Re: [pcp] PANA implementatinos to consider

[Alper Yegin <alper.yegin@yegin.org>]

Hi Margaret,

Your below questions are implementation specific. 
Let me answer them to describe how this can be implemented in one way. Certainly there are other ways to implement them.

> 
> On Sep 14, 2012, at 2:52 AM, Alper Yegin wrote:
>> As for the implementation complexity, I don't quite understand why PANA (which is basically EAP over UDP) would ever be more complicated then to-be-designed "EAP over UDP within PCP framework". While I don't see a reason for former being more complicated, I see reasons for seeing the latter being more complicated, as the whole thing now needs to live within another protocol framework (read: format, flow, state machine harmonization between the two).
> 
> I don't understand how you get away from coupling PANA and PCP, even in the demultiplexing case where they run side-by-side on the same port.  I think a number of details are being glossed over in your latest document when you refer to a need for an "API" between PANA and PCP…
> 

Association or binding of state between PANA and PCP is common on both.
But there are different degrees of "coupling". Or where you couple them. Are we coupling the state generated/maintained between the two, or are we coupling the protocols themselves.

You could say, a host configures a care-of address using DHCP, and uses that IP address with Mobile IP, hence DHCP and Mobile IP are coupled.
Or, you could invent carrying DHCP over Mobile IP, and call that coupling too.

Another more relevant example: Running IKE for IPsec, or running IKE over IPsec (however you do it).


> Let's start with a simple case where the PCP Client wants to initiate and authenticated PCP request...
> 
> The Client needs to ask the PANA Client to initiate authentication.  How?  

PCP software triggers the PaC to perform authentication. 
Like how IKE gets triggered when IPsec SA needs to be setup.


> Will that request include any details about the mapping request that is being made?  i.e. will the PANA Client be asking for authentication _and authorization_ to perform a particular action?  Or do we assume that a PCP client is authenticated via PANA, and that authorization for a particular action is a separate step that is performed as part of PCP?  If they are separate, do we need a new set of PCP error codes for the situation where an authenticated PCP client performs an unauthorized action, or is that already covered in the PCP spec?


That trigger I mentioned above will include two pieces of information: 1. Indication that this is an auth/authz for PCP, 2. IP address of the PAA (which is same as the PCP server).


> When the PCP Client asks the PANA Client to perform authentication, what are the possible results that can be returned from that request, and how are they communicated back to the PCP Client?  You have only described the success case in your document.

PANA already generates success and failure results. This result will be conveyed to the PCP client via the API.
If the result is success, also the PCP_AUTH_KEY and PANA Session ID and PANA Key ID need to be passed via that interface. 



> 
> How does this work in the case where the PCP Server is not running a PANA Server?  I _think_ that if a PCP Client asks its PANA Client to perform authentication, and the PCP Server does support authentication, some sort of "unsupported version" error code will be returned to the _PCP Client_ (due to the details of your proposed demultiplexing scheme), and that nothing will be returned to the PANA Client, at all.  We would need to make sure that secure PCP clients are specified to handle an "unsupported version" error differently when the PANA Client is in this particular state, but how does the PCP Client know that this is why that error was returned?  If this does happen, how does the PCP client inform the PANA Client that it should stop trying to perform authentication with that particular PCP Server?  
> 

I'd like to first understand how the client-side decides when to use authentication, and when not to?
Can you, or someone, explain that? Once I understand the scenarios we are trying to cover, I can come back and answer your question.


> Also, how does the PCP Client know when the _PCP Server_ is ready to receive its request?  Are we assuming that the PANA Server will not return an indication to the PANA Client that the client has been authenticated until _after_ it has provisioned the necessary SA on the PANA Server?  
> 

The order of events is:

1. PANA is executed
2. PaC provides the results to the PCP client
3. PCP client contacts PCP server, using  authentication tag generated with the SA from step 2.
4. Upon encountering new SA, PCP server contacts the PAA to obtain the matching parameters (or, the PAA had already pushed those params to PCP server after 1. These are different implementation choices…..)



> What if an additional application on the same PCP Client system wants to perform an authenticated request with the same PCP Server in the meantime?  Will that second request result in a second (interleaved) PANA negotiation, or will the PCP Client be told that a PANA negotiation is already pending?  If the latter, how will the second PCP Client thread by informed when the PANA negotiation has completed?  (Note:  The right answer here depends heavily on whether the PANA authentication depends, in any way, on the contents of a specific PCP request -- the authentication vs. authentication/authorization question above).
> 

Second API call can be told that there is already an ongoing authentication and wait for the result.
Or, maybe it says "OK" but does not generate a second PANA session because the same PANA session (or, more specifically the security association generated by it) can be used with both PCP requests.


> All of these questions will need to be answered, IMO, in a full specification of the PCP/PANA demultiplexing mechanism, precisely _because_ PCP and PANA are running separately.  

Errr, I don't think so. None of these are impacting the over-the-wire behavior (i.e., the "protocol"), but they are all about implementation -- not something we need to put in the protocol specs. 


If we were to use EAP over PCP, do you think we need to define how EAP methods interface with EAP which interfaces with PCP. How one triggers the other and gets the results back. I don't think so. 



> The "API" is where this coupling is provided between the two "state machines", as you refer to them.  Why is this any simpler if PANA and PCP are running side-by side than if we run PANA encapsulated in PCP?  (or, if we run PCP directly over EAP, for that matter)
> 


Please see the top part about my "coupling" response. 

If you run two protocols side by side, you point how one can trigger the other. And ideally, triggers target meaningful states. E.g., one protocol triggers other to run, and at the end of execution the result is returned (PCP triggers PANA to execute).
If you run one protocol inside another, then you have to nest their state machines, and unless you are purely lucky, that cannot work automatically w/o aligning their state machines. (Like I said, PANA state machine is designed the way it is in accordance with the EAP state machine.)

Alper










> Margaret
> 
>