Session Date/Time: 19 Mar 2026 06:00
EMU
Summary
The EMU working group met at IETF 125 to discuss progress on Post-Quantum Cryptography (PQC) integration for EAP methods, updates to Tunnel Extensible Authentication Protocol (TEAP), and enhancements to forward security in re-authentication. Key topics included a new fragmentation mechanism for draft-ietf-emu-pqc-eapaka, a proposal for TEAPv2 with simplified key derivation and MTU management, and a new proposal for forward-secure re-authentication in EAP-AKA'. The session concluded with a discussion on generalizing PQC enhancements for all TLS-based EAP methods.
Key Discussion Points
Post-Quantum Enhancements in EAP-AKA'
Draft: draft-ietf-emu-pqc-eapaka Presentation: Post-Quantum Enhancements in EAP-AKA
- Fragmentation and Reassembly: Tero presented (on behalf of Aritra) the latest updates involving a new AT_FRAGMENT attribute. Because PQC public keys and ciphertexts often exceed the EAP MTU, a native fragmentation and reassembly mechanism was introduced.
- Mechanism: The solution uses a lock-step acknowledgment model similar to EAP-TLS. It includes "First" and "More" fragment flags and requires the receiver to acknowledge fragments before the sender proceeds.
- Generic Use: Hiki asked if this fragmentation mechanism could be generalized for other non-PQC EAP methods. Tero noted that while it is currently within the EAP-AKA' context, the text is written generically enough to potentially be leveraged elsewhere.
- Implementation: Hannes offered to assist with a reference implementation.
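To make the lock-step exchange concrete, here is an added simulation (not the draft's or any implementation's code) of a sender splitting a KEM-sized blob into "First"/"More"-flagged fragments and a receiver that acknowledges each fragment before the next is sent. The one-byte flag header, the `fragment`/`Reassembler`/`lockstep_transfer` names and the 1184-byte sample are assumptions, not the attribute's actual wire format.

```python
# Added example (not the draft's code): lock-step fragmentation and reassembly
# in the spirit of the AT_FRAGMENT mechanism. The one-byte flag header is an
# assumed placeholder layout, not the attribute's real wire format.
FLAG_FIRST = 0x80  # first fragment of a message
FLAG_MORE = 0x40   # more fragments follow this one
HEADER_LEN = 1     # placeholder header: one flag byte

def fragment(payload: bytes, mtu: int) -> list[bytes]:
    """Split payload so every fragment, header included, fits in mtu bytes."""
    chunk = mtu - HEADER_LEN
    if chunk <= 0:
        raise ValueError("mtu leaves no room for payload")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    last = len(pieces) - 1
    return [bytes([(FLAG_FIRST if i == 0 else 0) | (FLAG_MORE if i < last else 0)]) + p
            for i, p in enumerate(pieces)]

class Reassembler:
    """Receiver: ('ack', None) while more is expected, ('done', msg) at the end, ('error', why) on a sequence violation."""
    def __init__(self):
        self.buf = None  # None between messages, bytearray while reassembling

    def receive(self, frag: bytes) -> tuple:
        flags, data = frag[0], frag[1:]
        if flags & FLAG_FIRST:
            if self.buf is not None:
                return ("error", "First flag while a message is still being reassembled")
            self.buf = bytearray()
        elif self.buf is None:
            return ("error", "continuation fragment without a preceding First")
        self.buf += data
        if flags & FLAG_MORE:
            return ("ack", None)  # sender may now transmit the next fragment
        msg, self.buf = bytes(self.buf), None
        return ("done", msg)

def lockstep_transfer(payload: bytes, mtu: int) -> tuple:
    """Sender side: emit one fragment, wait for the ack, then the next. Returns (msg, round_trips)."""
    rx, rounds = Reassembler(), 0
    for frag in fragment(payload, mtu):
        assert len(frag) <= mtu  # the whole point: never exceed the EAP MTU
        status, result = rx.receive(frag)
        rounds += 1
        if status == "done":
            return result, rounds
        if status == "error":
            raise RuntimeError(result)
    raise RuntimeError("fragment list ended without a final fragment")

# Constructed input: a 1184-byte blob standing in for a PQC public key, well above a 256-byte MTU.
SAMPLE_KEY = bytes(i % 251 for i in range(1184))
```

With a 256-byte MTU the sample key needs five fragments and therefore five lock-step round trips, which is the latency cost the acknowledgment model trades for simplicity.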
TEAPv2
Presentation: TEAPv2
- Simplification: Alan discussed the need for TEAPv2 to simplify key derivation and document actual implementation practices rather than unimplemented theoretical features from RFC 7170.
- Mandating Flows: To ensure interoperability, the proposal suggests mandating all allowed flows to prevent "subset-only" implementations.
- MTU Management: Alan proposed mandating a maximum MTU of 1280 bytes for TEAP. This addresses cases where EAP packets carried in RADIUS over UDP fail to get through because of fragmentation at the transport/network layer.
- Adoption Interest: Joe inquired about vendor interest. Alan indicated interest from Cisco and potential interest from the Aruba team. Hiki also expressed interest in the implementation.
Forward Secure Re-authentication in EAP-AKA'
Presentation: Forward Secure Reauthentication in EAP-AKA'
- Privacy Vulnerability: Guilin identified a privacy risk in current EAP-AKA' re-authentication. If long-term keys are compromised, attackers can decrypt re-authentication IDs, allowing them to link multiple re-authentication sessions to a single user.
- Proposed Solution: The draft proposes updating transient EAP keys (K_ENCR and K_AUT) using ephemeral shared secrets (from DH or KEM) to provide forward security for the re-authentication process.
- Feedback: John and Tero agreed with the problem analysis and found the proposed update to the key derivation function (KDF) to be a viable solution.
Post-Quantum Enhancements to EAP-TLS and EAP-TTLS
Presentation: Post-Quantum Enhancements to EAP-TLS and EAP-TTLS
- Migration Paths: Tero discussed transition strategies for TLS-based EAP, including hybrid KEMs (defense-in-depth) and pure PQC paths.
- Certificate Optimization: To mitigate fragmentation issues caused by large PQC signatures, the draft suggests out-of-band retrieval of intermediate certificates using EST (Enrollment over Secure Transport) URIs.
- Scope Expansion: John and Hannes suggested that the document's scope should be expanded to cover all TLS-based EAP methods, not just EAP-TLS and EAP-TTLS. Tero agreed to this change.
- Coordination: Michael noted that using EST URIs for certificate distribution might require coordination with the LAMPS or ANIMA working groups, though it may not require a heavy formal process.
Decisions and Action Items
- draft-ietf-emu-pqc-eapaka: The working group will review the new fragmentation and reassembly sections. If stable, the document will move toward a Working Group Last Call (WGLC).
- TEAPv2: Alan will continue work on a standalone TEAPv2 draft (incorporating stable parts of v1) and coordinate with Elliot on the HostAP/EAPoL-test implementation.
- TLS-based PQC: Tero will update his draft to encompass all TLS-based EAP methods based on working group feedback.
Next Steps
- Call for Adoption: The chairs will take the discussion of the new PQC and TEAPv2 drafts to the mailing list to gauge consensus for adoption.
- Cross-WG Review: Chairs and authors will monitor developments in the TLS and LAMPS working groups regarding hybrid certificates and EST extensions to ensure alignment.
- Review Solicitation: The authors of the forward-secure re-authentication proposal requested more detailed reviews of the KDF updates.