Re: [pcp] WG status on PCP authentication

Margaret Wasserman <margaretw42@gmail.com> Thu, 13 September 2012 11:07 UTC

From: Margaret Wasserman <margaretw42@gmail.com>
To: Alper Yegin <alper.yegin@yegin.org>
Cc: "pcp@ietf.org" <pcp@ietf.org>
Date: Thu, 13 Sep 2012 07:06:58 -0400
Subject: Re: [pcp] WG status on PCP authentication
In-Reply-To: <B27AE62F-1ADF-44DE-AF33-0B7A3AD6ACDB@yegin.org>
Message-Id: <D6230CDE-E869-406F-B194-8E9B626CA8D8@lilacglade.org>

Hi Alper,

I understand that you and Yoshi have done some analysis amongst yourselves and come to a conclusion, but my understanding of the direction from IETF 84 was that the WG wanted to go through this analysis together and come to a conclusion about which approach was preferred.

Could you share your reasoning with the rest of us, instead of just your conclusions?  What do you see as the points in favor of the side-by-side (demultiplexing) approach vs. the tunneled PANA (AKA encapsulation) approach?  Are there weaknesses to the encapsulation approach that make the demultiplexing approach more desirable?

Thanks,
Margaret


On Sep 13, 2012, at 5:13 AM, Alper Yegin wrote:

> Hi Dave,
> 
> Thank you for the summary.
> 
>> The main comparison point we know about
>> is between Tunneled PANA vs Side-by-side PANA/PCP.
> 
> 
> 
> Yoshi and I had an offline discussion and concluded that the so-called side-by-side PANA/PCP (or, running PANA over PCP port) is simple and straightforward, compared to tunneled PANA (carrying PANA header and payloads as PCP options -- more like PANA over PCP). So, we diverted our energy to the former and produced http://tools.ietf.org/html/draft-ohba-pcp-pana-02. 
> 
> I don't see problems with PANA over PCP port, or benefits with PANA over PCP to motivate me to work out the details of PANA over PCP. 
> Does anyone see? 
> If not, then we'd only have PANA over PCP port to show people in the call.
> 
> On Sep 13, 2012, at 1:48 AM, Dave Thaler wrote:
> 
>> Just to circle back on this now that the minutes are posted.
>>  
>> Relevant snippets from the minutes:
>> > Francis Dupont: How does this compare to just running PCP over DTLS?
>> > 
>> > Margaret Wasserman: There is currently no draft written to specify how it
>> >    would work.  You can't "just run" anything over DTLS. It's not that simple.
>>  
>> Summary: we have not explicitly called a question about DTLS.   Mainly
>> because there’s no proposal on the table.   Lacking one with real support,
>> the WG will go ahead with a proposal that has energy/interest behind it.
>>  
>> > Alain Durand called for show of hands:
>> > For single port: 23
>> > For two separate ports: 0
>>  
>> Clear consensus within the room, and I’ve seen no indication on the list that this
>> consensus can’t be considered confirmed based on the list discussion thus far.
>>  
>> > Alain Durand called for show of hands:
>> > PCP-specific messages (PCP-specific encoding of authentication information): 5
>> > Tunneled PANA (embed PANA data within PCP options): 6/7
>> > Side-by-side (multiplex raw PANA packets and PCP packets over same port): 5/6
>> > Don't care: 15
>>  
>> Room was basically evenly split between the approaches above, so no
>> consensus yet, but only about half the WG cares.
>>  
>> > Alain Durand called for show of hands:
>> > PCP-specific encoding of authentication information: 5
>> > Some kind of PANA encapsulation: 10 or 11
>>  
>> In my view there was a rough consensus of the room, and so far the list discussion
>> hasn’t changed this ratio in my view.
>>  
>> > Dan Wing: request an interim meeting to discuss solutions, once they've been
>> >    fleshed out a little
>>  
>> And that’s the step we’re doing next.   The main comparison point we know about
>> is between Tunneled PANA vs Side-by-side PANA/PCP.   We can also compare
>> PCP-specific though it appears to already be in the minority.  If there are other new
>> proposals to consider (DTLS or whatever) by then, we can, but so far the inertia
>> seems to be primarily between the PANA variants.   There does seem to be
>> uncertainty about how they would actually work, so it’s important that they be
>> fleshed out in enough detail that we can have informed discussion at the interim
>> meeting.
>>  
>> -Dave
>>  
>> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of Alper Yegin
>> Sent: Friday, August 17, 2012 1:09 AM
>> To: Margaret Wasserman
>> Cc: pcp@ietf.org
>> Subject: Re: [pcp] Comparison of PCP authentication
>> 
>> On Aug 16, 2012, at 2:38 PM, Margaret Wasserman wrote:
>> 
>>> Hi Dacheng,
>>> 
>>> The conclusion from the meeting was that we will document all three approaches in our document:
>> 
>> Could the chairs please declare what the meeting conclusions and next steps are.
>> 
>> Thanks.
>> 
>> Alper
>> 
>>> - PCP Specific
>>> - PANA Encapsulated in PCP
>>> - PANA Demultiplexed with PCP on the same port
>>> 
>>> Then, we will have an interim PCP conference call to discuss the trade-offs and hopefully decide between them.
>>> 
>>> Margaret
>>> 
>>> On Aug 15, 2012, at 10:47 PM, Zhangdacheng (Dacheng) wrote:
>>> 
>>>> Have we got any conclusions on the two approaches?  Or can we just support the two options in the draft for the moment and briefly compare their pros and cons?
>>>> 
>>>> Cheers
>>>> 
>>>> Dacheng
>>>> 
>>>> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of Margaret Wasserman
>>>> Sent: Friday, August 10, 2012 3:21 AM
>>>> To: Dan Wing
>>>> Cc: pcp@ietf.org
>>>> Subject: Re: [pcp] Comparison of PCP authentication
>>>> 
>>>> On Aug 9, 2012, at 2:32 PM, Dan Wing wrote:
>>>> 
>>>>> If I'm updating security policy on a firewall I want to be able to
>>>>> audit whether that actually happened.  That requires authentication.
>>>>> 
>>>>> You are saying a PCP client would only want to update firewall policies
>>>>> if the PCP server supports authentication, otherwise it would tell the
>>>>> user that it cannot enable the webcam, Internet-connected NAS,
>>>>> Internet-connected printer, etc.?
>>>> 
>>>> I won't presume to guess what Sam is thinking...
>>>> 
>>>> However, I am thinking that there will be some clients that are configured to perform authentication for every request.  For example, there is no reason for a PCP proxy, running in an environment where authentication is required to do a THIRD-PARTY request, to perform a useless round-trip for every THIRD-PARTY request it issues.
>>>> 
>>>> Margaret
>>>> 
>>>> _______________________________________________
>>>> pcp mailing list
>>>> pcp@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/pcp
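The side-by-side option that Dave's summary and Margaret's question refer to (raw PANA and PCP datagrams multiplexed over one UDP port) only works if the receiver can tell the two apart from the leading octets before handing the datagram to either parser. The demultiplexer below is an added example for this thread, not code from the PCP or PANA drafts under discussion; it assumes the discriminator is the first octet (RFC 5191 requires the PANA Reserved field, the first 16 bits, to be zero, while every PCP message starts with its non-zero Version field, 2 in RFC 6887), and every sample datagram in it is constructed, not captured.

```python
"""
Demultiplexing PANA and PCP datagrams that share one UDP port.

Classification rule (an assumption made for this example): the first octet of
a PANA header is part of the Reserved field and must be zero (RFC 5191), while
the first octet of a PCP message is its Version field and is never zero
(2 in RFC 6887).  The remaining checks are sanity checks so a malformed or
ambiguous datagram is dropped rather than parsed by the wrong stack.
"""
import struct

PCP_VERSION = 2        # RFC 6887 value; the 2012 drafts discussed here carried 1
PCP_MIN_LEN = 24       # PCP common request/response header
PCP_MAX_LEN = 1100     # RFC 6887 maximum PCP message size
PANA_HDR_LEN = 16      # RFC 5191 fixed PANA header
PANA_PCI = 1           # Message Type of PANA-Client-Initiation


def classify(datagram: bytes) -> str:
    """Return 'pana', 'pcp' or 'drop' for one UDP payload from the shared port."""
    if len(datagram) < PANA_HDR_LEN:
        return "drop"                       # shorter than either protocol's header
    first_octet = datagram[0]
    if first_octet == 0:
        # PANA candidate: Reserved must be zero and Message Length must equal
        # the datagram length (it counts the header plus all AVPs).
        reserved, msg_len = struct.unpack("!HH", datagram[:4])
        if reserved != 0 or msg_len != len(datagram):
            return "drop"
        return "pana"
    if first_octet == PCP_VERSION:
        # PCP candidate: fixed 24-octet header, 4-octet alignment, size cap.
        n = len(datagram)
        if n < PCP_MIN_LEN or n > PCP_MAX_LEN or n % 4 != 0:
            return "drop"
        return "pcp"
    return "drop"                           # neither protocol; never guess


# --- constructed sample datagrams (not captured traffic) -------------------

def build_pcp_map_request() -> bytes:
    """Minimal PCP MAP request: TCP port 8080 from client 192.0.2.10."""
    # Version, R=0|Opcode=1 (MAP), Reserved, Requested Lifetime 3600 s
    header = struct.pack("!BBHI", PCP_VERSION, 1, 0, 3600)
    client_ip = bytes(10) + b"\xff\xff" + bytes([192, 0, 2, 10])  # IPv4-mapped IPv6
    nonce = b"\x11" * 12
    # Protocol 6 (TCP), 3 reserved octets, internal port, suggested external port,
    # then a 16-octet all-zero suggested external address.
    map_body = nonce + struct.pack("!B3xHH", 6, 8080, 0) + bytes(16)
    return header + client_ip + map_body     # 60 octets, 4-octet aligned


def build_pana_pci() -> bytes:
    """PANA-Client-Initiation with no AVPs: the 16-octet header only."""
    # Reserved, Message Length, Flags, Message Type, Session Id, Sequence Number
    return struct.pack("!HHHHII", 0, PANA_HDR_LEN, 0, PANA_PCI, 0, 0)


SAMPLES = {
    "pcp_map": build_pcp_map_request(),
    "pana_pci": build_pana_pci(),
    "pana_len_lies": struct.pack("!HHHHII", 0, 32, 0, PANA_PCI, 0, 0),  # claims 32, is 16
    "pcp_old_version": b"\x01" + bytes(59),                              # draft-era version 1
    "pcp_unaligned": bytes([PCP_VERSION]) + bytes(25),                   # 26 octets
    "runt": b"\x00" * 8,                                                 # too short for anything
}


def classify_samples() -> dict:
    """Classify every constructed sample; used by the usage run below."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

Two points the checks are there to make. First, the length-field comparison is what stops a datagram from being accepted by both stacks: a first octet of zero alone would let a crafted PCP-port datagram with a bogus PANA length reach the PANA parser with trailing bytes it did not account for. Second, the first-octet rule has a known neighbour: NAT-PMP (RFC 6886) also uses version 0 on the same port, so a server that serves NAT-PMP as well needs a second discriminator; NAT-PMP requests are 2 or 12 octets while a PANA message is never shorter than 16, which is why this classifier drops anything under 16 octets instead of guessing.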