Re: [pcp] Comparison of PCP authentication
"Dan Wing" <dwing@cisco.com> Mon, 06 August 2012 21:19 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70A1F21E8082 for <pcp@ietfa.amsl.com>; Mon, 6 Aug 2012 14:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.191
X-Spam-Level:
X-Spam-Status: No, score=-110.191 tagged_above=-999 required=5 tests=[AWL=-0.192, BAYES_00=-2.599, J_CHICKENPOX_53=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hRmCU70I2JY for <pcp@ietfa.amsl.com>; Mon, 6 Aug 2012 14:19:04 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com [173.36.130.12]) by ietfa.amsl.com (Postfix) with ESMTP id 681D121E804D for <pcp@ietf.org>; Mon, 6 Aug 2012 14:19:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=9139; q=dns/txt; s=iport; t=1344287944; x=1345497544; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=eQ64rywq1gp3hlTudeJzRgYXs8c/cdYoGczAO3U2/X4=; b=Tg5XBw/+ozVMuVfssLfVotPItVRW/KqqmYBaQuKbp6NPJyEhCIg75Lyc TRJ4ZuguxsJ0O3vcOl1eeW6QhBwTilH/Ct87x7sBFiOz5Ltc76EVerDss mx0iOe7GPINX5JJ4gI9ccCz2cKeNZlCqCky87JBOoRw0DsNrDvKlGJ/v6 I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAPMzIFCrRDoH/2dsb2JhbABFqhKPNoEHgiABAQEDAQEBAQUKARcQMgIIAwUHAQMCCQ4BAgQBAQEnBxkOFQoJCAEBBAESCQIQB4dlBQybCI1jkkOLSocEA4hNhQ2JA40SgWaCfw
X-IronPort-AV: E=Sophos;i="4.77,720,1336348800"; d="scan'208";a="51150360"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-1.cisco.com with ESMTP; 06 Aug 2012 21:19:01 +0000
Received: from dwingWS (sjc-vpn3-793.cisco.com [10.21.67.25]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id q76LJ1Ux002133; Mon, 6 Aug 2012 21:19:01 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Margaret Wasserman' <mrw@lilacglade.org>, 'Alper Yegin' <alper.yegin@yegin.org>
References: <9B57C850BB53634CACEC56EF4853FF653B6EC381@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <7FE144CF-00E3-4451-8CBE-A6A684DB7CC4@yegin.org> <067d01cd73fd$765a6c50$630f44f0$@com> <D6D2DEED-C35A-45AB-8B72-96195C308DB9@yegin.org> <57FF0F8E-1B86-410F-8B6B-C4893A28222F@lilacglade.org>
In-Reply-To: <57FF0F8E-1B86-410F-8B6B-C4893A28222F@lilacglade.org>
Date: Mon, 06 Aug 2012 14:19:00 -0700
Message-ID: <075301cd7419$19557dd0$4c007970$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac10DnhIECfuuNknRVyqZBU7iOOwuwACmqDw
Content-Language: en-us
Cc: pcp@ietf.org
Subject: Re: [pcp] Comparison of PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 21:19:05 -0000
> -----Original Message----- > From: Margaret Wasserman [mailto:mrw@lilacglade.org] > Sent: Monday, August 06, 2012 1:03 PM > To: Alper Yegin > Cc: Dan Wing; pcp@ietf.org > Subject: Re: [pcp] Comparison of PCP authentication > > > Hi Alper, > > Thanks for your help with this! While it would work to demultiplex on > the first byte, as you indicate, there is a bit more to defining a > demultiplexing solution than this... > > Since this is UDP, there is nothing that inherently binds the PANA > authentication to a particular (set of) PCP request(s). So, we will > need to make sure that the information passed in the authentication > option is sufficient for the sever to securely determine that the > client sending a the PCP request is the same client that initiated the > PANA exchange and vice versa, just as we would need to do if PANA and > PCP were run on separate ports. I don't think this will be difficult, > we just need to make sure that we achieve it. > > Do you know what existing PANA implementations will do if the > "Reserved" field at the start of the packet is non-zero? Also, if an update to PANA allows 0b00000010 in that first octet, we will have a problem. It would be safer if we assign the last two bits in that first octet of PANA to must-be-zero. Perhaps via an Errata against the PANA spec, if we decide this is the best solution. > We should also consider the trade-offs between a demultiplexing > approach (which allows us to run PANA and PCP separately over a single > port), and an encapsulation approach (PANA encapsulated in PCP). A > demultiplexing approach is somewhat cleaner, in that we can process the > whole message as a PANA or PCP message. But, the encapsulation > approach would allow us to gain some optimization by piggy-backing the > first (and possibly the final?) messages of the PANA exchange in the > original PCP request (and response?) to cut down on the number of > messages needed to create a secure mapping. How many messages are we talking about (5?), and how much reduction could we see (reduction from 5 to 3??). > Since the PCP exchange may > happen as part of client connection set-up (while a user is waiting), > cutting down on the number of messages exchanged could be valuable. > > As discussed at the PCP meeting in Vancouver, we will be writing up > both of these approaches soon, for further discussion on an interim > phone call. Looking forward to that. -d > Margaret > > > On Aug 6, 2012, at 3:43 PM, Alper Yegin wrote: > > > > PANA: > > > 0 1 2 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 > 1 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+ > | Reserved | Message Length > | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+ > | Flags | Message Type > | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+ > | Session Identifier > | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+ > | Sequence Number > | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+ > | AVPs ... > +-+-+-+-+-+-+-+-+-+-+-+-+- > > > Reserved > > This 16-bit field is reserved for future use. It MUST be > set to > zero and ignored by the receiver. > > > > > PCP: > > > 0 1 2 > 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 > 0 1 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+-+ > | Version = 2 |R| Opcode | Reserved > | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+-+ > | Requested Lifetime (32 bits) > | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+-+ > | > | > | PCP Client's IP Address (128 bits) > | > | > | > | > | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+-+ > : > : > : (optional) Opcode-specific information > : > : > : > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+-+ > : > : > : (optional) PCP Options > : > : > : > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+-+ > > > First octet can be used for demux'ing. > > Alper > > > > > > On Aug 6, 2012, at 9:01 PM, Dan Wing wrote: > > > -----Original Message----- > > > From: pcp-bounces@ietf.org [mailto:pcp- > bounces@ietf.org] On Behalf Of > > > Alper Yegin > > > Sent: Thursday, August 02, 2012 2:31 PM > > > To: pcp@ietf.org > > > Subject: [pcp] Comparison of PCP authentication > > > > http://www.ietf.org/proceedings/84/slides/slides-84- > pcp-10.pdf > > > > Ah, isn't it odd that this beauty contest is run by > one of the > > > contestants? This material should have been prepared > and presented by a > > > neutral party. > > > > One important question: With this proposal, are the > authors advocating > > > each protocol should come with their own in-band key > management, more > > > specifically embedding an EAP transport? > > > > > what's the big deal of using the same port vs > different port? Is > > > jamming all in the same port is a benefit? > > > > "TLS is in-band" > > > > - There's standalone use of TLS as "a separate" KMP. > RFC 5705 is driven > > > by the fact that some other protocols need to use TLS > as a "separate > > > KMP". > > > - TLS is basically "transport layer security", > something that sits > > > below the protocol one would be trying to secure. We > are not doing > > > that. > > > > To throw another TLS thing into the mix: > > DTLS-SRTP [RFC5764] uses the (D)TLS handshake to encrypt > SRTP and is > pretty well aligned with what we want for PCP -- we want a > key > exchange and then run the PCP protocol natively. DTLS-SRTP > has a > normal DTLS handshake, followed by SRTP packets that appear > normal > on the wire (that is, the packets are RFC3711 packets which > have > their RTP headers in the clear). It does this over the > same socket, > because the first byte indicates if the packet is DTLS, > SRTP, or > STUN (ICE), http://tools.ietf.org/html/rfc5764#section- > 5.1.2. > > At the meeting, I suggested we consider if PANA and PCP > could > be similarly demux'd. Stuart suggested using some sort of > GRE- > like header if they cannot be demux'd. Either approach > would > eliminate one of the objections of PANA, specifically its > use > of a separate port. > > -d > > > > > > are the EAP and PCP state machines compatible? > If marrying two > > > protocols, one needs to pay attention to this. This > was one of the > > > reasons why EAPoDHCP did not work. > > > > Does the EAP-over-PCP satisfy the "EAP lower > layer requirements" as > > > stated in RFC 3848? I had asked this question but > don't remember seeing > > > any response. > > > > "Possible in-band optimization". Is this > documented anywhere? It's > > > not easy to understand how it works by looking at > this slide. > > > > PANA RFC 5191 was published in 2008, not 2011. > It's adopted by Zigbee > > > IP, ETSI TISPAN, and also ETSI M2M. Aside from two > open-source > > > implementations, multiple commercial implementations > have successfully > > > passed interop events in Zigbee Alliance. > > > > > > * Need to specify the portions of PANA that don't > need to be > > > implemented > > > > in a PCP PANA Client and Server (such as IP Address > > > reconfiguration) > > > > > >> this is just a single bit flag. We don't use it, > and that's > > > all we need to do about it. > > > * Need to specify/describe interface between PANA and > PCP elements > > > > >> this is an implementation issue, like how the > other spec > > > implementors would need to define the interface > between the EAP and PCP > > > for passing keys, etc. > > > > * Need to specify how the PANA client finds the > correct PANA Server > > > for PCP Authentication (may be passed from PCP > client?) > > > > >> PCP server the the PAA are the same node. > > > > > > > > > > > > > > > > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp > >
- [pcp] Reminder: submit IETF 84 PCP agenda requests Dave Thaler
- Re: [pcp] Reminder: submit IETF 84 PCP agenda req… Xiaohong Deng
- [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication james woodyatt
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- [pcp] single port PANA+PCP Alper Yegin
- Re: [pcp] single port PANA+PCP Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] single port PANA+PCP Alper Yegin
- Re: [pcp] single port PANA+PCP Dan Wing
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] single port PANA+PCP Dan Wing
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Dan Wing
- Re: [pcp] single port PANA+PCP Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] Comparison of PCP authentication Margaret Wasserman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- [pcp] channel binding (was Re: Comparison of PCP … Alper Yegin
- [pcp] PANA and PCP port sharing (was Re: Comparis… Alper Yegin
- Re: [pcp] Comparison of PCP authentication Sam Hartman
- Re: [pcp] channel binding Sam Hartman
- Re: [pcp] Comparison of PCP authentication Yoshihiro Ohba
- Re: [pcp] channel binding Alper Yegin
- Re: [pcp] Comparison of PCP authentication Alper Yegin
- Re: [pcp] Comparison of PCP authentication Zhangdacheng (Dacheng)
- [pcp] Fwd: Comparison of PCP authentication Subir Das
- Re: [pcp] Fwd: Comparison of PCP authentication Dan Wing
- Re: [pcp] Fwd: Comparison of PCP authentication Subir Das
- Re: [pcp] Fwd: Comparison of PCP authentication Sam Hartman