[pcp] issue#60: Loosely coupled vs. tightly coupled authentication
Alper Yegin <alper.yegin@yegin.org> Mon, 05 November 2012 11:12 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1774621F8585 for <pcp@ietfa.amsl.com>; Mon, 5 Nov 2012 03:12:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.37
X-Spam-Level:
X-Spam-Status: No, score=-102.37 tagged_above=-999 required=5 tests=[AWL=0.228, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 92AceQuZadmh for <pcp@ietfa.amsl.com>; Mon, 5 Nov 2012 03:12:54 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 5263121F855C for <pcp@ietf.org>; Mon, 5 Nov 2012 03:12:54 -0800 (PST)
Received: from [192.168.2.4] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0LzsTb-1THFku1dDv-014eMA; Mon, 05 Nov 2012 06:12:53 -0500
From: Alper Yegin <alper.yegin@yegin.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6803E23E-6678-44A5-AB5C-5A142B95EFA4"
Date: Mon, 05 Nov 2012 13:12:37 +0200
Message-Id: <A153DB81-B799-43EE-9894-B8D7F1E56BEB@yegin.org>
To: pcp@ietf.org
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:ongHqPR97T2QUyWD5JeSn+eSI9YxSZYSFYI2KUOf1Vr 2q35Uz7pvZtAumq1hJGFdXycCTTHC7kaoSO6UF7j8vCDt76V6B xCdRJAJDM6ZpWFF66ACzYOdo5LxSHi8/+5tTvWjINFotFD/UUJ Mw2zRx00ZgRDjj/3Px8paL7lM/9VDNkO/Pi2Re3N4vZtXAgyqi cAJFWIaSrrDXwN4cOayE/TNN9LMtN+xcRO2QQh++xrB0wuJg+g CnhnoD9n01dX7U+U97YTbyl/i6WUu3oSJtOwMVRLq8v1KB1FQD jfEBJmVL+jWX+xY/1eEqRCAQSVUk4ChRiH1q3rakRIew+p9Qj4 U2BitD66GhVBgZeSI+fvmcr4jAwSNd1quIXl2TZbT8zycDOPhp CFu5q3JXwRATQ==
Subject: [pcp] issue#60: Loosely coupled vs. tightly coupled authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2012 11:12:55 -0000
Let me summarize my thoughts on each of these outstanding issues…. First of all, the issue description has lot of problems. See further below for more specifics… Nevertheless, here's what I can say about the essence of this discussion: - EAP session lifetime, EAP session keys lifetime, hence PCP SA (security association) lifetime are all driven by the AAA server. - The state created by the execution of PCP (i.e., NAT mappings, firewall rules) may have a lifetime different than the PCP SA lifetime. Such state's lifetime may be initially set to PCP SA lifetime (and may be not). Their lifetime may be extended or cut-down by actors other than PCP, without any coordination with the PCP SA lifetime. These are all scenario specific. I think all we can really say is, anything is possible. Coming back to the flaws in the issue description: Loosely coupled: – Authentication needed only at the time of a request, to create/modify a mapping. Alper> Authentication of the end-point (the ID that gets authenticated via EAP) is what this text must be referring to. Alper> There's also the "origin authentication for PCP packets (+ integrity and replay protection). Alper> Gotta be specific about which authentication we are talking about. Alper> Since PCP server can be sending unsolicited messages updating the PCP client, that also needs to be taken into account. – Authorization done separately, using the same mechanism as in non-authenticated PCP • Mappings are removed when authorization is revoked Alper> I have no idea what these two lines really mean. – Mapping lifetime is not tied to authentication lifetime Alper> Good, this makes sense as the definition of "loosely coupled". Tightly coupled: – Authentication and authorization are performed using the same mechanism, or there is a link between them Alper> There's always. There's a corner case where AAA server authenticates the user, and the PCP server has a database mapping user IDs to authorization parameters. That way you can say AAA authenticates the user, PCP server authorizes the user. But that's such a corner case. Typically, user IDs (with credentials to authenticate) and the mapping to authorization parameters are maintained by the AAA server (remember the second A in that acronym). – Mapping lifetime is tied to authentication lifetime • Mappings are removed when keys expire OR authorization is revoke Alper