_List to peer and peer selects a supported CSuite denoted by
CSuite_Sel. If this is the case we may not need CSuite_List in GPSK-2.
Also, if CSuite_Sel does not match any value in CSuite_List in GPSK-1
then auth can send GPSK-Fail.

o  In Sec 8, 5th paragraph:

 "A client receiving a GPSK-Fail or GPSK-Protected-Fail message in
  response to a GPSK-2 message MUST either transmit an EAP-Failure
  message and end the session, ... "

I'm probably missing something but is the client allowed to send EAP-Failure ?

regards,
victor


_______________________________________________
Emu mailing list
Emu at ietf.org
https://www1.ietf.org/mailman/listinfo/emu

Follow-Ups:
- Re: [Emu] Questions on draft-ietf-emu-eap-gpsk-02.txt
  - From: Charles Clancy

Prev by Date: RE: [Emu] Open issues with draft-simon-emu-rfc2716bis-06.txt
Next by Date: [Emu] Removal of key strength table in RFC 2716bis
Previous by thread: [Emu] Open issues with draft-simon-emu-rfc2716bis-06.txt
Next by thread: Re: [Emu] Questions on draft-ietf-emu-eap-gpsk-02.txt
Index(es):
- Date
- Thread

[Emu] Questions on draft-ietf-emu-eap-gpsk-02.txt

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.