Sam,
I was concerned that something along these lines was lurking in here :-(.
I think this is the crucial "running code" consideration to start from:
Practically speaking, it will be a while before peers implement channel
binding for network access.
Assuming that network access does not use channel binding, how does one
avoid the proxy attack on network access authentication via application
access authentication when the latter is introduced?
For environments where EAP is used for network access authentication,
the suggestion of a "MUST use" requirement for channel binding with
application access authentication sounds like the right approach:
If all the application access peers support channel binding, then you
could potentially require the eap-lower-layer attribute or similar for
application authentication and work securely in environments where peers
for network access have not been updated yet.
Is that plausible and reasonable in practice?
This would be in addition to the "MUST implement" requirements for AAA
servers, EAP serves and peers doing application access:
I know you're correct that AAA servers and EAP servers need to implement
channel binding for network access in such environments.
Thanks,
--David
-----Original Message-----
From: Sam Hartman [mailto:hartmans(_at_)painless-security(_dot_)com]
Sent: Tuesday, June 18, 2013 10:19 AM
To: Black, David
Cc: stefan(_dot_)winter(_at_)restena(_dot_)lu; jsalowey(_at_)cisco(_dot_)com;
General Area Review Team;
abfab(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
Subject: Re: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-03
"Black," == Black, David <david(_dot_)black(_at_)emc(_dot_)com> writes:
Black,> The next to last paragraph on p.3 begins with this sentence:
Black,> For these reasons, channel binding MUST be implemented by
Black,> peers, EAP servers and AAA servers in environments where EAP
Black,> authentication is used to access application layer services.
Black,> It appear that this "MUST" requirement applies to all uses
Black,> of EAP, including network access authentication, not just
Black,> application layer access authentication. If so, that's not
Black,> immediately obvious from the text, and an additional
Black,> sentence should be added to make this clearer. If not, the
Black,> above sentence needs to exclude network access
Black,> authentication from that requirement.
I know you're correct that AAA servers and EAP servers need to implement
channel binding for network access in such environments.
I'm not sure whether peers only doing network access SHOULD implement
channel binding or MUST implement channel binding.
Practically speaking, it will be a while before peers implement channel
binding for network access.
The sorts of attacks that result without channel binding are attacks
where a peer thinks it is doing network access authentication but what
it's really doing is helping an attacker access an application.
If all the application access peers support channel binding, then you
could potentially require the eap-lower-layer attribute or similar for
application authentication and work securely in environments where peers
for network access have not been updated yet.
It's also kind of tempting to stick our head in the sand and just add
the clarification that "yes, we mean network access too."
--Sam