Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt
"Hoeper Katrin-QWKN37" <khoeper@motorola.com> Tue, 02 March 2010 15:56 UTC
Return-Path: <khoeper@motorola.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4637628C16E for <emu@core3.amsl.com>; Tue, 2 Mar 2010 07:56:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f17fpbWs80np for <emu@core3.amsl.com>; Tue, 2 Mar 2010 07:56:54 -0800 (PST)
Received: from mail128.messagelabs.com (mail128.messagelabs.com [216.82.250.131]) by core3.amsl.com (Postfix) with ESMTP id 64CD128C10A for <emu@ietf.org>; Tue, 2 Mar 2010 07:56:54 -0800 (PST)
X-VirusChecked: Checked
X-Env-Sender: khoeper@motorola.com
X-Msg-Ref: server-5.tower-128.messagelabs.com!1267545414!7924806!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [129.188.136.8]
Received: (qmail 14315 invoked from network); 2 Mar 2010 15:56:54 -0000
Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-5.tower-128.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Mar 2010 15:56:54 -0000
Received: from il06exr03.mot.com (il06exr03.mot.com [129.188.137.133]) by motgate8.mot.com (8.14.3/8.14.3) with ESMTP id o22Fusqu000061 for <emu@ietf.org>; Tue, 2 Mar 2010 08:56:54 -0700 (MST)
Received: from il06vts02.mot.com (il06vts02.mot.com [129.188.137.142]) by il06exr03.mot.com (8.13.1/Vontu) with SMTP id o22Furqu026212 for <emu@ietf.org>; Tue, 2 Mar 2010 09:56:53 -0600 (CST)
Received: from de01exm68.ds.mot.com (de01exm68.am.mot.com [10.176.8.24]) by il06exr03.mot.com (8.13.1/8.13.0) with ESMTP id o22FurHc026207 for <emu@ietf.org>; Tue, 2 Mar 2010 09:56:53 -0600 (CST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 02 Mar 2010 10:56:32 -0500
Message-ID: <3A241A6B234BE948B8B474D261FEBC2F07239DCB@de01exm68.ds.mot.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E0C14@il-ex01.ad.checkpoint.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt
Thread-Index: Acp15ZmDxYsma/7oTkSCurGf4fvL7QAcZ0qQEPG0OrA=
References: <mailman.47.1260043204.5501.emu@ietf.org> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E0C14@il-ex01.ad.checkpoint.com>
From: Hoeper Katrin-QWKN37 <khoeper@motorola.com>
To: Yaron Sheffer <yaronf@checkpoint.com>, emu@ietf.org
X-CFilter-Loop: Reflected
Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind-04.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 15:56:56 -0000
Yaron, Thank you for your comments. The intended status of the draft is "Standards track", i.e., the draft should describe a channel binding solution and not only summarize the problem and possible solution strategies. The original draft contained both, a channel binding protocol and a definition of containers for carrying the exchanged channel binding information. It was decided early on that for clarity reasons and more universal usage of these containers, it is better to have two separate documents to cover both topics. This is why we have <draft-ietf-emu-chbind-04> to describe the protocol and <draft-clancy-emu-aaapay-03> to describe the containers. Recently another draft <draft-cam-winget-eap-tlv-00> has been submitted that describes EAP TLV containers. For these reasons, I believe that such a container does *not* need to be defined in the channel binding draft. It seems to be a much better approach to use more general EAP containers that can carry channel binding as well as other data. To answer your other comments: "Is this taking place at the EAP level?" Yes "The SAP level?" No "Is it a new EAP method?" No, it is an extension to EAP methods that can be supported by some existing EAP methods and SHOULD be supported by all new EAP methods. "Should it be built into each and every new EAP method?" Yes, at least it is a SHOULD requirement per WG consensus to support channel bindings. "How does it apply to the few existing EAP methods that can accommodate it today?" EAP methods that already support the exchange of channel binding information can easily implement the protocol. >From your questions, it is obvious that the draft needs to do a better job to clearly answer the above questions. Best regards, Katrin > -----Original Message----- > From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of > Yaron Sheffer > Sent: Sunday, December 06, 2009 4:03 AM > To: emu@ietf.org > Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-chbind- > 04.txt > > Hi, > > IMHO this document is not ready to be advanced, at least not as Standards > Track. > > The document is extremely abstract: it defines the problem statement very > well, but then keep its options open when describing the solution. The > fact that the document has an empty IANA section is a strong hint that it > is not really defining a protocol. > > This can be resolved either of two ways: > > - Change it to Informational, and add text to clarify that the document is > *not* defining a protocol (despite the title of Sec. 5), but rather > presents the problem and proposes several alternative solution strategies. > > - Or extend it to really define a protocol. In which case you need to > answer some simple questions like: > * Is this taking place at the EAP level? The SAP level? Is it a new > EAP method? Should it be built into each and every new EAP method? > * How does it apply to the few existing EAP methods that can > accommodate it today? > * How are the actual TLVs represented/encoded? > > BTW, just defining the TLV formats (and IANA numbers) for EAP methods > would serve the community well: looking at the IANA registry for EAP-GPSK, > there's a "protected payload" defined > (http://www.iana.org/assignments/eap-gpsk-parameters/eap-gpsk- > parameters.xhtml#eap-gpsk-parameters-2). But nobody ever bothered defining > *any* specific payloads for channel bindings. > > Thanks, > Yaron > > > > ---------------------------------------------------------------------- > > > > Date: Fri, 4 Dec 2009 12:12:30 -0800 > > From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com> > > Subject: [Emu] Working Group Last Call for > > draft-ietf-emu-chbind-04.txt > > To: <emu@ietf.org> > > Message-ID: > > <AC1CFD94F59A264488DC2BEC3E890DE5093AAD03@xmb-sjc- > > 225.amer.cisco.com> > > Content-Type: text/plain; charset="us-ascii" > > > > This is an announcement of working group last call for the Channel > > Bindings draft: draft-ietf-emu-chbind-04. Please send comments to the > > list by December 18, 2009. When proposing changes to the document it is > > helpful to provide some sample text. Also if you have reviewed the > > document and found no issues it is appropriate to send a message to the > > list indicating your approval. > > > > The URL for the document is > > http://www.ietf.org/id/draft-ietf-emu-chbind-04.txt > > > > Cheers, > > > > Joe > > > > > > ------------------------------ > > > > Message: 2 > > Date: Fri, 4 Dec 2009 13:11:26 -0800 (PST) > > From: "Dan Harkins" <dharkins@lounge.org> > > Subject: Re: [Emu] Issue #7: Password Authentication > > To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com> > > Cc: emu@ietf.org > > Message-ID: > > <356e783c475bc4bfd423f50e6b5a4302.squirrel@www.trepanning.net> > > Content-Type: text/plain;charset=iso-8859-1 > > > > > > Hi Joe, > > > > I like your suggestion. Using "EAP server" would satisfy my concern. > > > > thanks, > > > > Dan. > > > > On Fri, December 4, 2009 11:56 am, Joseph Salowey (jsalowey) wrote: > > > OK good points. I can see the problem with the authentication server > > > wording. I think EAP server is more correct in this case as it leaves > > > deployment options open. Is the text OK if we change Authentication > > > Server to EAP server in this paragraph? > > > > > > Joe > > > > > >> -----Original Message----- > > >> From: Alan DeKok [mailto:aland@deployingradius.com] > > >> Sent: Friday, December 04, 2009 10:00 AM > > >> To: Joseph Salowey (jsalowey) > > >> Cc: Dan Harkins; emu@ietf.org > > >> Subject: Re: [Emu] Issue #7: Password Authentication > > >> > > >> Joseph Salowey (jsalowey) wrote: > > >> > This section is about transporting clear text usernames and > > >> passwords > > >> > within the tunnel, so password transport requirement needs > > >> to stay. > > >> > I'm fine with more accurate text for describing the attacks. I > > >> > propose the following text: > > >> > > > >> > "The tunnel method MUST support transporting clear text > > >> username and > > >> > password to the authentication server. It MUST NOT reveal > > >> information > > >> > about the username and password to parties in the > > >> communication path > > >> > between the peer and the EAP Server. The advantage any > > >> attacker gains > > >> > against the tunneled method when employing a username and > > >> password for > > >> > authentication MUST be through interaction and not computation. " > > >> > > >> The first sentence refers to "authentication server", while > > >> the second uses "EAP server". I suggest using "EAP server" > > >> for both, as it is used elsewhere in the document, too. > > >> > > >> Alan DeKok. > > >> > > > > > > > > > > > > > ------------------------------ > > > > _______________________________________________ > > Emu mailing list > > Emu@ietf.org > > https://www.ietf.org/mailman/listinfo/emu > > > > > > End of Emu Digest, Vol 47, Issue 7 > > ********************************** > > > > Scanned by Check Point Total Security Gateway. > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu
- [Emu] Working Group Last Call for draft-ietf-emu-… Joseph Salowey (jsalowey)
- Re: [Emu] Working Group Last Call for draft-ietf-… Glen Zorn
- Re: [Emu] Working Group Last Call for draft-ietf-… Yaron Sheffer
- Re: [Emu] Working Group Last Call for draft-ietf-… Hoeper Katrin-QWKN37
- Re: [Emu] Working Group Last Call for draft-ietf-… Hoeper Katrin-QWKN37
- Re: [Emu] Working Group Last Call for draft-ietf-… Yaron Sheffer