IETF Logo Mail Archive

Re: [pcp] EAP-over-PCP

Alper Yegin <alper.yegin@yegin.org> Thu, 20 September 2012 09:39 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7BDC21F8745 for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 02:39:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.187
X-Spam-Level:
X-Spam-Status: No, score=-102.187 tagged_above=-999 required=5 tests=[AWL=-0.189, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_51=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5PIUJ6WHIlQP for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 02:39:10 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id 7551121F873B for <pcp@ietf.org>; Thu, 20 Sep 2012 02:39:10 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis) id 0MHIpn-1TIk4x260h-00E5Th; Thu, 20 Sep 2012 05:39:09 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_27A01A29-7DE3-4BA7-A249-B26784551B00"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <tslipbap18s.fsf@mit.edu>
Date: Thu, 20 Sep 2012 12:38:50 +0300
Message-Id: <09E52F80-2292-42CB-9833-957D16DCF2AB@yegin.org>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <tslipbap18s.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:Bosp3KH0SK/WrR/5BnlZ4nJ8ruqkTeFpLV42mt7VfLc 1lpNZUWEz1S4096XM/yX9ZcQoUnZ0y5ATw4Xl1X53hIRYdJbnY RbhhMJDG/zAza7ld028ruut7Q+HBVqGXZxEiQcB+m/q5orm/WF RzjIAUTwJHHRE+7Z7l+mH+1Lna+CNRZQzMHQMURhnhf7RDuCOt WoaPf7iFTTrLob88SBgAhLGJNc2+tR31gQNBCLR+GlxG5UycFN 0//bYX4IMkx0ZF/h2P/Ro5F7PIMGOhrg2aXkfzvIoNkwgJci8e HE9AFFkVro0kgdzj6tW9Ye7jdNN7V+omRH3dMKCnEgXywv22YQ NsD7sztSahNxpGdDSZXiuJkGRYihFvykcSUEGBy/R0HEyyQuV6 BuNo78p2GAKgQ==
Cc: "'pcp@ietf.org'" <pcp@ietf.org>
Subject: Re: [pcp] EAP-over-PCP
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 09:39:11 -0000

>>> Depending on what's easy for PCP implementations we have a number
>>> of options.
>>> 
>>> In RFC 3748 the conversation is conceptually server driven.
>>> However, there is typically a client (lower layer) indication to
>>> get things started.
>>> 
>>> However, the only reason that the conversation is server-driven
>>> iss retransmissions. If you take a look at section 2 of RFC 3748
>>> you note that the protocol is lockstep. The server cannot send a
>>> new request until the client has responded to the previous one.
>>> If you take a look at section 4.3, a lower layer may sent the
>>> retransmission timeout to infinite. In this mode, the server will
>>> never generate an unsolicited request.  So, it's entirely
>>> possible to view things as a client-server protocol with
>>> client-driven retransmissions if that makes things easier for PCP
>>> implementations.
>>> 
> 
> Alper>I don't understand how this works.
>    Alper> EAP authenticator performs rexmits.  So, if it does not get a
>    Alper> response, it'll keep rexmitting. So, how can you achieve
>    Alper> "server will never generate an unsolicited request"?
> 
> There are three aspects to this: why does it work in practice, why does
> it comply with the spec, and why do I think  it's been reviewed
> adequately to suggest it?
> 
> For the first, EAP libraries tend to have a way to ignore  retransmits
> or set the retransmission timeout to infinite.

You mean the "EAP layer"? 

  When run over a reliable lower layer (e.g., EAP over ISAKMP/TCP, as
   within [PIC]), the authenticator retransmission timer SHOULD be set
   to an infinite value, so that retransmissions do not occur at the EAP
   layer. 

Only when run over a reliable EAP lower layer, the EAP layer sets the timeout to infinity.
So, whether the rexmit is handled by the EAP layer, or the EAP lower layer, the PCP server will be sending retransmissions in your case.


> Consider what happens in an AAA server. There, your EAP server cannot
> (and is not supposed to) handle retransmits.
> RADIUS at least is a lock-step protocol. Ignoring things like COA,

Ah, "ignoring CoA". CoA is the RADIUS' tool to generate an unsolicited message, more specifically for starting EAP re-authentication.
So, let's not ignore that.


> a
> RADIUS server cannot send an unsolicited response to a client.
> So any EAP server library basically has to have a way to disable
> retransmits.
> I guess it's possible that you could have a passthrough authenticator
> library that doesn't pull this off.

Rexmit is the responsibility of the "EAP passthru authenticator".


> IN practice we've not run into this problem; see below for why.
> 
> Also, as I understand it (without close reading) the IKEv2 EAP support
> works this way as well.
> 
> So, why does it comply with the spec?
> Take a look at RFC 3748 section 4.3. That section points out a lower
> layer can set the retransmit timeout to infinite if it is reliable
> itself.
> 

True. But see my explanations above.


> Why do I think the whole idea of assuming you'll never get an
> unsolicited server request has been adequately reviewed? It's part of
> draft-ietf-abfab-gss-eap, which has already been approved and is waiting
> publication. I've personally walked through what we were doing with
> Bernard; I know Joe is familiar with the work enough that he understands
> our state machine constraints. Klaas is one of the chairs; he also has a
> lot of EAP experience. Josh Howlett, my co-author has many more years of
> EAP experience than I do.  So, I believe that this idea has received
> adequate review that if I were somehow misreading the base EAP spec we
> would have noticed it.
> 

Sam, you are claiming "it's entirely possible to view things as a client-server protocol with client-driven retransmissions if that makes things easier for PCP implementations."
I don't see how it works from your technical explanations here. 
You are referring to a past work, which I was not involved. Unless I go back and read that spec, and email archives, I cannot know why/how/what happened, and if it's applicable to here.

So, why don't you just explain us how it'd work, better yet show us on your document.

Bottom line is, 
EAP is server driven.
PCP is client driven. 
How do you stack them up against each other?


> 
>    Alper> And, furthermore, there'd be EAP re-authentication which can
>    Alper> be initiated by the client or server. This is another reason
>    Alper> for having to support server-side requests.
> 
> 
> I'm not entirely sure what you're talking about when you say EAP
> re-authentication.
> Do you mean the EAP re-authentication protocol (the one done in HOKEY?)

No, not that. That's just an optimized re-authentication.
Re-authentication is executing EAP again.

> The base EAP spec mentions re-authentication once or twice  but does not
> define it.
> My best reading of that text is that they simply mean there can be later
> EAP conversations if you want to access a new resource or the like, or
> the network wants to re-key, or prove fresh access to tokens or
> whatever.
> 

You got it.

> 
> When you look at the peer state machine in RFC 4137, you note that the
> success state is a final state.
> It's going to require lower layer interactions to get out of that state.
> If you look at the commen open-source supplicants (all I have access to)
> you see that tends to be how people implement things.
> You expect a disassociation or something else to trigger new
> authentication.

You want service continuity. So, you don't use disassociation. EAP re-authentication is performed while the existing EAP session is still good and other layers are still using the unexpired security association.


> And when that happens, yes, depending on who's doing the trigger and
> what's going on, the first *EAP* message may be from the server.
> 

There you go.

> In our proposal, PCP is the same way.  A server can throw away a session
> and give a client an error that they must authenticate again if it wants
> an EAP exchange.  This is intended to deal with wanting to expire
> sessions or servers that lose state.  However it also deals with a
> server wanting to confirm freshness, or getting a re-authentication
> demand via some complex AAA infrastructure that seems unlikely to be
> used with PCP in practice.

First of all, this is not in your document. 
Secondly, this is a bad design. As soon as the network side decides to re-auth, it's should be able to do so. It shouldn't have to wait for the client to make the next contact.

Alper

v2.23.0 | Report a Bug | By Email