Re: [Emu] EAP and authorization

To: Alan DeKok <aland at deployingradius.com>
Subject: Re: [Emu] EAP and authorization
From: Bernard Aboba <bernard_aboba at hotmail.com>
Date: Tue, 18 Aug 2009 06:53:45 -0700
Cc: emu at ietf.org
Delivered-to: emu at core3.amsl.com
Importance: Normal
In-reply-to: <4A8A5AD7.7030302 at deployingradius.com>
List-archive: <http://www.ietf.org/mail-archive/web/emu>
List-help: <mailto:emu-request@ietf.org?subject=help>
List-id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-post: <mailto:emu@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
References: <BLU137-DS630E018EC6047D189F92D93FF0 at phx.gbl> <4A8A5AD7.7030302 at deployingradius.com>

> The discussion here is (a) if we can get *some* generic authorization
> passed via methods used for Channel Bindings, and (b) is that a good idea.
>
> I think that the answer to (a) is "yes", and (b) is "some say yes,
> some say no".

Existing RFCs are clear that Channel Bindings have a specific purpose and
are not a generic authorization mechanism. For example, RFC 3748
Section 7.15 states:

"

   In order to address this vulnerability, EAP methods may support a
   protected exchange of channel properties such as endpoint
   identifiers, including (but not limited to): Called-Station-Id
   [RFC2865][RFC3580], Calling-Station-Id [RFC2865][RFC3580], NAS-
   Identifier [RFC2865], NAS-IP-Address [RFC2865], and NAS-IPv6-Address
   [RFC3162].

   Using such a protected exchange, it is possible to match the channel
   properties provided by the authenticator via out-of-band mechanisms
   against those exchanged within the EAP method.  Where discrepancies
   are found, these SHOULD be logged; additional actions MAY also be
   taken, such as denying access.

"

Given the above (and similar material in RFC 5247), it would seem (surprise!)
that channel bindings relate to properties of the channel. Despite the confusion
introduced by Section 1 of the Channel Bindings document, the parameters
actually discussed in the Channel Bindings document generally appear consistent
with existing work.

I say "generally" because the document does appear to need an update or two.
For example, Section 7.3.2 of the Channel Bindings document
introduces the Mesh-Key-Distributor-Domain-Id. My understanding is that
this parameter has been removed from 11s, so this section is now out of date.

References:
- [Emu] EAP and authorization
  - From: Bernard Aboba
- Re: [Emu] EAP and authorization
  - From: Alan DeKok

Prev by Date: Re: [Emu] Impersonation and Lying NAS problem: two distinctissues (with different solutions)
Next by Date: Re: [Emu] Impersonation and Lying NAS problem: two distinctissues (with different solutions)
Previous by thread: Re: [Emu] EAP and authorization
Next by thread: Re: [Emu] #18 Internationalization
Index(es):
- Date
- Thread

Re: [Emu] EAP and authorization

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.