Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt

"Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com> Mon, 11 August 2014 06:25 UTC

Return-Path: <zhangdacheng@huawei.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AEBB1A031B for <pcp@ietfa.amsl.com>; Sun, 10 Aug 2014 23:25:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.869
X-Spam-Level:
X-Spam-Status: No, score=-4.869 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JhflVtkK0mD0 for <pcp@ietfa.amsl.com>; Sun, 10 Aug 2014 23:25:53 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E1201A0317 for <pcp@ietf.org>; Sun, 10 Aug 2014 23:25:53 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml401-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BIC62044; Mon, 11 Aug 2014 06:25:51 +0000 (GMT)
Received: from NKGEML410-HUB.china.huawei.com (10.98.56.41) by lhreml401-hub.china.huawei.com (10.201.5.240) with Microsoft SMTP Server (TLS) id 14.3.158.1; Mon, 11 Aug 2014 07:25:50 +0100
Received: from NKGEML507-MBS.china.huawei.com ([169.254.6.82]) by nkgeml410-hub.china.huawei.com ([10.98.56.41]) with mapi id 14.03.0158.001; Mon, 11 Aug 2014 14:25:43 +0800
From: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
Thread-Index: AQHPsik1tLrwE8DKqEuMbbcdEaWCY5vGX7Ag//+qbACABOl2UA==
Date: Mon, 11 Aug 2014 06:25:43 +0000
Message-ID: <C72CBD9FE3CA604887B1B3F1D145D05E7BCCB5B2@nkgeml507-mbs.china.huawei.com>
References: <20140721132717.8597.69523.idtracker@ietfa.amsl.com> <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl> <913383AAA69FF945B8F946018B75898A283027A9@xmb-rcd-x10.cisco.com> <C72CBD9FE3CA604887B1B3F1D145D05E7BCC9FC8@nkgeml507-mbs.china.huawei.com> <913383AAA69FF945B8F946018B75898A2830338B@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A2830338B@xmb-rcd-x10.cisco.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.139]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/OgcU9nF6il8AFv-GsyIlIxQf_Y0
Subject: Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 06:25:55 -0000


> -----Original Message-----
> From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> Sent: Friday, August 08, 2014 7:17 PM
> To: Zhangdacheng (Dacheng); pcp@ietf.org
> Subject: RE: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
> 
> Hi Dacheng,
> 
> Responding to the only ones which needs further discussion.
> 
> > >
> > > [12] I think a section is required to explain how PCP authentication
> > > works in the presence of PCP proxies ?
> > >         In specific explain what happens when PCP proxy and PCP
> > > server are involved in re-authentication while PCP clients are
> > > sending PCP
> > requests.
> > >
> > [Dacheng Zhang:]
> > How about the following text?
> >
> > " During a re-authentication procedure between a PCP server and a PCP
> > proxy, the proxy SHOULD discard the mapping creation requests from its
> > PCP
> 
> It could be any PCP request (not just specific to mapping creation request)
> 
> > clients if the PCP proxy does not already have a valid active mapping
> > for this mapping-creation request. Because PCP clients are responsible
> > for reliable delivery of PCP request messages, it will resend the
> > requests. Then, after the re-authentication finishes, the requests will be
> processed. "
> 
> The other variation is that in case of re-authentication b/w PCP proxy and PCP
> server, PCP proxy can use current SA to proxy the PCP request from the client
> and does not have to discard PCP messages.
[Dacheng Zhang:] 
I think it works. Before the current key are discarded by the new keys generated during the re-auth, this key can be used to protect the PCP-auth messages. So, it is also reasonable to used this key to protect the common pcp messages. Thanks for pointing this out. 

Cheers

Dacheng 
> -Tiru
> 
> >
> > > Cheers,
> > > -Tiru
> > >
> > > > -----Original Message-----
> > > > From: Dacheng Zhang [mailto:zhang_dacheng@hotmail.com]
> > > > Sent: Monday, July 21, 2014 8:35 PM
> > > > To: pcp@ietf.org
> > > > Subject: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
> > > >
> > > > Hi, in this version of the document, we try to address the
> > > > comments got since the last meeting.  Particularly, we:
> > > >    o  Refine the retransmission policies.
> > > >
> > > >    o  Provide the discussion about how to instruct a PCP client to
> > > >       choose proper credential during authenticaiton, and an ID
> > > >       Indication Option is defined for that purpose.
> > > > In addition, it is advised that we should remove the key ID from
> > > > the PCP authentication message, and only use one key for a PCP session.
> > > > However, this indicates we will use the MSK to generate MACs for
> > > > PCP
> > > message directly.
> > > > We would like to check with the group again before including it
> > > > into the document.
> > > >
> > > > Any comments and suggestions are appreciated.
> > > >
> > > > Cheers
> > > >
> > > > Dacheng
> > > >
> > > >
> > > > >
> > > > > A New Internet-Draft is available from the on-line
> > > > > Internet-Drafts
> > > > directories.
> > > > > This draft is a work item of the Port Control Protocol Working
> > > > > Group of the
> > > > IETF.
> > > > >
> > > > >        Title           : Port Control Protocol (PCP) Authentication
> > > Mechanism
> > > > >        Authors         : Margaret Wasserman
> > > > >                          Sam Hartman
> > > > >                          Dacheng Zhang
> > > > > 	Filename        : draft-ietf-pcp-authentication-04.txt
> > > > > 	Pages           : 24
> > > > > 	Date            : 2014-07-21
> > > > >
> > > > > Abstract:
> > > > >   An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to
> > > > >   flexibly manage the IP address and port mapping information on
> > > > >   Network Address Translators (NATs) or firewalls, to facilitate
> > > > >   communications with remote hosts.  However, the un-controlled
> > > > >   generation or deletion of IP address mappings on such network
> > devices
> > > > >   may cause security risks and should be avoided.  In some cases the
> > > > >   client may need to prove that it is authorized to modify, create or
> > > > >   delete PCP mappings.  This document proposes an in-band
> > > > >   authentication mechanism for PCP that can be used in those cases.
> > > > >   The Extensible Authentication Protocol (EAP) is used to perform
> > > > >   authentication between PCP devices.
> > > > >
> > > > >
> > > > > The IETF datatracker status page for this draft is:
> > > > > https://datatracker.ietf.org/doc/draft-ietf-pcp-authentication/
> > > > >
> > > > > There's also a htmlized version available at:
> > > > > http://tools.ietf.org/html/draft-ietf-pcp-authentication-04
> > > > >
> > > > > A diff from the previous version is available at:
> > > > > http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-authentication-0
> > > > > 4
> > > > >
> > > > >
> > > > > Please note that it may take a couple of minutes from the time
> > > > > of submission until the htmlized version and diff are available
> > > > > at
> > tools.ietf.org.
> > > > >
> > > > > Internet-Drafts are also available by anonymous FTP at:
> > > > > ftp://ftp.ietf.org/internet-drafts/
> > > > >
> > > > > _______________________________________________
> > > > > pcp mailing list
> > > > > pcp@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/pcp
> > > > >
> > > >
> > >
> > > _______________________________________________
> > > pcp mailing list
> > > pcp@ietf.org
> > > https://www.ietf.org/mailman/listinfo/pcp