* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Jan2010Interim: nea-minutes-jan2010-v2.txt

File nea-minutes-jan2010-v2.txt, 16.7 KB (added by sethomso@cisco.com, 6 hours ago)

Meeting minutes

Line 
1These notes do not attempt to duplicate the content of the slides.
2Instead, they summarize the material presented, and focus on comments
3and discussion.
4
5
6Agenda
7======
8
9Date: Thursday, Jan 28, 2010
10Time: 0800-1000 PST / 1600-1800 GMT
11WG Charter: http://www.ietf.org/html.charters/nea-charter.html
12WG Tools: http://tools.ietf.org/wg/nea
13WG email: nea@ietf.org
14
150800 Administrivia
16         Blue Sheets
17         Jabber & Minute scribes
18         Agenda bashing
190805 WG Status, Meeting Goal and Consensus Check Process
200810 Review PT submissions: TLS
21   http://www.ietf.org/id/draft-sangster-nea-pt-tls-00.txt
220830 Review PT submissions: EAP 
23   http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-00.txt
24   http://www.ietf.org/id/draft-cam-winget-eap-nea-tlv-00.txt
25   http://www.ietf.org/id/draft-cam-winget-eap-tlv-00.txt
260930 Plan for developing WG I-Ds
270950 Next Steps
281000 Adjourn
29
30
31Minute Scribes
32==============
33Brian Ford and Steve Hanna volunteered to take minutes.
34
35Agenda Bashing
36==============
37Susan Thomson reviewed the proposed agenda. No changes were needed.
38
39WG Status
40=========
41Susan Thomson reviewed WG status.
42
43The PA-TNC and PB-TNC I-Ds are in the RFC Editor Queue. They are going
44through the final editing process and will hopefully be published soon.
45
46Call for submissions for PT protocols ended Jan 4, 2010. One TLS proposal
47and two EAP proposals were submitted.
48
49Meeting Goal
50============
51The aim of this interim meeting is to review the PT proposals and propose
52the path forward for developing WG drafts.
53
54Consensus Check Questions:
55
56Susan previewed the consensus check questions that would be asked at the
57end of the call for the purpose of determining the path forward for WG
58drafts of the PT protocols.
59
60For the TLS-based PT, there will be 2 questions:
61
621. Is there an interest in working on a TLS-based PT in general? Possible
63answers are:
64- Yes   
65- No
66- Defer (decision pending some other action taking place)
67
682. Is there support for adopting the PT-TLS proposal, in particular, as a
69-00 WG draft:
70- Yes
71- No
72- Defer (decision pending some other action taking place)
73
74
75Similarly, for the EAP-based PT, there will be two questions:
763. Is there an interest in working on a EAP-based PT in general? Possible
77answers are:
78- Yes   
79- No
80- Defer (decision pending some other action taking place)
81
824. What should we adopt as a -00 WG I-D?
83- PT-EAP
84- NEA-TLV
85- Other / Defer
86
87For answers of no/defer/other, we would like to understand why, so that
88we can figure out how to make progress.
89
90Review of PT-TLS
91=================
92Paul Sangster reviewed the PT-TLS proposal and described how the proposal
93meets the PT requirements laid out in RFC 5209 and the PB-TNC I-D.
94
95PT-TLS is a TCG specification published last year. It has the same IPR
96grants as PA-TNC and PB-TNC.
97
98PT-TLS supports posture assessment over TLS as an application. No changes
99to TLS are required.
100
101PT-TLS addresses the PT requirements for a L3 transport. Use cases
102include posture re-assessment, application services and non-802.1x-
103enabled networks.
104
105PT-TLS consists of 3 phases:
1061. TLS Handshake (unchanged)
1072. Pre-Negotiation
108   - version negotiation
109   - optional client authentication
1103. Data Transport
111   - NEA Assessment
112
113PT-TLS supports client authentication during the TLS handshake. It also
114provides the ability for the NEA Server to request that the client
115authenticate after the handshake. PT-TLS defines a basic authentication
116mechanism similar to that for the web. The proposal provides a framework
117for adding other authentication types later.
118
119The data transport phase carries PB-TNC messages and supports error
120handling.
121
122The PT-TLS message format is similar to that of PA-TNC and PB-TNC
123containing a message type scoped by vendor-id. Like PA-TNC, a message
124identifier is used to aid in error processing.
125
126Paul said that the pros of PT-TLS are that it runs over an established,
127secure, reliable, full duplex protocol, capable of carrying large amounts
128of data. PT-TLS has been designed to be extensible.
129
130One con of PT-TLS is that more work is needed on client authentication.
131Only a basic authentication mechanism is defined, but more authentication
132types are likely needed.  Another con is that, since PT-TLS is not part
133of the TLS handshake, it is not independent of the application. On the
134other hand, it eases adoption.
135
136Paul then opened up the floor to questions.
137
138Joe Salowey said that PT-TLS defines a new framework for client
139authentication and that he feels it would be better to use an existing
140one like SASL.
141
142Paul agreed that this would be interesting to look at and that EAP is a
143possible candidate as well. He considers this area one of the areas that
144needs more work.
145
146Joe said that the draft does not provide sufficient detail on certificate
147processing during the TLS handshake, not only on the client, but also on
148the server. More specificity will help interoperability, e.g. proof of
149possession of private key, and making sure that the identity of the
150server the client is connecting to, is authorized to service the request.
151
152Paul said that this sounds like best current practices that could be
153added even though the protocol being defined is running on top of TLS.
154
155Joe added that the HTTP specification has included recommendations along
156these lines and so this would be a good baseline to look at.
157
158Kaushik reiterated the point made by Joe re SASL. He also said some text
159regarding state management and performance implications would be useful.
160
161Paul said that there is a section on supporting reassessment which
162mentions state management, but more could be said regarding scaling
163implications.
164
165Nancy said that the document was inconsistent in its use of TLS versions.
166Nancy recommended that there be a requirement for TLS 1.2.
167
168Paul said that there was text in the document regarding use of TLS 1.1
169(must) and 1.2 (should). A mandatory requirement for TLS 1.2 could be
170considered.
171
172Joe added there was mention of TLS 1.0 in the document which needed to be
173cleaned up.
174
175Review of PT-EAP
176=================
177Steve Hanna reviewed the PT-EAP proposal and described how the proposal
178meets the PT requirements laid out in RFC 5209 and the PB-TNC I-D.
179
180The PT-EAP proposal is a TCG standard and was published around 5 years
181ago.
182
183PT-EAP supports an NEA assessment over an EAP tunnel method. Supported
184tunnel methods include PEAP, EAP-FAST and TTLS. No changes are required
185to the EAP tunnel method.
186
187The use case for PT-EAP is to provide the ability to perform posture
188assessment in networks deploying access control such as 802.1x and IKEv2.
189
190PT-EAP runs as an inner EAP method. PT-EAP has the following properties:
191- can be chained with other EAP methods used for authentication
192- supports key derivation allowing inner method to be bound to tunnel
193- supports fragmentation
194
195Due to EAP limitations, the protocol is lock-step, allowing only one
196packet in flight at a time. Large data transfers are therefore not
197recommended.
198
199PT-EAP supports 3 phases:
2001. Optional Diffie-Hellman pre-negotiation
201   - derives key
2022. PB-TNC exchange
203   - NEA Assessments
204   - Hashed into eventual key
2053. Optional key derivation and export
206
207Steve stated that the pros of PT-EAP include the fact that it works with
208any EAP tunnel method, and that there are no changes to the EAP state
209machine and supplicant implementations (assuming they support adding EAP
210methods).  It provides for protection against lying endpoints when used
211with TPM. The protocol has undergone security reviews, and it has no
212dependencies on other working groups.
213
214The cons are that key derivation and export adds complexity to the
215protocol, but its use is optional. A client need not support it.
216
217Steve then opened up the floor for questions.
218
219Nancy questioned the assertion that there is no external dependency. She
220said there is a dependency on a standard EAP tunnel method for
221interoperability.
222
223Steve said there are a lot of EAP methods that are best run in tunnel
224methods. The IESG has not held up standardizing these methods. So he does
225not believe there is a dependency on defining a standard EAP tunnel
226method.
227
228Joe said that one difference between PT-EAP and other EAP methods is that
229it requires that it be run in a tunnel method, whereas other EAP methods
230do not require it.
231
232Steve said that it would be possible to add security measures to run
233without a tunnel method.
234
235Nancy says it is still not clear to her what the threat is that is being
236countered with the key derivation and export, and why that same threat
237does not need to be addressed in the PT-TLS proposal.
238
239Steve says that he thinks that the WG might decide that it needs to be
240addressed in a TLS-based protocol as well. The threat is a man-in-the-
241middle attack against a EAP tunnel method, where an attacker injects an
242EAP exchange in the tunnel from another endpoint. This allows a
243compromised endpoint to claim to have the posture of a clean endpoint and
244not be detected. By binding the inner EAP method to the tunnel, this
245ensures that the tunnel and the inner EAP method terminate on the same
246device.
247
248Nancy asked how the Diffie-Hellman is being authenticated.
249
250Steve says it is through a PA-TNC message over PT-EAP. He said this is
251not specified in the draft, but is described in full in the TCG
252specification. He tried to summarize it in the draft, but it may have
253been too brief.
254
255
256Paul says this is specified in Section 3.5.3 of the draft, but it may
257need to be clarified.
258
259Joe said that without this critical piece, it is incomplete.
260
261Steve says it may be useful to write an Info RFC on the PA-TNC exchange
262to explain how this works. He does not believe it is normative.
263
264Kaushik asked whether the channel binding work being discussed in EMU WG
265would make the Diffie-Hellman redundant.
266
267Steve did not think channel binding would ensure that the posture check
268terminated on the same device as the tunnel.
269
270Kaushik said that there seemed to have been a change in the trust model
271and questioned why the threat was protected against in PT-EAP and not PT-
272TLS.
273
274Steve said that the WG could look at different options that solve the
275problem for both posture transports.
276
277Paul said it is plausible to carry the D-H pre-negotiation in PT-TLS.
278
279Nancy said it would be good to get a good understanding of the trust
280relationships and the problem statement.
281
282Steve suggested that people read Section 4.2.5 and the TCG spec (which
283has pictures).
284
285Review of NEA TLV
286==================
287Nancy Cam-Winget reviewed the NEA TLV proposal and described how the
288proposal meets the PT requirements laid out in RFC 5209 and the PB-TNC I-
289D.
290
291This proposal defines a general EAP-TLV container, and the NEA-specific
292TLV that is carried inside the general container.
293
294The general EAP-TLV container facilitates the exchange of arbitrary data
295in tunnel methods that do not need to generate keys. The EMU WG has
296discussed various uses for such a container such as channel and crypto
297binding. NEA assessment is another usage.
298
299The use cases for an EAP-based transport are similar to those described
300in PT-EAP above. Also, the same EAP protocol limitations apply.
301
302The protocol flow consists of:
3031. EAP tunnel method set up (no change)
3042. Inner EAP method for optional user/machine authentication (no change)
3053. NEA Assessment exchange using NEA-TLV
306
307Nancy said that the pros of the protocol are that it is simple and
308extensible, and can be carried inside of existing EAP tunnel methods. The
309NEA-TLV  format could be used in the TLS-based protocol as well.
310
311The cons are that this approach assumes that key derivation is not
312required. It also depends on the EAP-TLV format being defined.
313
314Nancy then opened up the floor to questions.
315
316Steve asked how requirement C-5 which states that the selection process
317must prefer open standards is met.
318
319Nancy argued that the EAP-TLV container is open in the sense that it is
320already used in existing tunnel methods.
321
322Steve disagreed but said that we should let the WG decide.
323
324Steve also asked about C-7 and support for large data transfers.
325
326Nancy says fragmentation is assumed to be supported in the EAP tunnel
327method.
328
329Steve agreed with this, but TLVs larger than 2**16-1 would not be
330supported.
331
332Nancy says the current proposal could be extended to support
333fragmentation into EAP_TLVs, if needed.
334
335Steve agreed that this could be done.
336
337Paul asked for a clarification on whether EAP-TLV I-D would be specified
338in EMU WG and NEA-TLV in the NEA WG.
339
340Nancy said that this was correct.
341
342Paul said that the implication of this was that progress in the NEA WG
343was tied to that of the EMU WG. It was unlikely that the NEA-TLV I-D
344could be published as an RFC prior to the EMU WG completing the EAP-TLV
345specification.
346
347Kaushik said the relationship exists already because of the need for a
348tunnel method to be standardized.
349
350Paul argued that this was not the case for the PT-EAP proposal. Even if
351the IESG decided not to publish the RFC as Proposed Standard straight
352away, the NEA WG could complete the work independently of progress in the
353EMU WG.
354
355Steve asked whether EAP-TLV required changes to the EAP state machine.
356
357Nancy said that it did not require changes to the state machine.
358
359Steve asked how existing supplicants that provide support for adding new
360EAP methods would support the NEA-TLV without requiring changes to
361implementations.
362
363Hao Zhou said a mechanism that would be needed to support NEA-TLV is
364required anyway, e.g. for returning final results and to support crypto-
365binding. Several implementations support this.
366
367Steve said that supplicants supporting multiple inner EAP methods can
368support PT-EAP without change.
369
370Joe countered that not all supplicant implementations support this. Some
371support TLVs.
372
373Consensus Check
374===============
375Susan asked the WG for their feedback on the consensus check questions:
376
377Regarding the TLS-based PT:
378-----------------------------
3791. Is there an interest in working on a TLS-based PT in general?
380
381The response was unanimous in favor of working on a TLS-based PT.
382Prior to the next consensus question being asked, Nancy expressed the
383concern that she could not support PT-TLS without a better understanding
384of the trust model, especially with respect to the authentication.
385
386Paul said that D-H pre-negotiation could be added to the specification
387without a problem. Adding SASL may be a bigger change. But it is doable.
388
389Susan then asked the second consensus question.
390
3912. Is there support for adopting the PT-TLS proposal as a -00 WG draft?
392
393The response (hum) was in favor of the yes responses, over the defer
394responses, with no-one humming no, but there was no clear consensus.
395
396
397Regarding EAP-based PT:
398-----------------------
399Susan asked consensus check questions on the EAP-based proposals.
400
4013. Is there an interest in working on a EAP-based PT in general?
402
403The response was unanimous in favor of working on an EAP-based PT.
404
405
4064. What should we adopt as a -00 WG I-D?
407- PT-EAP
408- NEA-TLV
409- Other/Defer
410
411Responses were roughly equal in favor of PT-EAP and NEA-TLV with one
412response indicating a preference to defer.
413
414Next Steps:
415===========
416Given the lack of consensus on moving forward with any of the proposals
417as -00 WG drafts at this time, the working group identified topics that
418need to be discussed on the mailing list, prior to making a decision.
419
420Susan suggested that getting agreement on the trust model would help move
421things forward.
422
423Paul suggested that the WG chairs discuss with the AD questions around
424the process for publishing the EAP-based PT as a Proposed Standard.
425First, can a EAP PT progress without there being a standard EAP tunnel
426method? Second, is it OK to stop work until EAP-TLV is standardized?
427
428Brian Ford mentioned that the impact of the EAP proposals on supplicants
429be a factor taken into consideration.
430
431Steve said another topic for discussion would be a description of the
432MITM attack and the D-H PN counter-measure.
433
434Joe agreed on the need for a discussion of the threat model, and the need
435for a binding to the tunnel.
436
437Steve would like to see a discussion of how the EAP protocols stack up
438against the requirements because there are specific cases where there was
439no agreement.
440
441
442Actions:
443- Steve and Paul to send description of the MITM attack and the D-H PN
444countermeasure.
445- Steve and Nancy to describe how proposals meet PT requirements on
446mailing list
447- Impact on existing supplicants. (Juniper-Steve, Cisco-Nancy, Microsoft-
448Steve, Apple-Nancy/Steve, open source-Paul)
449- Susan and Steve to consult with our AD on process for moving forward on
450standardizing an EAP-based PT.