IETF Logo Mail Archive

Re: [pcp] gss-eap & client-side rexmit only

Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp> Thu, 18 October 2012 15:32 UTC

Return-Path: <yoshihiro.ohba@toshiba.co.jp>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FED621F8710 for <pcp@ietfa.amsl.com>; Thu, 18 Oct 2012 08:32:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.89
X-Spam-Level:
X-Spam-Status: No, score=-4.89 tagged_above=-999 required=5 tests=[AWL=-0.801, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LjNEpdP-bnFO for <pcp@ietfa.amsl.com>; Thu, 18 Oct 2012 08:32:03 -0700 (PDT)
Received: from imx2.toshiba.co.jp (inet-tsb5.toshiba.co.jp [202.33.96.24]) by ietfa.amsl.com (Postfix) with ESMTP id 530C421F8786 for <pcp@ietf.org>; Thu, 18 Oct 2012 08:32:00 -0700 (PDT)
Received: from arc1.toshiba.co.jp ([133.199.194.235]) by imx2.toshiba.co.jp with ESMTP id q9IFVwP8023768 for <pcp@ietf.org>; Fri, 19 Oct 2012 00:31:58 +0900 (JST)
Received: (from root@localhost) by arc1.toshiba.co.jp id q9IFVwe8013044 for pcp@ietf.org; Fri, 19 Oct 2012 00:31:58 +0900 (JST)
Received: from unknown [133.199.192.144] by arc1.toshiba.co.jp with ESMTP id AAA13043; Fri, 19 Oct 2012 00:31:58 +0900
Received: from mx.toshiba.co.jp (localhost [127.0.0.1]) by ovp2.toshiba.co.jp with ESMTP id q9IFVwmQ020141 for <pcp@ietf.org>; Fri, 19 Oct 2012 00:31:58 +0900 (JST)
Received: from tsbpoa.po.toshiba.co.jp by toshiba.co.jp id q9IFVwVF017689; Fri, 19 Oct 2012 00:31:58 +0900 (JST)
Received: from [133.199.17.24] by mail.po.toshiba.co.jp (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004)) with ESMTPSA id <0MC3004XIHSYPQ00@mail.po.toshiba.co.jp> for pcp@ietf.org; Fri, 19 Oct 2012 00:31:58 +0900 (JST)
Date: Fri, 19 Oct 2012 00:31:56 +0900
From: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>
In-reply-to: <3462171E-F143-4810-B463-9E23AA738A03@lilacglade.org>
To: pcp@ietf.org
Message-id: <508020EC.3060601@toshiba.co.jp>
MIME-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-transfer-encoding: 7bit
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <36E9DFAC-47D5-4942-937F-A88CD2AD75D0@lilacglade.org> <E2495458-DA1F-4BF3-9ACE-0AAEB3836907@yegin.org> <96744887-68C7-4F9A-813E-A5563E4356E2@gmail.com> <6569B9B2-0B82-450A-A328-D023EFC732DA@yegin.org> <F06C0780-EF37-435E-B45D-497111E12B47@yegin.org> <3462171E-F143-4810-B463-9E23AA738A03@lilacglade.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
Subject: Re: [pcp] gss-eap & client-side rexmit only
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2012 15:32:04 -0000

Margaret,

(2012/10/18 20:46), Margaret Wasserman wrote:
> Hi Alper,
>
> On Oct 18, 2012, at 2:04 AM, Alper Yegin wrote:
>>> Yep, there's no re-auth. It's absence is confirmed! :-)
> Does this mean that you think it is okay not to allow server-side reauthentication?  You wrote this before the call, but seemed to say otherwise on the call.
>
>>> - What happens if server-side needs to re-key, extend lifetime, change authorization, re-challenge the client?
>>> Say, the acceptor receives a RADIUS CoA with EAP-Request, what's going to do with it?
> If the PCP Server determines (for any reason) that the authentication information is invalid, it will invalidate it.  There is no reason to inform the client (or an enforcement point, or anyone else) that the information has been invalidated at that time, because _unlike the PANA case_ there is no need to block any ongoing session and/or any ongoing traffic from the PCP client to other nodes.

This is not true for tightly-coupled authentication/authorization 
model.  Tightly-coupled
authentication/authorization model (which is typical in AAA architecture)
needs to be supported, and in tightly-coupled 
authentication/authorization model,
support for server-initiated re-authentication makes a lot of sense.  
This does not
mean clients cannot sleep.  Clients can sleep but they may just miss to 
receive
server-initiated re-authentication requests, and if that happens they 
will need to start
full authentication, which is fine.   I don't disagree with additional 
support of loosely coupled model,
but I disagree if you say tightly-coupled authentication/authorization 
model is not needed.

Yoshihiro Ohba



> The client can find out that the authentication information has been invalidated when/if it sends a PCP request using the now-invalid authentication information.  This will cause the PCP Server to return an authentication error, and the client will attempt to re-authenticate.
>
>>> Sorry folks, gss-eap as an EAP lower layer spec is incomplete. Whether you recognize and accept this today, or later when you start building complete architectures/systems with it. No worries, you can always add it.
> This is an issue you should raise with the abfab WG, i guess.  I don't think they will agree with you.
>
> Margaret
>
>
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp
>

v2.23.0 | Report a Bug | By Email