IETF Logo Mail Archive

Re: [pcp] WG status on PCP authentication

Alper Yegin <alper.yegin@yegin.org> Fri, 14 September 2012 07:03 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D993721F85DA for <pcp@ietfa.amsl.com>; Fri, 14 Sep 2012 00:03:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.999
X-Spam-Level:
X-Spam-Status: No, score=-101.999 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, J_CHICKENPOX_25=0.6, J_CHICKENPOX_28=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vIDqhgb2t2Kt for <pcp@ietfa.amsl.com>; Fri, 14 Sep 2012 00:03:22 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id F369621F85E6 for <pcp@ietf.org>; Fri, 14 Sep 2012 00:03:21 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MCbwQ-1TKhO32mIM-009aEC; Fri, 14 Sep 2012 03:03:13 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="iso-2022-jp"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <5052D3F3.8000605@toshiba.co.jp>
Date: Fri, 14 Sep 2012 10:02:55 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <52B4EAD8-7B6A-452D-8738-72C59E357519@yegin.org>
References: <9B57C850BB53634CACEC56EF4853FF653B7B205A@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <B27AE62F-1ADF-44DE-AF33-0B7A3AD6ACDB@yegin.org> <D6230CDE-E869-406F-B194-8E9B626CA8D8@lilacglade.org> <5052D3F3.8000605@toshiba.co.jp>
To: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:3ic7sALoxw6j5NzlkQ5jnwPjoO9pmUjiw4iDUoyNp3w 5I9Nq4gDzOytzVQtLVfkpKAa+oCcq1G71Db9R7k0sdresKZSxI gjPwGJ3Gg0pD70Z0ZlqPCzK8CaSZoZI0aRh08Z/0cz6SlcxeUA qmYr6R4v/f+UD/SzllcctCCFvVtT41Z4cYtCMRYSEV9XJJ//hm 2aiICqjLLO8UEd7lF33lO2pY+cQ1T2+gMMceJmAVCvaNMKZgpG +yKkLqS7iclctMHZGnfbEdlb7C9T3NiK8TGU6JNCdutb2LOiFR JPaUZz5i/UTxFvhssdR7a2U3PgRUWf7sKjSk6YYK3+qEtlgL7T lY3ny7z4O91XuWgierVjwOUuUfE1uCuWCQ8Te1mbk8/9OL2bQJ jPyIGDzol7waQ==
Cc: pcp@ietf.org
Subject: Re: [pcp] WG status on PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2012 07:03:23 -0000

Let me add few other things as well.


> Last month I posted a rough comparison on the two PANA approaches to
> the PCP ML.  I would like to update the comparison after working in
> detail on the demultiplexing approach as follows:
> 
> Encapsulation/tunneling approach:
> - Pros: ???
> - Cons:
> -- Encapsulation overhead
> -- Tight coupling of PCP and PANA is needed.  One issue is that some
> workaround is needed to carry a PCI (PANA-Client-Initiation) message
> which does not fit PCP's request-response type messaging.
> Another issue is that double integrity protection can happen after
> establishing a PCP SA, where a PANA message carried in the PCP message
> is protected by a PANA AUTH AVP and the PCP message itself is
> protected by a PCP Authentication Tag.  Double integrity protection
> can be considered as overhead.
> 

- PANA state machine is aligned (in fact, designed in accordance with) EAP state machine.
Now if we mix PCP into that, is PCP state machine aligned with EAP state machine? This probably would impact the PCP design.

- Defining how PANA header and payloads get encapsulated within PCP (as opposed to over UDP) would require changes to the PANA spec. And those changes are certainly more than simple assignment of few reserved bits as we are doing for the port-sharing approach.


> Demultiplexing/port-sharing approach:
> - Pros:
> -- No encapsulation overhead
> -- Loose coupling of PCP and PANA
> 

In fact, there has to be a strong justification to invent protocol nesting when the two natively runs separately and do the job already.


> - Cons: ???
> 


Alper


> Yoshihiro Ohba
> 
> 
> (2012/09/13 20:06), Margaret Wasserman wrote:
>> 
>> Hi Alper,
>> 
>> I understand that you and Yoshi have done some analysis amongst 
>> yourselves and come to a conclusion, but my understanding of the 
>> direction from IETF 84 was that the WG wanted to go through this 
>> analysis together and come to a conclusion about which approach was 
>> preferred.
>> 
>> Could you share your reasoning with the rest of us, instead of just 
>> your conclusions?  What do you see as the points in favor of the 
>> side-by-side (demultiplexing) approach vs. the tunneled PANA (AKA 
>> encapsulation) approach?  Are there weaknesses to the encapsulation 
>> approach that make the demultiplexing approach more desirable?
>> 
>> Thanks,
>> Margaret
>> 
>> 
>> On Sep 13, 2012, at 5:13 AM, Alper Yegin wrote:
>> 
>>> Hi Dave,
>>> 
>>> Thank you for the summary.
>>> 
>>>> The main comparison point we know about
>>>> is between Tunneled PANA vs Side-by-side PANA/PCP.
>>> 
>>> 
>>> 
>>> Yoshi and I had an offline discussion and concluded that the 
>>> so-called side-by-side PANA/PCP (or, running PANA over PCP port) is 
>>> simple and straightforward, compared to tunneled PANA (carrying PANA 
>>> header and payloads as PCP options -- more like PANA over PCP). So, 
>>> we diverted our energy to the former and produced 
>>> http://tools.ietf.org/html/draft-ohba-pcp-pana-02.
>>> 
>>> I don't see problems with PANA over PCP port, or benefits with PANA 
>>> over PCP to motivate me to work the details of PANA over PCP.
>>> Does anyone see?
>>> If not, then we'd only have PANA over PCP port to show people in the 
>>> call.
>>> 
>>> 
>>> Alper
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Sep 13, 2012, at 1:48 AM, Dave Thaler wrote:
>>> 
>>>> Just to circle back on this now that the minutes are posted.
>>>> Relevant snippets from the minutes:
>>>>> Francis Dupont: How does this compare to just running PCP over DTLS?
>>>>> 
>>>>> Margaret Wasserman: There is currently no draft written to specify how it
>>>>>   would work.  You can't "just run" anything over DTLS. It's not that simple.
>>>> Summary: we have not explicitly called a question about DTLS.   Mainly
>>>> because there’s no proposal on the table.   Lacking one with real 
>>>> support,
>>>> the WG will go ahead with a proposal that has energy/interest 
>>>> behind it.
>>>>> Alain Durand called for show of hands:
>>>>> For single port: 23
>>>>> For two separate ports: 0
>>>> Clear consensus within the room, and I’ve seen no indication on the 
>>>> list that this
>>>> consensus can’t be considered confirmed based on the list 
>>>> discussion thus far.
>>>>> Alain Durand called for show of hands:
>>>>> PCP-specific messages (PCP-specific encoding of authentication information): 5
>>>>> Tunneled PANA (embed PANA data within PCP options): 6/7
>>>>> Side-by-side (multiplex raw PANA packets and PCP packets over same port): 5/6
>>>>> Don't care: 15
>>>> Room was basically evenly split between the approaches above, so no
>>>> consensus yet, but only about half the WG cares.
>>>>> Alain Durand called for show of hands:
>>>>> PCP-specific encoding of authentication information: 5
>>>>> Some kind of PANA encapsulation: 10 or 11
>>>> In my view there was a rough consensus of the room, and so far the 
>>>> list discussion
>>>> hasn’t changed this ratio in my view.
>>>>> Dan Wing: request an interim meeting to discuss solutions, once they've been
>>>>>   fleshed out a little
>>>> And that’s the step we’re doing next.   The main comparison point 
>>>> we know about
>>>> is between Tunneled PANA vs Side-by-side PANA/PCP.   We can also 
>>>> compare
>>>> PCP-specific though it appears to already be in the minority.  If 
>>>> there are other new
>>>> proposals to consider (DTLS or whatever) by then, we can, but so 
>>>> far the inertia
>>>> seems to be primarily between the PANA variants.   There does seem 
>>>> to be
>>>> uncertainty about how they would actually work, so it’s important 
>>>> that they be
>>>> fleshed out in enough detail that we can have informed discussion 
>>>> at the interim
>>>> meeting.
>>>> -Dave
>>>> *From:*pcp-bounces@ietf.org 
>>>> <mailto:pcp-bounces@ietf.org>[mailto:pcp-bounces@ietf.org]*On 
>>>> Behalf Of*Alper Yegin
>>>> *Sent:*Friday, August 17, 2012 1:09 AM
>>>> *To:*Margaret Wasserman
>>>> *Cc:*pcp@ietf.org <mailto:pcp@ietf.org>
>>>> *Subject:*Re: [pcp] Comparison of PCP authentication
>>>> On Aug 16, 2012, at 2:38 PM, Margaret Wasserman wrote:
>>>> 
>>>> 
>>>> Hi Dacheng,
>>>> The conclusion from the meeting was that we will document all three 
>>>> approaches in our document:
>>>> Could the chairs please declare what the meeting conclusions and 
>>>> next steps are.
>>>> Thanks.
>>>> Alper
>>>> 
>>>> 
>>>> - PCP Specific
>>>> - PANA Encapsulated in PCP
>>>> - PANA Demultiplexed with PCP on the same port
>>>> Then, we will have an interim PCP conference call to discuss the 
>>>> trade-offs and hopefully decide between them.
>>>> Margaret
>>>> On Aug 15, 2012, at 10:47 PM, Zhangdacheng (Dacheng) wrote:
>>>> 
>>>> 
>>>> Have we got any conclusions on two approaches?  Or we can just 
>>>> support the two options in the draft for the moment and briefly 
>>>> compare their pros and cons, can we?
>>>> Cheers
>>>> Dcheng
>>>> *From:*pcp-bounces@ietf.org 
>>>> <mailto:pcp-bounces@ietf.org>[mailto:pcp-bounces@ietf.org] 
>>>> <mailto:[mailto:pcp-bounces@ietf.org]>*On Behalf Of*Margaret Wasserman
>>>> *Sent:*Friday, August 10, 2012 3:21 AM
>>>> *To:*Dan Wing
>>>> *Cc:*pcp@ietf.org <mailto:pcp@ietf.org>
>>>> *Subject:*Re: [pcp] Comparison of PCP authentication
>>>> On Aug 9, 2012, at 2:32 PM, Dan Wing wrote:
>>>> 
>>>>        If I'm updating security policy on a firewall I want to be
>>>>        able to
>>>> 
>>>>        audit whether that actually happened.  That requires
>>>>        authentication.
>>>> 
>>>> 
>>>>    You are saying a PCP client would only want to update firewall
>>>>    policies
>>>>    if the PCP server supports authentication, otherwise it would
>>>>    tell the
>>>>    user that it cannot enable the webcam, Internet-connected NAS,
>>>>    Internet-connected printer, etc.?
>>>> 
>>>> I wont presume to guess what Sam is thinking...
>>>> However, I am thinking that there will be some clients  that are 
>>>> configured to perform authentication for every request.  For 
>>>> example, there is no reason for a PCP proxy, running in an 
>>>> environment where authentication is required to do a THIRD-PARTY 
>>>> request, to perform a useless round-trip for every THIRD-PARTY 
>>>> request it issues.
>>>> Margaret
>>>> _______________________________________________
>>>> pcp mailing list
>>>> pcp@ietf.org <mailto:pcp@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/pcp
>>>> _______________________________________________
>>>> pcp mailing list
>>>> pcp@ietf.org <mailto:pcp@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/pcp
>>> 
>>> _______________________________________________
>>> pcp mailing list
>>> pcp@ietf.org <mailto:pcp@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/pcp
>> 
>> 
>> 
>> _______________________________________________
>> pcp mailing list
>> pcp@ietf.org
>> https://www.ietf.org/mailman/listinfo/pcp
>> 
> 
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp

v2.23.0 | Report a Bug | By Email