Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Sat, 11 July 2015 02:18 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C972D1A1B82 for <gen-art@ietfa.amsl.com>; Fri, 10 Jul 2015 19:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B0cc2igUyt1M for <gen-art@ietfa.amsl.com>; Fri, 10 Jul 2015 19:18:38 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8615B1A1B44 for <gen-art@ietf.org>; Fri, 10 Jul 2015 19:18:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8818; q=dns/txt; s=iport; t=1436581118; x=1437790718; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=SFEV59N5DE5YeF3l66NPVu8ajhbZxSvgP/gNTgIL28Q=; b=eelBCpexfa7TvWczMyB+BdnbQn7Xjvi3R28eKkGiEsDdN91yiDBLR7og k8BuWRM3vpT6Yjwq1Korl294dbDtM4oLyohllN9rpUHNRg3HlosDoVgqA fEnx2VUvKVcKo6tHRPUHjwvpMv0rdpGngB4cvQq2za63YukIcP9cK1AF/ M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B7AwDme6BV/4QNJK1bDoMFgTQGuy0Jh2oCgUU4FAEBAQEBAQGBCoQjAQEBBDo/DAQCAQgOAwQBAQEKFAkHMhQJCAEBBAENBQgTiBPPKgEBAQEBAQEBAQEBAQEBAQEBAQEBAReLS4Q3BBoxBwaDEYEUBYUfjxIBhU6EEINkhBiLB4gNJmOBKRyBFT5vAYEFJRyBBAEBAQ
X-IronPort-AV: E=Sophos;i="5.15,452,1432598400"; d="scan'208";a="167687520"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Jul 2015 02:18:37 +0000
Received: from xhc-rcd-x04.cisco.com (xhc-rcd-x04.cisco.com [173.37.183.78]) by alln-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id t6B2IbcV031551 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 11 Jul 2015 02:18:37 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.123]) by xhc-rcd-x04.cisco.com ([173.37.183.78]) with mapi id 14.03.0195.001; Fri, 10 Jul 2015 21:18:36 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, Sam Hartman <hartmans@painless-security.com>
Thread-Topic: Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
Thread-Index: AdC6xkCJTpuN5PIoShG936OO4EQ6OAAkAdEAAAmFBUA=
Date: Sat, 11 Jul 2015 02:18:35 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A4788D53D@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A4788C4BA@xmb-rcd-x10.cisco.com> <559FF0DC.7070205@alum.mit.edu>
In-Reply-To: <559FF0DC.7070205@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.72.90]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/tOdvBjWp5Ftu_lajaufsgmO8BHc>
Cc: General Area Review Team <gen-art@ietf.org>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 02:18:41 -0000
> -----Original Message----- > From: Paul Kyzivat [mailto:pkyzivat@alum.mit.edu] > Sent: Friday, July 10, 2015 9:51 PM > To: Tirumaleswar Reddy (tireddy); Sam Hartman > Cc: draft-ietf-pcp-authentication.all@tools.ietf.org; General Area Review Team > Subject: Re: Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt > > On 7/10/15 12:09 AM, Tirumaleswar Reddy (tireddy) wrote: > > Hi Paul, > > > > Please see inline > > > >> -----Original Message----- > >> From: Paul Kyzivat [mailto:pkyzivat@alum.mit.edu] > >> Sent: Thursday, July 09, 2015 8:26 PM > >> To: Tirumaleswar Reddy (tireddy); Sam Hartman > >> Cc: draft-ietf-pcp-authentication.all@tools.ietf.org; General Area Review > Team > >> Subject: Re: Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt > >> > >> On 7/8/15 7:20 AM, Tirumaleswar Reddy (tireddy) wrote: > >>> I agree with the discussion and propose the following text to address the > >> comments. > >>> > >>> NEW: > >> > >> Where? > >> > >> I suspect there is need of another document section, or even a larger > >> reorganization, to fit this in with all the other changes we have discussed. (I > >> think at the moment it is becoming a patchwork.) > > > > Yes, I have added a new section called "Recovery from lost PA session". > > Sounds good. > > >>> If a PCP server resets or loses the PCP SA due to reboot, power > >>> failure, or any reason then it sends unsolicited ANNOUNCE response as > >>> explained in section 14.1.3 of [RFC6887] to the PCP client. Upon > >>> receiving the ANNOUNCE response with an anomalous Epoch time, PCP > >>> client deduces that the server may have lost state. > >> > >> I had forgotten about the Epoch time logic. That does provide a tool to > >> facilitate discovering loss of sync. > >> > >>> PCP client sends > >>> re-authentication request to the PCP server to check if the PCP > >>> server has indeed lost the state or an attacker has sent the ANNOUNCE > >>> response. If the response from the PCP server is integrity-protected > >>> then PCP client discards the re-authentication process > >> > >> How do you go about *discarding* the re-authentication process once it has > >> begun? I don't see any mechanism for doing that. > > > > The client can stop the re-authentication process anytime and it won't impact > the PCP SA as long as the session lifetime has not expired. What problem do > you see with this approach ? > > IIUC client and server each have an implied state machine for handling > received PA messages based on their response code. But it is only > implied, so there is little specification of error conditions, such as > receipt of a message with a response code that is unexpected in that state. > > If you just stop in some intermediate state, the other side will be > stuck in that state until it receives another PA message on the 5-tuple. > Depending on where things stopped, it might retransmit the last message. > And you are then depending on the implementation being happy if > re-authentication starts over from the beginning at some later time. > > I think it would improve the chanced for interoperability if you > included explicit specification of those state machines, with all the > transitions. (One state machine for the client, another for the server.) > > >> The simple solution is to just go ahead and complete the re-authentication. > >> However this does open a DoS attack path. > >> > >> A cleaner way would be for the client to send some sort of NO-OP request > >> within the session. That then could complete or fail. Good point, updated new section to use unicast ANNOUNCE to check if the PCP server has lost the state or not. -Tiru > >> > >>> and the PCP > >>> server MUST NOT delete the PCP SA. If the PCP server responds to the > >>> re-authentication request with UNKNOWN_SESSION_ID error code then > >> the > >>> PCP client MUST discard the re-authentication process and initiate > >>> full EAP authentication with the PCP server as explained in > >>> Section 3.1.1. After EAP authentication is successful PCP client > >>> updates the PCP SA and issues new common PCP requests to recreate > any > >>> lost mapping state. In a scenario where the PCP server has lost the > >>> PCP SA but did not inform the PCP client, if the PCP client sends PCP > >>> request integrity-protected then the PCP server rejects the request > >>> with UNKNOWN_SESSION_ID error code. The PCP client then initiates > >>> full EAP authentication with the PCP server as explained in > >>> Section 3.1.1 and updates the PCP SA after successful authentication. > >>> > >>> If the PCP client resets or loses the PCP SA due to reboot, power > >>> failure, or any reason and sends common PCP request then the PCP > >>> server rejects the request with AUTHENTICATION_REQUIRED error code. > >>> The PCP client MUST authenticate with the PCP server and after > >>> EAP authentication is successful retry the common PCP request with > >>> AUTHENTICATION_TAG option. The PCP server MUST update the > >>> PCP SA after successful EAP authentication. > >> > >> The rest of this all seems to work. > > > > Thanks. > > > >> > >> But I think there is need for more analysis of what happens if client or server > >> restarts at special points in exchanges. For instance: > >> > >> - client sends Common PCP request within a session then restarts before > >> receiving the response. > > > > If the endpoint reboots then application triggering the PCP request would > also have re-started and would not care about the PCP request/response. After > the application restarts it would trigger new PCP request. > > OK, I guess so for this one. The restarted client may receive the > response, but would presumably ignore it because of an unknown session id. > > >> - client restarts somewhere within a sequence of PA messages > > > > After restart PCP client would do EAP authentication as discussed in section > 3.1.1. PCP server should have idle timer to delete PCP SA if there is no > response from the PCP client (for example to also handle a case if the client has > detached from the network). > > It *might* do that. Or it might start using unauthenticated PCP, until > it gets a response forcing it to authenticate. > > But what does the server do? Various things might happen depending on > where it was in the sequence. Certainly it will go wrong one way or > another. The state machine I mentioned above would help clarify this. > > >> - server restarted somewhere within a sequence of PA messages > > > > PCP server would reject the PA-Client message with UNKNOWN_SESSION_ID > because it has lost state. > > Yup. > > I have the feeling that you are answering my questions based on an > implementation. If so, it is a good thing to have such an implementation > to validate the spec. But that doesn't mean that other implementations > will behave the same way, unless the spec is sufficiently precise about > the details. > > Thanks, > Paul > > > Cheers, > > -Tiru > > > >> > >> I haven't thought through all of those. They may not need any special > attention, > >> but I bet at least one of them does. > >> > >> Thanks, > >> Paul > >> > >>> -Tiru > >>> > >>>> -----Original Message----- > >>>> From: Sam Hartman [mailto:hartmans@painless-security.com] > >>>> Sent: Wednesday, July 08, 2015 6:35 AM > >>>> To: Paul Kyzivat > >>>> Cc: Tirumaleswar Reddy (tireddy); draft-ietf-pcp- > >>>> authentication.all@tools.ietf.org; General Area Review Team > >>>> Subject: Re: Gen-ART Telechat review of > >>>> draft-ietf-pcp-authentication-13.txt > >>>> > >>>> Yes. > >>>> At this point I think you and I understand what we're talking about. > >>>> > >>>> I haven't been involved in this doc in a while. > >>>> I think we need to let Tirumaleswar comment as well as get feedback > >>>> from the rest of the group. > >>>> Some of this may have been discussed in the WG while I was not > >>>> watching, and you and I have been intentionally abstract. > >>>> > >>>> Unless you and I have both missed something obvious it seems unlikely > >>>> we'll be done with this issue by the telechat. > >>>> > >>>> I am attending the Prague IETF and would be happy to spend > >>>> significant cycles that week wordsmithing/discussing this issue with > >>>> PCP folks if we don't clear before then. > >>> > > > >
- [Gen-art] Gen-ART Telechat review of draft-ietf-p… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Sam Hartman
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Paul Kyzivat
- Re: [Gen-art] Gen-ART Telechat review of draft-ie… Tirumaleswar Reddy (tireddy)