Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
Paul Kyzivat <pkyzivat@alum.mit.edu> Tue, 07 July 2015 19:41 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A22031A889C for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 12:41:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sso6FrT_1T2R for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 12:41:26 -0700 (PDT)
Received: from resqmta-ch2-05v.sys.comcast.net (resqmta-ch2-05v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:37]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDD741A8898 for <gen-art@ietf.org>; Tue, 7 Jul 2015 12:41:26 -0700 (PDT)
Received: from resomta-ch2-14v.sys.comcast.net ([69.252.207.110]) by resqmta-ch2-05v.sys.comcast.net with comcast id pXdz1q0072PT3Qt01XhSVM; Tue, 07 Jul 2015 19:41:26 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([50.138.229.151]) by resomta-ch2-14v.sys.comcast.net with comcast id pXhQ1q0053Ge9ey01XhQrf; Tue, 07 Jul 2015 19:41:26 +0000
Message-ID: <559C2B63.1060501@alum.mit.edu>
Date: Tue, 07 Jul 2015 15:41:23 -0400
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>
References: <20150703040329.26422.22765.idtracker@ietfa.amsl.com> <913383AAA69FF945B8F946018B75898A478836EC@xmb-rcd-x10.cisco.com> <5599A773.40701@alum.mit.edu> <913383AAA69FF945B8F946018B75898A478868AF@xmb-rcd-x10.cisco.com> <559BE75E.9010904@alum.mit.edu> <tslh9pgng78.fsf@mit.edu> <559C1633.10700@alum.mit.edu> <tsla8v7n7nt.fsf@mit.edu>
In-Reply-To: <tsla8v7n7nt.fsf@mit.edu>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1436298086; bh=8E+FOTupb02w+qVTeFjH21G7ECjD9z7BKNf8lMRUVrU=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=fm/gcGOcIDds1sRaikWCt+L04PTkQAjoJ5V0zOM1/x7H6C/11w05vvBCyFlVhT3/b IiEPFmE6hdJOj2URW8BxH9fqvKmiTmaxn9Bwb7KFBXEgJyLnYe0NPtoYIEdkrHOrZZ nJGmoGRPmLj4jrRomEDQIHE49SEGBylvtoE4rb6/sOMLnrYPAp+yM7SNxjwgdaIArU A0x0EI7RnQ7oMcWrXbYR7csNq0D2nN5beBaEkPy0+jKmo2gYpumD0j9tXNbRsLwf7r xQrqfpFhva7r5+xC3skZ8/4OjHBuzgy0R/B8WIN+E0uQrLPXfoFNa1JBASG3TYBgJd CGzKYfKIybM1Q==
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/PB4ACXbJMLAj3guaynIgY9xeSAg>
Cc: General Area Review Team <gen-art@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 19:41:28 -0000
On 7/7/15 2:29 PM, Sam Hartman wrote: > >> You seem to be thinking of authentication as something that tends > >> to benefit the server. In some deployments that's certainly > >> true. However, the client may gain significant benefit from: > >> > >> * Gaining integrity protection over its communications > >> > >> * Preventing third-parties from disrupting state it establishes. > > Paul> Sure. That is certainly an argument for *allowing* all PCP > Paul> requests to be sent over the PA session once one has been > Paul> established. > > I think it's an argument for requiring, not just allowing. > That is once you have a session you need to use it. > Because unless you require that the server doesn't know whether a > request is from an attacker or the client. Good point. > However, this is all about cases where the session is established. > We're in agreement that many clients will not choose to authenticate > until they are required by the server. OK. > >> In addition, I think it's desirable that once a session is > >> established, a client be expected to re-authenticate if session > >> state is lost, *not* to send requests and let the server force > >> re-authentication. > > Paul> IIUC, when a client is first started it may not know if > Paul> authentication will be required. Rather it may learn that only > Paul> by being forced by the server to authenticate. If it then > Paul> reboots, losing its PA SA state, it will be back in the same > Paul> position it was initially. Else you will be forcing it to > Paul> maintain persistent state across reboots. > > O, sorry. > Our requirements seem compatible here but we focused on different sides. > > You said that when I client discovered a server had lost sessions it > should try the request without reauthentication. > To me that implies the client expects a session. > In that case, I would prefer the client authenticate. OK. That seems reasonable. To restate: If the client sends a request within a session, and receives an error from the server indicating that the server doesn't know of that session, then the client SHOULD/MUST first request a new session, and only retransmit the original request after that session is established. (Corner case: the new authentication fails. Maybe the server reset to different credentials, that the client doesn't have. Should the client try the request again, in case it might work without authentication?) > We are in agreement that clients having lost authentication sessions and > not wishing to authenticate before sending a request should just send an > unauthenticated request. Good. > Paul> Surely if it *knows* it can preemptively authenticate. But if > Paul> it doesn't know then things should still work. > > I'd say MUST instead of can, but we're basically in agreement here. > MUST because you open up attacks that the software implementor will > typically not be in a position to evaluate if you choose not to > authenticate in the case where you know you lost a session. > (I'd be OK with SHOULD) > We're in agreement though that if you don't know you've lost a session > it needs to still work. I think we are aligned here. > >> However, I do agree with you that we need a mechanism for the > >> server to indicate that it has lost state. That's only a hint to > >> the client. Since that indication will not be > >> integrity-protected, it may be sent by an attacker. A client MAY > >> disregard it, for example if the client suspects a DOS attack. > >> Generally, though a client SHOULD try and re-authenticate, > >> discarding the session state only when re-authentication is > >> successful. > > Paul> Re-authentication requires the client and server to both have > Paul> the prior session state. So that path won't work in cases > Paul> where one has forgotten the state. > > I was using re-authentication with its English meaning not as a term of > art from the document. > Sorry for the confusion. > With that clarification are we basically on the same page? Yes, I think so. I fear it may take some heavy editing to make the document agree with this. And, the changes may impact the security properties. But that is your playground! Thanks, Paul
- [Gen-art] Gen-ART Telechat review of draft-ietf-p… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)