Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Sat, 16 August 2014 07:43 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>, "pcp@ietf.org" <pcp@ietf.org>
Date: Sat, 16 Aug 2014 07:43:15 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A28316803@xmb-rcd-x10.cisco.com>
References: <20140721132717.8597.69523.idtracker@ietfa.amsl.com> <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl> <913383AAA69FF945B8F946018B75898A283027A9@xmb-rcd-x10.cisco.com> <C72CBD9FE3CA604887B1B3F1D145D05E7BCC9FC8@nkgeml507-mbs.china.huawei.com> <913383AAA69FF945B8F946018B75898A2830338B@xmb-rcd-x10.cisco.com> <C72CBD9FE3CA604887B1B3F1D145D05E7BCCB5B2@nkgeml507-mbs.china.huawei.com>
In-Reply-To: <C72CBD9FE3CA604887B1B3F1D145D05E7BCCB5B2@nkgeml507-mbs.china.huawei.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/7FSLw5VoolZ8W0RmQaTsk1NNeTE

> -----Original Message-----
> From: Zhangdacheng (Dacheng) [mailto:zhangdacheng@huawei.com]
> Sent: Monday, August 11, 2014 11:56 AM
> To: Tirumaleswar Reddy (tireddy); pcp@ietf.org
> Subject: RE: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
> 
> 
> 
> > -----Original Message-----
> > From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> > Sent: Friday, August 08, 2014 7:17 PM
> > To: Zhangdacheng (Dacheng); pcp@ietf.org
> > Subject: RE: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
> >
> > Hi Dacheng,
> >
> > Responding to the only ones which need further discussion.
> >
> > > >
> > > > [12] I think a section is required to explain how PCP
> > > > authentication works in the presence of PCP proxies?
> > > > Specifically, explain what happens when a PCP proxy and PCP
> > > > server are involved in re-authentication while PCP clients are
> > > > sending PCP requests.
> > > >
> > > [Dacheng Zhang:]
> > > How about the following text?
> > >
> > > " During a re-authentication procedure between a PCP server and a
> > > PCP proxy, the proxy SHOULD discard the mapping creation requests
> > > from its PCP
> >
> > It could be any PCP request (not just specific to mapping creation
> > request)
> >
> > > clients if the PCP proxy does not already have a valid active
> > > mapping for this mapping-creation request. Because PCP clients are
> > > responsible for reliable delivery of PCP request messages, they will
> > > resend the requests. Then, after the re-authentication finishes, the
> > > requests will be processed. "
> >
> > The other variation is that in case of re-authentication b/w the PCP
> > proxy and PCP server, the PCP proxy can use the current SA to proxy the
> > PCP requests from the client and does not have to discard PCP messages.
> [Dacheng Zhang:]
> I think it works. Before the current key is discarded by the new keys
> generated during the re-auth, this key can be used to protect the PCP-auth
> messages. So, it is also reasonable to use this key to protect the common
> PCP messages. Thanks for pointing this out.

One corner case I forgot to comment on earlier: when the 32-bit sequence number reaches its maximum value, authentication should be triggered to reset the value (similar to IPsec, where the old SA is deleted and a new one is established to reset the sequence number).

-Tiru

> 
> Cheers
> 
> Dacheng
> > -Tiru
> >
> > >
> > > > Cheers,
> > > > -Tiru
> > > >
> > > > > -----Original Message-----
> > > > > From: Dacheng Zhang [mailto:zhang_dacheng@hotmail.com]
> > > > > Sent: Monday, July 21, 2014 8:35 PM
> > > > > To: pcp@ietf.org
> > > > > Subject: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
> > > > >
> > > > > Hi, in this version of the document, we try to address the
> > > > > comments we got since the last meeting.  Particularly, we:
> > > > >    o  Refine the retransmission policies.
> > > > >
> > > > >    o  Provide the discussion about how to instruct a PCP client to
> > > > >       choose proper credential during authentication, and an ID
> > > > >       Indication Option is defined for that purpose.
> > > > > In addition, it is advised that we should remove the key ID from
> > > > > the PCP authentication message, and only use one key for a PCP
> > > > > session. However, this indicates we will use the MSK to generate
> > > > > MACs for PCP messages directly.
> > > > > We would like to check with the group again before including it
> > > > > into the document.
> > > > >
> > > > > Any comments and suggestions are appreciated.
> > > > >
> > > > > Cheers
> > > > >
> > > > > Dacheng
> > > > >
> > > > >
> > > > > >
> > > > > > A New Internet-Draft is available from the on-line
> > > > > > Internet-Drafts directories.
> > > > > > This draft is a work item of the Port Control Protocol Working
> > > > > > Group of the IETF.
> > > > > >
> > > > > >        Title           : Port Control Protocol (PCP) Authentication Mechanism
> > > > > >        Authors         : Margaret Wasserman
> > > > > >                          Sam Hartman
> > > > > >                          Dacheng Zhang
> > > > > >        Filename        : draft-ietf-pcp-authentication-04.txt
> > > > > >        Pages           : 24
> > > > > >        Date            : 2014-07-21
> > > > > >
> > > > > > Abstract:
> > > > > >   An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to
> > > > > >   flexibly manage the IP address and port mapping information on
> > > > > >   Network Address Translators (NATs) or firewalls, to facilitate
> > > > > >   communications with remote hosts.  However, the un-controlled
> > > > > >   generation or deletion of IP address mappings on such network
> > > > > >   devices may cause security risks and should be avoided.  In some
> > > > > >   cases the client may need to prove that it is authorized to modify,
> > > > > >   create or delete PCP mappings.  This document proposes an in-band
> > > > > >   authentication mechanism for PCP that can be used in those cases.
> > > > > >   The Extensible Authentication Protocol (EAP) is used to perform
> > > > > >   authentication between PCP devices.
> > > > > >
> > > > > >
> > > > > > The IETF datatracker status page for this draft is:
> > > > > > https://datatracker.ietf.org/doc/draft-ietf-pcp-authentication/
> > > > > >
> > > > > > There's also a htmlized version available at:
> > > > > > http://tools.ietf.org/html/draft-ietf-pcp-authentication-04
> > > > > >
> > > > > > A diff from the previous version is available at:
> > > > > > http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-authentication-04
> > > > > >
> > > > > >
> > > > > > Please note that it may take a couple of minutes from the time
> > > > > > of submission until the htmlized version and diff are
> > > > > > available at tools.ietf.org.
> > > > > >
> > > > > > Internet-Drafts are also available by anonymous FTP at:
> > > > > > ftp://ftp.ietf.org/internet-drafts/
> > > > > >
> > > > > > _______________________________________________
> > > > > > pcp mailing list
> > > > > > pcp@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/pcp
> > > > > >
> > > > >
> > > >
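The sequence-number corner case raised in this message, together with the earlier point that the current key keeps protecting ordinary PCP messages until re-authentication completes, as an added illustrative model written for this page (not code from the draft or its authors): the HMAC-SHA256 tag layout, the `REAUTH_MARGIN` threshold, the key values and the sample payloads are constructed assumptions and do not reproduce the draft's wire format.

```python
import hashlib
import hmac
import struct

SEQ_MAX = 0xFFFFFFFF      # top of the 32-bit sequence-number space
REAUTH_MARGIN = 1000      # constructed threshold: ask for re-auth this far before wrap
TAG_LEN = 32              # HMAC-SHA256 tag length (assumed, not the draft's format)


class AuthSession:
    """One direction of a MAC-protected PCP session (illustrative model)."""

    def __init__(self, key, seq=0):
        self.key = key              # key derived from the EAP MSK (constructed here)
        self.next_seq = seq         # sequence number for the next message we send
        self.last_seen = -1         # highest sequence number accepted from the peer
        self.reauth_needed = False  # set before the counter can wrap

    def protect(self, payload):
        """Attach seq and tag; refuse to send once the counter is exhausted."""
        if self.next_seq > SEQ_MAX:
            raise RuntimeError("sequence space exhausted: re-authenticate first")
        seq = struct.pack("!I", self.next_seq)
        tag = hmac.new(self.key, seq + payload, hashlib.sha256).digest()
        self.next_seq += 1
        if SEQ_MAX - self.next_seq < REAUTH_MARGIN:
            self.reauth_needed = True
        return seq + payload + tag

    def verify(self, msg):
        """Return the payload if the tag is valid and seq is fresh, else None."""
        if len(msg) < 4 + TAG_LEN:
            return None
        (seq,) = struct.unpack("!I", msg[:4])
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected) or seq <= self.last_seen:
            return None             # forged, replayed or reordered message
        self.last_seen = seq
        return body[4:]

    def rekey(self, new_key):
        """Install the key from a completed re-authentication and reset the
        counter; until this is called the old key keeps protecting traffic."""
        self.key = new_key
        self.next_seq = 0
        self.last_seen = -1
        self.reauth_needed = False
```

A sender started near the top of the counter flags `reauth_needed`, sends its last value, then refuses to reuse the space; only `rekey()` on both sides, after the new SA is established, resets the counter to zero.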