Re: [pcp] Additional requirements for PCP Authentication.
Dan Wing <dwing@cisco.com> Wed, 16 April 2014 00:14 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C26F21A0065 for <pcp@ietfa.amsl.com>; Tue, 15 Apr 2014 17:14:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.773
X-Spam-Level:
X-Spam-Status: No, score=-14.773 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8oL6CGXEEbq for <pcp@ietfa.amsl.com>; Tue, 15 Apr 2014 17:14:19 -0700 (PDT)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id F18751A004A for <pcp@ietf.org>; Tue, 15 Apr 2014 17:14:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2446; q=dns/txt; s=iport; t=1397607256; x=1398816856; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=FdW/DAZ4vPHPvL8K4fEBbXaU4et6asGStlwp346jLVc=; b=AVlxLmAsRHOUaqopSAV7dgTMP5Pw+s98vyYcoyS+HFtGjWNTC5DPzKtn qwVvqU9/+7BffXExzQRGv09GbzCC9mgVPejCX8xG/xXoOzZ1U0r1NGS2q 8gp9Hng1oJxBHFUeisRq3O9zmoXeexg/QB5apoFu40bxkCGF8hCQJIYPd I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgYFAMrKTVOrRDoH/2dsb2JhbABRCYMGxEKBIxZ0giUBAQEDATo/BQsLRlcGE4d0B8xLF44IKDMHgySBFASJXIsZg22SRYNRHQ
X-IronPort-AV: E=Sophos;i="4.97,867,1389744000"; d="scan'208";a="110459406"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-4.cisco.com with ESMTP; 16 Apr 2014 00:14:15 +0000
Received: from sjc-vpn5-425.cisco.com (sjc-vpn5-425.cisco.com [10.21.89.169]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id s3G0EEMp021759; Wed, 16 Apr 2014 00:14:15 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <CE4DEAA2-033A-48E4-A31E-3C7EC1936A87@nominum.com>
Date: Tue, 15 Apr 2014 17:14:22 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CF4C2310-AE6A-4553-81F7-35FA63774998@cisco.com>
References: <CE4DEAA2-033A-48E4-A31E-3C7EC1936A87@nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/F27cadN9f1ALoilcbKm68pLRqLg
Cc: PCP Working Group <pcp@ietf.org>
Subject: Re: [pcp] Additional requirements for PCP Authentication.
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 00:14:24 -0000
On Apr 15, 2014, at 10:54 AM, Ted Lemon <Ted.Lemon@nominum.com> wrote: > I've mentioned this before, and got a response from Sam Hartman, but then the discussion died down. Stephen Farrell raised the following DISCUSS points with respect to the PCP DHCP option: > > (2) How can PCP authentication (based on the WG draft, > draft-ietf-pcp-authentication I assume?) make sense > with this use of DHCP? I guess that that can make > sense but I'm not getting it right now sorry. Can you > explain? (Note: its quite possible no change is > needed, just to explain the plan to a semi-ignorant > AD:-) > > (3) How does a client know that the security identity > of one, some of all of the PCP server addresses > returned are the same or not? (You might cover this as > part of discuss point 2 above, not sure.) > > I think that the PCP authentication needs to have the ability to provide an identifier to the client that the client can use to choose which credentials to provide to the PCP server in order to address point 3. So I'd like to ask the working group whether they agree or disagree with this. Yes I agree that PCP authentication needs to obtain the server's identity so that the PCP client can choose which credentials to use with that particular PCP server. But that isn't the fault of the DHCP option. Without the DHCP option, a PCP client will communicate with its default router, which it only knows by IP address. If that client and server understand PCP authentication, the PCP client still only knows the IP address but would really want a "name". draft-ietf-pcp-dhcp suffers the same problem, in that the client only knows IP addresses of the PCP servers, and not its name. > Secondly, in order to address point 2, the authentication protocol needs to have some text talking about how to use it in the context of dynamically-discovered PCP server addresses. I think that if my suggestion above is taken, then it can work, and it's useful: by configuring PCP server addresses with DHCP, we avoid having to have the client maintain a static mapping between server IP addresses and credentials, which I think would be a bad idea anyway. So a site that uses PCP authentication can use DHCP to configure PCP, and clients will be able to authenticate using pre-configured credentials. > > Does this make sense? -d