[pcp] WG status on PCP authentication

Dave Thaler <dthaler@microsoft.com> Wed, 12 September 2012 22:48 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: "pcp@ietf.org" <pcp@ietf.org>
Date: Wed, 12 Sep 2012 22:48:01 +0000
Message-ID: <9B57C850BB53634CACEC56EF4853FF653B7B205A@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com>
Subject: [pcp] WG status on PCP authentication

Just to circle back on this now that the minutes are posted.

Relevant snippets from the minutes:
> Francis Dupont: How does this compare to just running PCP over DTLS?
>
> Margaret Wasserman: There is currently no draft written to specify how it
>    would work.  You can't "just run" anything over DTLS. It's not that simple.

Summary: we have not explicitly called a question about DTLS.   Mainly
because there's no proposal on the table.   Lacking one with real support,
the WG will go ahead with a proposal that has energy/interest behind it.

> Alain Durand called for show of hands:
> For single port: 23
> For two separate ports: 0

Clear consensus within the room, and I've seen no indication on the list that this
consensus can't be considered confirmed based on the list discussion thus far.

> Alain Durand called for show of hands:
> PCP-specific messages (PCP-specific encoding of authentication information): 5
> Tunneled PANA (embed PANA data within PCP options): 6/7
> Side-by-side (multiplex raw PANA packets and PCP packets over same port): 5/6
> Don't care: 15

Room was basically evenly split between the approaches above, so no
consensus yet, but only about half the WG cares.

> Alain Durand called for show of hands:
> PCP-specific encoding of authentication information: 5
> Some kind of PANA encapsulation: 10 or 11

In my view there was a rough consensus of the room, and so far the list discussion
hasn't changed this ratio in my view.

> Dan Wing: request an interim meeting to discuss solutions, once they've been
>    fleshed out a little

And that's the step we're doing next.   The main comparison point we know about
is between Tunneled PANA vs Side-by-side PANA/PCP.   We can also compare
PCP-specific though it appears to already be in the minority.  If there are other new
proposals to consider (DTLS or whatever) by then, we can, but so far the inertia
seems to be primarily between the PANA variants.   There does seem to be
uncertainty about how they would actually work, so it's important that they be
fleshed out in enough detail that we can have informed discussion at the interim
meeting.

-Dave
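The "side-by-side" option polled above (raw PANA packets and PCP packets multiplexed over one UDP port) only works if the receiver can tell the two apart from the first octets. The following is an added example, not code from the PCP WG or from any draft; it assumes the wire formats of RFC 6887 (PCP: first octet is the version, 2) and RFC 5191 (PANA: first 16 bits reserved and zero, next 16 bits the total message length), and all sample packets are constructed by hand. One caveat worth seeing in code: NAT-PMP (RFC 6886), which PCP servers on port 5351 are expected to coexist with, also puts a zero in the first octet, so the demultiplexer cannot rely on the version octet alone and has to validate the PANA length field.

```python
"""Demultiplex raw PANA and PCP datagrams that share one UDP port.

Added illustration of the side-by-side design; not WG or draft code.
Assumes RFC 6887 (PCP) and RFC 5191 (PANA) header layouts; the packets
at the bottom are hand-constructed test input.
"""
import struct

PCP_VERSION = 2          # RFC 6887; drafts used 1, NAT-PMP uses 0
PANA_HDR_LEN = 16        # RFC 5191 section 6.2 fixed header
PCP_OPCODES = {0: "ANNOUNCE", 1: "MAP", 2: "PEER"}
PANA_TYPES = {1: "PCI", 2: "PANA-Auth", 3: "PANA-Termination",
              4: "PANA-Notification"}


def parse_pcp(pkt):
    """Parse the common PCP request/response header (RFC 6887 7.1/7.2)."""
    # Version | R+Opcode | Reserved(16) | Lifetime(32) | 16 octets of address
    if len(pkt) < 24 or len(pkt) > 1100 or len(pkt) % 4:
        return None
    version, r_opcode, _reserved, lifetime = struct.unpack("!BBHI", pkt[:8])
    return {
        "proto": "PCP",
        "version": version,
        "response": bool(r_opcode & 0x80),
        "opcode": PCP_OPCODES.get(r_opcode & 0x7F, r_opcode & 0x7F),
        "lifetime": lifetime,
    }


def parse_pana(pkt):
    """Parse the PANA fixed header (RFC 5191 6.2)."""
    # Reserved(16)=0 | Length(16) | Flags(16) | Type(16) | Session ID(32) | Seq(32)
    if len(pkt) < PANA_HDR_LEN:
        return None
    reserved, length, flags, mtype, session, seq = struct.unpack("!HHHHII", pkt[:16])
    # Length covers header plus 4-octet-padded AVPs, so it must equal the
    # datagram size; this is the check that rejects NAT-PMP look-alikes.
    if reserved != 0 or length != len(pkt) or length % 4:
        return None
    return {
        "proto": "PANA",
        "request": bool(flags & 0x8000),   # R flag is the leftmost bit
        "type": PANA_TYPES.get(mtype, mtype),
        "session_id": session,
        "seq": seq,
    }


def classify(pkt):
    """Decide which protocol a datagram arriving on the shared port belongs to."""
    if not pkt:
        return {"proto": "unknown", "reason": "empty datagram"}
    first = pkt[0]
    if first == PCP_VERSION:
        return parse_pcp(pkt) or {"proto": "unknown", "reason": "malformed PCP header"}
    if first == 0:
        # Both PANA (reserved octet) and NAT-PMP (version 0) start with 0x00.
        parsed = parse_pana(pkt)
        if parsed:
            return parsed
        return {"proto": "unknown", "reason": "version 0: NAT-PMP or malformed PANA"}
    return {"proto": "unknown", "reason": "unsupported version %d" % first}


# Constructed sample datagrams (not captured traffic).
PCP_MAP_REQUEST = (
    struct.pack("!BBHI", 2, 1, 0, 7200)                 # version 2, MAP, lifetime 7200
    + bytes(10) + b"\xff\xff" + bytes([192, 0, 2, 10])  # client IP ::ffff:192.0.2.10
    + bytes(36)                                         # MAP opcode body, zeroed
)
PANA_PCI = struct.pack("!HHHHII", 0, 16, 0x0000, 1, 0, 0)          # PANA-Client-Initiation
PANA_AUTH_REQUEST = struct.pack("!HHHHII", 0, 16, 0xC000, 2, 0x1234, 1)  # R+S flags
NATPMP_MAP_REQUEST = struct.pack("!BBHHHI", 0, 1, 0, 8080, 8080, 3600)   # RFC 6886 UDP map

if __name__ == "__main__":
    for name, pkt in [("PCP MAP", PCP_MAP_REQUEST), ("PANA PCI", PANA_PCI),
                      ("PANA-Auth", PANA_AUTH_REQUEST), ("NAT-PMP", NATPMP_MAP_REQUEST)]:
        print(name, "->", classify(pkt))
```

The design choice this makes visible is that the shared-port approach turns every parsing ambiguity between the two headers into a security decision: a datagram that fails the PANA length check falls through to "unknown" rather than being handed to the PANA state machine, and a server that also answers NAT-PMP would need to route those version-0 packets explicitly.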

From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of Alper Yegin
Sent: Friday, August 17, 2012 1:09 AM
To: Margaret Wasserman
Cc: pcp@ietf.org
Subject: Re: [pcp] Comparison of PCP authentication

On Aug 16, 2012, at 2:38 PM, Margaret Wasserman wrote:

> Hi Dacheng,
>
> The conclusion from the meeting was that we will document all three approaches in our document:

Could the chairs please declare what the meeting conclusions and next steps are.

Thanks.

Alper

> - PCP Specific
> - PANA Encapsulated in PCP
> - PANA Demultiplexed with PCP on the same port
>
> Then, we will have an interim PCP conference call to discuss the trade-offs and hopefully decide between them.
>
> Margaret
>
> On Aug 15, 2012, at 10:47 PM, Zhangdacheng (Dacheng) wrote:
>
>> Have we got any conclusions on the two approaches? Or can we just support the two options in the draft for the moment and briefly compare their pros and cons?
>>
>> Cheers
>>
>> Dacheng
>>
>> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of Margaret Wasserman
>> Sent: Friday, August 10, 2012 3:21 AM
>> To: Dan Wing
>> Cc: pcp@ietf.org
>> Subject: Re: [pcp] Comparison of PCP authentication
>>
>> On Aug 9, 2012, at 2:32 PM, Dan Wing wrote:
>>
>>> If I'm updating security policy on a firewall I want to be able to
>>> audit whether that actually happened.  That requires authentication.
>>>
>>> You are saying a PCP client would only want to update firewall policies
>>> if the PCP server supports authentication, otherwise it would tell the
>>> user that it cannot enable the webcam, Internet-connected NAS,
>>> Internet-connected printer, etc.?
>>
>> I won't presume to guess what Sam is thinking...
>>
>> However, I am thinking that there will be some clients that are configured to perform authentication for every request.  For example, there is no reason for a PCP proxy, running in an environment where authentication is required to do a THIRD-PARTY request, to perform a useless round-trip for every THIRD-PARTY request it issues.
>>
>> Margaret

_______________________________________________
pcp mailing list
pcp@ietf.org<mailto:pcp@ietf.org>
https://www.ietf.org/mailman/listinfo/pcp