Re: [pcp] Posted auth req slide that was edited during meeting
Dave Thaler <dthaler@microsoft.com> Wed, 27 March 2013 03:25 UTC
From: Dave Thaler <dthaler@microsoft.com>
To: "yoshihiro.ohba@toshiba.co.jp" <yoshihiro.ohba@toshiba.co.jp>, "hartmans@painless-security.com" <hartmans@painless-security.com>
Date: Wed, 27 Mar 2013 03:18:48 +0000
Message-ID: <44E744236D325141AE8DDC88A45908AD0BF2D1@TK5EX14MBXC264.redmond.corp.microsoft.com>
References: <341064315C6D0D498193B256F238CF9747C9C9@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com> <5EF8B214-6563-47C7-9D48-621D9D5E1B29@yegin.org> <tslip4r42r3.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CD0A01@tgxml337.toshiba.local> <tslk3p4zyze.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB0CB@tgxml337.toshiba.local> <tsl620ox0zb.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB148@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CDEA18@tgxml337.toshiba.local> <tslvc8e52al.fsf@mit.edu> <tslip4e48td.fsf@mit.edu> <44E744236D325141AE8DDC88A45908AD0BEE66@TK5EX14MBXC264.redmond.corp.microsoft.com> <674F70E5F2BE564CB06B6901FD3DD78B12CE1134@tgxml337.toshiba.local>
In-Reply-To: <674F70E5F2BE564CB06B6901FD3DD78B12CE1134@tgxml337.toshiba.local>
Cc: "pcp@ietf.org" <pcp@ietf.org>
> -----Original Message-----
> From: yoshihiro.ohba@toshiba.co.jp [mailto:yoshihiro.ohba@toshiba.co.jp]
> Sent: Tuesday, March 26, 2013 8:13 PM
> To: Dave Thaler; hartmans@painless-security.com
> Cc: pcp@ietf.org
> Subject: RE: [pcp] Posted auth req slide that was edited during meeting
>
> I agree to enforce in servers that clients cannot send messages using expired
> SAs to avoid security issues.
>
> For the same reason, we should also enforce in clients that servers cannot
> send messages using expired SAs.

No, the same reason doesn't apply. The reason to enforce in servers is to prevent modification of server state. Enforcing in clients wouldn't mitigate any state change attack I understand. The message from a server using an expired SA would just have the effect of (for example) being a hint to the client that it needs to refresh its state in the server, and could trigger the client to do reauth as it needs to send a MAP or PEER or whatever. So I think the effects are quite different.

Is there some attack you have in mind that doing enforcement in the client would mitigate?

-Dave

>
> Yoshihiro Ohba
>
> -----Original Message-----
> From: Dave Thaler [mailto:dthaler@microsoft.com]
> Sent: Wednesday, March 27, 2013 10:09 AM
> To: Sam Hartman; ohba yoshihiro
> Cc: pcp@ietf.org
> Subject: RE: [pcp] Posted auth req slide that was edited during meeting
>
>
> > -----Original Message-----
> > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of
> > Sam Hartman
> > Sent: Tuesday, March 26, 2013 5:58 AM
> > To: yoshihiro.ohba@toshiba.co.jp
> > Cc: pcp@ietf.org
> > Subject: Re: [pcp] Posted auth req slide that was edited during
> > meeting
> >
> > I'm sorry, but I think it's totally reasonable to mandate in a spec
> > and enforce in servers that PCP clients cannot send messages using expired
> SAs.
> [...]
>
> (With no hats on) I agree with the above. It's totally reasonable to mandate
> such a thing, if that's what the WG decides to do.
>
> -Dave
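The asymmetry argued in the message above, modelled as an added Python illustration (this is not code from the thread, the PCP working group, or any PCP implementation): the server checks SA expiry before it verifies the MAC and before it touches any mapping state, so a request under an expired SA can never modify server state, while the client treats a server message under an expired SA only as a hint to re-authenticate before its next MAP or PEER. The SA table, the `Message` fields, the opcode names and the result strings (`REAUTH_REQUIRED`, `HINT_REAUTH`) are simplified assumptions for the demo and do not reflect the real PCP authentication wire format.

```python
"""Toy model of server-side vs client-side enforcement of SA expiry.

Added illustration only; SA structure, message layout, opcodes and result
names are assumptions made for this demo, not PCP protocol definitions.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    sa_id: int
    key: bytes
    expires_at: float  # assumed absolute time in seconds

    def is_valid(self, now: float) -> bool:
        return now < self.expires_at


@dataclass
class Message:
    sa_id: int
    opcode: str        # assumed opcodes: 'MAP', 'PEER', 'ANNOUNCE'
    payload: bytes
    tag: bytes = b""


def mac(sa: SecurityAssociation, opcode: str, payload: bytes) -> bytes:
    """HMAC over opcode and payload under the SA key (demo construction)."""
    return hmac.new(sa.key, opcode.encode() + b"|" + payload, hashlib.sha256).digest()


def sign(sa: SecurityAssociation, opcode: str, payload: bytes) -> Message:
    return Message(sa.sa_id, opcode, payload, mac(sa, opcode, payload))


class Server:
    """Holds mapping state; state-changing requests need a live, valid SA."""

    def __init__(self) -> None:
        self.sas: dict[int, SecurityAssociation] = {}
        self.mappings: list[bytes] = []

    def handle(self, msg: Message, now: float) -> str:
        sa = self.sas.get(msg.sa_id)
        # Expiry is checked first, before the MAC and before any state change,
        # so an expired SA cannot be used to modify mappings at all.
        if sa is None or not sa.is_valid(now):
            return "REAUTH_REQUIRED"
        if not hmac.compare_digest(msg.tag, mac(sa, msg.opcode, msg.payload)):
            return "AUTH_FAILED"
        if msg.opcode in ("MAP", "PEER"):
            self.mappings.append(msg.payload)  # the only state change
        return "SUCCESS"


class Client:
    """A server message under an expired SA is a hint, not a state change."""

    def __init__(self, sa: SecurityAssociation) -> None:
        self.sa = sa
        self.needs_reauth = False

    def handle(self, msg: Message, now: float) -> str:
        if msg.sa_id != self.sa.sa_id or not self.sa.is_valid(now):
            # No mapping state lives here; the message merely flags that the
            # next MAP/PEER must be preceded by re-authentication.
            self.needs_reauth = True
            return "HINT_REAUTH"
        if not hmac.compare_digest(msg.tag, mac(self.sa, msg.opcode, msg.payload)):
            return "AUTH_FAILED"
        return "ACCEPTED"


def demo():
    """Constructed scenario: one SA that expires at t=100."""
    sa = SecurityAssociation(sa_id=7, key=b"constructed-demo-key", expires_at=100.0)
    server = Server()
    server.sas[sa.sa_id] = sa
    client = Client(sa)
    r1 = server.handle(sign(sa, "MAP", b"tcp/8080"), now=50.0)    # live SA: state changes
    r2 = server.handle(sign(sa, "MAP", b"tcp/9090"), now=150.0)   # expired: refused, no change
    r3 = client.handle(sign(sa, "ANNOUNCE", b"restart"), now=150.0)  # expired: just a hint
    return r1, r2, r3, list(server.mappings), client.needs_reauth


def tampered_request_rejected() -> str:
    """A live SA still rejects a request whose payload was altered in flight."""
    sa = SecurityAssociation(sa_id=1, key=b"constructed-key", expires_at=100.0)
    server = Server()
    server.sas[sa.sa_id] = sa
    msg = sign(sa, "MAP", b"tcp/1")
    msg.payload = b"tcp/2"  # constructed modification after signing
    return server.handle(msg, now=10.0)


if __name__ == "__main__":
    print(demo())
    print(tampered_request_rejected())
```

The point the demo makes concrete is the ordering in `Server.handle`: the expiry check precedes both MAC verification and the append to `mappings`, so no request under an expired SA reaches the state-changing branch, whereas `Client.handle` has no state to protect and only records that re-authentication is needed.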