eap Mailing List: Re: TLS clarifications (Re: Ordered delivery of EAP messages)

[Lakshminath Dondeti (ldondeti]

Yoshihiro Ohba wrote:
> On Sat, Mar 10, 2007 at 10:06:12PM -0800, Lakshminath Dondeti wrote:
> > Do EAP methods require in-order delivery to support any of their 
> > security properties?
> >
> > I think yes; for example, TTLS would need in-order delivery for
> > "Replay protection:        Yes"
> > in Section 9 of draft-funk-eap-ttls-v1-01.
>
> We can ask ourselves a question similar to Avi's here: can attacker
> succeed a replay attack on TTLS without in-order delivery?  I believe
> the answer is no.  Instead, TTLS session would be terminated
> immediately when a replayed TLS record is received.  Note that this
> session termination due to an active attacker could happen even if
> transport is reliable.

Sure, if the question is whether the attacker can gain access because 
there is no replay protection at TLS-layer, the answer to my knowledge 
is a qualified no.  I don't know all the methods out there; I thought of 
some pretty weak methods, but at the end of the day most of them have 
some liveness built into them and where there isn't, for example in PAP, 
there are other problems.

What I can say is that an attack that might have been discovered as a 
replay by TLS may result in a blind DoS attack.  I can also construct 
examples where there may be delayed discovery of a DoS attack.  That 
indicates to me that we may be better of requiring/recommending the 
replay protection property of TLS.

Any other opinions?

thanks,
Lakshminath

> Yoshihiro Ohba
>
>
> > Thoughts?
> >
> > Lakshminath
> >
> > > If TLS are used over unreliable transport, of course it is not
> > > possible for TLS to maintain implicit sequence number.  Without
> > > reliable transport implicit sequence number would not work if loss or
> > > out-of-order delivery of TLS records happens and *even if there is no
> > > attacker*.  That is why I think that reliable transport is needed for
> > > TLS to make implicit sequence number work *correctly* so that it is
> > > used for *security*.  Maybe we are talking about the same thing in
> > > different ways.
> > >
> > > Yoshihiro Ohba
> > >
> > > On Sat, Mar 10, 2007 at 09:08:42PM -0800, Lakshminath Dondeti wrote:
> > > > Yoshihiro Ohba wrote:
> > > > > On Sat, Mar 10, 2007 at 02:37:11AM -0800, Lakshminath Dondeti wrote:
> > > > > > TLS requires reliable transport for replay protection.  (I guess 
> > > > > > Bernard was trying to get at this in another context in this thread)
> > > > > TLS requires reliable transport for implicit sequence number to work
> > > > > for replay protection.  
> > > > Right, that's what I was getting at.
> > > >
> > > > > But this does not mean replay attack is
> > > > > possible if TLS is run over unreliable transport.
> > > > How is the sequence number maintained in that case?  Are you saying that 
> > > > we might use an explicit sequence number as in DTLS?  But, we are not 
> > > > discussing DTLS, are we?
> > > >
> > > > What am I missing?
> > > >
> > > > thanks,
> > > > Lakshminath
> > > >
> > > > PS: To Avi's question, I was thinking in case of PEAP and TTLS if the 
> > > > EAP layer cannot guarantee in-order reliable delivery, how else do the 
> > > > endpoints maintain sequence numbers?  If there is no other way, we can 
> > > > conclude that PEAP and TTLS require in-order reliable delivery for one 
> > > > of its security guarantees.
> > > >
> > > > > Yoshihiro Ohba
>
> --
> to unsubscribe send a message to radiusext-request [at] ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________