Re: [pcp] PANA implementations to consider

Margaret Wasserman <margaretw42@gmail.com> Fri, 14 September 2012 14:54 UTC

On Sep 14, 2012, at 9:38 AM, Alper Yegin wrote:
>> How does this work in the case where the PCP Server is not running a PANA Server?  I _think_ that if a PCP Client asks its PANA Client to perform authentication, and the PCP Server does support authentication, some sort of "unsupported version" error code will be returned to the _PCP Client_ (due to the details of your proposed demultiplexing scheme), and that nothing will be returned to the PANA Client, at all.  We would need to make sure that secure PCP clients are specified to handle an "unsupported version" error differently when the PANA Client is in this particular state, but how does the PCP Client know that this is why that error was returned?  If this does happen, how does the PCP client inform the PANA Client that it should stop trying to perform authentication with that particular PCP Server?  
>> 
> 
> I'd like to first understand how the client-side decides when to use authentication, and when not to?
> Can you, or someone, explain that? Once I understand the scenarios we are trying to cover, I can come back and answer your question.

There are two cases we have considered where PCP clients may send authenticated PCP requests:

(1) Cases where the client sends an unauthenticated request and is told that authentication is required, so it retries with an authenticated request.  

(2) Cases where the client initially attempts to send an authenticated request.

In the first case, the PCP Server will (we hope :-)) not return the "authentication required" error if it doesn't actually support authentication.  But, in the second case, a client may try to send an authenticated request to a PCP Server that does not support authentication.  Obviously, an error will result, but we want to be certain that the error can be properly detected and returned to the user, so that the user can understand what went wrong.

Margaret