Re: [pcp] Comparison of PCP authentication

Alper Yegin <alper.yegin@yegin.org> Tue, 07 August 2012 07:49 UTC

Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <57FF0F8E-1B86-410F-8B6B-C4893A28222F@lilacglade.org>
Date: Tue, 07 Aug 2012 10:48:58 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <241D4228-E4FE-454A-9C3B-CA34C16D666E@yegin.org>
References: <9B57C850BB53634CACEC56EF4853FF653B6EC381@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <7FE144CF-00E3-4451-8CBE-A6A684DB7CC4@yegin.org> <067d01cd73fd$765a6c50$630f44f0$@com> <D6D2DEED-C35A-45AB-8B72-96195C308DB9@yegin.org> <57FF0F8E-1B86-410F-8B6B-C4893A28222F@lilacglade.org>
To: Margaret Wasserman <mrw@lilacglade.org>
X-Mailer: Apple Mail (2.1278)
Cc: pcp@ietf.org
Subject: Re: [pcp] Comparison of PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 07:49:21 -0000

Hi Margaret,

> Since this is UDP, there is nothing that inherently binds the PANA authentication to a particular (set of) PCP request(s).  So, we will need to make sure that the information passed in the authentication option is sufficient for the server to securely determine that the client sending the PCP request is the same client that initiated the PANA exchange and vice versa, just as we would need to do if PANA and PCP were run on separate ports.  I don't think this will be difficult, we just need to make sure that we achieve it.
> 

That's right.
A PANA session will generate a Session-Id, a Key-Id, and a PCP key. We should use the two identifiers along with the MIC generated using the PCP key in the Authentication Tag Option. That's how the PANA session and the PCP messages get crypto-bound to each other.


> Do you know what existing PANA implementations will do if the "Reserved" field at the start of the packet is non-zero? 
> 

According to RFC 5191, the receiver MUST ignore the Reserved bits.

Alper
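As an added illustration (this is not code from the thread, from the draft under discussion, or from any PANA/PCP implementation), the following Python models the binding described above: the client carries the PANA Session-Id and Key-Id plus a MIC computed with the PCP key in an authentication-tag option, and the server looks up the key by those two identifiers before checking the MIC. The option layout, the key-derivation label, and the sample request bytes are assumptions constructed for this example, not the format of any specification.

```python
"""Added example: crypto-binding a PANA session to PCP requests via an
authentication-tag option. Wire layout, derivation and sample data are
assumptions for illustration only."""
import hashlib
import hmac
import struct

# Assumed option layout (constructed, not a draft format):
#   Session-Id (4 bytes) || Key-Id (4 bytes) || MIC (32 bytes, HMAC-SHA256)
OPTION_FMT = "!II32s"
OPTION_LEN = struct.calcsize(OPTION_FMT)  # 40 bytes

# Constructed stand-in for a PCP request (version 2, opcode 1, body bytes).
REQUEST = b"\x02\x01\x00\x00" + b"constructed PCP request body"


def derive_pcp_key(msk: bytes, session_id: int, key_id: int) -> bytes:
    """Derive the per-session PCP key from the PANA MSK (assumed derivation)."""
    label = b"PCP-KEY" + struct.pack("!II", session_id, key_id)
    return hmac.new(msk, label, hashlib.sha256).digest()


def compute_mic(pcp_key: bytes, session_id: int, key_id: int, request: bytes) -> bytes:
    """MIC over the identifiers and the request, so changing either one breaks it."""
    data = struct.pack("!II", session_id, key_id) + request
    return hmac.new(pcp_key, data, hashlib.sha256).digest()


def attach_auth_tag(pcp_key: bytes, session_id: int, key_id: int, request: bytes) -> bytes:
    """Client side: append the authentication-tag option to the request."""
    mic = compute_mic(pcp_key, session_id, key_id, request)
    return request + struct.pack(OPTION_FMT, session_id, key_id, mic)


class PcpServer:
    """Server side: keys are indexed by (Session-Id, Key-Id) learned from PANA."""

    def __init__(self):
        self.keys = {}

    def pana_session_established(self, msk: bytes, session_id: int, key_id: int) -> None:
        self.keys[(session_id, key_id)] = derive_pcp_key(msk, session_id, key_id)

    def verify(self, message: bytes):
        """Return (accepted, reason) for an incoming PCP message."""
        if len(message) < OPTION_LEN:
            return False, "missing authentication tag option"
        request, option = message[:-OPTION_LEN], message[-OPTION_LEN:]
        session_id, key_id, mic = struct.unpack(OPTION_FMT, option)
        pcp_key = self.keys.get((session_id, key_id))
        if pcp_key is None:
            return False, "unknown session/key"
        expected = compute_mic(pcp_key, session_id, key_id, request)
        if not hmac.compare_digest(mic, expected):  # constant-time compare
            return False, "bad MIC"
        return True, "ok"


def demo():
    """Run the scenarios a reviewer would want to see and return the outcomes."""
    msk_a, msk_b = bytes(range(32)), bytes(range(32, 64))  # constructed MSKs
    server = PcpServer()
    server.pana_session_established(msk_a, 0x1111, 1)
    server.pana_session_established(msk_b, 0x2222, 1)

    client_key = derive_pcp_key(msk_a, 0x1111, 1)
    good = attach_auth_tag(client_key, 0x1111, 1, REQUEST)

    # Request body altered in transit: MIC no longer matches.
    tampered = bytearray(good)
    tampered[4] ^= 0x01

    # Same MIC presented under another session's identifiers.
    mic_a = good[-32:]
    swapped = REQUEST + struct.pack(OPTION_FMT, 0x2222, 1, mic_a)

    # Identifiers the server never learned from PANA.
    unknown = attach_auth_tag(client_key, 0x3333, 1, REQUEST)

    return {
        "good": server.verify(good),
        "tampered": server.verify(bytes(tampered)),
        "swapped": server.verify(swapped),
        "unknown": server.verify(unknown),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Covering both identifiers in the MIC input, as well as keying the lookup on them, is what makes a request under session A useless if replayed under session B, and a Key-Id change after a PANA re-authentication naturally rolls the client over to the new key.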