IETF Logo Mail Archive

Re: [pcp] pcp auth requirements

Alper Yegin <alper.yegin@yegin.org> Thu, 23 May 2013 06:47 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE8A411E819E for <pcp@ietfa.amsl.com>; Wed, 22 May 2013 23:47:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.248
X-Spam-Level:
X-Spam-Status: No, score=-102.248 tagged_above=-999 required=5 tests=[AWL=0.350, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0bHAefNgIQT for <pcp@ietfa.amsl.com>; Wed, 22 May 2013 23:47:40 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 776F311E819D for <pcp@ietf.org>; Wed, 22 May 2013 23:47:40 -0700 (PDT)
Received: from [192.168.2.49] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0Mdruv-1Up4uM2iVx-00PaQ0; Thu, 23 May 2013 02:47:38 -0400
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9167EBBE-775C-4106-B8CA-CF05EF50E059"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <674F70E5F2BE564CB06B6901FD3DD78B12D1002A@tgxml338.toshiba.local>
Date: Thu, 23 May 2013 09:47:29 +0300
Message-Id: <C5769D94-8FF6-4861-A7F1-1BFED9544DB4@yegin.org>
References: <8B30790D-E36B-478D-8F4D-8B86A5E675DE@yegin.org> <913383AAA69FF945B8F946018B75898A14B6EFF0@xmb-rcd-x10.cisco.com> <674F70E5F2BE564CB06B6901FD3DD78B12D0CD38@tgxml338.toshiba.local> <B99D7818-F8DA-4617-A0AC-59070860F0E0@yegin.org> <674F70E5F2BE564CB06B6901FD3DD78B12D0FD42@tgxml338.toshiba.local> <BF68F2DE-0A38-4CA8-9D4F-122121CE5EEF@yegin.org> <674F70E5F2BE564CB06B6901FD3DD78B12D1002A@tgxml338.toshiba.local>
To: yoshihiro.ohba@toshiba.co.jp
X-Mailer: Apple Mail (2.1283)
X-Provags-ID: V02:K0:lgZRbuX1iUKQg7ctXYstoRBv9F0Odb3Ybc5qCT3y2xl Ruovr9mrPenqcsYmltNDCEcc6tTkcDeBehfgs0/EvrVl1gk/U3 h4DyKrlvK1VcMRazt+eumJilFG8SJzszOcq65RFq7+Lc6HScgr qScMuUzcJsqBokqK2Lm31u5GiX3CTrLFUuFSXfcxRMNAnu81oN LPrMfikpoyNawhubw28WycyeUt5qt4W4RxEq5Y4YYZ+U1d54cr 5lXD9KzG6bRMeMWEof9fk8AuS2q9hFq8IU9oeE/RrOpAR9B9EM 9bmZTwvqBG0KmHCOA66sXGKDMs4g9/pS6bX4rlSaxQFwKtpjYA osr9hLXfvuHQUVwBSkgkPyCYCElL8xQ2/TcGsXJ3Gloptrs40V XUD1PsnsNTM1Q==
Cc: pcp@ietf.org, tireddy@cisco.com
Subject: Re: [pcp] pcp auth requirements
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2013 06:47:46 -0000

Yoshi,

You are right. In terms of EAP and RFC 5247, only the second case qualifies for "EAP re-authentication".

On the other hand, first and third case are not the same. 
And I'd conceptually think of the third case as a some sort of "re-authentication" (apparently not an "EAP re-authentication" per RFC 5247).

Anyways, at least I'd like people to be aware of these three different cases -- even if we cannot find a proper name to all of them.

Alper



On May 23, 2013, at 1:39 AM, <yoshihiro.ohba@toshiba.co.jp> wrote:

> Hi Alper,
>  
> When we talk about re-authentication, we should not care about whether there is a PCP session or not.
>  
> Please see the following definition in RFC 5247:
> “
>    EAP Re-Authentication
>       EAP authentication between an EAP peer and a server with whom the
>       EAP peer shares valid unexpired EAP keying material.
> “
>  
> According to the above definition, if authentication is conducted over a live SA, it is re-authentication, otherwise it is not re-authentication.
>  
> Yoshihiro Ohba
>  
>  
> From: Alper Yegin [mailto:alper.yegin@yegin.org] 
> Sent: Thursday, May 23, 2013 6:16 AM
> To: ohba yoshihiro
> Cc: tireddy@cisco.com; pcp@ietf.org
> Subject: Re: [pcp] pcp auth requirements
>  
> Hi Yoshi,
>  
> Here are the three states:
>  
> 0. Before PCP client and PCP server has initiated PCP session.
>  
> 1. There is a PCP session and a live SA.
>  
> 2. There is a PCP session, but no live SA (i.e., the last used SA is already expired).
>  
>  
> If we execute auth in state 0, we call it "(initial) authentication".
> Auth executed in state 1 is called "re-authenticaiton".
> I'd call auth executed in state 2 a "re-authentication" as well, unless we want to give it a more specific name.
>  
> Alper
>  
>  
>  
>  
> On May 22, 2013, at 11:16 AM, <yoshihiro.ohba@toshiba.co.jp> wrote:
> 
> 
> Hi Alper,
>  
> I agree that we should allow unprotected authentication trigger from the server, but we should distinguish authentication after expiration of SA from “re-authentication”.
>  
> Yoshihiro Ohba
>  
> From: Alper Yegin [mailto:alper.yegin@yegin.org] 
> Sent: Wednesday, May 22, 2013 4:22 PM
> To: ohba yoshihiro
> Cc: tireddy@cisco.com; pcp@ietf.org
> Subject: Re: [pcp] pcp auth requirements
>  
>  
> On May 21, 2013, at 10:14 AM, <yoshihiro.ohba@toshiba.co.jp> <yoshihiro.ohba@toshiba.co.jp> wrote:
> 
> 
> 
> Tiru,
>  
> In my analysis, Req-4-d-1 is basically introducing a three-state SA model for PCP: State 0:  unavailable (or non-existent), State 1: partially available only for triggering re-auth, and State 2: fully available. MSCHAPv2 password change function is designed based on this model.
>  
> I am not going to get into details about the three-state SA model, but even the three-state SA model will require re-auth trigger to be integrity protected.  
>  
> Having said that, I think the following requirement is sufficient for Req-4-d: “The server MUST be able to send an integrity protected re-authentication trigger to the client.”
>  
>  
> If there is no SA available, then the server can send an un-protected re-auth trigger. We should allow that.
> This is equivalent to what happens at the very beginning before the very first authentication between the client and the server.
>  
> Alper
>  
>  
>  
> 
> 
> 
> Regards,
> Yoshihiro Ohba
>  
>  
> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of Tirumaleswar Reddy (tireddy)
> Sent: Sunday, May 19, 2013 2:24 AM
> To: Alper Yegin; pcp@ietf.org
> Subject: Re: [pcp] pcp auth requirements
>  
> Hi Alper,
>  
> Please see inline [TR]
>  
> From: Alper Yegin [mailto:alper.yegin@yegin.org] 
> Sent: Tuesday, April 30, 2013 12:53 PM
> To: pcp@ietf.org
> Subject: [pcp] pcp auth requirements
>  
> 
> 
>       c.  If a server wants to send an unsolicited message, but the
>           previous security association has expired
>  
>           1.  The server can continue to use the same SA to protect
>               messages pertaining to that mapping, even if the SA is
>               technically expired.
> 
> "Expired" means "do not use (even if its still hanging around)". 
> We not only do not need to use expired SAs, but also using something expired in any sense is plain wrong -- unless someone wants to redefine what "expired" means.
>  
> [TR]
> For example if we consider MSCHAPv2, there is configuration option where server accepts the challenge-response from the client even if the password is expired and allows it be changed. 
>  
> Please clarify if you have some attack in mind that would cause problems using expired SA.
>  
> [/TR]
>  
>               -  Such server notifications will not change state in the
>                  PCP client.
>  
>               -  The notification could be a trigger for the client to
>                  re-authenticate.  
> 
> Here the document is getting into some solution description.
> 
> And as for such a solution:
> 
> Instead of sending a notification that is protected with an expired SA to mean "re-authenticate", why not send an explicit message that says "re-authenticate"?
>  
> [TR] 
> The client has trusted the PCP server sometime back using mutual authentication, so it can assume the integrity protected PCP response using expired SA is coming from the same PCP server and not from some attacker posing as PCP server.
> [/TR]
>  
> What is gained by appearing to use an expired SA (but in fact not really using it! because the payload of the notification is not consumed by the receiver).
> 
> 
>                  For example, if the server indicates
>                  that external IP address/port has changed, the PCP
>                  client can then re-authenticate with the server to
>                  confirm if the external IP address/port for the mapping
>                  has indeed changed.
>  
>           2.  The server can optionally trigger re-authentication with
>               the client.
>  
>  
> Yes, that's the solution. If the server has something to send to the client, and there's no live SA, then the server first needs to trigger re-auth, setup a fresh SA, then send whatever it wants to send to the client.
>  
> [TR]
>  
> We have updated this requirement in the new draft, please have a look.
>  
> Best Regards,
> --Tiru.
>  
> [/TR]
>  
>  
> Alper
>  
>  
>

v2.23.0 | Report a Bug | By Email