Re: [pcp] PCP Authentication *Technique* Requirements

"Prashanth Patil (praspati)" <praspati@cisco.com> Mon, 15 July 2013 17:49 UTC

To: Ben McCann <bn.mccann@gmail.com>
Cc: "pcp@ietf.org" <pcp@ietf.org>

Hi Ben,

On 15/06/13 12:18 AM, "Ben McCann" <bn.mccann@gmail.com> wrote:

draft-reddy-pcp-auth-03 defines about 14 requirements for the PCP authentication protocol. These requirements don't include any discussion about the cryptographic strength or user identity model of the authentication technique(s) used within PCP authentication.

PRA: REQ-5 highlights basic requirements

   REQ-5:  It is important that PCP not leak privacy information between
      the PCP client and PCP server,

      A.  The authentication mechanism MUST be able to keep credentials
          hidden from eavesdroppers on path between the client and
          server.

      B.  Confidentiality of the PCP messages is OPTIONAL for PCP
          request and response of opcodes MAP, PEER, ANNOUNCE and
          options THIRD_PARTY, PREFER_FAILURE and FILTER as explained in
          [RFC6887 <http://tools.ietf.org/html/rfc6887>].  Other PCP drafts MUST evaluate if confidentiality
          is OPTIONAL for new PCP opcodes and options introduced.

      C.  PCP authentication SHOULD be immune to passive dictionary
          attacks.

      D.  PCP Authentication MUST ensure that an attacker snooping PCP
          messages cannot guess the SA.

Not sure if cryptographic strength and identity model should be detailed, maybe a requirement that the authentication framework support multiple cryptographic methods? It is then up to the parties to choose one based on their configs/requirements.
Same about the identity model I suppose.


The current requirements are too vague on this point because, I think, there's an assumption in the WG that PCP authentication will be based on EAP. I agree. I don't think the PCP WG should invent authentication techniques.

So, I suggest we change the following recommendation:


   REQ-11:  It is RECOMMENDED to choose a widely deployed authentication
      technique with known security properties rather than inventing a
      new authentication mechanism.


to a requirement:


   REQ-11:  A widely deployed authentication technique with known security
      properties MUST be selected as the authentication mechanism within PCP.

PRA: Sure, a widely deployed auth technique, e.g. EAP.


I'd also add another recommendation:

   REQ-11-A:  It is RECOMMENDED to choose an extensible authentication
      technique to ensure PCP authentication can adapt to future authentication
      methods.

PRA: Will do.

-Prashanth





This may be obvious to WG members who've followed the authentication discussion to date but it's not clear by looking at the PCP authentication requirements draft. The draft leaves open the possibility of inventing a new authentication technique and I think that would be a distraction and a waste of time.

-Ben McCann