[pcp] EAP retransmits and re-authentication
Sam Hartman <hartmans@painless-security.com> Thu, 20 September 2012 12:49 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A075821F8805 for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 05:49:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.384
X-Spam-Level: ****
X-Spam-Status: No, score=4.384 tagged_above=-999 required=5 tests=[AWL=0.096, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3QOY13EfjyR for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 05:49:17 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id 0CCEF21F87F4 for <pcp@ietf.org>; Thu, 20 Sep 2012 05:49:16 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 5930320167; Thu, 20 Sep 2012 08:49:06 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id E5D6A414A; Thu, 20 Sep 2012 08:48:43 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alper Yegin <alper.yegin@yegin.org>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <tslipbap18s.fsf@mit.edu> <09E52F80-2292-42CB-9833-957D16DCF2AB@yegin.org>
Date: Thu, 20 Sep 2012 08:48:43 -0400
In-Reply-To: <09E52F80-2292-42CB-9833-957D16DCF2AB@yegin.org> (Alper Yegin's message of "Thu, 20 Sep 2012 12:38:50 +0300")
Message-ID: <tsl392clv10.fsf_-_@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: "'pcp@ietf.org'" <pcp@ietf.org>
Subject: [pcp] EAP retransmits and re-authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 12:49:17 -0000
I wanted to give the WG some final thoughts on the conversation Alper and I have been having. This will probably be my last message on the topic as I think we're basically at the point of diminishing returns. >>>>> "Alper" == Alper Yegin <alper.yegin@yegin.or g> writes: On the topic of retransmits, we agree that under section 4.3 of RFC 3748, you can set the transmit timer to infinite. I think we agree that this moves retransmits from within the EAP layer to the EAP lower layer. Alper> When run over a reliable lower layer (e.g., EAP over Alper> ISAKMP/TCP, as within [PIC]), the authenticator Alper> retransmission timer SHOULD be set to an infinite value, so Alper> that retransmissions do not occur at the EAP layer. Alper> Only when run over a reliable EAP lower layer, the EAP layer Alper> sets the timeout to infinity. So, whether the rexmit is Alper> handled by the EAP layer, or the EAP lower layer, the PCP Alper> server will be sending retransmissions in your case. It's actually fairly easy to move which side generates the retransmission once you move it into the lower layer. Note that the PCP server still needs to maintain the state of what EAP request to send, but whether to send that can be based on what the client sends. That is, if the PCP state machine works better with client-driven retransmits, we can achieve that. We do need authentication-session state in the server, and part of that state is the unacknowledged eap-request if there is one. With regard to re-authentication: >> Consider what happens in an AAA server. There, your EAP >> server cannot (and is not supposed to) handle retransmits. >> RADIUS at least is a lock-step protocol. Ignoring things like Alper> COA, Alper> Ah, "ignoring CoA". CoA is the RADIUS' tool to generate an Alper> unsolicited message, more specifically for starting EAP I'd like to draw the WG's attention to RFC 5176, which defines COA. Section 4 explicitly mentions that COA cannot be used for starting re-authentication. Section 1.1 is an applicability statement explaining why COA is not standards-track because of security and semantic concerns. As best I can tell only diameter has AAA support for re-authentication. So, I'd like to draw our attention to RFC 4005, section 3.3 which defines rules for diameter re-authentication. That section explicitly calls out re-authentication must be supported *if the underlying service supports it*. That is, re-authentication is OPTIONAL for a given service like PCP, but if a given PCP server supports re-authentication and diameter, then it needs to support re-authentication via diameter. Section 3 of RFC 4072 (diameter over eap) confirms the guidelines of RFC 4005 apply. Re-authentication being optional is definitely consistent with my implementation experience. I have no experience with diameter, but do have a lot of experience with EAP implementations that consider re-authentication optional. This is all great news for the PCP community. We can choose the retransmission strategy that best meets the PCP implementations. we can choose to support re-authentication if it is useful, or decline to support it if it is not. If we don't choose to support re-authentication then we can avoid the complexity.
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Reinaldo Penno (repenno)
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Dan Wing
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Sam Hartman
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Henderickx, Wim (Wim)
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- [pcp] Authentication scenarios (was Re: PANA impl… Alper Yegin
- [pcp] Side-by-side or nested protocols (was Re: P… Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Henderickx, Wim (Wim)
- Re: [pcp] Authentication scenarios (was Re: PANA … Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] [ Side-by-side or nested protocols Sam Hartman
- Re: [pcp] Authentication scenarios (was Re: PANA … Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] [ Side-by-side or nested protocols Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Zhangdacheng (Dacheng)
- Re: [pcp] [ Side-by-side or nested protocols Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols Sam Hartman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Alper Yegin
- [pcp] EAP retransmits and re-authentication Sam Hartman
- [pcp] gss-eap Alper Yegin
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Margaret Wasserman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Margaret Wasserman
- Re: [pcp] gss-eap & client-side rexmit only Sam Hartman
- Re: [pcp] gss-eap & client-side rexmit only Yoshihiro Ohba
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin