RE: [eap] Ordered delivery of EAP messages

["Avi Lior" <avi@bridgewatersystems.com>]

Yoshi

Please see inline.... 

-----Original Message-----
From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] 
Sent: Wednesday, March 07, 2007 2:43 PM
To: Avi Lior
Cc: Bernard Aboba; gwz@cisco.com; alper.yegin@yegin.org;
Pasi.Eronen@nokia.com; eap@frascone.com; radiusext@ops.ietf.org
Subject: Re: [eap] Ordered delivery of EAP messages

On Wed, Mar 07, 2007 at 11:40:39AM -0500, Avi Lior wrote:
> Bernard,
> 
> You said: 
> 
> "So overall, I don't think that the majority of EAP methods deployed 
> today are capable of handling arbitrary reordering."
> 
> Okay, but what is the result when this occurs, would this result in an

> Unauthenticateable user to be Authenticated?
> 
> If NOT, then EAP Methods do not require in order delivery by the 
> underlying transport(s) to give results that are secure.
> 
> In order delivery is desirable for optimal performance -- an 
> Authenticateble user getting authenticated without having to retry the

> method.

Orderly delivery is required for authenticable user to be authenticated.


[Avi] Correct.

Without orderly delivery, authentication for authenticable user can fail
even if (i) EAP and lower layer are doing their jobs correctly as
specified in their specifications, (ii) valid credentials are being used
and (iii) there is no attacking.  From operational perspective, this is
something that should not happen, IMO.

[Avi] I agree.  Yes and RFC 3748 addresses that already and makes a
recommendation that the transport layer should provide inorder delivery.
But it is an entirely different matter to require in order delivery.
The point again and again is that in order delivery by the transport
layer is NOT required for Correct Secure operation of EAP.  EAP Method
need to take care of that aspect themselves they should not delegate
that responsibility to the transport layer.

Yoshihiro Ohba


> 
> 
> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_aboba@hotmail.com]
> Sent: Tuesday, March 06, 2007 11:43 PM
> To: Avi Lior; gwz@cisco.com; alper.yegin@yegin.org; 
> Pasi.Eronen@nokia.com; eap@frascone.com
> Cc: radiusext@ops.ietf.org
> Subject: RE: [eap] Ordered delivery of EAP messages
> 
> Avi Lior said:
> 
> "If an EAP method designer designed their method assuming the in order

> delivery of packets then this would be a bad thing I think.
> 
> A hacker could then exploit this assumption by re-order the packets.
> Surely EAP methods are not susceptible to this type of attack. Right?"
> 
> Certainly, it is a good thing for an EAP method to protect itself 
> against replay.  Using the mechanism provided in RFC 3579, an EAP 
> method could discard replayed packets and ask the NAS to send another
one.
> 
> On the other hand, there are EAP methods that are not protected 
> against replay (e.g. Identity, Notification, etc.).  There are also 
> situations in which EAP packets can be fragmented, and if reassembled 
> in the wrong order, this could cause failure of the MIC which can be a

> terminal error (e.g. in TLS-based methods).
> 
> So overall, I don't think that the majority of EAP methods deployed 
> today are capable of handling arbitrary reordering.
> 
> 
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/eap
> 
> Arhives: http://lists.frascone.com/pipermail/eap
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>