Presentation is loading. Please wait.

Presentation is loading. Please wait.

EAP WG IETF 55 Atlanta, GA. EAP WG Meeting Monday, Salon II 1530-1730 Preliminaries (10 minutes) –Bluesheets, minutes –Document Status RFC 2284 Bis EAP.

Published byMarcia Joseph Modified over 8 years ago

Similar presentations

Presentation on theme: "EAP WG IETF 55 Atlanta, GA. EAP WG Meeting Monday, Salon II 1530-1730 Preliminaries (10 minutes) –Bluesheets, minutes –Document Status RFC 2284 Bis EAP."— Presentation transcript:

1 EAP WG IETF 55 Atlanta, GA

2 EAP WG Meeting Monday, Salon II 1530-1730 Preliminaries (10 minutes) –Bluesheets, minutes –Document Status RFC 2284 Bis EAP Design Team Report, Jari Arkko (5 minutes) http://www.ietf.org/internet-drafts/draft-ietf-eap-esteem-00.txt IEEE 802.1aa D4 reconciliation, Paul Congdon (5 minutes) http://www.ieee802.org/1/mirror/8021/aa-drafts/d4/802-1aa-d4.pdf username: p8021, password: go_wildcats RFC 2284bis Open issues, Bernard Aboba (15 minutes) http://www.ietf.org/internet-drafts/draft-ietf-pppext-rfc2284bis-07.txt EAP state machine, Bryan Payne & Nick Petroni (10 minutes) http://www.ietf.org/internet-drafts/draft-payne-eap-sm-01.{ps,txt} EAP state machine, John Vollbrecht (10 minutes) http://www.ietf.org/internet-drafts/draft-ietf-eap-esteem-00.txt

3 Monday agenda, continued EAP TLV method, Glen Zorn (5 minutes) http://www.ietf.org/internet-drafts/draft-hiller-eap-tlv-00.txt EAP IANA considerations, Bernard Aboba (10 minutes) http://www.ietf.org/internet-drafts/draft-aboba-pppext-eap-iana- 02.txt EAP Security EAP Binding Problem, V. Lortz (10 minutes) http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding- 00.txt EAP Binding Problem, H. Haverinen (10 minutes) http://www.saunalahti.fi/~asokan/research/mitm.html EAP Binding Problem, H. Krawczyk (10 minutes)

4 EAP WG Meeting Tuesday, Salon B 1700-1800 EAP keying problem, Bernard Aboba (10 minutes) http://www.ietf.org/internet-drafts/draft-aboba-pppext-key-problem-03.txt EAP Methods EAP security claims, Glen Zorn (10 minutes) http://www.ietf.org/internet-drafts/draft-zorn-eap-eval-00.txt Smart card support, Pascal Urien (5 minutes) http://www.ietf.org/internet-drafts/draft-urien-eap-smartcard-00.txt EAP SIM, Henry Haverinen (5 minutes) http://www.ietf.org/internet-drafts/draft-haverinen-pppext-eap-sim-07.txt EAP AKA, Henry Haverinen (5 minutes) http://www.ietf.org/internet-drafts/draft-haverinen-pppext-eap-aka-06.txt EAP GSS, Bernard Aboba (5 minutes) http://www.ietf.org/internet-drafts/draft-aboba-pppext-eapgss-12.txt EAP Roadmap EAP Roadmap Discussion (10 minutes)

5 Document Status WG work items –RFC 2284bis draft-ietf-pppext-rfc2284bis-07.txt draft-ietf-eap-otp-00.txt –Eap StatE machinE dEsign teaM (ESTEEM) Draft-ietf-eap-esteem-00.txt Individual submissions –EAP Keying Problem draft-aboba-pppext-key-problem-03.txt

6 Goals and Milestones Dec 02 RFC 2284bis submitted for publication as Proposed Standard RFC –IANA considerations –State machine –Security considerations –Type space expansion –OTP, GTC Jun 03 EAP Keying problem doc submitted for publication as Informational RFC.

7 RFC 2284bis

8 Goals for RFC 2284bis Understanding behavior of current implementations –EAP Implementation Survey Documenting features of EAP implementations –Interoperability testing Documenting interoperation of each feature by at least 2 independent implementations Recycling RFC 2284 at Proposed Standard –Clarifying interoperability issues within the specification –Recognizing support for multiple media PPP, IEEE 802, PIC (EAP over UDP) –Describing the EAP operational model –Security considerations –IANA considerations

9 Non-Goals Re-writing EAP from scratch –This is not EAPng! Making non-backward compatible changes to EAP Revising RADIUS –RFC2869bis is needed, but not part of this effort Revising IEEE 802.1X –IEEE 802.1X revision PAR (aa) in progress

10 Interoperability Testing Opportunities CIUG –Results of past EAP interoperability tests? –Plans for additional tests? Interop –Testing of IEEE 802.1X on the “Interop net”

11 EAP Survey Results Survey requests sent out to PPPEXT, IEEE 802.1X mailing lists in early June 2001 Implementations covered in responses: –2 PPP –2 IEEE 802.3 –1 IEEE 802.11 Many “implementations in progress” not ready to fill out survey yet –IEEE 802: 802.3, 802.11 implementations –Other: PIC –Other potential uses of EAP: Hiperlan2, Bluetooth Features not implemented: –EAP OTP, Generic Token card –Default retransmission timer of 6 seconds –Allowing for loss of EAP Success and Failure packets via alternative indications –Display of Notification to user and use to indicate invalid authentication attempt

12 Implications for RFC 2284bis Generic token card, OTP EAP methods now documented in separate draft –Draft-ietf-eap-otp-00.txt –Given no implementations, OTP & GTC will remain at proposed standard RFC 2284bis may need to cut additional features –We’ll cross that bridge once we come to it

13 RFC 2284bis Issues

14 RFC 2284bis Issues Process Issues represent a request for a specific change to the RFC 2284bis document. –Not just a “question” –Not just a description of the problem – but text for a solution! Issues sent to eap@frascone.com in the following format:eap@frascone.com –Description of issue Submitter name: Your_Name_Here Submitter email address: Your_Email_Address_Here Date first submitted: Insert_Date_Here Reference: URL to e-mail describing problem, if available Document: Document Requiring change [RFC2284bis, RFC 2869bis, Keying Framework] Comment type: ['T'echnical | 'E'ditorial] Priority: ['S' Must fix | '1' Should fix | '2' May fix ] Section: Insert_Section_Number_Here Rationale/Explanation of issue: Length description of problem Requested change: Proposal Issues list kept at: –http://www.drizzle.com/~aboba/EAP/eapissues.htmlhttp://www.drizzle.com/~aboba/EAP/eapissues.html

15 Issues Report 42 Issues raised so far RFC 2284bis (37) –20 resolved –3 rejected –14 still open RFC 2869bis (2) –2 resolved EAP keying framework (2) –2 still open EAP state machine (1) –1 still open

16 Observations Closed/still open ratio is not very good Open 6 months or more: Issues 2,7,10,14,23,25,26,32 Relatively little discussion on posted RFC 2284bis issues If this continues, EAP WG will miss milestones by a considerable margin Have to pick up the pace!

17 RFC 2284bis Open Issues Alternative indications (#2) Authentication sequences (#7) Acknowledged Success/Failure (#10) Identifier usage (#13) EAP Transport behavior (#14) Identifier behavior (#18) Identity Request Payload (#23) Spoofing and duplicate detection (#25) Unprotected success and failure (#26) Keying confirmation (#32) Language negotiation (#38) Man-in-the-middle attacks (#40) NAK of Vendor-specific (#41) EAP enhancements (#42)

18 Alternate Indications (#2) Success and Failure messages are not ACK’d: “Implementation Note: Because the Success and Failure packets are not acknowledged, they may be potentially lost. A peer MUST allow for this circumstance. The peer can use a Network Protocol packet as an alternative indication of Success. Likewise, the receipt of a LCP Terminate-Request can be taken as a Failure.” –Result: If Success or Failure are lost: Timeout or worse! Lower layers have different “alternate indications” –PPP LCP-Terminate, carrier loss an alternate indication of Failure NCP an alternate indication of success –IEEE 802 Carrier sense an alternate indication of Failure No alternate indication of Success –IEEE 802.11 Disassociate, Deauthenticate, EAPOL-Logoff an alternate indication of Failure Association/Reassociation response an alternate indication of success

19 EAP Transport Behavior (#14) EAP is an ACK/NAK protocol –Only one packet in flight at a time –But some methods assume that additional Requests can be sent without a Response EAP is driven by the authenticator –Responses cannot be retransmitted, only Requests –Success/Failure not ACK’d nor retransmitted –RADIUS server does not retransmit (NAS responsibility) –But some methods assume RADIUS server retransmission, ACK’ing of Success/Failure EAP transport characteristics not defined in RFC 2284 –RTO default = 6 seconds (for human interaction) –No exponential backoff –No defined retransmission strategy –When running over IP, EAP retransmission can conflict with transport retransmissions

20 Identifier Behavior (#18) Identifier is unique per port, not per NAS –Ongoing authentications per NAS not limited to 256 Guidelines for Identifier selection –Start from 1 or random selection? –Can identifier wrap within a session? –Is Identifier monotonically increasing or just unique within the conversation? Example issue –AAA server sends Accept with Reply-Message and EAP- Message attributes –If Reply-Message translated to EAP-Notification, EAP authenticator needs to “create” an Identifier for it Assumption is that EAP-Request/EAP-Notification is sent, followed by receipt of EAP-Response/EAP-Notification, then EAP- Message attribute is decapsulated and sent –But EAP-Message attribute already contains an Identifier!

21 Identity Request Payload (#23) RFC 2284 does not define what is included in the Identity Request payload EAP peer typically obtains information about the available networks out of band –PPP: via dialup client –802.11: via Beacon, Probe Responses –PANA: via CAR? Does the peer need additional hints in the Identity Request? –If so, what? –Can the information be provided in other ways? Example: SSID OID proposed in EAP TLS cert profile

22 Duplicate Detection (#25) EAP retransmission behavior –NAS retransmits EAP-Requests –Client never re-transmits EAP-Responses on its own –NAS retransmission doesn’t take RTT into account –Result NAS can retransmit before it is assured that EAP-Request has been lost Client can send duplicate EAP-Responses Interactions with AAA –In RADIUS, NAS is responsible for retransmissions No AAA server-initiated messages AAA server does not retransmit –If NAS doesn’t detect and discard duplicates, can send duplicate Access-Requests to AAA server –If done in the middle of EAP conversation, can cause problems on AAA server

23 EAP Type Multiplexing Proposed EAP methods use NAK and Notification in “novel” ways –NAK used for version negotiation within the EAP method –Notification used for Nonce exchange Some proposed methods have placed data in EAP Success/Failure –Success/Failure are not ACK’d, so data may never arrive –802.1X “manufactures success/failure, so data, if present will be thrown away Not explicitly prohibited by RFC 2284, but unlikely to interoperate either –Might work in a monolithic EAP implementation, but not in a layered one No description of EAP type multiplexing in RFC 2284

24 EAP Type MultiplexingEAPLayer MethodLayer MediaLayer MethodPrimitives PPP802.3802.5802.11 Type= Identity, Notification Code =Success, Failure Type=Foo FooFoo Type=Bar Type=NAK

25 IANA Considerations

26 Allocated EAP Type#’s Type Description Reference Implemented? Spec Available? ---- ----------- --------- ------------ --------------- 1 Identity [RFC2284] Yes RFC 2284 2 Notification [RFC2284] Yes RFC 2284 3 NAK (Response only) [RFC2284] Yes RFC 2284 4 MD5-Challenge [RFC2284] Yes RFC 2284 5 One Time Password (OTP) [RFC2284] No RFC 2284 6 Generic Token Card [RFC2284] No RFC 2284 7 No No 8 No No 9 RSA Public Key Authentication [Whelan] No Expired 10 DSS Unilateral [Nace] Yes I-D? 11 KEA [Nace] Yes I-D? 12 KEA-Validate [Nace] Yes I-D? 13 EAP-TLS [Aboba] Yes RFC 2716 14 Defender Token (AXENT) [Roselli] Yes No 15 Windows 2000 EAP [Asnes] ? No 16 Arcot Systems EAP [Jerdonek] ? No 17 EAP-Cisco Wireless [Norman] Yes No 18 Nokia IP smart card auth [Haverinen] ? No 19 SRP-SHA1 Part 1 [Carlson] Yes I-D 20 SRP-SHA1 Part 2 [Carlson] No I-D 21 EAP-TTLS [Funk] Yes I-D 22 Remote Access Service [Fields] ? No 23 UMTS Auth and Key agreement [Haverinen] ? ? 24 EAP-3Com Wireless [Young] Yes No 25 PEAP [Palekar] Yes I-D 26 MS-EAP-Authentication [Palekar] Yes No 27 Mutual auth w/key exchange (MAKE) [Berrendonner] ? No 28 CRYPTOCard [Webb] Yes No 29 EAP-MSCHAP-V2 [Potter] ? I-D 30 DynamID [Merlin] ? No 31 Rob EAP [Ullah] ? No 32SecurID EAP [Josefsson] Yes I-D 33EAP TLV [Palekar] Yes I-D 34SentriNet [Kelleher] Yes No 35Actiontec Wireless [Chang] ? No 36Congent Systems Biometric [Xiong] ? No

27 Some Observations Rate of Method Type allocation is increasing –36 Type values allocated since March 1998 –4 Type values allocated in the last 3 months Two Method Type values allocated to the same Method –EAP SRP-SHA1 Parts 1 and 2 Most allocations are for vendor-specific use with no specification Not all allocated Method Types are used –At least 5 of the allocated types have not been implemented (~15 percent!) Conclusion –At present rate of allocation, EAP Type space could be exhausted within a few years –EAP Method Type space is a finite resource (255) - could probably be managed more effectively –IANA considerations needed!

28 Proposed IANA Considerations Included in RFC 2284bis –Separated out in draft-aboba-pppext-eap-iana-02.txt Packet Codes –Codes 1-4 described in RFC 2284 –Codes 5-255 allocated by Standards Action Method Types –Method Types 1-36 already allocated by IANA –Method Types 37-191 allocated via Designated Expert w/specification required –Method Types 192-254 reserved; allocation requires Standards Action –Method 255 for Vendor-Specific extensions when no interoperability is deemed useful –More than one type code at a time requires IETF Consensus

29 Vendor-Specific Support Method Type 255 reserved for (optional) Vendor- Specific use and Type expansion Goal is to push exhaustion of EAP Type space out several years Expanded Type space (256+) allocated after Types 32-191 are exhausted

30 Questions Should IANA considerations be kept within RFC 2284bis or progressed separately? –Separation might enable more rapid implementation of IANA considerations What should method allocation be?

Download ppt "EAP WG IETF 55 Atlanta, GA. EAP WG Meeting Monday, Salon II 1530-1730 Preliminaries (10 minutes) –Bluesheets, minutes –Document Status RFC 2284 Bis EAP."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
EAP STATE Machine Proposal

EAP STATE Machine Proposal
doc.: IEEE /382 Bernard Aboba Microsoft

doc.: IEEE /382 Bernard Aboba Microsoft
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard

Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard
WG RAQMON Internet-Drafts RMON MIB WG Meeting Washington, Nov. 11, 2004.

WG RAQMON Internet-Drafts RMON MIB WG Meeting Washington, Nov. 11, 2004.
Doc: 11-03-0763-00-0000 Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.

Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.
EMU BOF EAP Method Requirements Bernard Aboba Microsoft Thursday, November 10, 2005 IETF 64, Vancouver, CA.

EMU BOF EAP Method Requirements Bernard Aboba Microsoft Thursday, November 10, 2005 IETF 64, Vancouver, CA.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and 802.11i IKEv2 EAP authentication.

1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.

Similar presentations

Ads by Google