Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
Sam Hartman <hartmans@painless-security.com> Tue, 07 July 2015 18:29 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 127F01A0125 for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 11:29:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6_cl5FE-u4P for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 11:29:12 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D169C1A1A91 for <gen-art@ietf.org>; Tue, 7 Jul 2015 11:29:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id E142E20730; Tue, 7 Jul 2015 14:28:51 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVmotnVqe1HL; Tue, 7 Jul 2015 14:28:51 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [10.1.10.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 7 Jul 2015 14:28:51 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 3EDF688C32; Tue, 7 Jul 2015 14:29:10 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
References: <20150703040329.26422.22765.idtracker@ietfa.amsl.com> <913383AAA69FF945B8F946018B75898A478836EC@xmb-rcd-x10.cisco.com> <5599A773.40701@alum.mit.edu> <913383AAA69FF945B8F946018B75898A478868AF@xmb-rcd-x10.cisco.com> <559BE75E.9010904@alum.mit.edu> <tslh9pgng78.fsf@mit.edu> <559C1633.10700@alum.mit.edu>
Date: Tue, 07 Jul 2015 14:29:10 -0400
In-Reply-To: <559C1633.10700@alum.mit.edu> (Paul Kyzivat's message of "Tue, 07 Jul 2015 14:10:59 -0400")
Message-ID: <tsla8v7n7nt.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/IvdCgoXGhTzRRlXtPBTeRziJocM>
Cc: General Area Review Team <gen-art@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 18:29:14 -0000
>>>>> "Paul" == Paul Kyzivat <pkyzivat@alum.mit.edu> writes: Paul> Hi Sam, Paul> On 7/7/15 11:24 AM, Sam Hartman wrote: >>>>>>> "Paul" == Paul Kyzivat <pkyzivat@alum.mit.edu> writes: >> Paul> Do you agree with this conclusion? If not, please explain why Paul> you think my logic is wrong. >> >> I partially agree with your conclusion. I agree that we need a >> mechanism to resynchronize state, and I agree that unsolicited >> announces aren't really good enough. >> >> I think it's highly undesirable to permit some requests over a >> five-tuple to be authenticated and some to not be authenticated. Paul> I had no a priori understanding of what the thinking was on Paul> this. I was going only be what I could learn by reading the Paul> document, and wasn't able to discern the intent from the Paul> document. Paul> So I at least make a plea that the document be clarified so Paul> that future readers will understand the intended use model. >> You seem to be thinking of authentication as something that tends >> to benefit the server. In some deployments that's certainly >> true. However, the client may gain significant benefit from: >> >> * Gaining integrity protection over its communications >> >> * Preventing third-parties from disrupting state it establishes. Paul> Sure. That is certainly an argument for *allowing* all PCP Paul> requests to be sent over the PA session once one has been Paul> established. I think it's an argument for requiring, not just allowing. That is once you have a session you need to use it. Because unless you require that the server doesn't know whether a request is from an attacker or the client. However, this is all about cases where the session is established. We're in agreement that many clients will not choose to authenticate until they are required by the server. >> So, for these reasons, I think it's very important that once a >> session is established, only authenticated requests be accepted >> over that five-tuple. Paul> I looked at the Advanced Threat Model of RFC6887. And I see Paul> some cases (e.g. "Any implementation that wants to be more Paul> permissive in authorizing explicit mappings than it is in Paul> authorizing implicit mappings") where a mixed model might make Paul> sense. In particular that query/manipulation of implicit Paul> mappings (or mappings that would be allowed implicitly) might Paul> not require authentication, while some or all explicit Paul> mappings that wouldn't be allowed implicitly require Paul> authentication. Paul> In that case, authentication might never happen until the Paul> client requires one of the explicit mappings. It may be that Paul> user intervention is required for authentication to succeed, Paul> so it is undesirable to force it before it is needed. Agreed. Paul> Of course this is still compatible with requiring all PCP Paul> messages (except re-authentication) to go over the PA session Paul> once one has been established. Agreed. >> In addition, I think it's desirable that once a session is >> established, a client be expected to re-authenticate if session >> state is lost, *not* to send requests and let the server force >> re-authentication. Paul> IIUC, when a client is first started it may not know if Paul> authentication will be required. Rather it may learn that only Paul> by being forced by the server to authenticate. If it then Paul> reboots, losing its PA SA state, it will be back in the same Paul> position it was initially. Else you will be forcing it to Paul> maintain persistent state across reboots. O, sorry. Our requirements seem compatible here but we focused on different sides. You said that when I client discovered a server had lost sessions it should try the request without reauthentication. To me that implies the client expects a session. In that case, I would prefer the client authenticate. We are in agreement that clients having lost authentication sessions and not wishing to authenticate before sending a request should just send an unauthenticated request. Paul> Surely if it *knows* it can preemptively authenticate. But if Paul> it doesn't know then things should still work. I'd say MUST instead of can, but we're basically in agreement here. MUST because you open up attacks that the software implementor will typically not be in a position to evaluate if you choose not to authenticate in the case where you know you lost a session. (I'd be OK with SHOULD) We're in agreement though that if you don't know you've lost a session it needs to still work. >> However, I do agree with you that we need a mechanism for the >> server to indicate that it has lost state. That's only a hint to >> the client. Since that indication will not be >> integrity-protected, it may be sent by an attacker. A client MAY >> disregard it, for example if the client suspects a DOS attack. >> Generally, though a client SHOULD try and re-authenticate, >> discarding the session state only when re-authentication is >> successful. Paul> Re-authentication requires the client and server to both have Paul> the prior session state. So that path won't work in cases Paul> where one has forgotten the state. I was using re-authentication with its English meaning not as a term of art from the document. Sorry for the confusion. With that clarification are we basically on the same page?
- [Gen-art] Gen-ART Telechat review of draft-ietf-p… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)