Old header (draft-funk-eap-ttls-v1-00.txt):

PPPEXT Working Group                                        Paul Funk
Internet-Draft                                    Funk Software, Inc.
Category: Standards Track                          Simon Blake-Wilson
<draft-funk-eap-ttls-v1-00.txt>                     Basic Commerce &
                                                     Industries, Inc.
                                                        February 2005

New header (draft-funk-eap-ttls-v1-01.txt):

EAP                                                         Paul Funk
Internet-Draft                                       Juniper Networks
Category: Standards Track                          Simon Blake-Wilson
<draft-funk-eap-ttls-v1-01.txt>                     Basic Commerce &
                                                     Industries, Inc.
                                                           March 2006

          EAP Tunneled TLS Authentication Protocol Version 1
                            (EAP-TTLSv1)
Status of this Memo

Old (draft -00):

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667. By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

New (draft -01):

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
Unchanged in both versions:

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
Copyright Notice

Old (draft -00):

   Copyright (C) The Internet Society (2001 - 2005). All Rights
   Reserved.

New (draft -01):

   Copyright (C) The Internet Society (2006). All Rights Reserved.
Abstract (unchanged in both versions)

   EAP-TTLS is an EAP type that utilizes TLS to establish a secure
   connection between a client and server, through which additional
   information may be exchanged. The initial TLS handshake may mutually
   authenticate client and server; or it may perform a one-way
   authentication, in which only the server is authenticated to the
   client. The secure connection established by the initial handshake
   may then be used to allow the server to authenticate the client
[skipping to change at page 5, line 49]

(The only change in this block is the apostrophe in "client's", which
was mis-encoded as "clientÆs" in draft -00 and corrected in draft -01.)

   changes dramatically:

   - Wireless connections are considerably more susceptible to
     eavesdropping and man-in-the-middle attacks. These attacks may
     enable dictionary attacks against low-entropy passwords. In
     addition, they may enable channel hijacking, in which an attacker
     gains fraudulent access by seizing control of the communications
     channel after authentication is complete.

   - Existing authentication protocols often begin by exchanging the
     client's username in the clear. In the context of eavesdropping
     on the wireless channel, this can compromise the client's
     anonymity and locational privacy.

   - Often in wireless networks, the access point does not reside in
     the administrative domain of the service provider with which the
     user has a relationship. For example, the access point may reside
     in an airport, coffee shop, or hotel in order to provide public
     access via 802.11. Even if password authentications are protected
     in the wireless leg, they may still be susceptible to
     eavesdropping within the untrusted wired network of the access
     point.
[skipping to change at page 20, line 31]

   be considered if attacks against recorded authentication or data
   sessions are considered to pose a significant threat.
11. References

11.1 Normative References

Old (draft -00):

   [TLS/IA]   Funk, P., Blake-Wilson, S., Smith, N., Tschofenig, H.
              and T. Hardjono, "TLS Inner Application Extension
              (TLS/IA)", draft-funk-tls-inner-application-extension-
              00.txt, July 2004.

New (draft -01):

   [TLS/IA]   Funk, P., Blake-Wilson, S., Smith, N., Tschofenig, H.
              and T. Hardjono, "TLS Inner Application Extension
              (TLS/IA)", draft-funk-tls-inner-application-extension-
              02.txt, March 2006.

Unchanged in both versions:

   [RFC1700]  Reynolds, J., and J. Postel, "Assigned Numbers", RFC
              1700, October 1994.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2246]  Dierks, T., and C. Allen, "The TLS Protocol Version
              1.0", RFC 2246, November 1998.
[skipping to change at page 22, line 22]

   [AAA-EAP]  Eronen, P., Hiller, T. and G. Zorn, "Diameter Extensible
              Authentication Protocol (EAP) Application", draft-ietf-
              aaa-eap-03.txt (work in progress), October 2003.
12. Authors' Addresses

   Questions about this memo can be directed to:

Old (draft -00):

   Paul Funk
   Funk Software, Inc.
   222 Third Street
   Cambridge, MA 02142
   USA

   Phone: +1 617 497-6339
   E-mail: paul@funk.com

New (draft -01):

   Paul Funk
   Juniper Networks
   222 Third Street
   Cambridge, MA 02142
   USA

   Phone: +1 617 497-6339
   E-mail: pfunk@juniper.net

Unchanged in both versions:

   Simon Blake-Wilson
   Basic Commerce & Industries, Inc.
   304 Harper Drive, Suite 203
   Moorestown, NJ 08057

   Phone: +1 856 778-1660
   E-mail: sblakewilson@bcisse.com
Disclaimer of Validity (unchanged in both versions)

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement

Old (draft -00):

   Copyright (C) The Internet Society (2001 - 2005). This document is
   subject to the rights, licenses and restrictions contained in BCP
   78, and except as set forth therein, the authors retain all their
   rights.

New (draft -01):

   Copyright (C) The Internet Society (2006). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.
End of changes. 10 change blocks; 17 lines changed or deleted, 14 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/