Re: [pcp] gss-eap & client-side rexmit only
Alper Yegin <alper.yegin@yegin.org> Mon, 22 October 2012 09:53 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A595A21F8B3D for <pcp@ietfa.amsl.com>; Mon, 22 Oct 2012 02:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.54
X-Spam-Level:
X-Spam-Status: No, score=-102.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bfJSqxRYcffl for <pcp@ietfa.amsl.com>; Mon, 22 Oct 2012 02:53:40 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 4EF8921F8B03 for <pcp@ietf.org>; Mon, 22 Oct 2012 02:53:40 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis) id 0LymTv-1TLE8u1NuJ-015RqP; Mon, 22 Oct 2012 05:53:38 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <tsllif3yksm.fsf@mit.edu>
Date: Mon, 22 Oct 2012 12:53:21 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <3BFA5ACF-FCE2-435A-BC22-2264AA0536F7@yegin.org>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <36E9DFAC-47D5-4942-937F-A88CD2AD75D0@lilacglade.org> <E2495458-DA1F-4BF3-9ACE-0AAEB3836907@yegin.org> <96744887-68C7-4F9A-813E-A5563E4356E2@gmail.com> <6569B9B2-0B82-450A-A328-D023EFC732DA@yegin.org> <F06C0780-EF37-435E-B45D-497111E12B47@yegin.org> <tsllif3yksm.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:UnbG91uz5AeLU0rx3IaHo/VzmWW6argeb5N4sTEpSp0 U+BmE9nb7S0DXNYJeqCzCfaICIPNq+0EC+aISrqLb93D/aaSI+ iL3wyP7S3pg5jZuPHkYO/hgcKb3TPs03eozmpa9IgJnszr0X6g 6EppoSBGSER/YX3diMTiIgEQyUPK6O8BMLYSz3mdaHi953NYls 6BVuJbFCBNyR/9np2Bxx8nNDhyZR+eC47x5a0hhWSHbep1EFKy 1RofzGMukcpcEYhyJ0MTV6UUPxEaf9JMQ+T1T8mIpND64JiQ9B NqEmeqEGNDaKDlnN/erzTk+fc2ohD26dZOAABxE8XCDvUNLVUY 3CpUBqC2qVMjDh6aqoZ6Orr6vbcBXPVJyQ3y8wRAu/a4g0t7gN Lilv8ynYr/3AA==
Cc: pcp@ietf.org
Subject: Re: [pcp] gss-eap & client-side rexmit only
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2012 09:53:41 -0000
Sam, > >>>>> "Alper" == Alper Yegin <alper.yegin@yegin.org> writes: > > Alper> Sam, You claimed you can design an EAP lower layer that's > Alper> always client driven, and gave GSS-EAP as an example of how > Alper> you did it. > > Alper> So, I had already looked at it and still don't see it how. > Alper> See below for the last email I sent on this matter which went > Alper> unanswered. > > Hi Alper. > I think I've done a number of things to try and walk you through this: > > * We've had multiple discussions on the list where we discussed whether > this was possible in the EAP spec EAP spec talks about delegating the reliable delivery from EAP layer to the EAP-lower layer. it does not talk about turning the req/resp direction 180 degree from network-driven to client-driven. So, I don't really find comfort in reading RFC 3748 when it comes to supporting your approach. > * I pointed you at the gss-eap specification > * I gave textual explanations of how it works > * I went over it on the call again yesterday > Honestly, we need to dig deeper. See the kind of example Yoshi gave in his last email and let's see how such a thing works. > * During the PANA implementation discussion I pointed you at an > open-source implementation of GSS-EAP and particularly pointed you at > the part of the code that interacts with the EAP library. > > Other people do seem to be following this issue at this point, so I'm afraid we're talking past each other. > I'm sorry about that, but perhaps it would make more sense for you to try and > work with someone else on this issue. > If there are PCP implementors on this who need to discuss this in more detail > I'd be happy to try and help as I can. I have to admit I had missed your earlier email on CoA discussion, sorry. Here's what you had said, and my comments: Alper> Ah, "ignoring CoA". CoA is the RADIUS' tool to generate an Alper> unsolicited message, more specifically for starting EAP Sam> I'd like to draw the WG's attention to RFC 5176, which defines COA. Sam> Section 4 explicitly mentions that COA cannot be used for starting Sam> re-authentication. You are reading a special section on RADIUS-Diameter interworking. If you look at the table of attributes on page 21, you see the "CoA request" can carry 0+ EAP message. So, the NAS (PCP client) can receive an asynchronous EAP request from the AAA. Sam> Section 1.1 is an applicability statement explaining Sam> why COA is not standards-track because of security and semantic Sam> concerns. So, you want to pretend RADIUS CoA does not exist? It's used in the industry, cannot ignore. Sam> As best I can tell only diameter has AAA support for re-authentication. Sam> So, I'd like to draw our attention to RFC 4005, section 3.3 which Sam> defines rules for diameter re-authentication. That section explicitly Sam> calls out re-authentication must be supported *if the underlying service Sam> supports it*. That is, re-authentication is OPTIONAL for a given Sam> service like PCP, but if a given PCP server supports re-authentication Sam> and diameter, then it needs to support re-authentication via diameter. Sam> Section 3 of RFC 4072 (diameter over eap) confirms the guidelines of RFC Sam> 4005 apply. I had said: > - What happens if server-side needs to re-key, extend lifetime, change authorization, re-challenge the client? > Say, the acceptor receives a RADIUS CoA with EAP-Request, what's going to do with it? So, if you want to prohibit use of server-initiated re-auth, prohibit use of CoA for now and for future, you need to tell us how none of the above is ever needed. I think you have a very particular way of using EAP and AAA in mind, nothing like the standard ways of using these protocols. We need to understand your model, and why your model shall be the only model that we'll ever see with PCP. Alper > Date: Thu, 18 Oct 2012 09:24:51 -0400 > In-Reply-To: <F06C0780-EF37-435E-B45D-497111E12B47@yegin.org> (Alper Yegin's > message of "Thu, 18 Oct 2012 09:04:43 +0300") > Message-ID: <tslmwzjykt8.fsf@mit.edu> > User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Reinaldo Penno (repenno)
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Dan Wing
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Sam Hartman
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Henderickx, Wim (Wim)
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- [pcp] Authentication scenarios (was Re: PANA impl… Alper Yegin
- [pcp] Side-by-side or nested protocols (was Re: P… Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Henderickx, Wim (Wim)
- Re: [pcp] Authentication scenarios (was Re: PANA … Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] [ Side-by-side or nested protocols Sam Hartman
- Re: [pcp] Authentication scenarios (was Re: PANA … Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] [ Side-by-side or nested protocols Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Zhangdacheng (Dacheng)
- Re: [pcp] [ Side-by-side or nested protocols Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols Sam Hartman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Alper Yegin
- [pcp] EAP retransmits and re-authentication Sam Hartman
- [pcp] gss-eap Alper Yegin
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Margaret Wasserman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Margaret Wasserman
- Re: [pcp] gss-eap & client-side rexmit only Sam Hartman
- Re: [pcp] gss-eap & client-side rexmit only Yoshihiro Ohba
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin