Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1)
Bernard Aboba <bernard_aboba@hotmail.com> Tue, 08 December 2009 03:12 UTC
Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6B04E3A6806 for <emu@core3.amsl.com>; Mon, 7 Dec 2009 19:12:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.333
X-Spam-Level:
X-Spam-Status: No, score=-0.333 tagged_above=-999 required=5 tests=[AWL=-0.335, BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DzyJitrrP1Tr for <emu@core3.amsl.com>; Mon, 7 Dec 2009 19:12:31 -0800 (PST)
Received: from blu0-omc3-s5.blu0.hotmail.com (blu0-omc3-s5.blu0.hotmail.com [65.55.116.80]) by core3.amsl.com (Postfix) with ESMTP id 1B0C13A677C for <emu@ietf.org>; Mon, 7 Dec 2009 19:12:31 -0800 (PST)
Received: from BLU137-W18 ([65.55.116.72]) by blu0-omc3-s5.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 7 Dec 2009 19:12:17 -0800
Message-ID: <BLU137-W182D9A30E81347A3BA9513938F0@phx.gbl>
Content-Type: multipart/alternative; boundary="_ea8adb72-8b93-414b-aa09-d7f54fbc3cc7_"
X-Originating-IP: [97.113.254.30]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: emu@ietf.org
Date: Mon, 07 Dec 2009 19:12:17 -0800
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Dec 2009 03:12:17.0254 (UTC) FILETIME=[3F414060:01CA77B4]
Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 03:12:34 -0000
I agree with Yaron that this document is not ready to be advanced.
Aside from whether the document is appropriate for publication on the Standards Track (I believe that Informational would be a better choice), I'd suggest that the document has a more basic problem in that it doesn't do a very good job of defining the problem it is trying to solve or demonstrating that the solution offered actually solves that problem or can be practically
implemented.
For example, early on the document makes the following statement:
This document defines and implements EAP channel bindings to solve
the lying NAS and the lying provider problems, using a process in
which the EAP peer provides information about the characteristics of
the service provided by the authenticator to the AAA server protected
within the EAP method. This allows the server to verify the
authenticator is providing information to the peer that is consistent
with the information received from this authenticator as well as the
information stored about this authenticator. "AAA Payloads" defined
in [I-D.clancy-emu-aaapay] proposes a mechanism to carry this
information.
However, as noted in Section 3:
In service provider networks, global knowledge is
infeasible due to indirection via roaming. When a peer is outside
its home administrative domain, the goal is to ensure that the level
of service received by the peer is consistent with the contractual
agreement between the two service providers.
Unfortunately the term "level of service" is not well enough defined here to give a good sense of what is
possible and what is not. As noted above, in general the home AAA server does not have
enough information to independently verify AAA attributes provided to it by
roaming partners. The problem is not just lack of "global knowledge"; even if it were possible
for a home AAA server to have perfect global knowledge, if that knowledge were obtained from the
providers themselves (where else could it come from?) then if those providers were untrustworthy,
then how could it be used in channel binding verification?
As a result, I'd suggest that some careful analysis is needed to describe in detail the threats that
the "lying provider" solution really can mitigate. As noted later:
In other words, channel bindings enable the
detection of inconsistencies in the information from a visited
network, but cannot determine which entity is lying.
Given that it is not really possible to determine whether a provider is actually lying or not, how
does the offered solution actually solve the "lying provider" problem?
The service provider attacks described in Section 3, which attempt to make the case for the
utility of channel bindings are not very convincing:
a. Inappropriate billing. In this scenario, it's not clear to me how Channel Bindings would be
helpful Today rates are not advertised in Beacons, and if accounting fraud is suspected,
wouldn't this be best verified by computing the expected billed amounts against the actual
ones, based on RADIUS accounting data?
b. Transmit power boost. Detecting inappropriate levels of transmit power seems like something
beyond the capability of channel bindings (and more in the jurisdiction of regulatory agencies
like the FCC). Even if the geolocation were to be transmitted along with the power measurement,
detecting an inappropriate transmit power level would involve some fairly complex modeling with
lots of variables (e.g. precise tower location, absorption along the line of sight, etc.).
At a minimum, I'd suggest that the document needs to come up with some more plausible service provider
scenarios.
- Re: [Emu] Working Group Last Call for draft-ietf-… Bernard Aboba
- Re: [Emu] Working Group Last Call for draft-ietf-… Hoeper Katrin-QWKN37