[pcp] Additional requirements for PCP Authentication.

Ted Lemon <ted.lemon@nominum.com> Tue, 15 April 2014 17:54 UTC

From: Ted Lemon <ted.lemon@nominum.com>
Date: Tue, 15 Apr 2014 12:54:17 -0500
To: PCP Working Group <pcp@ietf.org>
Message-ID: <CE4DEAA2-033A-48E4-A31E-3C7EC1936A87@nominum.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/C3TH-KYrQLH_HgS9ActcNh1foj0

I've mentioned this before, and got a response from Sam Hartman, but then the discussion died down. Stephen Farrell raised the following DISCUSS points with respect to the PCP DHCP option:

(2) How can PCP authentication (based on the WG draft,
draft-ietf-pcp-authentication I assume?) make sense
with this use of DHCP? I guess that that can make
sense but I'm not getting it right now sorry. Can you
explain? (Note: it's quite possible no change is
needed, just to explain the plan to a semi-ignorant
AD:-)

(3) How does a client know that the security identity
of one, some or all of the PCP server addresses
returned are the same or not? (You might cover this as
part of discuss point 2 above, not sure.)

I think that the PCP authentication needs to have the ability to provide an identifier to the client that the client can use to choose which credentials to provide to the PCP server in order to address point 3. So I'd like to ask the working group whether they agree or disagree with this.

Secondly, in order to address point 2, the authentication protocol needs to have some text talking about how to use it in the context of dynamically-discovered PCP server addresses. I think that if my suggestion above is taken, then it can work, and it's useful: by configuring PCP server addresses with DHCP, we avoid having to have the client maintain a static mapping between server IP addresses and credentials, which I think would be a bad idea anyway. So a site that uses PCP authentication can use DHCP to configure PCP, and clients will be able to authenticate using pre-configured credentials.

Does this make sense?