IETF Logo Mail Archive

Re: [pcp] Comparison of PCP authentication

Sam Hartman <hartmans@painless-security.com> Thu, 16 August 2012 12:46 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6383021F85E1 for <pcp@ietfa.amsl.com>; Thu, 16 Aug 2012 05:46:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.162
X-Spam-Level: ****
X-Spam-Status: No, score=4.162 tagged_above=-999 required=5 tests=[AWL=-0.126, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MIxjXNbTqSDb for <pcp@ietfa.amsl.com>; Thu, 16 Aug 2012 05:46:26 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id F1EDB21F85D5 for <pcp@ietf.org>; Thu, 16 Aug 2012 05:46:25 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 7948D2085F; Thu, 16 Aug 2012 08:46:23 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 154A14350; Thu, 16 Aug 2012 08:46:17 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Margaret Wasserman <margaretw42@gmail.com>
References: <9B57C850BB53634CACEC56EF4853FF653B6EC381@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <7FE144CF-00E3-4451-8CBE-A6A684DB7CC4@yegin.org> <067d01cd73fd$765a6c50$630f44f0$@com> <D6D2DEED-C35A-45AB-8B72-96195C308DB9@yegin.org> <57FF0F8E-1B86-410F-8B6B-C4893A28222F@lilacglade.org> <BB72B80F-0622-4A5B-A985-79D8AED13E0B@apple.com> <003b01cd7587$a111b760$e3352620$@com> <15990E87-2D59-49B1-845C-2A4CB5A1FBD6@lilacglade.org> <008801cd758f$3fd306e0$bf7914a0$@com> <C72CBD9FE3CA604887B1B3F1D145D05E2CE65225@szxeml528-mbx.china.huawei.com> <028801cd75d6$c5765490$5062fdb0$@com> <tsla9y4gptp.fsf@mit.edu> <04c901cd7658$37a740c0$a6f5c240$@com> <tslboikexlv.fsf@mit.edu> <054001cd765d$54c0f3e0$fe42dba0$@com> <0F259BA1-CEFF-4346-AFE5-3D33BB0CF0CC@lilacglade.org> <C72CBD9FE3CA604887B1B3F1D145D05E2CE756EE@szxeml528-mbs.china.huawei.com> <502C6BF0.3030400@toshiba.co.jp> <6F0B4ED8-68F1-44BB-A94B-E5D86E6C7254@lilacglade.org>
Date: Thu, 16 Aug 2012 08:46:17 -0400
In-Reply-To: <6F0B4ED8-68F1-44BB-A94B-E5D86E6C7254@lilacglade.org> (Margaret Wasserman's message of "Thu, 16 Aug 2012 07:41:01 -0400")
Message-ID: <tsly5lf80o6.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: pcp@ietf.org
Subject: Re: [pcp] Comparison of PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2012 12:46:26 -0000

I have a question.
As background reading I recommend taking a look at RFC 6677 section 5.1.


If we want to use EAP channel binding to bind an authentication to a
specific PCP server, how will we do that with PANA?

For all three approaches we need to define i1 or what attributes the client
sends in the EAP channel binding to give the identity of the PCP
server. We could for example use the IP address of the PCP server in the
nas-ip-address (or v6 address) AVP.

For the PCP specific approach the rest is easy. The PCP server knows it
is a PCP server, and includes those attributes in the AAA message
so that  the EAP server has i2.

How does the PANA server find out i2?

RFC 6677 strongly recommends that an eap-lower-layer attribute be
included.  There's a value defined for PANA.  However, that wouldn't
really be a good choice here because it would not allow an EAP server to
distinguish PCP authentications from uses of PANA for network access.
how does the PANA server know which eap-lower-layer to include?

--Sam

v2.23.0 | Report a Bug | By Email