Hello Jouni,
Thanks for the further update.
OK, so we have
IEEE 802.1X authentication: Extensible Authentication Protocol (EAP) authentication transported by the
IEEE 802.1X protocol.
and so by implication "EAP authentication" would be EAP authentication
transported by anything else (otherwise we'd have called it 802.1X
authentication).
So my preference would be to
1) Add something like
NOTE—In the context of IEEE Std 802.11, EAP authentication is sometimes transported by a protocol
other than IEEE 802.1X, e.g. <a good example>.
2) Change those instances that refer to EAP authentication but are actually
about EAP authentication over 802.1X to say 802.1X authentication
[2b) Change those instances that refer to 802.1X authentication but are actually
about EAP authentication not over 802.1X to say EAP authentication. I assume
this is the null set.]
3) As regards the specific instances you discussed:
> As far as doing some changes to just make things look more consistent or by trying to get rid of "EAP authentication" (or "IEEE 802.1X authentication") is concerned, I might not be strongly against some of the changes, but I don't really see much, if any, value in doing them. It is useful to reference "EAP authentication" whenever talking about MSK (that is a key coming from EAP, not 802.1X; 802.1X state machine is simply providing access to fetching it; this includes the cases like "key is received .. from the EAP authentication" that does not explicitly use MSK, but is referring to it).
I think that per the above discussion, if the EAP is necessarily being
transported over 802.1X then we should use the term defined in Clause 3.
> Similarly, "full EAP authentication" is a significantly more accurate term than "full 802.1X authentication".
Why is that? Is the former defined somewhere but not the latter? In
D3.4 I can find "full authentication using the full EAP", "full EAP exchange
[…] performed via IEEE 802.1X authentication", "full EAP exchange using RSNA"
and this "full EAP authentication via IEEE 802.1X authentication", but
none of these full things seem to have their fullness defined.
> "EAP authentication session timeout" feels more appropriate as well.
The 802.1X session cannot time out?
> "Successful completion of EAP authentication over IEEE Std 802.1X establishes a PMKSA" could, in theory, be "Successful completion of IEEE 802.1X authentication establishes a PMKSA" since this skips the MSK to the PMK detail, but it is still correct to talk about EAP authentication here and "successful EAP authentication" is clearly defined in the EAP RFC while "Successful completion of IEEE 802.1X authentication" is not that clearly defined.
OK, I guess that if the EAP RFC defines "successful EAP authentication"
then that can stay, but does the 802.1X session/handshake not need
to complete too?
> The reason I did not agree with rejecting the comment during the call was that I did not remember us having an explicit definition for "IEEE 802.1X authentication" with wording that makes it clear that it refers to the case of IEEE 802.1X being used with EAP (and not the newer PSK option). Now that I see that definition here and after having reviewed all the instances of "EAP authentication", I think the comment should be rejected. The current language is more appropriate than the proposed changes at most locations and correct in all locations.
I think we should address the locations where the current language is
less appropriate than the proposed changes.
Thanks,
Mark
--
Mark RISON, Standards Architect, WLAN English/Esperanto/Français
Samsung Cambridge Solution Centre Tel: +44 1223 434600
Innovation Park, Cambridge CB4 0DS Fax: +44 1223 434601
ROYAUME UNI WWW: http://www.samsung.com/uk
From: Jouni Malinen <jouni@xxxxxxxxxxxxxxxx>
Sent: Friday, 17 July 2020 21:24
To: Harkins, Daniel <daniel.harkins@xxxxxxx>; Mark Rison <m.rison@xxxxxxxxxxx>; M Montemurro <montemurro.michael@xxxxxxxxx>
Cc: Dorothy Stanley <dstanley1389@xxxxxxxxx> (dstanley1389@xxxxxxxxx) <dstanley1389@xxxxxxxxx>
Subject: RE: 11md/D3.0 CID 4286
Things were much simpler when IEEE 802.1X was used for IEEE Std 802.1X-2004, i.e., when the reference was to IEEE Std 802.1X-2001 or IEEE Std 802.1X-2004. However, we (against my preferences) changed that reference to point to IEEE Std 802.1X-2010 which brought in MACsec and the PSK-based authentication mechanism that does not use EAP. As such, "IEEE 802.1X authentication" is not really a clear reference to use of EAP authentication anymore. IMHO, "IEEE 802.1X authentication" would be an ambiguous term now had we not defined it to refer to use of EAP since it could have referred to EAP authentication or PSK authentication as defined in IEEE Std 802.1X-2010. However, we do define this term as noted in the email thread here.
To be frank, I don't like any of the proposed changes to the draft. I don't think any of them make the text more readable or more accurate. In fact, they make a number of places less clear and more difficult to understand. As such, I think the best approach would be to reject this comment since the current standard is unambiguous with our definition of "IEEE 802.1X authentication".
As far as doing some changes to just make things look more consistent or by trying to get rid of "EAP authentication" (or "IEEE 802.1X authentication") is concerned, I might not be strongly against some of the changes, but I don't really see much, if any, value in doing them. It is useful to reference "EAP authentication" whenever talking about MSK (that is a key coming from EAP, not 802.1X; 802.1X state machine is simply providing access to fetching it; this includes the cases like "key is received .. from the EAP authentication" that does not explicitly use MSK, but is referring to it). Similarly, "full EAP authentication" is a significantly more accurate term than "full 802.1X authentication". "EAP authentication session timeout" feels more appropriate as well. "Successful completion of EAP authentication over IEEE Std 802.1X establishes a PMKSA" could, in theory, be "Successful completion of IEEE 802.1X authentication establishes a PMKSA" since this skips the MSK to the PMK detail, but it is still correct to talk about EAP authentication here and "successful EAP authentication" is clearly defined in the EAP RFC while "Successful completion of IEEE 802.1X authentication" is not that clearly defined.
The reason I did not agree with rejecting the comment during the call was that I did not remember us having an explicit definition for "IEEE 802.1X authentication" with wording that makes it clear that it refers to the case of IEEE 802.1X being used with EAP (and not the newer PSK option). Now that I see that definition here and after having reviewed all the instances of "EAP authentication", I think the comment should be rejected. The current language is more appropriate than the proposed changes at most locations and correct in all locations.
- Jouni
From: Harkins, Daniel <daniel.harkins@xxxxxxx>
Sent: 17 July 2020 21:32
To: m.rison@xxxxxxxxxxx; M Montemurro <montemurro.michael@xxxxxxxxx>
Cc: Jouni Malinen <jouni@xxxxxxxxxxxxxxxx>; Dorothy Stanley <dstanley1389@xxxxxxxxx> (dstanley1389@xxxxxxxxx) <dstanley1389@xxxxxxxxx>
Subject: Re: 11md/D3.0 CID 4286
On 7/17/20, 11:16 AM, "Mark Rison" <m.rison@xxxxxxxxxxx> wrote:
> OK, so that matches the definition
> IEEE 802.1X authentication: Extensible Authentication Protocol (EAP) authentication transported by the
> IEEE 802.1X protocol.
Why don't you read the standard produced by IEEE 802.1X? There are roles and protocols defined.
> So this means that we should be using the term "802.1X authentication"
> except where the EAP is being performed over a transport other than
> 802.1X, right?
If you read the standard produced by the IEEE 802.1X WG you will see it includes several state machines
which we implement in order to do one of the defined authentication techniques we have in 802.11.
> And you're saying that when an MSK is involved, the EAP is not being
> performed over 802.1X, and hence in those contexts one should speak
> of "EAP authentication" not 802.1X authentication, is that correct?
When is an MSK not involved? And, no, the presence of the MSK has nothing to do with 802.1X. Read
the standard!
I'm very alarmed that we are considering rewriting our standard because someone who doesn't understand
how the protocols work and apparently hasn't bothered to read the referenced standards is confused. This
text has been understood and implemented in billions of devices around the world over the past 15+ years!
Dan.
> Thanks,
> Mark
From: M Montemurro <montemurro.michael@xxxxxxxxx>
Sent: Friday, 17 July 2020 19:08
To: Daniel Harkins <daniel.harkins@xxxxxxx>; Mark Rison <m.rison@xxxxxxxxxxx>
Cc: Jouni Malinen (jouni@xxxxxxxxxxxxxxxx) <jouni@xxxxxxxxxxxxxxxx>; Dorothy Stanley <dstanley1389@xxxxxxxxx> (dstanley1389@xxxxxxxxx) <dstanley1389@xxxxxxxxx>
Subject: Re: 11md/D3.0 CID 4286
EAP methods are authentication protocols that can run over any transport. EAP protocols are independent of 802.1X. IEEE 802.1X provides one transport mechanism for EAP.
From: Mark Rison <m.rison@xxxxxxxxxxx>
Sent: Friday, July 17, 2020 1:58:49 PM
To: M Montemurro <montemurro.michael@xxxxxxxxx>; Daniel Harkins <daniel.harkins@xxxxxxx>
Cc: Jouni Malinen (jouni@xxxxxxxxxxxxxxxx) <jouni@xxxxxxxxxxxxxxxx>; Dorothy Stanley <dstanley1389@xxxxxxxxx> (dstanley1389@xxxxxxxxx) <dstanley1389@xxxxxxxxx>
Subject: RE: 11md/D3.0 CID 4286
Hello Mike,
Sorry, my question was not clear. What is the distinction between
EAP authentication and 802.1X authentication? Is one a subset of
the other?
Thanks,
Mark
From: M Montemurro <montemurro.michael@xxxxxxxxx>
Sent: Friday, 17 July 2020 18:53
To: Mark Rison <m.rison@xxxxxxxxxxx>; Daniel Harkins <daniel.harkins@xxxxxxx>
Cc: Jouni Malinen (jouni@xxxxxxxxxxxxxxxx) <jouni@xxxxxxxxxxxxxxxx>; Dorothy Stanley <dstanley1389@xxxxxxxxx> (dstanley1389@xxxxxxxxx) <dstanley1389@xxxxxxxxx>
Subject: Re: 11md/D3.0 CID 4286
Hi Mark,
Yes, I can. When an EAP method is used, the MSK is used to derive the PMK, or the PMK-R0 in the case of FT. Therefore the MSK is a result of EAP Authentication, not 802.1X authentication.
Cheers,
Mike
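The MSK-to-PMK step Mike describes, as an added Python example that is not part of this thread: it follows my reading of the IEEE 802.11-2016 derivations (PMK = L(MSK, 0, 256) for a non-FT EAP AKM, and PMK-R0 derived from XXKey = L(MSK, 256, 256) for FT with EAP), so the only 802.11 input is the MSK the EAP method exported; the MSK, SSID, MDID and key-holder identifiers are constructed sample values.

```python
import hashlib
import hmac


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """IEEE 802.11 KDF-Hash-Length with SHA-256 (12.7.1.6.2, as I read it).

    Each iteration is HMAC-SHA-256(key, i || label || context || length), with i
    and length encoded as 16-bit little-endian integers; output is truncated.
    """
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = i.to_bytes(2, "little") + label + context + length_bits.to_bytes(2, "little")
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def pmk_from_msk(msk: bytes) -> bytes:
    """Non-FT EAP AKM: PMK = L(MSK, 0, 256), the first 256 bits of the EAP MSK."""
    if len(msk) < 64:
        raise ValueError("an EAP MSK is at least 64 octets (RFC 3748)")
    return msk[:32]


def pmk_r0_from_msk(msk: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, s0kh_id: bytes):
    """FT with EAP: PMK-R0 comes from XXKey = L(MSK, 256, 256), the second 256 bits.

    R0-Key-Data = KDF-SHA-256(XXKey, "FT-R0", SSIDlength || SSID || MDID ||
                              R0KHlength || R0KH-ID || S0KH-ID), 256 + 128 bits.
    PMK-R0 is the first 256 bits; the last 128 bits salt PMKR0Name.
    """
    if len(msk) < 64:
        raise ValueError("an EAP MSK is at least 64 octets (RFC 3748)")
    xxkey = msk[32:64]
    context = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", context, 256 + 128)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmkr0name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]  # Truncate-128
    return pmk_r0, pmkr0name


# Constructed sample inputs (not real keys): a 64-octet MSK as an EAP method
# would export it, plus a 2-octet MDID, an R0KH-ID and the supplicant MAC as S0KH-ID.
SAMPLE_MSK = bytes(range(64))
SAMPLE_SSID = b"example-ft-ssid"
SAMPLE_MDID = b"\x12\x34"
SAMPLE_R0KH_ID = b"r0kh.example"
SAMPLE_S0KH_ID = bytes.fromhex("020000000001")
```

Zeroing the first half of the MSK leaves PMK-R0 unchanged while changing the PMK, which is the split between the two AKMs that the thread's "MSK is an output of EAP" remarks rely on.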
On Fri, Jul 17, 2020 at 1:49 PM Mark Rison <m.rison@xxxxxxxxxxx> wrote:
Hello Mike,
Thanks for this.
- 13.2.2 MSK is an output of a successful EAP Authentication - not IEEE 802.1X
- 13.2.3 MSK is an output of a successful EAP Authentication - not IEEE 802.1X
- 13.9.2.2 MSK is an output of a successful EAP Authentication - not IEEE 802.1X
- 13.9.3.3 Session timeout is a property of the EAP Authentication - not IEEE 802.1X
This response implies a difference between "EAP authentication"
and "802.1X authentication" in the context of IEEE Std 802.11 here.
Can you clarify the distinction?
Thanks,
Mark
From: M Montemurro <montemurro.michael@xxxxxxxxx>
Sent: Friday, 17 July 2020 18:43
To: Mark Rison <m.rison@xxxxxxxxxxx>
Cc: Jouni Malinen (jouni@xxxxxxxxxxxxxxxx) <jouni@xxxxxxxxxxxxxxxx>; Dorothy Stanley <dstanley1389@xxxxxxxxx> (dstanley1389@xxxxxxxxx) <dstanley1389@xxxxxxxxx>
Subject: Re: 11md/D3.0 CID 4286
Hi Mark,
To help Jouni, I reviewed your proposed resolution:
These changes cannot be made for the following reasons:
- 12.6.1.1.2 does refer to EAP Authentication
- 13.2.2 MSK is an output of a successful EAP Authentication - not IEEE 802.1X
- 13.2.3 MSK is an output of a successful EAP Authentication - not IEEE 802.1X
- 13.9.2.2 MSK is an output of a successful EAP Authentication - not IEEE 802.1X
- 13.9.3.3 Session timeout is a property of the EAP Authentication - not IEEE 802.1X
- 13.9.4.2 refers to a key from EAP Authentication - not IEEE 802.1X
- C.3 refers to the receipt of a session-timeout attribute during EAP Authentication - not IEEE 802.1X
- apFailedIeee8021XEapAuthentication - I think the use of this term is fine since failure could be either an EAP Method or a more generic IEEE 802.1X method.
- 12.6.10.2 does refer to successful EAP Authentication over 802.1X
- 12.11.2.3.5 - I don't particularly like this change but I could live with it.
Proposed changes: (annotated based on above)
In D3.2:
Change “EAP authentication” to “802.1X authentication” in 12.6.1.1.2 PMKSA, 13.2.2 Authenticator key holders, 13.2.3 Supplicant key holders, 13.9.2.2 R0KH state machine states, 13.9.3.3 R1KH state machine variables, 13.9.4.2 S0KH state machine states, C.3 (for dot11FTR0KeyLifetime).
In 12.2.5 RSNA assumptions and constraints change “EAP authentication methods” to “EAP methods”.
Change “apFailedIeee8021XEapAuthentication” to “apFailedIeee8021XAuthentication” in C.3 (3x).
In 12.6.10.2 Preauthentication and RSNA key management change “EAP authentication over IEEE Std 802.1X” to “802.1X authentication”.
In 12.6.10.3 and Table 9-198—Transition and Transition Query reasons and Figure 4-31—IEEE 802.1X EAP authentication caption change “IEEE 802.1X EAP authentication” to “802.1X authentication”.
In 12.11.2.3.5 Non-AP STA processing of Authentication frame change “full EAP authentication via IEEE 802.1X authentication” to “full 802.1X authentication”
Cheers,
Mike
On Fri, Jul 17, 2020 at 10:54 AM Mark Rison <m.rison@xxxxxxxxxxx> wrote:
From: Mark Rison
Sent: Tuesday, 30 June 2020 18:39
To: Jouni Malinen (jouni@xxxxxxxxxxxxxxxx) <jouni@xxxxxxxxxxxxxxxx>
Cc: Dorothy Stanley <dstanley1389@xxxxxxxxx> (dstanley1389@xxxxxxxxx) <dstanley1389@xxxxxxxxx>
Subject: 11md/D3.0 CID 4286
Hello Jouni,
Is this OK with you?
Identifiers: CID 4286, Mark RISON
Comment: It is not clear what the difference between 802.1X authentication and EAP authentication is. Jouni said "In the context of IEEE 802.11 standard, 802.1X authentication is really referring to EAP authentication, so these would also be interchangeable here"
Proposed change: Change "EAP authentication" to "802.1X authentication" throughout, except in the definition of IEEE 802.1X authentication and Extensible Authentication Protocol (EAP) reauthentication protocol (EAP-RP) and in the arrow label in Figure 4-31--IEEE 802.1X EAP authentication and Figure 4-37--Example using IEEE 802.1X authentication. Delete "EAP" in the caption of Figure 4-31--IEEE 802.1X EAP authentication and in Table 9-198--Transition and Transition Query reasons and in last para of 12.6.10.3 Cached PMKSAs and RSNA key management. Change "Successful completion of EAP authentication over IEEE Std 802.1X" to "Successful completion of IEEE Std 802.1X authentication" and "full EAP authentication via IEEE 802.1X authentication." to "full IEEE 802.1X authentication."
Discussion:
As it says in the comment.
Proposed changes:
In D3.2:
Change “EAP authentication” to “802.1X authentication” in 12.6.1.1.2 PMKSA, 13.2.2 Authenticator key holders, 13.2.3 Supplicant key holders, 13.9.2.2 R0KH state machine states, 13.9.3.3 R1KH state machine variables, 13.9.4.2 S0KH state machine states, C.3 (for dot11FTR0KeyLifetime).
In 12.2.5 RSNA assumptions and constraints change “EAP authentication methods” to “EAP methods”.
Change “apFailedIeee8021XEapAuthentication” to “apFailedIeee8021XAuthentication” in C.3 (3x).
In 12.6.10.2 Preauthentication and RSNA key management change “EAP authentication over IEEE Std 802.1X” to “802.1X authentication”.
In 12.6.10.3 and Table 9-198—Transition and Transition Query reasons and Figure 4-31—IEEE 802.1X EAP authentication caption change “IEEE 802.1X EAP authentication” to “802.1X authentication”.
In 12.11.2.3.5 Non-AP STA processing of Authentication frame change “full EAP authentication via IEEE 802.1X authentication” to “full 802.1X authentication”.
Thanks,
Mark
To unsubscribe from the STDS-802-11-TGM list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGM&A=1