Re: [pcp] Comparison of PCP authentication

EAP Authenticator is on the PCP server.
Hence, PAA (PANA Authentication Agent) and PCP server are on the same node.
Therefore, the PAA can tell whether it's authenticating the PaC for PCP or for network access by looking at the destination port.
That's sufficient.

(I don't know why you folks are digressing to another model where EAP authenticator resides on a different node than the PCP server --  in which case we need to engage PANA relay (OK, fine) ; and EAPoPCP folks need to come up with yet another solution to relay the EAP from PCP server to the EAP authenticator).

On Aug 16, 2012, at 4:41 PM, Yoshihiro Ohba wrote:

> Hi Margaret,
> 
> I understand your point.
> 
> I think the challenging case is that the same node is acting as PANA
> relay for both network access authentication and PCP authentication
> where the both types of authentication goes to the same PAA.  In this
> case, probably PANA needs to be extended to carry additional
> information (a new flag or AVP) for distinguishing the two types of
> authentication.  Once the additional information is defined, then the
> information may also be used for channel binding purpose.
> 
> Yoshihiro Ohba
> 
> (2012/08/16 21:53), Margaret Wasserman wrote:
>> 
>> Hi Yoshi,
>> 
>> I thought the point of running PANA over/beside PCP, instead of using a PCP-specific mechanism, was that the PCP Server could hand the PANA request to a separate PANA server for processing, just like a PANA Relay would hand-off a PANA request to a PANA Server.
>> 
>> How will that PANA Server (the one that receives the PANA request from the PCP Server, presumably on the PANA port) know that the request is coming from a PCP Server and concerns PCP access, and that it isn't a network access request from a regular PANA PaC or Relay?  I think it is pretty important that we not set-up a situation where a PANA server could think that it is authorizing network access while it is actually authorizing PCP requests, don't you?
>> 
>> Margaret
>> 
>> 
>> On Aug 16, 2012, at 8:45 AM, Yoshihiro Ohba wrote:
>> 
>>> Hi Margaret,
>>> 
>>> In my opinion, PANA should be dedicated to PCP authentication in both
>>> cases where PANA runs over PCP port.
>>> 
>>> In other words, we can say that PANA is used for network access
>>> authentication only when PANA operates over PANA port, regardless of
>>> whether the same or different credentials are used for PCP
>>> authentication and network access authentication.
>>> 
>>> Yoshihiro Ohba
>>> 
>>> (2012/08/16 20:41), Margaret Wasserman wrote:
>>>> 
>>>> Hi Yoshi,
>>>> 
>>>> On Aug 15, 2012, at 11:41 PM, Yoshihiro Ohba wrote:
>>>> 
>>>>> Here is a brief comparison on both PANA-based schemes:
>>>>> 
>>>>> Encapsulation/tunneling approach:
>>>>> - Pros: No impact on PANA specification
>>>>> - Cons: Encapsulation overhead
>>>>> 
>>>>> Demultiplexing/port-sharing approach:
>>>>> - Pros: No encapsulation overhead
>>>>> - Cons: Impact on PANA specification (an Update of RFC 5191 is needed
>>>>> on the use of "Reserved" field.)
>>>> 
>>>> In both cases, I think there is an open question (raised by my regarding your draft) of whether we want to modify PANA so that the server will know that it is performing PCP authentication vs. network access authentication.  I think this could be important, if we want a single PANA server to be able to serve both purposes in a small network.  It is possible that the credentials/criteria used to authenticate a node for PCP will be different than for network access, isn't it?
>>>> 
>>>> Margaret
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
> 
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp