Re: [pcp] CONSENSUS CALL on PCP security

I think we should try to reach consensus on a a way forward now.  If we don't get moving, we may not be able to finish any PCP security solution before the WG disappears, and I think it is important to have a security solution.  Because of that I do not support asking any new questions now.

From my perspective, though, the only PANA solution I can live with is the encapsulated approach.

I understand that it is possible to specify some sort of hack involving the version fields and/or create a new short header to allow the side-by-side PANA approach to work on a single port, but I think that is equally undesirable to running the side-by-side version on two ports.  

After talking to Subir about his implementation, he indicated that the PANA messages in his implementation are transmitted inside PCP headers, which (in my mind) means that he has implemented the encapsulated option.  The fact that he has said that he implements the side-by-side option makes me concerned that we may not have the same idea of what those two different options actually are.  We will need to make sure we know exactly what we are comparing before we ask people to choose between them.

Margaret

On Jul 16, 2013, at 10:01 PM, Alper Yegin <alper.yegin@yegin.org> wrote:

> Dave,
> 
> Last time we conducted this polling, the two pana-based solutions were asked separately.
> Based on the discussions and the result of the poll, I realized some people preferred one PANA solution over the other, with possibly varying preference with respect to the EAP-o-PCP solution.
> Bundling them up as one option is not a good idea.
> So, I suggest we pose them as separate questions (like we did last time). After all, they are technically different.
> 
> One other thing: 
> 
> I'm not sure if enough thought went into the PCP Proxy security. As much as I'd love to be DONE! with this discussion, I also want to make sure people feel comfortable having thought all aspects around the proxy use. For (very important) example, what kind of security associations are needed for securing the proxy use: An SA btw client and server, an SA btw client and proxy, an SA btw proxy and server -- which combinations of these are needed? Then we need to talk about how we dynamically create those using any one of these solutions.
> 
> Alper
> 
> 
> 
> 
> 
> On Jul 16, 2013, at 7:50 PM, Dave Thaler wrote:
> 
>>> -----Original Message-----
>>> From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
>>> Sent: Monday, July 15, 2013 10:51 PM
>>> To: Dave Thaler; pcp@ietf.org
>>> Subject: RE: [pcp] CONSENSUS CALL on PCP security
>>> 
>>> Hi Dave,
>>> 
>>> In the poll when you refer to PANA, please clarify the draft you are referring
>>> to http://tools.ietf.org/html/draft-ohba-pcp-pana-04 or
>>> http://tools.ietf.org/html/draft-ohba-pcp-pana-encap-01 ?
>>> 
>>> --Tiru.
>> 
>> The question is intentionally agnostic as this is about a general approach,
>> not which specific implementation.  If it helps, you can interpret the
>> answer as "which of the two you think is better".
>> 
>> If the consensus is PANA rather than direct EAP-in-PCP, then we could 
>> ask as a follow-up question which of the two we should go with. If
>> you'd like to include your answer to that now though, feel free to
>> include that in your response to the call.
>> 
>> -Dave
>> 
>> 
>> 
>> _______________________________________________
>> pcp mailing list
>> pcp@ietf.org
>> https://www.ietf.org/mailman/listinfo/pcp
> 
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp