IETF Logo Mail Archive

Re: [pcp] EAP retransmits and re-authentication

Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp> Thu, 20 September 2012 16:12 UTC

Return-Path: <yoshihiro.ohba@toshiba.co.jp>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D9AB21F8775 for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 09:12:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.991
X-Spam-Level:
X-Spam-Status: No, score=-4.991 tagged_above=-999 required=5 tests=[AWL=-0.902, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c6CHJVRSzsgs for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 09:12:39 -0700 (PDT)
Received: from imx2.toshiba.co.jp (inet-tsb5.toshiba.co.jp [202.33.96.24]) by ietfa.amsl.com (Postfix) with ESMTP id 8984421F873E for <pcp@ietf.org>; Thu, 20 Sep 2012 09:12:39 -0700 (PDT)
Received: from arc1.toshiba.co.jp ([133.199.194.235]) by imx2.toshiba.co.jp with ESMTP id q8KGCcGv002019; Fri, 21 Sep 2012 01:12:38 +0900 (JST)
Received: (from root@localhost) by arc1.toshiba.co.jp id q8KGCcS1014344; Fri, 21 Sep 2012 01:12:38 +0900 (JST)
Received: from unknown [133.199.192.144] by arc1.toshiba.co.jp with ESMTP id BAA14343; Fri, 21 Sep 2012 01:12:37 +0900
Received: from mx.toshiba.co.jp (localhost [127.0.0.1]) by ovp2.toshiba.co.jp with ESMTP id q8KGCbL6010238; Fri, 21 Sep 2012 01:12:37 +0900 (JST)
Received: from tsbpoa.po.toshiba.co.jp by toshiba.co.jp id q8KGCb4S008525; Fri, 21 Sep 2012 01:12:37 +0900 (JST)
Received: from [133.199.17.158] by mail.po.toshiba.co.jp (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004)) with ESMTPA id <0MAN007FEP0ZGRA0@mail.po.toshiba.co.jp>; Fri, 21 Sep 2012 01:12:37 +0900 (JST)
Date: Fri, 21 Sep 2012 01:12:39 +0900
From: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>
In-reply-to: <tslfw6ciuan.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
Message-id: <505B4077.3030802@toshiba.co.jp>
MIME-version: 1.0
Content-type: text/plain; charset="ISO-2022-JP"
Content-transfer-encoding: 7bit
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <tslipbap18s.fsf@mit.edu> <09E52F80-2292-42CB-9833-957D16DCF2AB@yegin.org> <tsl392clv10.fsf_-_@mit.edu> <505B35E4.5020108@toshiba.co.jp> <tslfw6ciuan.fsf@mit.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
Cc: pcp@ietf.org
Subject: Re: [pcp] EAP retransmits and re-authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 16:12:40 -0000

Sam,

(2012/09/21 0:32), Sam Hartman wrote:
>>>>>> "Yoshihiro" == Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp> writes:
> 
>      Yoshihiro> While I agree that ERP is definitely not needed for PCP,
>      Yoshihiro> but I think unsupporting EAP re-authentication in the
>      Yoshihiro> context of RFC 3748 and RFC 5247 is NOT a good idea,
>      Yoshihiro> because it enables smooth migration from old SA to new
>      Yoshihiro> SA.  Without supporting EAP re-authentication in the
>      Yoshihiro> context of RFC 3748 and RFC 5247, communications
>      Yoshihiro> disruptions can happen during rekey, i.e., communication
>      Yoshihiro> quality of PCP and data traffic controlled by PCP can
>      Yoshihiro> affect in our case.
> 
> I'd like to hear from PCP implementors about whether smoothe SA
> migration is even desirable.
> My assumption would be that it would be entirely not worth the
> complexity for PCP.

I have to say that this matters for users of PCP.  PCP implementors
have to implement what PCP users want.  As a user of PCP, I don't want
my established WebEx session for the interim meeting to get disrupted
by rekey ;)

> 
>      Yoshihiro> Also, it seems that there is some desire to change
>      Yoshihiro> PCP-specific authentication design to be based on
>      Yoshihiro> client-
> 
> Actually, I didn't propose a change; I simply pointed out that you can
> do it either way depending on what is easiest for PCP implementations;
> we should pick, but what we pick should be based on the needs of the PCP
> community.

I would rather consider this as the major disadvantage of tight
coupling EAP and PCP.  It is much easier to run PANA and PCP
side-by-side which achieves loose coupling of EAP and PCP.

> 
> It's my experience that security solutions are best when they provide a
> good user experience and are easy to implement. I'm hoping to accomplish
> that here.

Then EAP re-authentication needs to be supported.

Yoshihiro Ohba

> 
> --Sam
>

v2.23.0 | Report a Bug | By Email