Re: [pcp] EAP retransmits and re-authentication
Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp> Thu, 20 September 2012 17:24 UTC
Return-Path: <yoshihiro.ohba@toshiba.co.jp>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F6F521F881F for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 10:24:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[AWL=1.168, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_HI=-8, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9pnB65meiSX for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 10:24:08 -0700 (PDT)
Received: from imx12.toshiba.co.jp (imx12.toshiba.co.jp [61.202.160.132]) by ietfa.amsl.com (Postfix) with ESMTP id 64B7021F8816 for <pcp@ietf.org>; Thu, 20 Sep 2012 10:24:07 -0700 (PDT)
Received: from arc11.toshiba.co.jp ([133.199.90.127]) by imx12.toshiba.co.jp with ESMTP id q8KHO4a9022576; Fri, 21 Sep 2012 02:24:04 +0900 (JST)
Received: (from root@localhost) by arc11.toshiba.co.jp id q8KHO4dS004599; Fri, 21 Sep 2012 02:24:04 +0900 (JST)
Received: from ovp11.toshiba.co.jp [133.199.90.148] by arc11.toshiba.co.jp with ESMTP id CAA04598; Fri, 21 Sep 2012 02:24:04 +0900
Received: from mx.toshiba.co.jp (localhost [127.0.0.1]) by ovp11.toshiba.co.jp with ESMTP id q8KHO45R014736; Fri, 21 Sep 2012 02:24:04 +0900 (JST)
Received: from tsbpoa.po.toshiba.co.jp by toshiba.co.jp id q8KHNxYv028009; Fri, 21 Sep 2012 02:23:59 +0900 (JST)
Received: from [133.199.16.197] by mail.po.toshiba.co.jp (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004)) with ESMTPA id <0MAN007IOSBYGTA0@mail.po.toshiba.co.jp>; Fri, 21 Sep 2012 02:23:59 +0900 (JST)
Date: Fri, 21 Sep 2012 02:24:01 +0900
From: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>
In-reply-to: <6CDC61E8-2811-4D44-959E-0F01BEA5C7EF@lilacglade.org>
To: Margaret Wasserman <margaretw42@gmail.com>
Message-id: <505B5131.3000400@toshiba.co.jp>
MIME-version: 1.0
Content-type: text/plain; charset="ISO-2022-JP"
Content-transfer-encoding: 7bit
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <tslipbap18s.fsf@mit.edu> <09E52F80-2292-42CB-9833-957D16DCF2AB@yegin.org> <tsl392clv10.fsf_-_@mit.edu> <505B35E4.5020108@toshiba.co.jp> <tslfw6ciuan.fsf@mit.edu> <505B4077.3030802@toshiba.co.jp> <6CDC61E8-2811-4D44-959E-0F01BEA5C7EF@lilacglade.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
Cc: pcp@ietf.org
Subject: Re: [pcp] EAP retransmits and re-authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 17:24:09 -0000
Margaret,
(2012/09/21 1:45), Margaret Wasserman wrote:
>
> On Sep 20, 2012, at 12:12 PM, Yoshihiro Ohba wrote:
>>> Actually, I didn't propose a change; I simply pointed out that you can
>>> do it either way depending on what is easiest for PCP implementations;
>>> we should pick, but what we pick should be based on the needs of the PCP
>>> community.
>>
>> I would rather consider this as the major disadvantage of tight
>> coupling EAP and PCP. It is much easier to run PANA and PCP
>> side-by-side which achieves loose coupling of EAP and PCP.=
>
> The problem is that running PCP and PANA side-by-side doesn't really change anything...
>
> Either we change PCP to have a notion of a "session" that is associated with every mapping, and to understand to understand that external events can cause an asynchronous event of some sort that invalidates all of those mappings, or we don't...
>
> I greatly prefer a model where the a client is authenticated and authorized to create a mapping, at the time that the mapping is created, and there is no presumption that the mapping is tied to any sort of ongoing client authentication/authorization.
>
I disagree. Loose coupling of authentication/authorization and states
associated with authorization creates a security issue. Loose
coupling makes it difficult for service providers to strictly enforce
their services based on the authentication/authorization.
> Otherwise, I suppose we could _claim_ to support re-authentication, but what does it mean if PANA performs re-authentication and there is no meaningful way to communicate a re-authentication success, or more importantly perhaps, a re-authentication failure to PCP.
>
> How are you imagining this would work in the side-by-side case -- re-authentication occurs, and then what?
>
I suggest you to take a look at RFC 5609 on how it can work.
Completion of initial authentication and re-authentication calls
Authorize() upon success and Disconnect() upon failure which are
typically implemented as a callback.
"
void Disconnect()
A procedure to delete the PANA session as well as the
corresponding EAP session and authorization state.
boolean Authorize()
A procedure to create or modify authorization state. It returns
TRUE if authorization is successful. Otherwise, it returns FALSE.
It is assumed that Authorize() procedure of PaC state machine
always returns TRUE. In the case that a non-key-generating EAP
method is used but a PANA SA is required after successful
authentication (generate_pana_sa() returns TRUE), Authorize()
procedure must return FALSE.
"
If you find some issue, we can work on revising RFC 5609 if something
is missing for PCP needs, which would be more productive IMO.
Yoshihiro Ohba
> Margaret
>
>
>
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Reinaldo Penno (repenno)
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Dan Wing
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Sam Hartman
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Henderickx, Wim (Wim)
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- [pcp] Authentication scenarios (was Re: PANA impl… Alper Yegin
- [pcp] Side-by-side or nested protocols (was Re: P… Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Henderickx, Wim (Wim)
- Re: [pcp] Authentication scenarios (was Re: PANA … Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] [ Side-by-side or nested protocols Sam Hartman
- Re: [pcp] Authentication scenarios (was Re: PANA … Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] [ Side-by-side or nested protocols Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Zhangdacheng (Dacheng)
- Re: [pcp] [ Side-by-side or nested protocols Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols Sam Hartman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Alper Yegin
- [pcp] EAP retransmits and re-authentication Sam Hartman
- [pcp] gss-eap Alper Yegin
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Margaret Wasserman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Margaret Wasserman
- Re: [pcp] gss-eap & client-side rexmit only Sam Hartman
- Re: [pcp] gss-eap & client-side rexmit only Yoshihiro Ohba
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin