Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with DISCUSS)

<mohamed.boucadair@orange.com> Fri, 10 July 2015 11:12 UTC

From: mohamed.boucadair@orange.com
To: "pcp@ietf.org" <pcp@ietf.org>, The IESG <iesg@ietf.org>
Date: Fri, 10 Jul 2015 11:12:42 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/pcp/EPHFpqFRvaokg_rGdhgZPWw-M58>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>

Dear all,

Below is the text that I suggested offline to Stephen:

   This document assumes a hop-by-hop PCP authentication scheme.  That
   is, in reference to Figure 1, the left-most PCP client authenticates
   with the PCP Proxy, while the PCP Proxy authenticates with the
   upstream server.  Note that in some deployments, PCP authentication
   may only be enabled between the PCP Proxy and an upstream PCP server
   (e.g., a customer premises host may not authenticate with the PCP
   Proxy but the PCP Proxy may authenticate with the PCP server).  The
   hop-by-hop authentication scheme is more suitable from a deployment
   standpoint.  Furthermore, it allows to easily support a PCP Proxy
   that alters PCP messages (e.g., strip a PCP option, modify a PCP
   field, etc.).

Unless there is an objection from the WG, this text will be integrated in the draft.

Cheers,
Med 

> -----Original Message-----
> From: pcp [mailto:pcp-bounces@ietf.org] On behalf of
> mohamed.boucadair@orange.com
> Sent: Thursday 9 July 2015 15:07
> To: Stephen Farrell; The IESG
> Cc: pcp@ietf.org
> Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08:
> (with DISCUSS)
> 
> Re-,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > Sent: Thursday 9 July 2015 14:52
> > To: BOUCADAIR Mohamed IMT/OLN; The IESG
> > Cc: pcp@ietf.org
> > Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08:
> > (with DISCUSS)
> >
> >
> > Hiya.
> >
> > On 09/07/15 13:38, mohamed.boucadair@orange.com wrote:
> > > Re-,
> > >
> > > Both modes you mentioned may be envisaged...
> >
> > Right. But I think there's no way to support both (as of
> > now at least), is that correct? (I'm not asking that both
> > be supported - it's probably over complex for the benefits
> > one could get.)
> >
> 
> [Med] I don't have an answer to this question. I will leave it to the PCP
> auth draft authors.
> 
> > > but in terms of
> > > requirements the wg discussed mainly the case where the left-most
> > > client authenticates with the middle server and the case where the
> > > left-most client does not even authenticate (but still the proxy
> > > authenticates to the upstream server).
> >
> > So that's a credible answer. I do think it ought be stated
> > in this document though as it rules out a few things that
> > one could otherwise have done if the leftmost client could
> > be authenticated to the rightmost server. I'm not saying
> > the WG should have chosen any of the particular answers there
> > btw, but just that it needs to be clear, here.
> >
> 
> [Med] I would prefer if this is included in the PCP auth draft to be
> consistent with slide 4 of
> http://www.ietf.org/proceedings/87/slides/slides-87-pcp-2.pdf.
> 
> > >
> > > The PCP auth draft says the following:
> >
> > Ah thanks. Sorry for missing/forgetting that. Too much
> > too-quick reading;-)
> >
> > >
> > > When a PCP proxy is located between a PCP server and PCP clients,
> > > the proxy may perform authentication with the PCP server before it
> > > processes requests from the clients.  In addition, re-authentication
> > > between the PCP proxy and PCP server will not interrupt the service
> > > that the proxy provides to the clients since the proxy is still
> > > allowed to send common PCP messages to the PCP server during that
> > > period.
> >
> > Ok. So that doesn't quite preclude the leftmost client
> > authenticating to the rightmost server though. Shouldn't it?
> 
> [Med] Yes, it does not preclude it. I don't have an opinion whether it
> should preclude it or not.
> 
> >
> > Cheers,
> > S.
> >
> > >
> > > Cheers, Med
> > >
> > >> -----Original Message-----
> > >> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > >> Sent: Thursday 9 July 2015 14:21
> > >> To: BOUCADAIR Mohamed IMT/OLN; The IESG
> > >> Cc: pcp@ietf.org
> > >> Subject: Re: [pcp] Stephen Farrell's Discuss on
> > >> draft-ietf-pcp-proxy-08: (with DISCUSS)
> > >>
> > >>
> > >> Hi Med,
> > >>
> > >> On 09/07/15 12:58, mohamed.boucadair@orange.com wrote:
> > >>> Hi Stephen,
> > >>>
> > >>> FWIW, the document does not include any discussion about
> > >>> authentication as per slide 4 of
> > >>> http://www.ietf.org/proceedings/87/slides/slides-87-pcp-2.pdf.
> > >>> Those aspects are out of scope of this document; implication
> > >>> assessment is supposed to be in the PCP auth draft.
> > >>
> > >> Well, I don't believe the PCP auth draft says anything about PCP
> > >> proxies does it?
> > >>
> > >> But I'm not asking about where/how we document stuff but rather
> > >> about how it is supposed to work.
> > >>
> > >>>
> > >>> The answer to your question is in slide 3
> > >>> (https://www.ietf.org/proceedings/87/slides/slides-87-pcp-6.pdf).
> > >>
> > >> Sorry, I don't get an answer to my question from that, can
> > >> you explain?
> > >>
> > >> Ta, S.
> > >>
> > >>
> > >>>
> > >>> Cheers, Med
> > >>>
> > >>>> -----Original Message-----
> > >>>> From: pcp [mailto:pcp-bounces@ietf.org] On behalf of Stephen Farrell
> > >>>> Sent: Thursday 9 July 2015 13:32
> > >>>> To: The IESG
> > >>>> Cc: pcp@ietf.org
> > >>>> Subject: [pcp] Stephen Farrell's Discuss on
> > >>>> draft-ietf-pcp-proxy-08: (with DISCUSS)
> > >>>>
> > >>>> Stephen Farrell has entered the following ballot position for
> > >>>> draft-ietf-pcp-proxy-08: Discuss
> > >>>>
> > >>>> When responding, please keep the subject line intact and reply
> > >>>> to all email addresses included in the To and CC lines. (Feel
> > >>>> free to cut this introductory paragraph, however.)
> > >>>>
> > >>>>
> > >>>> Please refer to
> > >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for
> > >>>> more information about IESG DISCUSS and COMMENT positions.
> > >>>>
> > >>>>
> > >>>> The document, along with other ballot positions, can be found
> > >>>> here: https://datatracker.ietf.org/doc/draft-ietf-pcp-proxy/
> > >>>>
> > >>>>
> > >>>>
> > >>>> ----------------------------------------------------------------------
> > >>>> DISCUSS:
> > >>>> ----------------------------------------------------------------------
> > >>>>
> > >>>> I have one thing I'd like to check. Maybe this just works fine,
> > >>>> but how does this function work with PCP authentication?  E.g.
> > >>>> in Figure 1, is the left-most client authenticating to the
> > >>>> middle or rightmost server? I think I could imagine either
> > >>>> answer being desirable and don't see a way that both could be
> > >>>> supported.
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> _______________________________________________ pcp mailing
> > >>>> list pcp@ietf.org https://www.ietf.org/mailman/listinfo/pcp
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp
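
The trade-off in the proposed text, as an added example that is not part of the original message or of any PCP draft: a simplified model (JSON bodies with HMAC-SHA-256 tags, not the PCP wire format or the PCP auth draft's mechanism) in which a proxy that alters a request still verifies upstream hop by hop, but not end to end. Keys, field names and addresses are constructed.

```python
import hashlib
import hmac
import json

# Constructed keys: one per hop, plus one for the end-to-end comparison.
K_CLIENT_PROXY = b"constructed-key-client-proxy"
K_PROXY_SERVER = b"constructed-key-proxy-server"
K_CLIENT_SERVER = b"constructed-key-client-server"


def tag(key, body):
    """HMAC-SHA-256 over a canonical encoding of the message body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect(key, body):
    return {"body": body, "tag": tag(key, body)}


def verify(key, msg):
    return hmac.compare_digest(msg["tag"], tag(key, msg["body"]))


def proxy_alter(body):
    """Model of a proxy that strips an option and rewrites a field."""
    out = dict(body)
    out["options"] = [o for o in body["options"] if o != "THIRD_PARTY"]
    out["client_ip"] = "192.0.2.1"  # constructed upstream address of the proxy
    return out


def hop_by_hop(body):
    """Proxy terminates the client's tag, then issues its own upstream."""
    inbound = protect(K_CLIENT_PROXY, body)
    if not verify(K_CLIENT_PROXY, inbound):
        raise ValueError("client failed authentication at the proxy")
    outbound = protect(K_PROXY_SERVER, proxy_alter(inbound["body"]))
    return verify(K_PROXY_SERVER, outbound)  # what the upstream server sees


def end_to_end(body):
    """Client tags for the server; the proxy alters but cannot re-tag."""
    inbound = protect(K_CLIENT_SERVER, body)
    forwarded = {"body": proxy_alter(inbound["body"]), "tag": inbound["tag"]}
    return verify(K_CLIENT_SERVER, forwarded)


# Constructed request, loosely shaped like a PCP MAP request.
REQUEST = {"opcode": "MAP", "client_ip": "198.51.100.7",
           "internal_port": 8080, "options": ["THIRD_PARTY", "PREFER_FAILURE"]}
```

In the hop-by-hop case the upstream server authenticates only the proxy, so any per-client policy it applies depends on what the proxy asserts about the client.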