[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [eap] Ordered delivery of EAP messages

To: "Yoshihiro Ohba" <yohba@tari.toshiba.com>, "Avi Lior" <avi@bridgewatersystems.com>
Subject: RE: [eap] Ordered delivery of EAP messages
From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
Date: Wed, 7 Mar 2007 19:08:31 -0800
Cc: "Bernard Aboba" <bernard_aboba@hotmail.com>, <alper.yegin@yegin.org>, <Pasi.Eronen@nokia.com>, <eap@frascone.com>, <radiusext@ops.ietf.org>
In-reply-to: <20070307210506.GK22467@steelhead>
References: <20070307194230.GH22467@steelhead> <E7CCE8A83907104ABEE91AC3AE3709A00B69CA7D@exchange.bridgewatersys.com> <20070307210506.GK22467@steelhead>

Yoshihiro Ohba <mailto:yohba@tari.toshiba.com> allegedly scribbled on
Wednesday, March 07, 2007 1:05 PM:
...
>> But you didn't answer the first part -- which is the key part.  If
>> you had unordered delivery of packets, could an unAuthenticatble
>> user be authenticated?
> 
> I have been thinking about this, and so far I have not found an
> example case of unauthenticatble user be authenticated when
> misordering happens.  The answer is "I don't know."  
> 
>> 
>> If the answer to this question is NO, then EAP does not require in
>> order delivery of packets and RFC 3748 has an error.
> 
> I am not sure what makes you conclude like this.  I don't want my
> authentication attempt to fail just because IP packets are arriving
> out of order.  

Just to be clear, we're talking about EAP packets here, not IP packets.

> 
> Yoshihiro Ohba
> 
> 
>> 
>> 
>> 
>> -----Original Message-----
>> From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com]
>> Sent: Wednesday, March 07, 2007 2:43 PM
>> To: Avi Lior
>> Cc: Bernard Aboba; gwz@cisco.com; alper.yegin@yegin.org;
>> Pasi.Eronen@nokia.com; eap@frascone.com; radiusext@ops.ietf.org
>> Subject: Re: [eap] Ordered delivery of EAP messages
>> 
>> On Wed, Mar 07, 2007 at 11:40:39AM -0500, Avi Lior wrote:
>>> Bernard,
>>> 
>>> You said:
>>> 
>>> "So overall, I don't think that the majority of EAP methods deployed
>>> today are capable of handling arbitrary reordering."
>>> 
>>> Okay, but what is the result when this occurs, would this result in
>>> an
>> 
>>> Unauthenticateable user to be Authenticated?
>>> 
>>> If NOT, then EAP Methods do not require in order delivery by the
>>> underlying transport(s) to give results that are secure.
>>> 
>>> In order delivery is desirable for optimal performance -- an
>>> Authenticateble user getting authenticated without having to retry
>>> the
>> 
>>> method.
>> 
>> Orderly delivery is required for authenticable user to be
>> authenticated. Without orderly delivery, authentication for
>> authenticable user can fail even if (i) EAP and lower layer are
>> doing their jobs correctly as specified in their specifications,
>> (ii) valid credentials are being used and (iii) there is no
>> attacking.  From operational perspective, this is something that
>> should not happen, IMO. 
>> 
>> Yoshihiro Ohba
>> 
>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Bernard Aboba [mailto:bernard_aboba@hotmail.com]
>>> Sent: Tuesday, March 06, 2007 11:43 PM
>>> To: Avi Lior; gwz@cisco.com; alper.yegin@yegin.org;
>>> Pasi.Eronen@nokia.com; eap@frascone.com
>>> Cc: radiusext@ops.ietf.org
>>> Subject: RE: [eap] Ordered delivery of EAP messages
>>> 
>>> Avi Lior said:
>>> 
>>> "If an EAP method designer designed their method assuming the in
>>> order
>> 
>>> delivery of packets then this would be a bad thing I think.
>>> 
>>> A hacker could then exploit this assumption by re-order the packets.
>>> Surely EAP methods are not susceptible to this type of attack.
>>> Right?" 
>>> 
>>> Certainly, it is a good thing for an EAP method to protect itself
>>> against replay.  Using the mechanism provided in RFC 3579, an EAP
>>> method could discard replayed packets and ask the NAS to send
>>> another
>> one.
>>> 
>>> On the other hand, there are EAP methods that are not protected
>>> against replay (e.g. Identity, Notification, etc.).  There are also
>>> situations in which EAP packets can be fragmented, and if
>>> reassembled in the wrong order, this could cause failure of the MIC
>>> which can be a
>> 
>>> terminal error (e.g. in TLS-based methods).
>>> 
>>> So overall, I don't think that the majority of EAP methods deployed
>>> today are capable of handling arbitrary reordering.
>>> 
>>> 
>>> _________________________________________________________________
>>> To unsubscribe or modify your subscription options, please visit:
>>> http://lists.frascone.com/mailman/listinfo/eap
>>> 
>>> Arhives: http://lists.frascone.com/pipermail/eap

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Re: [eap] Ordered delivery of EAP messages
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>
- RE: [eap] Ordered delivery of EAP messages
  - From: "Avi Lior" <avi@bridgewatersystems.com>
- Re: [eap] Ordered delivery of EAP messages
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>

Prev by Date: RE: [eap] Ordered delivery of EAP messages
Next by Date: RE: Issues & Fixes: Ordered delivery of EAP messages
Previous by thread: RE: [eap] Ordered delivery of EAP messages
Next by thread: RE: [eap] Ordered delivery of EAP messages
Index(es):
- Date
- Thread