Hi Sujing, I am just getting to update the draft based on received comments. I have further comments and questions below:
From: "zhou.suj...@zte.com.cn" <zhou.suj...@zte.com.cn>
Date: Wednesday, June 6, 2012 2:18 AM
To: Joseph Salowey <jsalo...@cisco.com>
Cc: "emu@ietf.org" <emu@ietf.org>
Subject: [Emu] A review Re: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

Section 1
"The other type of PT, PT-TLS [I-D.ietf-nea-pt-tls], operates before the endpoint gains any access to the IP network."
==> should be "after the endpoint has gained access to the IP network"
[NCW] Thank you for catching this! I have updated the draft accordingly.

"PT-EAP is an inner EAP [RFC3748] method designed to be used under a protected tunnel such as TEAP [I-D.ietf-emu-eap-tunnel-method], EAP-FAST [RFC4851] or EAP-TTLS [RFC5281]."
==> PEAP is more widely supported.
[NCW] Agreed. But the list is not meant to be exhaustive, and admittedly it was easier to cite used methods for which there are IETF RFCs... as well as what EMU is adopting.

"Finally, it describes how the tls-unique channel binding [RFC5929] may be used to PA-TNC exchanges to the EAP tunnel method, defeating MITM attacks such as the Asokan attack [Asokan]."
==> "Some EAP tunnel methods may provide explicit confirmation of inner method success; others may not."
[NCW] I am not sure I understand the comment or request. The above sentence is true; in PT-EAP's case, as it is not an authenticating method, we describe how tls-unique is used in PT-EAP to address such binding. So, the sentence stands on its own as it references further details to follow.

Section 3.4
"Attack Analysis [16]," the reference [16]
[NCW] Fixed the reference (thanks!)

Section 4.2.3
"The strong integrity protections (hashing) offered by EAP-TTLS allows the PT-EAP message recipients to detect message alterations by other types of network based adversaries."
===> it is not hashing offering the integrity, but MAC
[NCW] Right, text updated to read "hashing in the MAC"; also made the reference general as it is provided by the EAP TLS based tunnel.

Section 4.2.4
"the session can be encrypted and hashed to prevent undetected modification that could create a denial of service situation."
===> only MAC, not encryption and hashing, can prevent modification
[NCW] In general true, but some modes do both (authenticated encryption), so the reference to both should apply.

Section 4.3
"The phase two dialog may include authentication of the user by doing other EAP methods or in the case of TTLS by using non-EAP authentication dialogs. PT-EAP is also carried by the phase two tunnel allowing the NEA assessment to be within an encrypted and integrity protected transport."
==> TTLS can also use an EAP method as inner method.
[NCW] I've clarified that sentence.

"These inner methods may perform additional security handshakes including more granular authentications or exchanges of integrity information (such as PT-EAP.)"
===> IMO, PT-EAP had better be exchanged after phase two of the EAP tunnel method, so that the resulting key derived from the tunnel and inner authentication method can be used to protect it.
[NCW] Do you mean to enforce an authentication (inner) method prior to PT-EAP?

Section 5
"To support countermeasures against NEA Asokan attacks as described in Section 3.4, the EAP Tunnel Method used with PT-EAP will need to support the tls-unique channel binding. This should not be a high bar since all EAP tunnel methods currently support this but not all implementations of those methods may do so."
====> It seems no current EAP tunnel method supports tls-unique now. And the Asokan MitM attack is countered by crypto binding, where the tunnel method is bound with the inner method, while TLS-unique is limited to the tunnel method to provide binding between TLS and application. I wonder if there is some confusion in the document.
[NCW] tls-unique is something that will need to be added to those methods that use an EMA... the binding is done by having the tls-unique value passed to the EMA for validation. It is specified in section 3.4.

Regards~~~
-Sujing Zhou

Joe Salowey <jsalo...@cisco.com>
Sender: emu-boun...@ietf.org
2012-06-06 02:05
To: emu@ietf.org
Cc:
Subject: Re: [Emu] [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt

June 4 has come and gone and we haven't received any comments. If you have reviewed the document and not found any issues please indicate that on the list. I'll leave the review open until 6/12. If you can commit to review the document, please let me know.

Thanks,

Joe

On May 21, 2012, at 2:01 PM, Joe Salowey wrote:

> The NEA working group has produced a draft for carrying NEA posture methods
> within EAP. It would be helpful if some EMU working group members reviewed
> the draft. Please send your comments to the EMU list by June 4, 2012.
>
> Thanks,
>
> Joe
>
> Begin forwarded message:
>
>> From: internet-dra...@ietf.org
>> Date: May 15, 2012 8:36:14 AM PDT
>> To: i-d-annou...@ietf.org
>> Cc: n...@ietf.org
>> Subject: [Nea] I-D Action: draft-ietf-nea-pt-eap-02.txt
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This draft is a work item of the Network Endpoint Assessment
>> Working Group of the IETF.
>>
>> Title : PT-EAP: Posture Transport (PT) Protocol
>> For EAP Tunnel Methods
>> Author(s) : Nancy Cam-Winget
>> Paul Sangster
>> Filename : draft-ietf-nea-pt-eap-02.txt
>> Pages : 20
>> Date : 2012-05-15
>>
>> This document specifies PT-EAP, an EAP based Posture Transport (PT)
>> protocol designed to be used only inside a TLS protected tunnel
>> method. The document also describes the intended applicability of
>> PT-EAP.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-nea-pt-eap-02.txt
>>
>> The IETF datatracker page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-nea-pt-eap/
>>
>> _______________________________________________
>> Nea mailing list
>> n...@ietf.org
>> https://www.ietf.org/mailman/listinfo/nea
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
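The binding discussed in the Section 5 exchange above (the tunnel's tls-unique value handed to the EMA for validation) is illustrated by the following constructed Python model; it is an added example, not text or code from the draft, the thread, or any PT-EAP implementation. It assumes a simplified world in which a TLS tunnel is represented only by its tls-unique value (per RFC 5929 the first Finished message of the handshake, faked here with random bytes), and in which the healthy endpoint's posture collector holds a key that the validator can check but a relaying party does not; the names `posture_report`, `ema_validate`, `direct_session` and `relayed_session` are the example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class TlsTunnel:
    """One TLS-based EAP tunnel, reduced to its tls-unique value (constructed model)."""
    tls_unique: bytes

def new_tunnel() -> TlsTunnel:
    # RFC 5929: tls-unique is the first Finished message of the handshake, so
    # every independent handshake yields a different value. Random bytes stand
    # in for a real Finished message here.
    return TlsTunnel(tls_unique=os.urandom(12))

def posture_report(tunnel: TlsTunnel, posture: bytes, collector_key: bytes,
                   bind_to_tunnel: bool) -> dict:
    """NEA client side. The posture collector (assumed to hold collector_key,
    which the EMA can check and a relaying party cannot) authenticates the
    posture; with bind_to_tunnel it also covers the tls-unique of its own tunnel."""
    msg = posture + (tunnel.tls_unique if bind_to_tunnel else b"")
    tag = hmac.new(collector_key, msg, hashlib.sha256).digest()
    return {"posture": posture, "tag": tag, "bound": bind_to_tunnel}

def ema_validate(tunnel: TlsTunnel, report: dict, collector_key: bytes) -> bool:
    """EMA side: recompute the tag with the tls-unique of the tunnel the report
    actually arrived over, so a report produced inside another tunnel fails."""
    msg = report["posture"] + (tunnel.tls_unique if report["bound"] else b"")
    expected = hmac.new(collector_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, report["tag"])

def direct_session(posture: bytes, key: bytes, bound: bool) -> bool:
    # Healthy endpoint talks to the NEA server over a single tunnel: both ends
    # derive the same tls-unique from the same handshake.
    tunnel = new_tunnel()
    return ema_validate(tunnel, posture_report(tunnel, posture, key, bound), key)

def relayed_session(posture: bytes, key: bytes, bound: bool) -> bool:
    # Asokan-style relay: a middle party terminates two separate tunnels and
    # forwards the healthy endpoint's report, unchanged, into its own tunnel.
    # The two tunnels have different tls-unique values, so a bound report
    # cannot validate; an unbound one still does, which is the gap the
    # tls-unique requirement in section 5 is meant to close.
    tunnel_to_healthy, tunnel_to_server = new_tunnel(), new_tunnel()
    report = posture_report(tunnel_to_healthy, posture, key, bound)
    return ema_validate(tunnel_to_server, report, key)
```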