2.7.3 EAP Method Update (emu)

NOTE: This charter is a snapshot of the 66th IETF Meeting in Montreal, Quebec Canada. It may now be out-of-date.

Last Modified: 2006-08-16

Chair(s):

Joseph Salowey <jsalowey@cisco.com>

Security Area Director(s):

Russ Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>

Security Area Advisor:

Sam Hartman <hartmans-ietf@mit.edu>

Mailing Lists:

General Discussion: emu@ietf.org
To Subscribe: https://www1.ietf.org/mailman/listinfo/emu
Archive: http://www.ietf.org/mail-archive/web/emu/current/index.html

Description of Working Group:

The Extensible Authentication Protocol (EAP) [RFC 3748] is a network
access authentication framework used in the PPP, 802.11, 802.16, VPN,
PANA, and in some functions in 3G networks. EAP itself is a simple
protocol and actual authentication happens in EAP methods.

Over 40 different EAP methods exist. Most of this methods are
proprietary methods and only a few methods are documented in RFCs. The
lack of documented, open specifications is a deployment and
interoperability problem. In addition, none of the EAP methods in the
standards track implement features such as key derivation that are
required for many modern applications. This poses a problem for, among
other things, the selection of a mandatory to implement EAP method in
new network access technologies. For example, no standards track
methods meet new requirements such as those posed in RFC 4017, which
documents IEEE 802.11 requirements for EAP methods.

This group is chartered to work on the following types of mechanisms to
meet RFC 3748 and RFC 4017 requirements:

- An update to RFC 2716 to bring EAP-TLS into standards track, clarify
specification, interoperability, and implementation issues gathered
over the years, and update the document to meet the requirements of
RFC 3748, RFC 4017, and EAP keying framework documents. Backwards
compatibility with RFC 2716 is a requirement.

- Enhanced functionality to enable a TLS-based EAP method to support
authentication methods beyond certificates, channel bindings and other
optional functions required in RFC 4017. So as to enable RFC 2716bis
to focus solely on clarifications to the existing protocol, this effort
will be handled in a separate document. Depending on an analysis of the
behavior of existing implementations, it is possible that this effort
may be able to use the existing EAP-TLS type code, or it may need to be
handled via assignment of a new EAP Type Code.

- A mechanism based on strong shared secrets that meets RFC 3748 and
RFC 4017 requirements. This mechanism should strive to be simple and
compact for implementation in resource constrained environments.

- A mechanism meeting RFC 3748 and RFC 4017 requirements that makes use
of existing password databases such as AAA databases. The
implementation should strive to be usable in resource constrained
environments.

In order to facilitate the development of the shared secret and
password based methods design teams will be formed. The design teams
should take into consideration existing methods including mechanisms
based on EAP-TLS such as TLS-PSK.

Goals and Milestones:

Done  Form design team to work on strong shared secret mechanism
Done  Submit 2716bis I-D
Jun 2006  Submit first draft of enhanced EAP-TLS I-D
Jul 2006  Form password based mechanism design team
Done  Submit first draft of shared secret mechanism I-D
Aug 2006  Submit 2716bis draft to IESG for Proposed Standard
Nov 2006  Submit 2716bis draft to IESG for draft standard
Dec 2006  Submit first draft password based method I-D
Jan 2007  Submit Strong Shared Secret Mechanism to IESG
Jan 2007  Submit enhanced EAP-TLS to IESG
Aug 2007  Submit password Based Mechanism to IESG

Internet-Drafts:

  • draft-simon-emu-rfc2716bis-04.txt
  • draft-ietf-emu-eap-gpsk-00.txt

    No Request For Comments

    Meeting Minutes


    Slides

    agenda
    GPSK
    rfc2716bis
    EAP-TLS-PSK
    EAP-TLS Identity Protection
    Enhanced EAP TLS Discussion
    New Method Implementation Experience