IETF Logo Mail Archive

Re: [pcp] Comparison of PCP authentication

Sam Hartman <hartmans@painless-security.com> Tue, 07 August 2012 18:01 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B88411E8097 for <pcp@ietfa.amsl.com>; Tue, 7 Aug 2012 11:01:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.583
X-Spam-Level: *
X-Spam-Status: No, score=1.583 tagged_above=-999 required=5 tests=[AWL=-2.705, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B+VOscnKNtIv for <pcp@ietfa.amsl.com>; Tue, 7 Aug 2012 11:01:20 -0700 (PDT)
Received: from ec2-23-21-76-251.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id 47C6B21F86F7 for <pcp@ietf.org>; Tue, 7 Aug 2012 11:01:20 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 078DF2029E; Tue, 7 Aug 2012 14:01:19 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 344DD420E; Tue, 7 Aug 2012 14:01:14 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>
References: <9B57C850BB53634CACEC56EF4853FF653B6EC381@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <7FE144CF-00E3-4451-8CBE-A6A684DB7CC4@yegin.org> <067d01cd73fd$765a6c50$630f44f0$@com> <D6D2DEED-C35A-45AB-8B72-96195C308DB9@yegin.org> <57FF0F8E-1B86-410F-8B6B-C4893A28222F@lilacglade.org> <075301cd7419$19557dd0$4c007970$@com> <A8A3C2BF-6966-4043-ABF1-363EDA3BB7F8@lilacglade.org> <tslzk67shwh.fsf@mit.edu> <C72CBD9FE3CA604887B1B3F1D145D05E2CE64A4A@szxeml528-mbx.china.huawei.com>
Date: Tue, 07 Aug 2012 14:01:14 -0400
In-Reply-To: <C72CBD9FE3CA604887B1B3F1D145D05E2CE64A4A@szxeml528-mbx.china.huawei.com> (zhangdacheng@huawei.com's message of "Tue, 7 Aug 2012 03:50:24 +0000")
Message-ID: <tslfw7yr385.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Margaret Wasserman <mrw@lilacglade.org>, "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] Comparison of PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 18:01:21 -0000

If you are concerned about server DOS issues, the general solution is to
have the server send the client an encrypted cookie so the server
maintains no state.
See for example RFc 6113  section 5.2.
That's a Kerberos mechanism but it has similar properties.

EAP protocols have generally not done that, but it's certainly possibly
to do with EAP-like things. We designed draft-ietf-abfab-gss-eap to
permit extending to this use in the future if needed. The Moonshot
implementation of draft-ietf-abfab-gss-eap supports the necessary
mechanisms for no server state, demonstrating that it is possible.

Everything I say here can be applied to PANA with a bit of creativity.

v2.23.0 | Report a Bug | By Email