A new IETF WG has been proposed in the Security Area. The IESG has not made any determination yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by 2018-02-19.

EAP Method Update (emu)
-----------------------------------------------------------------------
Current status: Proposed WG

Chairs:
  TBD

Assigned Area Director:
  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>

Security Area Directors:
  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
  Eric Rescorla <ekr@rtfm.com>

Mailing list:
  Address: emu@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/emu
  Archive: https://mailarchive.ietf.org/arch/search/?email_list=emu

Group page: https://datatracker.ietf.org/group/emu/

Charter: https://datatracker.ietf.org/doc/charter-ietf-emu/

The Extensible Authentication Protocol (EAP) [RFC 3748] is a network access authentication framework used, for instance, in 802.11 networks, VPNs, and mobile networks. EAP itself is a simple protocol; the actual authentication happens in EAP methods. Over 50 different EAP methods exist, including several developed in the IETF, and support for EAP exists in a broad set of different devices. Previous larger EAP-related efforts at the IETF included rewriting the base EAP protocol documentation and the development of several standards track EAP methods.

EAP methods are generally based on other existing security technologies, such as TLS, SIM cards, and various algorithms. Some of these technologies continue to evolve, and the understanding of security threats in today's Internet evolves as well, which has driven some of the evolution in these underlying technologies. At the same time, some new use cases for EAP have been identified, such as broader use of EAP in mobile network authentication. This working group has been chartered to provide updates to some commonly used EAP methods.
Specifically, the working group shall produce documents to:

- Provide guidance or an update to enable the use of TLS 1.3 in the context of EAP-TLS (RFC 5216). Update the security considerations relating to EAP-TLS to document the implications of using the new vs. the old TLS version, any recently gained knowledge on vulnerabilities, and the possible implications of pervasive surveillance or other new concerns.

- Update the EAP-AKA' specification (RFC 5448) to ensure that its capability to provide a cryptographic binding to network context stays in sync with whatever updates may come to the referenced 3GPP specifications through the use of EAP in 5G. The group should also document any recently gained knowledge on vulnerabilities or the possible implications of pervasive surveillance or other new concerns.

- Define session identifiers for fast re-authentication for EAP-SIM, EAP-AKA, and EAP-AKA'. The lack of this definition is a recently discovered bug in the original RFCs.

- Develop an extension to EAP-AKA' such that Perfect Forward Secrecy can be provided. There may also be privacy improvements that have become feasible with the introduction of recent identity privacy improvements in 3GPP networks.

- Gather experience regarding the use of large certificates and certificate chain sizes in the context of EAP-TLS (all versions), as some implementations and access networks may limit the number of EAP packet exchanges that can be handled. Document operational recommendations or other mitigation strategies to avoid these issues.

In all of the above, it is a requirement that none of the updates break backwards compatibility with existing specifications or implementations. The current RFCs shall not be obsoleted but rather updated with either new information or instructions on what is needed, for instance, to employ a new TLS version.
The working group is expected to stay in close collaboration with the EAP deployment community, the TLS working group (for EAP-TLS work), and the 3GPP security architecture group (for EAP-AKA' work).

Milestones:

  Apr 2018 - WG adopts initial draft on guidance for EAP-TLS with TLS 1.3
  Apr 2018 - Begin work on EAP-AKA update, RFC5448-bis
  May 2018 - Adopt draft for extension to EAP-AKA to support forward secrecy
  Jul 2018 - Adopt draft to define session identifiers for fast re-authentication for EAP-SIM, EAP-AKA, and EAP-AKA'
  Jul 2018 - Adopt draft on operational recommendations for large certificate and chain sizes
  Feb 2019 - Working group last call for EAP-AKA update, RFC5448-bis