Re: draft-ietf-eap-statemachine-05.txt and Identifier in EAP-Success
From: Bernard Aboba (abobainternaut.com)
Date: Sun, 5 Dec 2004 13:24:00 -0500 (EST)
> Based on the source code comment about this, I seem to have noticed this
> first when testing against IAS. I did some quick testing with a couple of
> RADIUS servers:
>
> FreeRADIUS: same Id
> Radiator: same Id
> Meetinghouse Aegis: lastId + 1
> Microsoft IAS: lastId + 1
>
> In other words, there are existing EAP authenticators that do not match
> the behavior defined in RFC 3748 and draft-ietf-eap-statemachine-05.txt.
> RFC 2284 seemed to have the same text, so this is not even a new
> requirement.
>
> It looks like draft-ietf-eap-statemachine-05.txt is correct on this
> part. However, this is not going to help with the interoperability
> issue. I don't see any security issues with skipping this test and as
> such, I will leave the workaround in my implementation. Adding some kind
> of note about this issue in the draft could be useful, though.

I'd be ok with a note, but since this is a MUST in RFC 3748, the note
shouldn't imply that existing behavior is correct.  Not requiring an
Identifier match does make it somewhat easier to spoof EAP-Failure
or Success messages, so it seems like there are some security
implications.

One of the reasons for completing work on RFC 3748 and the State Machine
document was to enable the development of conformance tests.  Hopefully
once the draft is published we will have more testing and some of these
issues will be resolved.
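A peer-side check for the Identifier rule discussed above, as an added example that is not code from this thread or from any of the implementations named in it; the EAP packet bytes, the EapPeer helper and the run_exchange driver are constructed here for illustration, and the "strict" flag models the RFC 3748 MUST versus the interoperability workaround.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

def parse_eap(packet: bytes):
    """Parse the 4-byte EAP header (RFC 3748 section 4): Code, Identifier, Length."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet size")
    return code, identifier, packet[4:length]

def build_eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    """Encode an EAP packet; Length covers header plus data (constructed sample input)."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

class EapPeer:
    """Hypothetical minimal peer: remembers the Identifier of the last Request it answered.
    strict=True enforces the RFC 3748 rule that Success/Failure carry that same Identifier;
    strict=False is the lastId+1 workaround described in the thread."""
    def __init__(self, strict: bool = True):
        self.strict = strict
        self.last_id = None   # Identifier of the most recent EAP-Request (copied into our Response)
        self.result = None

    def receive(self, packet: bytes) -> str:
        code, ident, _data = parse_eap(packet)
        if code == EAP_REQUEST:
            self.last_id = ident
            return "request"
        if code in (EAP_SUCCESS, EAP_FAILURE):
            if self.last_id is None:
                return "discard: result before any Request"   # nothing to match against
            if self.strict and ident != self.last_id:
                # A result whose Identifier does not match the outstanding exchange is dropped,
                # which is what makes unsolicited Success/Failure packets harder to inject.
                return "discard: identifier %d != last request %d" % (ident, self.last_id)
            self.result = "success" if code == EAP_SUCCESS else "failure"
            return self.result
        return "ignore"   # Responses are sent by the peer, not received; anything else is skipped

def run_exchange(server_style: str, strict: bool) -> str:
    """Replay the two behaviours from the thread: Request id=7, then Success with the
    same Id ("same") or with lastId + 1 ("plus1")."""
    peer = EapPeer(strict=strict)
    peer.receive(build_eap(EAP_REQUEST, 7, b"\x01"))   # EAP-Request/Identity (Type 1)
    success_id = 7 if server_style == "same" else 8
    return peer.receive(build_eap(EAP_SUCCESS, success_id))
```

With strict=True the lastId+1 Success is discarded exactly as the state machine draft requires; with strict=False it is accepted, which is the interoperability trade-off the thread is weighing.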
