Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
Paul Kyzivat <pkyzivat@alum.mit.edu> Thu, 09 July 2015 14:55 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8064A1B2A3E for <gen-art@ietfa.amsl.com>; Thu, 9 Jul 2015 07:55:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xv0HpFkAxnSU for <gen-art@ietfa.amsl.com>; Thu, 9 Jul 2015 07:55:56 -0700 (PDT)
Received: from resqmta-ch2-08v.sys.comcast.net (resqmta-ch2-08v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:40]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 189311B2A3A for <gen-art@ietf.org>; Thu, 9 Jul 2015 07:55:55 -0700 (PDT)
Received: from resomta-ch2-02v.sys.comcast.net ([69.252.207.98]) by resqmta-ch2-08v.sys.comcast.net with comcast id qEvD1q00327uzMh01EvvD2; Thu, 09 Jul 2015 14:55:55 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([50.138.229.151]) by resomta-ch2-02v.sys.comcast.net with comcast id qEvt1q00Y3Ge9ey01Evufj; Thu, 09 Jul 2015 14:55:55 +0000
Message-ID: <559E8B78.4030906@alum.mit.edu>
Date: Thu, 09 Jul 2015 10:55:52 -0400
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, Sam Hartman <hartmans@painless-security.com>
References: <20150703040329.26422.22765.idtracker@ietfa.amsl.com> <913383AAA69FF945B8F946018B75898A478836EC@xmb-rcd-x10.cisco.com> <5599A773.40701@alum.mit.edu> <913383AAA69FF945B8F946018B75898A478868AF@xmb-rcd-x10.cisco.com> <559BE75E.9010904@alum.mit.edu> <tslh9pgng78.fsf@mit.edu> <559C1633.10700@alum.mit.edu> <tsla8v7n7nt.fsf@mit.edu> <559C2B63.1060501@alum.mit.edu> <tslpp43las3.fsf@mit.edu> <913383AAA69FF945B8F946018B75898A4788A3B6@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A4788A3B6@xmb-rcd-x10.cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1436453755; bh=QyQ2gy/1rtl42G5Aj89/RsHEPl6uMPW85zDhwSFcwFo=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=MvJRS09GIgi6fVXQzJ5WGXJWbUyUucuqmDuwLHouFvsrTRjgaORm0gvM0GOmA66eh bUd7dSdM88d93cFHI8BGL9EoOMXx7vyoofkC2GxgbUhU+tT395D4amCmfsc5xhmKhA dGqykN+b5+JIyGwO6jZytsS96BFklhaD7BgC/hCorfG3KbAbEJj8JmAOsxHt3hL+no tkB5zs/d9a80XiaoSVCzEr8yDluBxhnBairHt/+Gw4CM7ubb3sy4Nc/BmlnhzenX6+ og8GF1e6n4pAjH4oD4yYCLw+4ypnHsteGG3fozkS/l83KqL+TsRR1+iNHa4mQkm/Yp 39LlmNtqiLRlg==
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/Q86y2Tq-8EJ7j4s_AwmtT09YY6Y>
Cc: General Area Review Team <gen-art@ietf.org>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 14:55:57 -0000
On 7/8/15 7:20 AM, Tirumaleswar Reddy (tireddy) wrote: > I agree with the discussion and propose the following text to address the comments. > > NEW: Where? I suspect there is need of another document section, or even a larger reorganization, to fit this in with all the other changes we have discussed. (I think at the moment it is becoming a patchwork.) > If a PCP server resets or loses the PCP SA due to reboot, power > failure, or any reason then it sends unsolicited ANNOUNCE response as > explained in section 14.1.3 of [RFC6887] to the PCP client. Upon > receiving the ANNOUNCE response with an anomalous Epoch time, PCP > client deduces that the server may have lost state. I had forgotten about the Epoch time logic. That does provide a tool to facilitate discovering loss of sync. > PCP client sends > re-authentication request to the PCP server to check if the PCP > server has indeed lost the state or an attacker has sent the ANNOUNCE > response. If the response from the PCP server is integrity-protected > then PCP client discards the re-authentication process How do you go about *discarding* the re-authentication process once it has begun? I don't see any mechanism for doing that. The simple solution is to just go ahead and complete the re-authentication. However this does open a DoS attack path. A cleaner way would be for the client to send some sort of NO-OP request within the session. That then could complete or fail. > and the PCP > server MUST NOT delete the PCP SA. If the PCP server responds to the > re-authentication request with UNKNOWN_SESSION_ID error code then the > PCP client MUST discard the re-authentication process and initiate > full EAP authentication with the PCP server as explained in > Section 3.1.1. After EAP authentication is successful PCP client > updates the PCP SA and issues new common PCP requests to recreate any > lost mapping state. In a scenario where the PCP server has lost the > PCP SA but did not inform the PCP client, if the PCP client sends PCP > request integrity-protected then the PCP server rejects the request > with UNKNOWN_SESSION_ID error code. The PCP client then initiates > full EAP authentication with the PCP server as explained in > Section 3.1.1 and updates the PCP SA after successful authentication. > > If the PCP client resets or loses the PCP SA due to reboot, power > failure, or any reason and sends common PCP request then the PCP > server rejects the request with AUTHENTICATION_REQUIRED error code. > The PCP client MUST authenticate with the PCP server and after > EAP authentication is successful retry the common PCP request with > AUTHENTICATION_TAG option. The PCP server MUST update the > PCP SA after successful EAP authentication. The rest of this all seems to work. But I think there is need for more analysis of what happens if client or server restarts at special points in exchanges. For instance: - client sends Common PCP request within a session then restarts before receiving the response. - client restarts somewhere within a sequence of PA messages - server restarted somewhere within a sequence of PA messages I haven't thought through all of those. They may not need any special attention, but I bet at least one of them does. Thanks, Paul > -Tiru > >> -----Original Message----- >> From: Sam Hartman [mailto:hartmans@painless-security.com] >> Sent: Wednesday, July 08, 2015 6:35 AM >> To: Paul Kyzivat >> Cc: Tirumaleswar Reddy (tireddy); draft-ietf-pcp- >> authentication.all@tools.ietf.org; General Area Review Team >> Subject: Re: Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt >> >> Yes. >> At this point I think you and I understand what we're talking about. >> >> I haven't been involved in this doc in a while. >> I think we need to let Tirumaleswar comment as well as get feedback from the >> rest of the group. >> Some of this may have been discussed in the WG while I was not watching, and >> you and I have been intentionally abstract. >> >> Unless you and I have both missed something obvious it seems unlikely we'll be >> done with this issue by the telechat. >> >> I am attending the Prague IETF and would be happy to spend significant cycles >> that week wordsmithing/discussing this issue with PCP folks if we don't clear >> before then. >
- [Gen-art] Gen-ART Telechat review of draft-ietf-p… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)