Re: [pcp] Posted auth req slide that was edited during meeting
<yoshihiro.ohba@toshiba.co.jp> Tue, 26 March 2013 23:07 UTC
Return-Path: <yoshihiro.ohba@toshiba.co.jp>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ECF621F8936 for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 16:07:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.089
X-Spam-Level:
X-Spam-Status: No, score=-4.089 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJ7e8LyMhOcV for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 16:07:51 -0700 (PDT)
Received: from imx2.toshiba.co.jp (inet-tsb5.toshiba.co.jp [202.33.96.24]) by ietfa.amsl.com (Postfix) with ESMTP id BB0AA21F8922 for <pcp@ietf.org>; Tue, 26 Mar 2013 16:07:50 -0700 (PDT)
Received: from tsbmgw-mgw02.tsbmgw-mgw02.toshiba.co.jp ([133.199.200.50]) by imx2.toshiba.co.jp with ESMTP id r2QN7kd0009698 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 27 Mar 2013 08:07:46 +0900 (JST)
Received: from tsbmgw-mgw02 (localhost [127.0.0.1]) by tsbmgw-mgw02.tsbmgw-mgw02.toshiba.co.jp (8.13.8/8.14.5) with ESMTP id r2QN7k7P018991; Wed, 27 Mar 2013 08:07:46 +0900
Received: from localhost ([127.0.0.1]) by tsbmgw-mgw02 (JAMES SMTP Server 2.3.1) with SMTP ID 940; Wed, 27 Mar 2013 08:07:46 +0900 (JST)
Received: from arc1.toshiba.co.jp ([133.199.194.235]) by tsbmgw-mgw02.tsbmgw-mgw02.toshiba.co.jp (8.13.8/8.14.5) with ESMTP id r2QN7kfm018988; Wed, 27 Mar 2013 08:07:46 +0900
Received: (from root@localhost) by arc1.toshiba.co.jp id r2QN7k1G018536; Wed, 27 Mar 2013 08:07:46 +0900 (JST)
Received: from unknown [133.199.192.144] by arc1.toshiba.co.jp with ESMTP id JAA18535; Wed, 27 Mar 2013 08:07:46 +0900
Received: from mx.toshiba.co.jp (localhost [127.0.0.1]) by ovp2.toshiba.co.jp with ESMTP id r2QN7juO001634; Wed, 27 Mar 2013 08:07:45 +0900 (JST)
Received: from tgxml329.toshiba.local by toshiba.co.jp id r2QN7jUn026158; Wed, 27 Mar 2013 08:07:45 +0900 (JST)
Received: from TGXML337.toshiba.local ([169.254.3.203]) by tgxml329.toshiba.local ([133.199.60.16]) with mapi id 14.02.0328.009; Wed, 27 Mar 2013 08:07:45 +0900
From: yoshihiro.ohba@toshiba.co.jp
To: dwing@cisco.com
Thread-Topic: [pcp] Posted auth req slide that was edited during meeting
Thread-Index: AQHOI+DTZVo7fOcKTKW7xX5uXeSScpirfAWwgATfK/CABuV4EIAAV0sAgAEFN9A=
Date: Tue, 26 Mar 2013 23:07:44 +0000
Message-ID: <674F70E5F2BE564CB06B6901FD3DD78B12CE1089@tgxml337.toshiba.local>
References: <341064315C6D0D498193B256F238CF9747C9C9@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com> <5EF8B214-6563-47C7-9D48-621D9D5E1B29@yegin.org> <tslip4r42r3.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CD0A01@tgxml337.toshiba.local> <tslk3p4zyze.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB0CB@tgxml337.toshiba.local> <tsl620ox0zb.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB148@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CDEA18@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CE012A@tgxml337.toshiba.local> <56946F7F-B646-42B1-A421-F2D3559CCEA2@cisco.com>
In-Reply-To: <56946F7F-B646-42B1-A421-F2D3559CCEA2@cisco.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
x-originating-ip: [133.199.16.158]
msscp.transfermailtomossagent: 103
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: pcp@ietf.org
Subject: Re: [pcp] Posted auth req slide that was edited during meeting
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2013 23:07:52 -0000
Another way is to let the SA expire, and if the server needs to send a message later on, then it can initiate authentication (and this is not a re-authentication by definition because the SA has expired). I am fine with this way either. For those who are interested in security details: Depending on the timing of the server-initiated authentication, the client might still have an unexpired SA. Such a client may enter the authentication while keeping the current SA until the authentication succeeds so that it can switch back to the current SA in case the authentication fails, which provides robustness against false authentication trigger DoS attacks (at the cost of maintaining multiple authentication sessions temporarily). PANA supports this robust operation. Regards, Yoshihiro Ohba -----Original Message----- From: Dan Wing [mailto:dwing@cisco.com] Sent: Wednesday, March 27, 2013 1:02 AM To: ohba yoshihiro Cc: pcp@ietf.org Subject: Re: [pcp] Posted auth req slide that was edited during meeting On Mar 25, 2013, at 6:55 PM, yoshihiro.ohba@toshiba.co.jp wrote: > Here is my suggested change on REQ-5 of draft-reddy-pcp-auth-req-01. > > (Current) > > REQ-5: PCP allows a server to send multiple responses. If the > server wants to send an unsolicited message, but the previous > security association has expired, the server MUST be able to > trigger re-authentication with the client. > " > > (New) > > " > REQ-5: PCP allows a server to send multiple responses. If the > server wants to send an unsolicited message, but the previous > security association is going to expire, the server MUST be able to > trigger re-authentication with the client prior to expiration of the security association. > " The PCP server does not know, a priori, if it will want or need to send a message later. So the only way to comply with that requirement would be for the PCP server to prevent a security association from expiring at all. Is there some other way to comply with that requirement? -d > > Best Regards, > Yoshihiro Ohba > > -----Original Message----- > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of > yoshihiro.ohba@toshiba.co.jp > Sent: Friday, March 22, 2013 1:42 AM > To: pcp@ietf.org > Subject: Re: [pcp] Posted auth req slide that was edited during > meeting > > Can we take silence as agreement about re-auth to happen before the SA expires? > > Yoshihiro Ohba > > > -----Original Message----- > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of > yoshihiro.ohba@toshiba.co.jp > Sent: Monday, March 18, 2013 11:12 PM > To: hartmans@painless-security.com > Cc: pcp@ietf.org > Subject: Re: [pcp] Posted auth req slide that was edited during > meeting > > Sam, > > -----Original Message----- > From: Sam Hartman [mailto:hartmans@painless-security.com] > Sent: Monday, March 18, 2013 11:00 PM > To: ohba yoshihiro > Cc: alper.yegin@yegin.org; pcp@ietf.org > Subject: Re: [pcp] Posted auth req slide that was edited during > meeting > >>>>>> <yoshihiro.ohba@toshiba.co.jp> writes: > > >> In any case, we should follow the definition of EAP re-authentication >> in RFC 5247 about re-authentication timing. I see absolutely no >> reason to change the definition. > > OK. So you're saying that the goal of the security association expiration is to make sure that a client cannot change the PCP state in a manner that requires authentication outside a time window defined by the AAA infrastructure/PCP server? > > [YO] Yes. > > So, the sorts of attacks we'd want to prevent are people changing state after credentials have changed or authorizations have changed? > > [YO] Yes, unless the credentials or authorizations are changed via a valid re-authentication, that is the whole purpose of re-authentication. > > Yoshihiro Ohba > > --Sam > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp
- [pcp] Posted auth req slide that was edited durin… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… Alper Yegin
- Re: [pcp] Posted auth req slide that was edited d… Rafa Marin Lopez
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… Dan Wing
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Dan Wing
- Re: [pcp] Posted auth req slide that was edited d… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba