Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
Sam Hartman <hartmans@painless-security.com> Tue, 07 July 2015 15:25 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 158E81ACDE7 for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 08:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dY4itInkZZz0 for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 08:25:26 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46D3F1ACD0A for <gen-art@ietf.org>; Tue, 7 Jul 2015 08:24:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 94DFD20730; Tue, 7 Jul 2015 11:24:27 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2V-mjd0oLtBP; Tue, 7 Jul 2015 11:24:27 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-65-96-232-173.hsd1.ma.comcast.net [65.96.232.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 7 Jul 2015 11:24:27 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4C51488C32; Tue, 7 Jul 2015 11:24:43 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
References: <20150703040329.26422.22765.idtracker@ietfa.amsl.com> <913383AAA69FF945B8F946018B75898A478836EC@xmb-rcd-x10.cisco.com> <5599A773.40701@alum.mit.edu> <913383AAA69FF945B8F946018B75898A478868AF@xmb-rcd-x10.cisco.com> <559BE75E.9010904@alum.mit.edu>
Date: Tue, 07 Jul 2015 11:24:43 -0400
In-Reply-To: <559BE75E.9010904@alum.mit.edu> (Paul Kyzivat's message of "Tue, 07 Jul 2015 10:51:10 -0400")
Message-ID: <tslh9pgng78.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/rsWOvlcLrcfGJ-Z8GrBjpgpEYX8>
Cc: General Area Review Team <gen-art@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 15:25:28 -0000
>>>>> "Paul" == Paul Kyzivat <pkyzivat@alum.mit.edu> writes: Paul> Do you agree with this conclusion? If not, please explain why Paul> you think my logic is wrong. I partially agree with your conclusion. I agree that we need a mechanism to resynchronize state, and I agree that unsolicited announces aren't really good enough. I think it's highly undesirable to permit some requests over a five-tuple to be authenticated and some to not be authenticated. You seem to be thinking of authentication as something that tends to benefit the server. In some deployments that's certainly true. However, the client may gain significant benefit from: * Gaining integrity protection over its communications * Preventing third-parties from disrupting state it establishes. So, for these reasons, I think it's very important that once a session is established, only authenticated requests be accepted over that five-tuple. In addition, I think it's desirable that once a session is established, a client be expected to re-authenticate if session state is lost, *not* to send requests and let the server force re-authentication. However, I do agree with you that we need a mechanism for the server to indicate that it has lost state. That's only a hint to the client. Since that indication will not be integrity-protected, it may be sent by an attacker. A client MAY disregard it, for example if the client suspects a DOS attack. Generally, though a client SHOULD try and re-authenticate, discarding the session state only when re-authentication is successful. To get this right, it sounds like we need to: * Describe how the server indicates session state lost * Describe what clients do if the client is starting re-authentication but gets a response under the old session. Presumably this is an indication that an attacker is trying to force re-authentication. * Describe sufficient server behavior for what our client behavior is to work out well. That is, if we say that when a client gains evidence the server actually does still have the session, we abandon the re-authentication, we need to make sure servers are still maintaining session state. --Sam
- [Gen-art] Gen-ART Telechat review of draft-ietf-p… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)