Hi Katrin, Thanks for the clarifications, I think I understand better now.
Comments inline. > > > Joe, > > > > > > Thank you for bringing this up. Find my replies below: > > > > > > "1. In sections 5.1 and 5.2 clarify the role of message i2 with > > > respect to channel bindings." > > > > > > [KH] I agree with your observations that the use and > exchange of i2 > > > is not well described in the draft and needs to be clarified. > > > > > > The EAP server can utilize three pieces of information for its > > > channel binding verification, namely: i1 received from > the EAP peer, > > > i2 received as part of AAA communications with the > authenticator and > > > i3 stored in a local database. The confusion lies in the > description > > > of i2 and its "exchange". > > > > > > i2 is basically information that the EAP server already "knows" > > > about the authenticator. The information is *not* sent as > payload to > > > the EAP server, it was rather part of previous > communications with > > > the authenticator during the current EAP session. For > example, the > > > EAP server typically "knows" the NAS-IP address of the > authenticator > > > in an EAP execution. Basically, we want to utilize > information for > > > the channel binding consistency check that the EAP server already > > > knows about the authenticator. This information is referred to as > i2. > > > > > > I agree that the arrow with i2 from authenticator to EAP > server in > > > Figure 1 is wrong, because i2 is not a protocol message. Figure 1 > > > does not reflect the above description and needs to be revised > > > accordingly. > > > On the other hand, an EAP server can optionally include i2 in its > > > reply to the EAP peer, e.g. to enable the peer to perform its own > > > consistency checks. In that case, i2 needs to be explicitly > > > exchanged. > > > > > [Joe] OK, I think I may understand better. If I understand > correctly, > > there are two separate consistency checks: > > > > 1. one checking the consistency of what the client sees against a > > database of what should be seen. (i1) 2. one checking the > consistency > > of what the authenticator against a database of what should > be seen. > > (i2) > > > > Is this correct? > > > [KH] Almost. Check 1 "is the authenticator lying to the peer?": > consistency check of i1 and i2 with the aid of the database > (because a direct comparison is not possible), i.e. checking > whether the info submitted to the peer and known to by the > EAP server are consistent. > Check 2 "is the authenticator lying to both ends to violate rules": > check whether i1 and i2 comply with policies stored in the database. > Actually check 2 could be split into two checks: 2a) check > whether authenticator lies to the EAP server and 2b) does the > authenticator violate any rules. > [Joe] Good point, so 2A would be useful in the case where the AAA is making some policy decision based on what the authenticator states and there is more than one choice for the authenticator. Perhaps if the authenticator can advertise a free and charged SSID the client associates with the free one, but the authenticator reports the charged one. This may be a bit contrived, but it seems like it could be a good thing to do. I think it would be useful to split this up into 2A and 2B. 2A is needed when there is an attribute used in AAA policy that the client is aware of and there is more than one choice for the value of the attribute for the authenticator. 2B I think is something more for AAA validation of the message. > > It seems that in your picture i2 is really between the authenticator > and > > AAA. This affects some of your statements above. For > example its not > > clear to me that the EAP Server would necessarily know > anything about > > NAS-IP. > [KH] This is true and needs to be clarified. Either the EAP > server can only use the AAA attributes it knows about the > authenticator from the on-going EAP execution or the EAP > server needs to get this information from the AAA server to > perform the consistency check. Do you see any use case for the former? [Joe] So, I think some of the data, mostly 2B data, should be validated by the AAA server. Some of the type 1 data may not be passed in the AAA protocol. For 1 and 2A data that is communicated in AAA I think it will depend upon implementation as to who maintains the authoritative database for attributes. In some cases validation responsibility may be split. > > > > > "2. In section 6.1 define channel binding data as a > superset of AAA > > > attributes. In particular the last paragraph needs work > and seems > > > inconsistent with 7.1 which allows for the inclusion of Diameter > > > attributes without the exclusion of other attributes." > > > > > > [KH] The reason why we chose i2 as AAA data is because the > > > authenticator and EAP server communicate using an AAA protocol > > > during an EAP execution. Hence, the EAP server has access to AAA > > > attributes of the authenticator in its role as AAA client. > > > > [Joe] So I think it makes sense that i2 is AAA data, what I'm not > seeing > > is what the EAP server is dealing with it instead of the AAA server. > [KH] Agreed, this needs to be addressed-see previous comment. > > > > > In this way no additional exchange of information is required > > > (again, the flow in Figure 1 is > > > wrong) and i2 does not need to be explicitly exchanged. This is > > > important because we want to be able to add channel > binding to EAP > > > methods without modifying the method's protocol flow. If we would > > > allow > > > i2 to be any type of data about the authenticator, this would > > > require an explicit message flow from authenticator to > EAP server as > > > part of the EAP method. > > > > > > To avoid the introduction of additional communication flows, the > > > modification of EAP methods and potentially the > involvement of other > > > protocols, I argue that i2 should only contain AAA > information about > > > the authenticator. Any other type of information about the > > > authenticator that seems desirable for the channel binding > > > verification can be stored in the local database (i3). > > > > > [Joe] I'm fine with i2 containing AAA information, but I > don't really > > see how it is part of EAP channel bindings. This seems to be more > about > > validating information in the AAA protocol. > [KH] I believe this is the only way to check whether an > authenticator is lying about its identity, i.e. the > identifier& addresses broadcasted to peers and identifiers & > addresses used in the backend network. Again these > identifiers & addresses may be of different types but should > nevertheless map to the same device (check via a lookup in > the database). [Joe] I'm not sure how much of this information is useful or practically verifiable by the EAP server. For example, often the client has no idea of the NAS IP address and may not have an idea of the NAS-ID. In many cases I'm not sure if spoofing addresses is a problem or if this is very manageable to maintain this information. If we split the data into i2a and i2b it may be clearer. > > > > For channel bindings I am more concerned with what is > communicated in > > i1. This is what EAP methods need to carry. i1 may need to carry > some > > data that may also be in a AAA attribute, but it may also need to > carry > > other data. My objection is restricting everything in i1 to being > AAA > > data. The current draft seems to requirements for i1 and i2 all > > together. I don't think this is correct. > > > [KH] Agreed. This limitation of i1 was not intended and needs > to be addressed. i1 can contain anything that was broadcasted > in the authenticator's (NAS) beacon while i2 is restricted to > AAA attributes. > > > > > > " Sections 7.1, 7.2, 7.3 only recommend comparing > information with > > > what is received from the NAS and not about comparing with local > > > information" > > > > > > [KH] Section 7 describes which attributes can be used in > i1 for the > > > channel binding compliance check, and Section 8 the > attributes that > > > can be used as part of i2. Comparing local information is only > > > described as text in Section 10.1. We cannot provide concrete > > > attributes here because > > > i3 is protocol-independent and basically contains data > derived from > > > policies. I don't think we can provide concrete examples > here, but > > > it might be a good idea to add another section after 7 and 8, to > > > generally outline how the comparison with the local information > > > should be executed. In that case, Section 10 could remain > the same, > > > explaining how such a database can be set up. > > > > > > "4. Section 8 is about AAA validation and is not channel > bindings, > > > is this section necessary?" > > > > > > [KH] Disagree, see my comments to your suggestions #2. > > > > > [Joe] So, I see i1 as the messages used in EAP channel > bindings. i2 > > looks to me like validation that should be done by the AAA protocol. > I > > think I may not have understood your points above. I think > the draft > > needs to focus more on the requirements of i1 exchange and > less on the > > requirements of the i2 exchange. > > [KH] In order to detect whether an authenticator is "lying" > you need some data to compare i1 too. We believe that lying > can be detected by comparing the views the EAP peer and EAP > server have about the authenticator in an EAP session. The > database is needed to enable the comparison. In addition, we > check for the case that the authenticator lies to both ends > (i.e. to the EAP peer and the EAP server) by checking the > compliance of i1 and i2 with the policies stored in the database. [Joe] OK, so some i1 data can be compared with i2, in particular i2A data that has various options that affect policy evaluation. In general all i1 and i2 data that is important to the system should be checked against some authoritative database. > > > > > > > > Joe, I hope I could clarify some of your issues. I would > also like > > > to hear other opinions from the list on these issues. > > > > > > Katrin > > > > > > > > > > > > -----Original Message----- > > > From: emu-boun...@ietf.org [mailto:emu-boun...@ietf.org] > On Behalf > > > Of Joseph Salowey (jsalowey) > > > Sent: Thursday, June 18, 2009 12:12 PM > > > To: emu@ietf.org > > > Subject: [Emu] draft-ietf-emu-chbind-02 and AAA interaction > > > > > > After reviewing recent comments from Klaas on the list on Channel > > > bindings there is one issue I would like to try to resolve before > > > bringing this draft to last call. > > > > > > In section 5.1, the draft defines a message i2, which is > the message > > > carrying AAA attributes from the authenticator to the > server using a > > > AAA protocol. While, this message does occur in the protocol > > > interactions, it is actually not that important in the channel > > > binding interactions because the server does not completely trust > > > the authenticator and must know what is valid through some other > > > mechanism, such as the local database defined in the > draft. I think > > > this section is a bit misleading and needs to emphasize > this point. > > > This is further confused by the fact that in some > sections the draft > > > focuses entirely on AAA attributes to carry channel-binding > > > information. While AAA attributes are undoubtedly important to > > > carry it does not appear that they should be the only > type of data > > > allowed especially since the AAA protocol is not required to be > > > directly involved other than to carry EAP. > > > This is demonstrated by the "TODO" 7.3 which suggests we > need to add > > > a way to carry the 802.11 RSN-IE. Since AAA protocols haven't > > > needed to carry this information to date, it is not clear that > > > adding this information to them would be helpful. > > > Given this I would suggest the following modifications to the > > > draft: > > > > > > 1. In sections 5.1 and 5.2 clarify the role of message i2 with > > > respect to channel bindings. > > > 2. In section 6.1 define channel binding data as a > superset of AAA > > > attributes. In particular the last paragraph needs work > and seems > > > inconsistent with 7.1 which allows for the inclusion of Diameter > > > attributes without the exclusion of other attributes. > > > 3. Sections 7.1, 7.2, 7.3 only recommend comparing > information with > > > what is received from the NAS and not about comparing with local > > > information 4. Section 8 is about AAA validation and is > not channel > > > bindings, is this section necessary? > > > > > > If the working group agrees with this direction I can > provide text > > > for the changes. > > > > > > Please send comments to the list. > > > > > > Thanks, > > > > > > Joe > > > _______________________________________________ > > > Emu mailing list > > > Emu@ietf.org > > > https://www.ietf.org/mailman/listinfo/emu > > > > _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
