Re: [pcp] WG status on PCP authentication
"Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com> Fri, 14 September 2012 08:31 UTC
Return-Path: <zhangdacheng@huawei.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE46A21F853E for <pcp@ietfa.amsl.com>; Fri, 14 Sep 2012 01:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.399
X-Spam-Level:
X-Spam-Status: No, score=-5.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_25=0.6, J_CHICKENPOX_28=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4N5R5qLFp2q9 for <pcp@ietfa.amsl.com>; Fri, 14 Sep 2012 01:31:22 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id B78F021F853C for <pcp@ietf.org>; Fri, 14 Sep 2012 01:31:21 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml204-edg.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.5-GA FastPath queued) with ESMTP id AJQ87402; Fri, 14 Sep 2012 08:31:19 +0000 (GMT)
Received: from LHREML401-HUB.china.huawei.com (10.201.5.240) by lhreml204-edg.china.huawei.com (172.18.7.223) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 14 Sep 2012 09:30:45 +0100
Received: from SZXEML406-HUB.china.huawei.com (10.82.67.93) by lhreml401-hub.china.huawei.com (10.201.5.240) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 14 Sep 2012 09:30:54 +0100
Received: from SZXEML528-MBX.china.huawei.com ([169.254.4.156]) by szxeml406-hub.china.huawei.com ([10.82.67.93]) with mapi id 14.01.0323.003; Fri, 14 Sep 2012 16:30:44 +0800
From: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>
To: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] WG status on PCP authentication
Thread-Index: Ac2ROKfBXzEGHHwwTde0XiHvgVohmQAFFD0AAAP3XgAAKV60gAAUGNtQ
Date: Fri, 14 Sep 2012 08:30:44 +0000
Message-ID: <C72CBD9FE3CA604887B1B3F1D145D05E39E372B6@szxeml528-mbx.china.huawei.com>
References: <9B57C850BB53634CACEC56EF4853FF653B7B205A@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <B27AE62F-1ADF-44DE-AF33-0B7A3AD6ACDB@yegin.org> <D6230CDE-E869-406F-B194-8E9B626CA8D8@lilacglade.org> <5052D3F3.8000605@toshiba.co.jp>
In-Reply-To: <5052D3F3.8000605@toshiba.co.jp>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.99.49]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Subject: Re: [pcp] WG status on PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2012 08:31:24 -0000
Hi, Yoshihiro: I remember that in one of your previous emails you mentioned that a con of the de-multiplexing approach is its Impact on PANA specification (an Update of RFC 5191 is needed on the use of "Reserved" field.). But you didn't mentioned it here. Maybe I have missed some important discussion. Could you please tell me whether you have find some way to avoid it? Cheers Dacheng > -----Original Message----- > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of > Yoshihiro Ohba > Sent: Friday, September 14, 2012 2:52 PM > To: pcp@ietf.org > Subject: Re: [pcp] WG status on PCP authentication > > Last month I posted a rough comparison on the two PANA approaches to > the PCP ML. I would like to update the comparison after working in > detail on the demultiplexing approach as follows: > > Encapsulation/tunneling approach: > - Pros: ??? > - Cons: > -- Encapsulation overhead > -- Tight coupling of PCP and PANA is needed. One issue is that some > workaround is needed to carry a PCI (PANA-Client-Initiation) message > which does not fit PCP's request-response type messaging. > Another issue is that double integrity protection can happen after > establishing a PCP SA, where a PANA message carried in the PCP message > is protected by a PANA AUTH AVP and the PCP message itself is > protected by a PCP Authentication Tag. Double integrity protection > can be considered as overhead. > > Demultiplexing/port-sharing approach: > - Pros: > -- No encapsulation overhead > -- Loose coupling of PCP and PANA > > - Cons: ??? > > Yoshihiro Ohba > > > (2012/09/13 20:06), Margaret Wasserman wrote: > > > > Hi Alper, > > > > I understand that you and Yoshi have done some analysis amongst > > yourselves and come to a conclusion, but my understanding of the > > direction from IETF 84 was that the WG wanted to go through this > > analysis together and come to a conclusion about which approach was > > preferred. > > > > Could you share your reasoning with the rest of us, instead of just > > your conclusions? What do you see as the points in favor of the > > side-by-side (demultiplexing) approach vs. the tunneled PANA (AKA > > encapsulation) approach? Are there weaknesses to the encapsulation > > approach that make the demultiplexing approach more desirable? > > > > Thanks, > > Margaret > > > > > > On Sep 13, 2012, at 5:13 AM, Alper Yegin wrote: > > > >> Hi Dave, > >> > >> Thank you for the summary. > >> > >>> The main comparison point we know about > >>> is between Tunneled PANA vs Side-by-side PANA/PCP. > >> > >> > >> > >> Yoshi and I had an offline discussion and concluded that the > >> so-called side-by-side PANA/PCP (or, running PANA over PCP port) is > >> simple and straightforward, compared to tunneled PANA (carrying PANA > >> header and payloads as PCP options -- more like PANA over PCP). So, > >> we diverted our energy to the former and produced > >> http://tools.ietf.org/html/draft-ohba-pcp-pana-02. > >> > >> I don't see problems with PANA over PCP port, or benefits with PANA > >> over PCP to motivate me to work the details of PANA over PCP. > >> Does anyone see? > >> If not, then we'd only have PANA over PCP port to show people in the > >> call. > >> > >> > >> Alper > >> > >> > >> > >> > >> > >> > >> > >> On Sep 13, 2012, at 1:48 AM, Dave Thaler wrote: > >> > >>> Just to circle back on this now that the minutes are posted. > >>> Relevant snippets from the minutes: > >>> > Francis Dupont: How does this compare to just running PCP over DTLS? > >>> > > >>> > Margaret Wasserman: There is currently no draft written to specify how > it > >>> > would work. You can't "just run" anything over DTLS. It's not that > simple. > >>> Summary: we have not explicitly called a question about DTLS. Mainly > >>> because there's no proposal on the table. Lacking one with real > >>> support, > >>> the WG will go ahead with a proposal that has energy/interest > >>> behind it. > >>> > Alain Durand called for show of hands: > >>> > For single port: 23 > >>> > For two separate ports: 0 > >>> Clear consensus within the room, and I've seen no indication on the > >>> list that this > >>> consensus can't be considered confirmed based on the list > >>> discussion thus far. > >>> > Alain Durand called for show of hands: > >>> > PCP-specific messages (PCP-specific encoding of authentication > information): 5 > >>> > Tunneled PANA (embed PANA data within PCP options): 6/7 > >>> > Side-by-side (multiplex raw PANA packets and PCP packets over same > port): 5/6 > >>> > Don't care: 15 > >>> Room was basically evenly split between the approaches above, so no > >>> consensus yet, but only about half the WG cares. > >>> > Alain Durand called for show of hands: > >>> > PCP-specific encoding of authentication information: 5 > >>> > Some kind of PANA encapsulation: 10 or 11 > >>> In my view there was a rough consensus of the room, and so far the > >>> list discussion > >>> hasn't changed this ratio in my view. > >>> > Dan Wing: request an interim meeting to discuss solutions, once they've > been > >>> > fleshed out a little > >>> And that's the step we're doing next. The main comparison point > >>> we know about > >>> is between Tunneled PANA vs Side-by-side PANA/PCP. We can also > >>> compare > >>> PCP-specific though it appears to already be in the minority. If > >>> there are other new > >>> proposals to consider (DTLS or whatever) by then, we can, but so > >>> far the inertia > >>> seems to be primarily between the PANA variants. There does seem > >>> to be > >>> uncertainty about how they would actually work, so it's important > >>> that they be > >>> fleshed out in enough detail that we can have informed discussion > >>> at the interim > >>> meeting. > >>> -Dave > >>> *From:*pcp-bounces@ietf.org > >>> <mailto:pcp-bounces@ietf.org>[mailto:pcp-bounces@ietf.org]*On > >>> Behalf Of*Alper Yegin > >>> *Sent:*Friday, August 17, 2012 1:09 AM > >>> *To:*Margaret Wasserman > >>> *Cc:*pcp@ietf.org <mailto:pcp@ietf.org> > >>> *Subject:*Re: [pcp] Comparison of PCP authentication > >>> On Aug 16, 2012, at 2:38 PM, Margaret Wasserman wrote: > >>> > >>> > >>> Hi Dacheng, > >>> The conclusion from the meeting was that we will document all three > >>> approaches in our document: > >>> Could the chairs please declare what the meeting conclusions and > >>> next steps are. > >>> Thanks. > >>> Alper > >>> > >>> > >>> - PCP Specific > >>> - PANA Encapsulated in PCP > >>> - PANA Demultiplexed with PCP on the same port > >>> Then, we will have an interim PCP conference call to discuss the > >>> trade-offs and hopefully decide between them. > >>> Margaret > >>> On Aug 15, 2012, at 10:47 PM, Zhangdacheng (Dacheng) wrote: > >>> > >>> > >>> Have we got any conclusions on two approaches? Or we can just > >>> support the two options in the draft for the moment and briefly > >>> compare their pros and cons, can we? > >>> Cheers > >>> Dcheng > >>> *From:*pcp-bounces@ietf.org > >>> <mailto:pcp-bounces@ietf.org>[mailto:pcp-bounces@ietf.org] > >>> <mailto:[mailto:pcp-bounces@ietf.org]>*On Behalf Of*Margaret > Wasserman > >>> *Sent:*Friday, August 10, 2012 3:21 AM > >>> *To:*Dan Wing > >>> *Cc:*pcp@ietf.org <mailto:pcp@ietf.org> > >>> *Subject:*Re: [pcp] Comparison of PCP authentication > >>> On Aug 9, 2012, at 2:32 PM, Dan Wing wrote: > >>> > >>> If I'm updating security policy on a firewall I want to be > >>> able to > >>> > >>> audit whether that actually happened. That requires > >>> authentication. > >>> > >>> > >>> You are saying a PCP client would only want to update firewall > >>> policies > >>> if the PCP server supports authentication, otherwise it would > >>> tell the > >>> user that it cannot enable the webcam, Internet-connected NAS, > >>> Internet-connected printer, etc.? > >>> > >>> I wont presume to guess what Sam is thinking... > >>> However, I am thinking that there will be some clients that are > >>> configured to perform authentication for every request. For > >>> example, there is no reason for a PCP proxy, running in an > >>> environment where authentication is required to do a THIRD-PARTY > >>> request, to perform a useless round-trip for every THIRD-PARTY > >>> request it issues. > >>> Margaret > >>> _______________________________________________ > >>> pcp mailing list > >>> pcp@ietf.org <mailto:pcp@ietf.org> > >>> https://www.ietf.org/mailman/listinfo/pcp > >>> _______________________________________________ > >>> pcp mailing list > >>> pcp@ietf.org <mailto:pcp@ietf.org> > >>> https://www.ietf.org/mailman/listinfo/pcp > >> > >> _______________________________________________ > >> pcp mailing list > >> pcp@ietf.org <mailto:pcp@ietf.org> > >> https://www.ietf.org/mailman/listinfo/pcp > > > > > > > > _______________________________________________ > > pcp mailing list > > pcp@ietf.org > > https://www.ietf.org/mailman/listinfo/pcp > > > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp
- [pcp] WG status on PCP authentication Dave Thaler
- Re: [pcp] WG status on PCP authentication Alper Yegin
- Re: [pcp] WG status on PCP authentication Margaret Wasserman
- Re: [pcp] WG status on PCP authentication Yoshihiro Ohba
- Re: [pcp] WG status on PCP authentication Alper Yegin
- [pcp] PCP mapping for 5350 and 5351 ports Zhangzongjian (Thomas)
- Re: [pcp] WG status on PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] WG status on PCP authentication Yoshihiro Ohba
- Re: [pcp] WG status on PCP authentication Sam Hartman
- Re: [pcp] WG status on PCP authentication Yoshihiro Ohba
- Re: [pcp] PCP mapping for 5350 and 5351 ports Dan Wing
- Re: [pcp] PCP mapping for 5350 and 5351 ports Zhangzongjian (Thomas)
- Re: [pcp] PCP mapping for 5350 and 5351 ports Zhangzongjian (Thomas)