[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)

To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Date: Sun, 11 Mar 2007 09:26:27 -0400
Cc: Yoshihiro Ohba <yohba@tari.toshiba.com>, Avi Lior <avi@bridgewatersystems.com>, radiusext@ops.ietf.org, eap@frascone.com
In-reply-to: <45F39C54.60601@qualcomm.com>
References: <20070308001437.GQ22467@steelhead> <E7CCE8A83907104ABEE91AC3AE3709A00B76304D@exchange.bridgewatersys.com> <20070308052017.GA26227@steelhead> <45F28A57.8030907@qualcomm.com> <20070311021010.GB10637@steelhead> <45F38EDA.8050103@qualcomm.com> <20070311055609.GC22843@steelhead> <45F39C54.60601@qualcomm.com>
User-agent: Mutt/1.5.13 (2006-08-11)

On Sat, Mar 10, 2007 at 10:06:12PM -0800, Lakshminath Dondeti wrote:
> 
> Do EAP methods require in-order delivery to support any of their 
> security properties?
> 
> I think yes; for example, TTLS would need in-order delivery for
> "Replay protection:        Yes"
> in Section 9 of draft-funk-eap-ttls-v1-01.

We can ask ourselves a question similar to Avi's here: can attacker
succeed a replay attack on TTLS without in-order delivery?  I believe
the answer is no.  Instead, TTLS session would be terminated
immediately when a replayed TLS record is received.  Note that this
session termination due to an active attacker could happen even if
transport is reliable.

Yoshihiro Ohba


> 
> Thoughts?
> 
> Lakshminath
> 
> >
> >If TLS are used over unreliable transport, of course it is not
> >possible for TLS to maintain implicit sequence number.  Without
> >reliable transport implicit sequence number would not work if loss or
> >out-of-order delivery of TLS records happens and *even if there is no
> >attacker*.  That is why I think that reliable transport is needed for
> >TLS to make implicit sequence number work *correctly* so that it is
> >used for *security*.  Maybe we are talking about the same thing in
> >different ways.
> >
> >Yoshihiro Ohba
> >
> >On Sat, Mar 10, 2007 at 09:08:42PM -0800, Lakshminath Dondeti wrote:
> >>Yoshihiro Ohba wrote:
> >>>On Sat, Mar 10, 2007 at 02:37:11AM -0800, Lakshminath Dondeti wrote:
> >>>>TLS requires reliable transport for replay protection.  (I guess 
> >>>>Bernard was trying to get at this in another context in this thread)
> >>>TLS requires reliable transport for implicit sequence number to work
> >>>for replay protection.  
> >>Right, that's what I was getting at.
> >>
> >>>But this does not mean replay attack is
> >>>possible if TLS is run over unreliable transport.
> >>How is the sequence number maintained in that case?  Are you saying that 
> >>we might use an explicit sequence number as in DTLS?  But, we are not 
> >>discussing DTLS, are we?
> >>
> >>What am I missing?
> >>
> >>thanks,
> >>Lakshminath
> >>
> >>PS: To Avi's question, I was thinking in case of PEAP and TTLS if the 
> >>EAP layer cannot guarantee in-order reliable delivery, how else do the 
> >>endpoints maintain sequence numbers?  If there is no other way, we can 
> >>conclude that PEAP and TTLS require in-order reliable delivery for one 
> >>of its security guarantees.
> >>
> >>>Yoshihiro Ohba
> >>>
> >
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Re: [eap] Ordered delivery of EAP messages
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>
- RE: [eap] Ordered delivery of EAP messages
  - From: "Avi Lior" <avi@bridgewatersystems.com>
- Re: [eap] Ordered delivery of EAP messages
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>
- Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>
- Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
  - From: Yoshihiro Ohba <yohba@tari.toshiba.com>

Prev by Date: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
Next by Date: Re: Simultaneous session limits and duplicate detection
Previous by thread: Re: TLS clarifications (Re: [eap] Ordered delivery of EAP messages)
Next by thread: RE: [eap] Ordered delivery of EAP messages
Index(es):
- Date
- Thread