Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1)
Bernard Aboba <bernard_aboba@hotmail.com> Tue, 08 December 2009 03:12 UTC
Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6B04E3A6806 for <emu@core3.amsl.com>; Mon, 7 Dec 2009 19:12:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.333
X-Spam-Level:
X-Spam-Status: No, score=-0.333 tagged_above=-999 required=5 tests=[AWL=-0.335, BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DzyJitrrP1Tr for <emu@core3.amsl.com>; Mon, 7 Dec 2009 19:12:31 -0800 (PST)
Received: from blu0-omc3-s5.blu0.hotmail.com (blu0-omc3-s5.blu0.hotmail.com [65.55.116.80]) by core3.amsl.com (Postfix) with ESMTP id 1B0C13A677C for <emu@ietf.org>; Mon, 7 Dec 2009 19:12:31 -0800 (PST)
Received: from BLU137-W18 ([65.55.116.72]) by blu0-omc3-s5.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 7 Dec 2009 19:12:17 -0800
Message-ID: <BLU137-W182D9A30E81347A3BA9513938F0@phx.gbl>
Content-Type: multipart/alternative; boundary="_ea8adb72-8b93-414b-aa09-d7f54fbc3cc7_"
X-Originating-IP: [97.113.254.30]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: emu@ietf.org
Date: Mon, 07 Dec 2009 19:12:17 -0800
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Dec 2009 03:12:17.0254 (UTC) FILETIME=[3F414060:01CA77B4]
Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt (part 1)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 03:12:34 -0000
I agree with Yaron that this document is not ready to be advanced. Aside from whether the document is appropriate for publication on the Standards Track (I believe that Informational would be a better choice), I'd suggest that the document has a more basic problem in that it doesn't do a very good job of defining the problem it is trying to solve or demonstrating that the solution offered actually solves that problem or can be practically implemented. For example, early on the document makes the following statement: This document defines and implements EAP channel bindings to solve the lying NAS and the lying provider problems, using a process in which the EAP peer provides information about the characteristics of the service provided by the authenticator to the AAA server protected within the EAP method. This allows the server to verify the authenticator is providing information to the peer that is consistent with the information received from this authenticator as well as the information stored about this authenticator. "AAA Payloads" defined in [I-D.clancy-emu-aaapay] proposes a mechanism to carry this information. However, as noted in Section 3: In service provider networks, global knowledge is infeasible due to indirection via roaming. When a peer is outside its home administrative domain, the goal is to ensure that the level of service received by the peer is consistent with the contractual agreement between the two service providers. Unfortunately the term "level of service" is not well enough defined here to give a good sense of what is possible and what is not. As noted above, in general the home AAA server does not have enough information to independently verify AAA attributes provided to it by roaming partners. The problem is not just lack of "global knowledge"; even if it were possible for a home AAA server to have perfect global knowledge, if that knowledge were obtained from the providers themselves (where else could it come from?) then if those providers were untrustworthy, then how could it be used in channel binding verification? As a result, I'd suggest that some careful analysis is needed to describe in detail the threats that the "lying provider" solution really can mitigate. As noted later: In other words, channel bindings enable the detection of inconsistencies in the information from a visited network, but cannot determine which entity is lying. Given that it is not really possible to determine whether a provider is actually lying or not, how does the offered solution actually solve the "lying provider" problem? The service provider attacks described in Section 3, which attempt to make the case for the utility of channel bindings are not very convincing: a. Inappropriate billing. In this scenario, it's not clear to me how Channel Bindings would be helpful Today rates are not advertised in Beacons, and if accounting fraud is suspected, wouldn't this be best verified by computing the expected billed amounts against the actual ones, based on RADIUS accounting data? b. Transmit power boost. Detecting inappropriate levels of transmit power seems like something beyond the capability of channel bindings (and more in the jurisdiction of regulatory agencies like the FCC). Even if the geolocation were to be transmitted along with the power measurement, detecting an inappropriate transmit power level would involve some fairly complex modeling with lots of variables (e.g. precise tower location, absorption along the line of sight, etc.). At a minimum, I'd suggest that the document needs to come up with some more plausible service provider scenarios.
- Re: [Emu] Working Group Last Call for draft-ietf-… Bernard Aboba
- Re: [Emu] Working Group Last Call for draft-ietf-… Hoeper Katrin-QWKN37