Section 1: "The other type of PT, PT-TLS [I-D.ietf-nea-pt-tls], operates before the endpoint gains any access to the IP network." ==> should be "after the endpoint has gained access to the IP network".

"PT-EAP is an inner EAP [RFC3748] method designed to be used under a protected tunnel such as TEAP [I-D.ietf-emu-eap-tunnel-method], EAP-FAST [RFC4851] or EAP-TTLS [RFC5281]." ==> PEAP is more widely supported.

"Finally, it describes how the tls-unique channel binding [RFC5929] may be used to PA-TNC exchanges to the EAP tunnel method, defeating MITM attacks such as the Asokan attack [Asokan]." ==> "Some EAP tunnel methods may provide explicit confirmation of inner method success; others may not."

Section 3.4: "Attack Analysis [16]," the reference [16]

Section 4.2.3: "The strong integrity protections (hashing) offered by EAP-TTLS allows the PT-EAP message recipients to detect message alterations by other types of network based adversaries." ===> it is not hashing offering the integrity, but MAC.

Section 4.2.4: "the session can be encrypted and hashed to prevent undetected modification that could create a denial of service situation." ===> only MAC, not encryption and hashing, can prevent modification.

Section 4.3: "The phase two dialog may include authentication of the user by doing other EAP methods or in the case of TTLS by using non-EAP authentication dialogs. PT-EAP is also carried by the phase two tunnel allowing the NEA assessment to be within an encrypted and integrity protected transport." ==> TTLS can also use an EAP method as inner method.

"These inner methods may perform additional security handshakes including more granular authentications or exchanges of integrity information (such as PT-EAP.)" ===> IMO, PT-EAP had better be exchanged after phase two of the EAP tunnel method, so that the resulting key derived from the tunnel and the inner authentication method can be used to protect it.

Section 5: "To support countermeasures against NEA Asokan attacks as described in Section 3.4, the EAP Tunnel Method used with PT-EAP will need to support the tls-unique channel binding. This should not be a high bar since all EAP tunnel methods currently support this but not all implementations of those methods may do so." ====> It seems no current EAP tunnel method supports tls-unique now. And the Asokan MitM attack is countered by crypto binding, where the tunnel method is bound with the inner method, while tls-unique is limited to the tunnel method, providing binding between TLS and the application. I wonder if there is some confusion in the document.

Regards~~~
-Sujing Zhou

Joe Salowey <jsalo...@cisco.com>
From: emu-boun...@ietf.org
2012-06-06 02:05
To: emu@ietf.org
Cc:
Subject: Re: [Emu] [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

June 4 has come and gone and we haven't received any comments. If you have reviewed the document and not found any issues please indicate that on the list. I'll leave the review open until 6/12. If you can commit to review the document, please let me know.

Thanks,

Joe

On May 21, 2012, at 2:01 PM, Joe Salowey wrote:

> The NEA working group has produced a draft for carrying NEA posture methods within EAP. It would be helpful if some EMU working group members reviewed the draft. Please send your comments to the EMU list by June 4, 2012.
>
> Thanks,
>
> Joe
>
> Begin forwarded message:
>
>> From: internet-dra...@ietf.org
>> Date: May 15, 2012 8:36:14 AM PDT
>> To: i-d-annou...@ietf.org
>> Cc: n...@ietf.org
>> Subject: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Network Endpoint Assessment Working Group of the IETF.
>>
>> Title : PT-EAP: Posture Transport (PT) Protocol For EAP Tunnel Methods
>> Author(s) : Nancy Cam-Winget
>> Paul Sangster
>> Filename : draft-ietf-nea-pt-eap-02.txt
>> Pages : 20
>> Date : 2012-05-15
>>
>> This document specifies PT-EAP, an EAP based Posture Transport (PT) protocol designed to be used only inside a TLS protected tunnel method. The document also describes the intended applicability of PT-EAP.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> The IETF datatracker page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-nea-pt-eap/
>>
>> _______________________________________________
>> Nea mailing list
>> n...@ietf.org
>> https://www.ietf.org/mailman/listinfo/nea

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
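Added illustration of two points raised in the review above (a constructed model written for this page, not code from the draft or from any EAP tunnel implementation): first, that an unkeyed hash gives a recipient no way to detect in-transit modification while a keyed MAC does (sections 4.2.3 and 4.2.4); second, how a crypto binding that keys a value on both the tunnel key and the inner-method key lets the server notice when an inner method was relayed through a different tunnel (sections 3.4 and 5). The key derivation is a deliberately simplified stand-in, not the TEAP/EAP-FAST/EAP-TTLS key schedule.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Sections 4.2.3 / 4.2.4: unkeyed hash vs. keyed MAC ----------------------

def tag(msg: bytes, key: Optional[bytes]) -> bytes:
    """Unkeyed SHA-256 when key is None, otherwise HMAC-SHA-256 under the session key."""
    if key is None:
        return hashlib.sha256(msg).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

def tampering_goes_undetected(key: Optional[bytes]) -> bool:
    """An on-path party rewrites a message and attaches the best tag it can build
    without the key (a fresh hash of the new bytes). True means the receiver accepts."""
    tampered = b"PA-TNC result: non-compliant"      # constructed, altered message
    adversary_tag = hashlib.sha256(tampered).digest()
    return hmac.compare_digest(tag(tampered, key), adversary_tag)

# --- Sections 3.4 / 5: crypto binding of inner method to tunnel ---------------

TRANSCRIPT = b"constructed inner-method transcript"   # what both sides MAC over

def compound_mac(tunnel_key: bytes, inner_key: bytes) -> bytes:
    """Binding value keyed by BOTH the tunnel key and the inner-method key.
    Simplified KDF (hash of the concatenation); real methods use their own schedule."""
    k = hashlib.sha256(b"crypto-binding" + tunnel_key + inner_key).digest()
    return hmac.new(k, TRANSCRIPT, hashlib.sha256).digest()

def direct_session_passes() -> bool:
    """Peer and server share one tunnel and one inner method: the values agree."""
    tunnel, inner = os.urandom(32), os.urandom(32)
    return hmac.compare_digest(compound_mac(tunnel, inner), compound_mac(tunnel, inner))

def relayed_session_detected() -> bool:
    """The inner method is relayed across two different tunnels (the MITM setting
    of section 3.4). The relay holds a tunnel key with each side but never learns
    the inner-method key, so all it can do is forward the peer's value, which was
    computed under the peer-side tunnel key and fails the server-side check."""
    tunnel_peer_relay, tunnel_relay_server = os.urandom(32), os.urandom(32)
    inner = os.urandom(32)   # established end to end between peer and server only
    forwarded = compound_mac(tunnel_peer_relay, inner)
    expected_by_server = compound_mac(tunnel_relay_server, inner)
    return not hmac.compare_digest(forwarded, expected_by_server)
```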