headers
Jim Schaad | 21 Mar 2012 11:15

Comments on emu-eap-tunnel-method-02

1.  After the first exchange of messages, if the version does not match the
agreed on version - what happens?

2.  Section 3.2 says that one should be able to do a renegotiate for getting
the peers identity certificate.  Do the following points need to be made?
a) If you are doing a re-negotiation - then you SHOULD not be using an
anonymous cipher suite
b) Once you have started phase 2, re-negotiation MUST NOT be done.

3. in section 3.3.1 - did you miss changing and EAP-TLS to a TEAP? "For
example, EAP-TLS..."  If not, then I would suggest changing to a std track
protocol.

4.  In section 3.4 - I want to make sure that what I read is what you
intend.
 == If I do multiple (one or more) inner EAP methods, the authenticated peer
identity is the set of all of these identities.
 == If I do zero inner EAP methods and I do a client auth TLS, the
authenticated peer identity comes from the certificate.
 == If I do zero inner EAP methods and do not do a client auth TLS, then I
have no authenticated peer identity.

 -- specifically - should the client auth TLS identity be excluded if I run
an inner EAP method
 -- Specifically - should the all non EAP methods be excluded -- include the
TEAP defined user name/password
 -- Specifically - should any EAP server name established in an EAP method
be excluded from its name set?

5.  In section 3.8 - potentially ambiguous statement:  "The request MAY be
(Continue reading)

Permalink | Reply |
headers
Hao Zhou | 21 Mar 2012 19:26
Picon
Favicon

Re: Comments on emu-eap-tunnel-method-02

Jim:

Thanks for the detailed review. My comments are below inline:

On 3/21/12 6:15 AM, "Jim Schaad" <ietf <at> augustcellars.com> wrote:

> 1.  After the first exchange of messages, if the version does not match the
> agreed on version - what happens?
> 
[HZ] Good catch. Both sides should stick with the version negotiated. I
guess we will add some language to describe the behavior handling
exceptions. My initial thoughts are both sides should treat it as fatal
error and proceed with fatal error processing, e.g., server should just send
back EAP-Failure and peer sends back EAP-Nak.

> 2.  Section 3.2 says that one should be able to do a renegotiate for getting
> the peers identity certificate.  Do the following points need to be made?
> a) If you are doing a re-negotiation - then you SHOULD not be using an
> anonymous cipher suite
> b) Once you have started phase 2, re-negotiation MUST NOT be done.
> 
[HZ] Good points. I will add them.

> 3. in section 3.3.1 - did you miss changing and EAP-TLS to a TEAP? "For
> example, EAP-TLS..."  If not, then I would suggest changing to a std track
> protocol.
> 
[HZ] No. It is meant to say EAP-TLS. I thought EAP-TLS RFC5216 is a std
track RFC.
(Continue reading)

Permalink | Reply |
headers
Jim Schaad | 21 Mar 2012 21:56

Re: Comments on emu-eap-tunnel-method-02


> -----Original Message-----
> From: Hao Zhou [mailto:hzhou <at> cisco.com]
> Sent: Wednesday, March 21, 2012 11:26 AM
> To: Jim Schaad; draft-ietf-emu-eap-tunnel-method <at> tools.ietf.org
> Cc: emu <at> ietf.org
> Subject: Re: [Emu] Comments on emu-eap-tunnel-method-02
> 
> Jim:
> 
> Thanks for the detailed review. My comments are below inline:
> 
> 
> On 3/21/12 6:15 AM, "Jim Schaad" <ietf <at> augustcellars.com> wrote:
> 
> > 7. In section 4.2.4 - What do I do for an defined value.  Do these
> > values only match those of the available through the base document or
> > are other
> >
> [HZ} I am confused. Are you talking about Section 4.2.4 Result TLV or
others?

I was looking at the result TLV, I was thinking in terms of a Not Available
at this time - but that should probably be in the NAK not in the Result.  As
there are only two possible results to be returned at the top level EAP -
this is probably an extraneous comment.

> > 11. Section 4.2.15 - If we change the "standard" way of doing name
> > preparation, should we be creating a new item, or should we have a
> > byte field that specifies the username/password processing function.
(Continue reading)

Permalink | Reply |
headers
Jim Schaad | 22 Mar 2012 01:52

Re: Comments on emu-eap-tunnel-method-02

You might also need to put in an IANA consideration for the use of the TLS
Exporter
(http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#exporter-
labels)

Jim

> -----Original Message-----
> From: Hao Zhou [mailto:hzhou <at> cisco.com]
> Sent: Wednesday, March 21, 2012 11:26 AM
> To: Jim Schaad; draft-ietf-emu-eap-tunnel-method <at> tools.ietf.org
> Cc: emu <at> ietf.org
> Subject: Re: [Emu] Comments on emu-eap-tunnel-method-02
> 
> Jim:
> 
> Thanks for the detailed review. My comments are below inline:
> 
> 
> On 3/21/12 6:15 AM, "Jim Schaad" <ietf <at> augustcellars.com> wrote:
> 
> > 1.  After the first exchange of messages, if the version does not
> > match the agreed on version - what happens?
> >
> [HZ] Good catch. Both sides should stick with the version negotiated. I
guess
> we will add some language to describe the behavior handling exceptions. My
> initial thoughts are both sides should treat it as fatal error and proceed
with
> fatal error processing, e.g., server should just send back EAP-Failure and
(Continue reading)

Permalink | Reply |

Gmane