Extensible Authentication Protocol (EAP) Attributes for Wi-Fi Integration with the Evolved Packet Core
draft-ietf-netext-wifi-epc-eap-attributes-16

[Ballot comment]

Thanks for addressing my discuss points and sorry for the delay in
clearing - it took me a while to grok the various bits and pieces so
as to be happy that your slightly shorthand way of describing how
the IMEI is protected is ok. I'm now happy it's ok though so
thanks again for bearing with me. (Took me a while e.g. to check
if the ciphertext emitted could be the same or not but I think
that's ok as IVs need to be random.)

That said. I still hate the (ab)use of the word "trusted" here. If
you could get rid of it, and you could, this would be a better
document. There is no need for RFCs to use the same
marketing jargon as other bodies or vendors and we're better
off when we do not.

While it's very late to add a new comment, I just noticed that the
document doesn't actually include the word privacy at all. And I
think that's a pity. (I did call this out as part of my discuss point
2 but mostly that was about the encryption part and that latter
is what we discussed;-) Anyway, I think adding a sentence along
these lines to the security considerations would be good:

"Note that sending identifiers like the IMEI to networks can have
significant privacy implications, allowing users to be unexpectedly
tracked for example. Implementers ought consider those privacy
issues and where possible attempt to mitigate them. See [refs]
for some of the issues involved."

And where [refs] could be a set of 2-3 references that you consider
useful from [1] which looks like it has some good enough papers.

  [1] http://scholar.google.com/scholar?hl=en&q=imei+privacy&btnG=&as_sdt=1%2C5&as_sdtp=

[Ballot comment]
[Clearing the DISCUSS about the normative references; thanks for fixing that in vesion -12.  My non-blocking comments remain.  They are non-blocking, but I think they really should be fixed, and fixing them should be very easy.]

-- Section 2 --
The section title seems to be from an old version; please fix it.  Section 2 has nothing to do with reference architecture.

-- Section 5.2 --

  In turn, the network
  provides what is supported.

Do you mean to say, "provides a list of what is supported." ?  Or what?  I can't understand this sentence.

-- Section 7 --

  A
  specification would be required to request assignments from this
  registry; see [RFC5226].

The usual way to specify a well known registration policy from 5226 is to use its capitalized name exactly.  I'd prefer to see that:

NEW
  New
  assignments in this registry are made with the Specification
  Required policy [RFC5226].
END

[Ballot discuss]

I think this document has some seriuos privacy issues.  In
part, (in point 1 below) I'm piling on Alissa's discuss, but I
would like to aslo stay involved in the discuss resolution.

(1) 4.4/5.6: Why is it considered ok to tell a WiFi AP my IMEI?
It is generally NOT ok to do that.  When we did the URN for
that, it specifically said to never send those outside the IMS
n/w. Yet here you want to send them to any old WiFi AP, without
it seems any privacy considerations at all?  (Is this
encrypted?)

(2) 5.5 - what are the privacy implications of sending this?
I'm not sure what all the various 3G identifiers are.  (And is
it encrypted?)

(3) section 6 says: "In doing so, these attribute processing,
security-wise, is no worse than that in existing 3G and 4G
mobile networks." I don't buy that.  I can authenticate to a
coffee shop hotspot via EAP but yet not want it to know my
IMEI.

[Ballot comment]

- abstract: "trusted access network" is a horrible phrase.
Trusted by whom for what? I'd delete that and all other
mentions of "trusted " which seem purely promotional and
content free.

[Ballot discuss]
-- Section 1 --

  This document
  refers to [RFC6459] for the basic definitions of mobile network
  terminology (such as APN) used here.

I think that makes 6459 a normative reference, don't you?  Please also reconsider whether 3748 should be normative.  And I think the use of 5226 in Section 7 makes it normative.

[Ballot comment]
-- Section 2 --
The section title seems to be from an old version; please fix it.

-- Section 5.2 --

  In turn, the network
  provides what is supported.

Do you mean to say, "provides a list of what is supported." ?

-- Section 7 --

  A
  specification would be required to request assignments from this
  registry; see [RFC5226].

The usual way to specify a well known registration policy from 5226 is to use its capitalized name exactly.  I'd prefer to see that:

NEW
  New
  assignments in this registry are made with the Specification
  Required policy [RFC5226].
END

[Ballot discuss]
I don’t really see the justification in this draft for standardizing AT_MN_SERIAL_ID, which can contain a rather privacy-sensitive identifier (IMEI) given that it’s a permanent device ID. Even if 3GPP networks use it for authentication, if the Wi-Fi network is trusted I don’t see why that creates a need for the new EAP attribute for the use cases given in this draft.

[Ballot discuss]
This is a simple Discuss as a place-holder for IANA's issues.

I see Rajeev's email answering IANA's questions, but the document hasn't
been updated accordingly. This needs to happen before the document can
be approved.

I don't suppose that these changes will be controversial, but since this
defines how future allocations can be made, it should at least be shown
to the working group.

The AD will (of course :-) want to cause a Management Action to identify
the Designated Expert for the new registry.

[A hint here - The shepherd review says "No new registeries (sic) need
to be created" and so misses these points.]

[Ballot discuss]
This is a simple Discuss as a place-holder for IANA's issues.

I see Rajeev's email answering IANA's questions, but the document hasn't
been updated accordingly. This needs to happen before the document can
be approved.

I don't suppose that these changes will be controversial, but since this
defines how future allocations can be made, it should at least be shown
to the working group.

The AD will (of course :-) want to cause a Management Action to identify
the Designated Expert for the new registry.

[A hint here - The shepherd review says "No new registeries (sic) need to
be created" and so misses these points.]

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the
title page header?

Informational.

The reason this I-D is being requested to be published as an Informational RFC is because the base RFC that it extends i.e RFC4187 (Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) is itself an Information RFC.
This document is adding a set of additional attributes to be included alongside those specified in RFC4187.
A registry for the attributes specified in this I-D will be required to be created by IANA.


(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary:

  With WiFi beginning to establishing itself as a trusted access
  network for service providers, it has become important to provide
  functions commonly available in 3G and 4G networks in WiFi access
  networks.  Such functions include Access Point Name (APN) Selection,
  multiple Packet Data Network (PDN) connections and seamless mobility
  between WiFi and 3G/4G networks.

  EAP/AKA (and EAP/AKA') is standardized by 3GPP as the access
  authentication protocol for trusted access networks.  This IETF
  specification is required for mobile devices to access the 3GPP
  Evolved Packet Core (EPC) networks.  This document defines a few new
  EAP attributes and procedures to provide the above-mentioned
  functions in trusted WiFi access networks.

Working Group Summary:

Was there anything in WG process that is worth noting? For example,
was there controversy about particular points or were there decisions
where the consensus was particularly rough?

This document has been in a dormant state for a while. There is no
controversy regarding the document. Using EAP attributes to address a
problem that is faced in mobile networks when attaching via WiFi is
one solution. And there is enough consensus in the WG w.r.t the
solution.


Document Quality:

Are there existing implementations of the protocol? Have a significant
number of vendors indicated their plan to implement the specification?
Are there any reviewers that merit special mention as having done a
thorough review, e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If there was a
MIB Doctor, Media Type or other expert review, what was its course
(briefly)? In the case of a Media Type review, on what date was the
request posted?

There are no known implementations of the attributes for EAP defined
by this document. At this time there is'nt any indication from vendors
or 3GPP to use the approach specified by this document.
The document has acknowledged the one person who has helped in
improving the specification. The document does not specify any media
type or MIB and hence no specialists have been consulted for reviews.

Personnel:

Who is the Document Shepherd? Who is the Responsible Area Director?

Document Shepherd: Basavaraj Patil
Responsible AD: Brian Haberman

(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

I have reviewed the document and provided feedback to the authors via
the working group mailing list. See:
http://www.ietf.org/mail-archive/web/netext/current/msg03035.html

This version of the document is ready for publication.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

I am satisfied with the depth and breadth of reviews this document has
gone through.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

No.


(6) Describe any specific concerns or issues that the Document
Shepherd has with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he or she is
uncomfortable with certain parts of the document, or has concerns
whether there really is a need for it. In any event, if the WG has
discussed those issues and has indicated that it still wishes to
advance the document, detail those concerns here.

I have no concerns with any aspect of this document.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP
78 and BCP 79 have already been filed. If not, explain why?

Yes. Each author has indicated that they are not aware of any IPRs and
are in conformance of the provisions of BCP 78, 79

(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosure that references this document has been filed.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it?

There is sufficient consensus in the WG about the proposed solution of
using EAP attributes and publishing it as an Informational RFC.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the
Internet-Drafts Checklist). Boilerplate checks are not enough; this
check needs to be thorough.

Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).
== Missing Reference: 'RFC2119' is mentioned on line 172, but not
    defined
== Unused Reference: 'EPC' is defined on line 557, but no explicit
    reference was found in the text

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

The document does not define any MIB or a media type or URI type.

(13) Have all references within this document been identified as
either normative or informative?

The document only has informative references.

(14) Are there normative references to documents that are not ready
for advancement or are otherwise in an unclear state? If such
normative references exist, what is the plan for their completion?

No.

(15) Are there downward normative references references (see RFC
3967)? If so, list these downward references to support the Area
Director in the Last Call procedure.

No.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are
not listed in the Abstract and Introduction, explain why, and point to
the part of the document where the relationship of this document to
the other RFCs is discussed. If this information is not in the
document, explain why the WG considers it unnecessary.

No. This is an informational document and will not change the status
of any existing RFCs.

(17) Describe the Document Shepherd's review of the IANA
considerations section, especially with regard to its consistency with
the body of the document. Confirm that all protocol extensions that
the document makes are associated with the appropriate reservations in
IANA registries. Confirm that any referenced IANA registries have been
clearly identified. Confirm that newly created IANA registries include
a detailed specification of the initial contents for the registry,
that allocations procedures for future registrations are defined, and
a reasonable name for the new registry has been suggested (see RFC
5226).

The IANA section is clear in terms ofthe registry to be used for
adding the new attributes defined in the document. I am satisfied with
the level of detail provided in the IANA section.

(18) List any new IANA registries that require Expert Review for
future allocations. Provide any public guidance that the IESG would
find useful in selecting the IANA Experts for these new registries.

No new registeries need to be created. The document proposes the use
of "EAP-AKA and EAP-SIM Parameters" registry for the attributes
specified.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

No XML code, BNF rules or MIB is defined in the document.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the
title page header?

Informational.

The reason this I-D is being requested to be published as an Informational RFC is because the base RFC that it extends i.e RFC4187 (Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) is itself an Information RFC.
This document is adding a set of additional attributes to be included alongside those specified in RFC4187.
A registry for the attributes specified in this I-D will be required to be created by IANA.


(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary:

  With WiFi beginning to establishing itself as a trusted access
  network for service providers, it has become important to provide
  functions commonly available in 3G and 4G networks in WiFi access
  networks.  Such functions include Access Point Name (APN) Selection,
  multiple Packet Data Network (PDN) connections and seamless mobility
  between WiFi and 3G/4G networks.

  EAP/AKA (and EAP/AKA') is standardized by 3GPP as the access
  authentication protocol for trusted access networks.  This IETF
  specification is required for mobile devices to access the 3GPP
  Evolved Packet Core (EPC) networks.  This document defines a few new
  EAP attributes and procedures to provide the above-mentioned
  functions in trusted WiFi access networks.

Working Group Summary:

Was there anything in WG process that is worth noting? For example,
was there controversy about particular points or were there decisions
where the consensus was particularly rough?

This document has been in a dormant state for a while. There is no
controversy regarding the document. Using EAP attributes to address a
problem that is faced in mobile networks when attaching via WiFi is
one solution. And there is enough consensus in the WG w.r.t the
solution.


Document Quality:

Are there existing implementations of the protocol? Have a significant
number of vendors indicated their plan to implement the specification?
Are there any reviewers that merit special mention as having done a
thorough review, e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If there was a
MIB Doctor, Media Type or other expert review, what was its course
(briefly)? In the case of a Media Type review, on what date was the
request posted?

There are no known implementations of the attributes for EAP defined
by this document. At this time there is'nt any indication from vendors
or 3GPP to use the approach specified by this document.
The document has acknowledged the one person who has helped in
improving the specification. The document does not specify any media
type or MIB and hence no specialists have been consulted for reviews.

Personnel:

Who is the Document Shepherd? Who is the Responsible Area Director?

Document Shepherd: Basavaraj Patil
Responsible AD: Brian Haberman

(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

I have reviewed the document and provided feedback to the authors via
the working group mailing list. See:
http://www.ietf.org/mail-archive/web/netext/current/msg03035.html

This version of the document is ready for publication.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

I am satisfied with the depth and breadth of reviews this document has
gone through.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

No.


(6) Describe any specific concerns or issues that the Document
Shepherd has with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he or she is
uncomfortable with certain parts of the document, or has concerns
whether there really is a need for it. In any event, if the WG has
discussed those issues and has indicated that it still wishes to
advance the document, detail those concerns here.

I have no concerns with any aspect of this document.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP
78 and BCP 79 have already been filed. If not, explain why?

Yes. Each author has indicated that they are not aware of any IPRs and
are in conformance of the provisions of BCP 78, 79

(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosure that references this document has been filed.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it?

There is sufficient consensus in the WG about the proposed solution of
using EAP attributes and publishing it as an Informational RFC.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the
Internet-Drafts Checklist). Boilerplate checks are not enough; this
check needs to be thorough.

Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).
== Missing Reference: 'RFC2119' is mentioned on line 172, but not
    defined
== Unused Reference: 'EPC' is defined on line 557, but no explicit
    reference was found in the text

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

The document does not define any MIB or a media type or URI type.

(13) Have all references within this document been identified as
either normative or informative?

The document only has informative references.

(14) Are there normative references to documents that are not ready
for advancement or are otherwise in an unclear state? If such
normative references exist, what is the plan for their completion?

No.

(15) Are there downward normative references references (see RFC
3967)? If so, list these downward references to support the Area
Director in the Last Call procedure.

No.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are
not listed in the Abstract and Introduction, explain why, and point to
the part of the document where the relationship of this document to
the other RFCs is discussed. If this information is not in the
document, explain why the WG considers it unnecessary.

No. This is an informational document and will not change the status
of any existing RFCs.

(17) Describe the Document Shepherd's review of the IANA
considerations section, especially with regard to its consistency with
the body of the document. Confirm that all protocol extensions that
the document makes are associated with the appropriate reservations in
IANA registries. Confirm that any referenced IANA registries have been
clearly identified. Confirm that newly created IANA registries include
a detailed specification of the initial contents for the registry,
that allocations procedures for future registrations are defined, and
a reasonable name for the new registry has been suggested (see RFC
5226).

The IANA section is clear in terms ofthe registry to be used for
adding the new attributes defined in the document. I am satisfied with
the level of detail provided in the IANA section.

(18) List any new IANA registries that require Expert Review for
future allocations. Provide any public guidance that the IESG would
find useful in selecting the IANA Experts for these new registries.

No new registeries need to be created. The document proposes the use
of "EAP-AKA and EAP-SIM Parameters" registry for the attributes
specified.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

No XML code, BNF rules or MIB is defined in the document.

IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-netext-wifi-epc-eap-attributes-08.  Authors should review the comments and/or questions below.  Please report any inaccuracies and respond to any questions as soon as possible.

IANA's reviewer has the following comments/questions:

IANA has questions about one of the actions requested in the IANA Considerations section of this document.

IANA understands that, upon approval of this document, there are two actions which IANA must complete.

First, in the Attribute Types (Skippable Attributes 128-255) registry in the EAP-AKA and EAP-SIM Parameters registry located at:

https://www.iana.org/assignments/eapsimaka-numbers/

six new attribute types are to be registered as follows:

Value: [ TBD-at-registration ]
Description: AT_VIRTUAL_NETWORK_ID
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Description: AT_VIRTUAL_NETWORK_REQ
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Description: AT_CONNECTIVITY_TYPE
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Description: AT_HANDOVER_INDICATION
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Description: AT_HANDOVER_SESSION_ID
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Description: AT_MN_SERIAL_ID
Reference: [ RFC-to-be ]

NOTE: As this is a "Specification Required" registry, IANA has asked the IESG-designated to review these requests.

Second, IANA understands that the authors are asking IANA to create a registry called "Trusted non-3GPP Access EAP Parameters."

IANA Question -> is this registry to be created in the EAP-AKA and EAP-SIM Parameters registry at http://www.iana.org/assignments/eapsimaka-numbers?

IANA Question -> what are the registration rules (see RFC 5226)?

IANA Question -> should IANA assign values to these registrations? If so, what's the possible range of values? If "0" should be included in the registry, should it be listed as "Unassigned," "Reserved," or "Virt-Net-Req Type"?

Initial registrations  will be made for

- Virt-Net-Req Type
- Virt-Net-Req Sub type
- Connectivity Type
- Access Technology
- Serial ID Type

NOTE: IANA also requests that the reference in the IANA Considerations section be changed from "https://www.iana.org/assignments/eapsimaka-numbers/eapsimaka-numbers.xhtml", which is subject to change, to "http://www.iana.org/assignments/eapsimaka-numbers".

IANA understands that these two actions are the only ones required upon approval of this document.

The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (EAP Attributes for WiFi - EPC Integration) to Informational RFC


The IESG has received a request from the Network-Based Mobility
Extensions WG (netext) to consider the following document:
- 'EAP Attributes for WiFi - EPC Integration'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-06-24. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  With WiFi emerging as a trusted access network for service providers,
  it has become important to provide functions commonly available in 3G
  and 4G networks in WiFi access networks as well.  Such functions
  include Access Point Name (APN) Selection, multiple Packet Data
  Network (PDN) connections and seamless mobility between WiFi and
  3G/4G networks.

  The EAP/AKA (and EAP/AKA') protocol is required for mobile devices to
  access the mobile Evolved Packet Core (EPC) via trusted WiFi
  networks.  This document defines a few new EAP attributes to enable
  the above-mentioned functions in trusted WiFi access networks.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-netext-wifi-epc-eap-attributes/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-netext-wifi-epc-eap-attributes/ballot/


No IPR declarations have been submitted directly on this I-D.