Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)
<yoshihiro.ohba@toshiba.co.jp> Thu, 18 July 2013 13:40 UTC
From: yoshihiro.ohba@toshiba.co.jp
To: praspati@cisco.com, alper.yegin@yegin.org
Date: Thu, 18 Jul 2013 13:39:52 +0000
Message-ID: <674F70E5F2BE564CB06B6901FD3DD78B12D315F9@tgxml338.toshiba.local>
References: <758747A2-EB6E-4581-BDE3-DD7798A77EDF@yegin.org> <B235506D63D65E43B2E40FD27715372E1CE3238D@xmb-rcd-x07.cisco.com>
In-Reply-To: <B235506D63D65E43B2E40FD27715372E1CE3238D@xmb-rcd-x07.cisco.com>
Cc: pcp@ietf.org, tireddy@cisco.com
Hi Tiru,

Abstract of pcp-proxy draft says:

"This document specifies a new PCP functional element denoted as PCP Proxy. The PCP Proxy relays PCP requests received from PCP Clients to upstream PCP Server(s). This function is mandatory when PCP Clients cannot be configured with the address of the PCP Server located more than one hop."

If this abstract is correct, I interpret that PCP clients only know the PCP proxy's address, but the PCP server *can* be the authentication end-point for the PCP clients. This is similar to the http proxy case where http servers are the authentication end-points for http clients.

Having said that, I think it is a bad idea to mandate PCP proxy to be *the* end-point that authenticates the PCP clients in the proxy case.

Yoshihiro Ohba

From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of Prashanth Patil (praspati)
Sent: Wednesday, July 17, 2013 4:46 PM
To: Alper Yegin
Cc: pcp@ietf.org; Tirumaleswar Reddy (tireddy)
Subject: Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)

Hi Alper,

On 17/07/13 12:23 PM, "Alper Yegin" <alper.yegin@yegin.org> wrote:

> Hi Prashanth,
>
> I'm not sure if enough thought went into the PCP Proxy security. As much as I'd love to be DONE! with this discussion, I also want to make sure people feel comfortable having thought all aspects around the proxy use.
>
> For (very important) example, what kind of security associations are needed for securing the proxy use: An SA btw client and server, an SA btw client and proxy, an SA btw proxy and server -- which combinations of these are needed?

We've included this in the updated version of auth req:

REQ-9: A PCP proxy that modifies PCP messages SHOULD have the ability to independently authenticate with the PCP client and PCP server. The presence of a PCP proxy hence requires two separately authenticated SAs. As a consequence, the PCP proxy:

A. MUST be able to validate message integrity of PCP messages from the PCP server and client respectively.
B. MUST be able to ensure message integrity after updating the PCP message for cases described in section 6 of ietf-pcp-proxy.

The PCP proxy MUST also permit authentication on only one side of the proxy. For example, a customer premises host may not authenticate with the PCP proxy but the PCP proxy may authenticate with the PCP server.

> So:
> - We have two types of SAs. One between the client and the proxy, another between the proxy and the server.
> - None of them are mandatory to use.

PRA: Yes, none of them are mandatory; it's currently the prerogative of the server to mandate authentication. The proxy MUST be able to authenticate with either client or server or both.

> For each one that needs to be used, we need to perform authentication between the end-points (e.g., between client and proxy). So, in a way, we are dealing with security in two independent parts: client to proxy, and proxy to server. They are totally segregated from a security perspective. Right?

PRA: Right. As far as the client is concerned, the proxy is the PCP server. The proxy is in turn a client to the upstream PCP server. The two parts should be independent of each other.

> Hmm, one thing: The server may need to know the authenticated ID of the client. Since it's not part of the client authentication, it won't know that value readily. So, we may need to define an option to carry that piece of information from the proxy to the server.

PRA: Maybe, but I don't know why the server would want to know the auth-id of a client.

-Prashanth

> Alper

-Prashanth

> Then we need to talk about how we dynamically create those using any one of these solutions.
>
> Alper
>
> On Jul 16, 2013, at 7:50 PM, Dave Thaler wrote:
>
>> -----Original Message-----
>> From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
>> Sent: Monday, July 15, 2013 10:51 PM
>> To: Dave Thaler; pcp@ietf.org
>> Subject: RE: [pcp] CONSENSUS CALL on PCP security
>>
>>> Hi Dave,
>>>
>>> In the poll when you refer to PANA, please clarify the draft you are referring to: http://tools.ietf.org/html/draft-ohba-pcp-pana-04 or http://tools.ietf.org/html/draft-ohba-pcp-pana-encap-01 ?
>>>
>>> --Tiru.
>>
>> The question is intentionally agnostic as this is about a general approach, not which specific implementation. If it helps, you can interpret the answer as "which of the two you think is better". If the consensus is PANA rather than direct EAP-in-PCP, then we could ask as a follow-up question which of the two we should go with. If you'd like to include your answer to that now though, feel free to include that in your response to the call.
>>
>> -Dave

_______________________________________________
pcp mailing list
pcp@ietf.org
https://www.ietf.org/mailman/listinfo/pcp
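The REQ-9 text quoted in the thread (two independent SAs, integrity validation on each side, re-protection after the proxy modifies a message, and optional one-sided authentication) can be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from the pcp working group, the pcp-proxy draft, or any PCP implementation. The message layout (a JSON dict with an HMAC-SHA256 tag), the keys, the addresses, the `rewrite_internal_address` modification and the `client_auth_id` option are all constructed for illustration; PCP's real wire format and the integrity mechanism the WG eventually chose are not modelled.

```python
import hashlib
import hmac
import json

# Constructed keys for the two security associations (SAs). In a real
# deployment each key results from the authentication exchange on that side.
K_CLIENT_PROXY = b"constructed-key-client-proxy"
K_PROXY_SERVER = b"constructed-key-proxy-server"


def _canonical(body: dict) -> bytes:
    """Canonical encoding of the message body (everything except the tag)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(body: dict, key: bytes) -> dict:
    """Return a copy of body carrying an HMAC-SHA256 integrity tag under key."""
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify(msg: dict, key: bytes) -> bool:
    """Validate the integrity tag of msg under key (constant-time compare)."""
    if "mac" not in msg:
        return False
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(msg["mac"], expected)


def rewrite_internal_address(body: dict) -> dict:
    """Hypothetical proxy-side modification: the proxy substitutes an address
    of its own for the one the client put in the request before relaying."""
    return {**body, "internal_ip": "198.51.100.7"}


class Proxy:
    """PCP proxy holding zero, one or two SAs. A key of None means that side of
    the proxy is unauthenticated, which the quoted REQ-9 text permits."""

    def __init__(self, client_key=None, server_key=None, client_auth_id=None):
        self.client_key = client_key
        self.server_key = server_key
        self.client_auth_id = client_auth_id  # hypothetical option, see thread

    def relay(self, msg: dict) -> dict:
        # (A) validate integrity of the client's message if the client SA is in use
        if self.client_key is not None and not verify(msg, self.client_key):
            raise ValueError("integrity check on client message failed")
        body = {k: v for k, v in msg.items() if k != "mac"}
        body = rewrite_internal_address(body)
        # Carry the client's authenticated ID upstream (hypothetical option)
        if self.client_auth_id is not None:
            body["client_auth_id"] = self.client_auth_id
        # (B) re-protect under the proxy-server SA so the modified message
        # verifies at the server; the client's tag would not, even if forwarded
        return protect(body, self.server_key) if self.server_key is not None else body


def server_accepts(msg: dict, server_key: bytes) -> bool:
    """The upstream server, configured to mandate authentication, verifies
    under its SA with the proxy."""
    return verify(msg, server_key)


# Constructed client request (documentation addresses, hypothetical fields)
CLIENT_REQUEST = {"opcode": "MAP", "internal_ip": "192.0.2.10", "internal_port": 8080}


def demo_two_sas() -> bool:
    """Both SAs in use: client tag checked, message rewritten, re-protected."""
    proxy = Proxy(K_CLIENT_PROXY, K_PROXY_SERVER, client_auth_id="user@example.net")
    upstream = proxy.relay(protect(CLIENT_REQUEST, K_CLIENT_PROXY))
    return server_accepts(upstream, K_PROXY_SERVER) and upstream["client_auth_id"] == "user@example.net"


def demo_naive_forward() -> bool:
    """Wrong design: proxy modifies the message but forwards the client's tag."""
    forwarded = rewrite_internal_address(protect(CLIENT_REQUEST, K_CLIENT_PROXY))
    return server_accepts(forwarded, K_PROXY_SERVER)  # False: tag no longer matches


def demo_one_sided() -> bool:
    """Client side unauthenticated, proxy still authenticates to the server."""
    proxy = Proxy(client_key=None, server_key=K_PROXY_SERVER)
    return server_accepts(proxy.relay(dict(CLIENT_REQUEST)), K_PROXY_SERVER)


def demo_altered_client_message() -> bool:
    """A client message altered in transit is rejected at the proxy (step A)."""
    msg = protect(CLIENT_REQUEST, K_CLIENT_PROXY)
    msg["internal_port"] = 22
    try:
        Proxy(K_CLIENT_PROXY, K_PROXY_SERVER).relay(msg)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("two SAs:", demo_two_sas())
    print("naive forward:", demo_naive_forward())
    print("one-sided auth:", demo_one_sided())
    print("altered client message rejected:", demo_altered_client_message())
```

The point the simulation makes is the one behind REQ-9 items A and B: because the proxy changes the message, the client-side tag cannot survive the hop, so the proxy must terminate the client SA (validate) and originate the server SA (re-protect). `demo_one_sided` shows the permitted configuration where only the proxy-to-server side is authenticated, and the `client_auth_id` field is the kind of extra option Alper's question about forwarding the client's authenticated identity would require; whether the server wants it is left open in the thread.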