Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
"Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com> Mon, 11 August 2014 06:25 UTC
Return-Path: <zhangdacheng@huawei.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AEBB1A031B for <pcp@ietfa.amsl.com>; Sun, 10 Aug 2014 23:25:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.869
X-Spam-Level:
X-Spam-Status: No, score=-4.869 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JhflVtkK0mD0 for <pcp@ietfa.amsl.com>; Sun, 10 Aug 2014 23:25:53 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E1201A0317 for <pcp@ietf.org>; Sun, 10 Aug 2014 23:25:53 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml401-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BIC62044; Mon, 11 Aug 2014 06:25:51 +0000 (GMT)
Received: from NKGEML410-HUB.china.huawei.com (10.98.56.41) by lhreml401-hub.china.huawei.com (10.201.5.240) with Microsoft SMTP Server (TLS) id 14.3.158.1; Mon, 11 Aug 2014 07:25:50 +0100
Received: from NKGEML507-MBS.china.huawei.com ([169.254.6.82]) by nkgeml410-hub.china.huawei.com ([10.98.56.41]) with mapi id 14.03.0158.001; Mon, 11 Aug 2014 14:25:43 +0800
From: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
Thread-Index: AQHPsik1tLrwE8DKqEuMbbcdEaWCY5vGX7Ag//+qbACABOl2UA==
Date: Mon, 11 Aug 2014 06:25:43 +0000
Message-ID: <C72CBD9FE3CA604887B1B3F1D145D05E7BCCB5B2@nkgeml507-mbs.china.huawei.com>
References: <20140721132717.8597.69523.idtracker@ietfa.amsl.com> <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl> <913383AAA69FF945B8F946018B75898A283027A9@xmb-rcd-x10.cisco.com> <C72CBD9FE3CA604887B1B3F1D145D05E7BCC9FC8@nkgeml507-mbs.china.huawei.com> <913383AAA69FF945B8F946018B75898A2830338B@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A2830338B@xmb-rcd-x10.cisco.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.139]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/OgcU9nF6il8AFv-GsyIlIxQf_Y0
Subject: Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 06:25:55 -0000
> -----Original Message----- > From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] > Sent: Friday, August 08, 2014 7:17 PM > To: Zhangdacheng (Dacheng); pcp@ietf.org > Subject: RE: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt > > Hi Dacheng, > > Responding to the only ones which needs further discussion. > > > > > > > [12] I think a section is required to explain how PCP authentication > > > works in the presence of PCP proxies ? > > > In specific explain what happens when PCP proxy and PCP > > > server are involved in re-authentication while PCP clients are > > > sending PCP > > requests. > > > > > [Dacheng Zhang:] > > How about the following text? > > > > " During a re-authentication procedure between a PCP server and a PCP > > proxy, the proxy SHOULD discard the mapping creation requests from its > > PCP > > It could be any PCP request (not just specific to mapping creation request) > > > clients if the PCP proxy does not already have a valid active mapping > > for this mapping-creation request. Because PCP clients are responsible > > for reliable delivery of PCP request messages, it will resend the > > requests. Then, after the re-authentication finishes, the requests will be > processed. " > > The other variation is that in case of re-authentication b/w PCP proxy and PCP > server, PCP proxy can use current SA to proxy the PCP request from the client > and does not have to discard PCP messages. [Dacheng Zhang:] I think it works. Before the current key are discarded by the new keys generated during the re-auth, this key can be used to protect the PCP-auth messages. So, it is also reasonable to used this key to protect the common pcp messages. Thanks for pointing this out. Cheers Dacheng > -Tiru > > > > > > Cheers, > > > -Tiru > > > > > > > -----Original Message----- > > > > From: Dacheng Zhang [mailto:zhang_dacheng@hotmail.com] > > > > Sent: Monday, July 21, 2014 8:35 PM > > > > To: pcp@ietf.org > > > > Subject: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt > > > > > > > > Hi, in this version of the document, we try to address the > > > > comments got since the last meeting. Particularly, we: > > > > o Refine the retransmission policies. > > > > > > > > o Provide the discussion about how to instruct a PCP client to > > > > choose proper credential during authenticaiton, and an ID > > > > Indication Option is defined for that purpose. > > > > In addition, it is advised that we should remove the key ID from > > > > the PCP authentication message, and only use one key for a PCP session. > > > > However, this indicates we will use the MSK to generate MACs for > > > > PCP > > > message directly. > > > > We would like to check with the group again before including it > > > > into the document. > > > > > > > > Any comments and suggestions are appreciated. > > > > > > > > Cheers > > > > > > > > Dacheng > > > > > > > > > > > > > > > > > > A New Internet-Draft is available from the on-line > > > > > Internet-Drafts > > > > directories. > > > > > This draft is a work item of the Port Control Protocol Working > > > > > Group of the > > > > IETF. > > > > > > > > > > Title : Port Control Protocol (PCP) Authentication > > > Mechanism > > > > > Authors : Margaret Wasserman > > > > > Sam Hartman > > > > > Dacheng Zhang > > > > > Filename : draft-ietf-pcp-authentication-04.txt > > > > > Pages : 24 > > > > > Date : 2014-07-21 > > > > > > > > > > Abstract: > > > > > An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to > > > > > flexibly manage the IP address and port mapping information on > > > > > Network Address Translators (NATs) or firewalls, to facilitate > > > > > communications with remote hosts. However, the un-controlled > > > > > generation or deletion of IP address mappings on such network > > devices > > > > > may cause security risks and should be avoided. In some cases the > > > > > client may need to prove that it is authorized to modify, create or > > > > > delete PCP mappings. This document proposes an in-band > > > > > authentication mechanism for PCP that can be used in those cases. > > > > > The Extensible Authentication Protocol (EAP) is used to perform > > > > > authentication between PCP devices. > > > > > > > > > > > > > > > The IETF datatracker status page for this draft is: > > > > > https://datatracker.ietf.org/doc/draft-ietf-pcp-authentication/ > > > > > > > > > > There's also a htmlized version available at: > > > > > http://tools.ietf.org/html/draft-ietf-pcp-authentication-04 > > > > > > > > > > A diff from the previous version is available at: > > > > > http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-authentication-0 > > > > > 4 > > > > > > > > > > > > > > > Please note that it may take a couple of minutes from the time > > > > > of submission until the htmlized version and diff are available > > > > > at > > tools.ietf.org. > > > > > > > > > > Internet-Drafts are also available by anonymous FTP at: > > > > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > > > > > _______________________________________________ > > > > > pcp mailing list > > > > > pcp@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/pcp > > > > > > > > > > > > > > > _______________________________________________ > > > pcp mailing list > > > pcp@ietf.org > > > https://www.ietf.org/mailman/listinfo/pcp
- [pcp] I-D Action: draft-ietf-pcp-authentication-0… internet-drafts
- [pcp] I-D Action: draft-ietf-pcp-authentication-0… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dave Thaler
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)