Re: [pcp] #62: Client-driven or server-driven auth retransmissions
Sam Hartman <hartmans@painless-security.com> Wed, 24 October 2012 11:59 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0871021F8964 for <pcp@ietfa.amsl.com>; Wed, 24 Oct 2012 04:59:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.662
X-Spam-Level:
X-Spam-Status: No, score=0.662 tagged_above=-999 required=5 tests=[AWL=3.261, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CU7ro5bKSBYB for <pcp@ietfa.amsl.com>; Wed, 24 Oct 2012 04:59:35 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id C06F521F8941 for <pcp@ietf.org>; Wed, 24 Oct 2012 04:59:31 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS id A79E520167; Wed, 24 Oct 2012 07:59:05 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id A2D8D412A; Wed, 24 Oct 2012 07:59:28 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: pcp issue tracker <trac@tools.ietf.org>
References: <059.9cf5d7c12f5da883f5db53fb2786e69b@tools.ietf.org>
Date: Wed, 24 Oct 2012 07:59:28 -0400
In-Reply-To: <059.9cf5d7c12f5da883f5db53fb2786e69b@tools.ietf.org> (pcp issue tracker's message of "Fri, 19 Oct 2012 22:09:40 -0000")
Message-ID: <tslwqyggjxb.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: draft-ietf-pcp-authentication@tools.ietf.org, pcp@ietf.org
Subject: Re: [pcp] #62: Client-driven or server-driven auth retransmissions
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 11:59:36 -0000
Hi. Yoshi and I have had several rounds of discussing EAp retransmissions in the ABFAB working group. My understanding of the situation has improved. Retransmission of an EAP request will always happen I've been describing this issue incorrectly when I brought it up in the PCP group. The question is what is used to trigger retransmissions, not what party does the retransmission. The authenticator (PCP server/PAA) has the EAP request packet as part of security state it maintains. The question is whether the authenticator has a timer that causes it to retransmit the request. That's what the default behavior in EAP is. Alternatively, the EAP specification (RFC 3748) allows that timer to be set to infinite. In that case, the lower layer (PCP or PANA) is taking responsibility for reliability. If the lower layer is handling reliability, then you can use whatever trigger you like. You can have a timer on the server. Alternatively, you can have a timer on the client and retransmit the request on the server when you receive a duplicate response. So, no matter what option you pick, the server is required to hold the state. The potential advantage of picking client-triggered retransmits is that it may make it easier to match an existing implementation. We could really use input from PCP implementations about whether having the authentication retransmit timer on the client is easier than the server.
- [pcp] #62: Client-driven or server-driven auth re… pcp issue tracker
- Re: [pcp] #62: Client-driven or server-driven aut… Sam Hartman
- Re: [pcp] #62: Client-driven or server-driven aut… Yoshihiro Ohba
- Re: [pcp] #62: Client-driven or server-driven aut… Sam Hartman
- Re: [pcp] #62: Client-driven or server-driven aut… Simon Perreault
- Re: [pcp] #62: Client-driven or server-driven aut… Rafa Marin Lopez
- Re: [pcp] #62: Client-driven or server-driven aut… Alper Yegin
- Re: [pcp] #62: Client-driven or server-driven aut… Alper Yegin
- Re: [pcp] #62 (authentication): Client-driven or … pcp issue tracker