Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
"Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com> Fri, 08 August 2014 09:28 UTC
Return-Path: <zhangdacheng@huawei.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113EC1B2951 for <pcp@ietfa.amsl.com>; Fri, 8 Aug 2014 02:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wShx8GREWc8k for <pcp@ietfa.amsl.com>; Fri, 8 Aug 2014 02:28:04 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 249D81A0A8E for <pcp@ietf.org>; Fri, 8 Aug 2014 02:28:04 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml403-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BIA73121; Fri, 08 Aug 2014 09:28:02 +0000 (GMT)
Received: from nkgeml405-hub.china.huawei.com (10.98.56.36) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 8 Aug 2014 10:28:01 +0100
Received: from NKGEML507-MBS.china.huawei.com ([169.254.6.82]) by nkgeml405-hub.china.huawei.com ([10.98.56.36]) with mapi id 14.03.0158.001; Fri, 8 Aug 2014 17:27:56 +0800
From: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
Thread-Index: AQHPsik1tLrwE8DKqEuMbbcdEaWCY5vGX7Ag
Date: Fri, 08 Aug 2014 09:27:56 +0000
Message-ID: <C72CBD9FE3CA604887B1B3F1D145D05E7BCC9FC8@nkgeml507-mbs.china.huawei.com>
References: <20140721132717.8597.69523.idtracker@ietfa.amsl.com> <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl> <913383AAA69FF945B8F946018B75898A283027A9@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A283027A9@xmb-rcd-x10.cisco.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.139]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/McS-CV8fYsINvFZaCjDyZmSLYvs
Subject: Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 09:28:08 -0000
Hi, Tiru: Thanks again for the review. I've included most of the comments in the document. Please see my answers inline. Cheers Dacheng > -----Original Message----- > From: pcp [mailto:pcp-bounces@ietf.org] On Behalf Of Tirumaleswar Reddy > (tireddy) > Sent: Thursday, August 07, 2014 6:20 PM > To: Dacheng Zhang; pcp@ietf.org > Subject: Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt > > Hi Dacheng, > > My comments: > > [1] ID Indicator: The value for a PCP client to choose proper > credentials for authentication. The method of generating this > value is out of scope of this document. Note this field MUST end > on a 32-bit boundary, padded with 0's when necessary. > > Comment> ID indicator should be user-friendly. For example check out A-ID-Info > in EAP-FAST. > [Dacheng Zhang:] Done! > [2] Each PA message is attached with an > Authentication OpCode and may optionally contain a set of Options for > various purposes (e.g., transporting authentication messages and > session managements). > > Nit> replace session managements with session management [Dacheng Zhang:] Done! > > [3] o On security infrastructure equipment, such as corporate firewalls, > that does not create implicit mappings. > > Comment> The above line is very clear, are you referring to firewalls > Comment> not creating implicit mapping for specific traffic like UDP > [Dacheng Zhang:] Update the document according to your comment, done! > [4] This mechanism can be used to > secure PCP in the following situations:: > > Nit> Remove extra ":" [Dacheng Zhang:] Done! > > [5] > The draft says fragmentation and re-assembly is handled by EAP methods but > http://tools.ietf.org/html/rfc3748 explains that it's only handled by EAP-TLS. > > Does that make EAP-TLS mandatory to support ? [Dacheng Zhang:] Please give me some time to think about it. > > [6] In this case, before sending > out the PA-Server, the PCP server must update the SA and use the new > key to generate digests to protect the integrity and authenticity of > the PA-Server and any subsequent PCP message. > > Nit> replace digests with digest > [Dacheng Zhang:] Done! > [7] Because there is no authenticaiton OpCode in common PCP messages, > the > authentication tag for common PCP messages needs to provide the > inforamtion of session ID and sequence numbers. > > Nit> Fix spelling mistakes for authenticaiton, inforamtion. [Dacheng Zhang:] Done! > > [8] The generation of the digest can be various according to the algorithms > specified in different PCP SAs. > Comment> Replace the above line with > "The generation of the digest varies according to the algorithm finalized in > different PCP SAs" [Dacheng Zhang:] Done! > > [9] Do the Authentication tag option for PCP authentication message and > authentication tag option for common PCP have different option codes ? [Dacheng Zhang:] Yes, I think so. They contain different information. > > [10] Update IANA Considerations with the new PCP option, opcode and result > codes introduced in the draft. [Dacheng Zhang:] Will do it before the next version. > > [11] This section applies only to the in-band key management mechanism. > It will need to be updated if the WG choose to pursue the out-of-band key > management mechanism discussed above. > > Comment> I think the above paragraph can be removed. [Dacheng Zhang:] Done! > > [12] I think a section is required to explain how PCP authentication works in the > presence of PCP proxies ? > In specific explain what happens when PCP proxy and PCP server are > involved in re-authentication while PCP clients are sending PCP requests. > [Dacheng Zhang:] How about the following text? " During a re-authentication procedure between a PCP server and a PCP proxy, the proxy SHOULD discard the mapping creation requests from its PCP clients if the PCP proxy does not already have a valid active mapping for this mapping-creation request. Because PCP clients are responsible for reliable delivery of PCP request messages, it will resend the requests. Then, after the re-authentication finishes, the requests will be processed. " > Cheers, > -Tiru > > > -----Original Message----- > > From: Dacheng Zhang [mailto:zhang_dacheng@hotmail.com] > > Sent: Monday, July 21, 2014 8:35 PM > > To: pcp@ietf.org > > Subject: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt > > > > Hi, in this version of the document, we try to address the comments > > got since the last meeting. Particularly, we: > > o Refine the retransmission policies. > > > > o Provide the discussion about how to instruct a PCP client to > > choose proper credential during authenticaiton, and an ID > > Indication Option is defined for that purpose. > > In addition, it is advised that we should remove the key ID from the > > PCP authentication message, and only use one key for a PCP session. > > However, this indicates we will use the MSK to generate MACs for PCP > message directly. > > We would like to check with the group again before including it into > > the document. > > > > Any comments and suggestions are appreciated. > > > > Cheers > > > > Dacheng > > > > > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > > directories. > > > This draft is a work item of the Port Control Protocol Working Group > > > of the > > IETF. > > > > > > Title : Port Control Protocol (PCP) Authentication > Mechanism > > > Authors : Margaret Wasserman > > > Sam Hartman > > > Dacheng Zhang > > > Filename : draft-ietf-pcp-authentication-04.txt > > > Pages : 24 > > > Date : 2014-07-21 > > > > > > Abstract: > > > An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to > > > flexibly manage the IP address and port mapping information on > > > Network Address Translators (NATs) or firewalls, to facilitate > > > communications with remote hosts. However, the un-controlled > > > generation or deletion of IP address mappings on such network devices > > > may cause security risks and should be avoided. In some cases the > > > client may need to prove that it is authorized to modify, create or > > > delete PCP mappings. This document proposes an in-band > > > authentication mechanism for PCP that can be used in those cases. > > > The Extensible Authentication Protocol (EAP) is used to perform > > > authentication between PCP devices. > > > > > > > > > The IETF datatracker status page for this draft is: > > > https://datatracker.ietf.org/doc/draft-ietf-pcp-authentication/ > > > > > > There's also a htmlized version available at: > > > http://tools.ietf.org/html/draft-ietf-pcp-authentication-04 > > > > > > A diff from the previous version is available at: > > > http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-authentication-04 > > > > > > > > > Please note that it may take a couple of minutes from the time of > > > submission until the htmlized version and diff are available at tools.ietf.org. > > > > > > Internet-Drafts are also available by anonymous FTP at: > > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > _______________________________________________ > > > pcp mailing list > > > pcp@ietf.org > > > https://www.ietf.org/mailman/listinfo/pcp > > > > > > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp
- [pcp] I-D Action: draft-ietf-pcp-authentication-0… internet-drafts
- [pcp] I-D Action: draft-ietf-pcp-authentication-0… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dave Thaler
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)