Re: [pcp] Comparison of PCP authentication
Sam Hartman <hartmans@painless-security.com> Thu, 09 August 2012 13:25 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72A7021F859B for <pcp@ietfa.amsl.com>; Thu, 9 Aug 2012 06:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.124
X-Spam-Level: **
X-Spam-Status: No, score=2.124 tagged_above=-999 required=5 tests=[AWL=-2.164, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqBC6zCP-IZl for <pcp@ietfa.amsl.com>; Thu, 9 Aug 2012 06:25:38 -0700 (PDT)
Received: from ec2-23-21-76-251.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id D386A21F8599 for <pcp@ietf.org>; Thu, 9 Aug 2012 06:25:36 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id ED30C201B6; Thu, 9 Aug 2012 09:25:25 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 9B0A7420E; Thu, 9 Aug 2012 09:25:22 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Dan Wing <dwing@cisco.com>
References: <9B57C850BB53634CACEC56EF4853FF653B6EC381@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <7FE144CF-00E3-4451-8CBE-A6A684DB7CC4@yegin.org> <067d01cd73fd$765a6c50$630f44f0$@com> <D6D2DEED-C35A-45AB-8B72-96195C308DB9@yegin.org> <57FF0F8E-1B86-410F-8B6B-C4893A28222F@lilacglade.org> <BB72B80F-0622-4A5B-A985-79D8AED13E0B@apple.com> <003b01cd7587$a111b760$e3352620$@com> <15990E87-2D59-49B1-845C-2A4CB5A1FBD6@lilacglade.org> <008801cd758f$3fd306e0$bf7914a0$@com> <C72CBD9FE3CA604887B1B3F1D145D05E2CE65225@szxeml528-mbx.china.huawei.com> <028801cd75d6$c5765490$5062fdb0$@com>
Date: Thu, 09 Aug 2012 09:25:22 -0400
In-Reply-To: <028801cd75d6$c5765490$5062fdb0$@com> (Dan Wing's message of "Wed, 8 Aug 2012 19:29:15 -0700")
Message-ID: <tsla9y4gptp.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: 'Margaret Wasserman' <mrw@lilacglade.org>, pcp@ietf.org
Subject: Re: [pcp] Comparison of PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2012 13:25:38 -0000
>>>>> "Dan" == Dan Wing <dwing@cisco.com> writes: Dan> Doing PANA first is a good optimization only if the PCP client Dan> knows that PCP authentication will be required by the PCP Dan> server on that particular network. If PCP authentication is Dan> not needed on a particular network, requesting PCP Dan> authentication incurs an extra round trip. Thinking about this as an optimization seems wrong to me. consider the case where the client wants authentication but the server does not require it. For example, the client wants integrity protection of the result of the request. In this case it's about security requirements *not* optimization. The client needs a way to force the server to require authentication. Another case where this becomes important is where a server will accept requests from unauthenticated clients but treat them differently. For example an authenticated client is allowed to ask for longer lifetimes, etc. Especially since interacting with firewalls is in-scope for PCP, supporting clients with higher security requirements seems and important design goal for a PCP authentication mechanism. So, I don't think we should be thinking of this purely in terms of optimization.
- [pcp] Reminder: submit IETF 84 PCP agenda requests Dave Thaler
- Re: [pcp] Reminder: submit IETF 84 PCP agenda req… Xiaohong Deng
- [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication james woodyatt
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- [pcp] single port PANA+PCP Alper Yegin
- Re: [pcp] single port PANA+PCP Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] single port PANA+PCP Alper Yegin
- Re: [pcp] single port PANA+PCP Dan Wing
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] single port PANA+PCP Dan Wing
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] single port PANA+PCP Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- [pcp] channel binding (was Re: Comparison of PCP … Alper Yegin
- [pcp] PANA and PCP port sharing (was Re: Comparis… Alper Yegin
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] channel binding Sam Hartman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] channel binding Alper Yegin
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- [pcp] Fwd: Comparison of PCP authentication Subir Das
- Re: [pcp] Fwd: Comparison of PCP authentication Dan Wing
- Re: [pcp] Fwd: Comparison of PCP authentication Subir Das
- Re: [pcp] Fwd: Comparison of PCP authentication Sam Hartman