IETF Logo Mail Archive

Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)

"Prashanth Patil (praspati)" <praspati@cisco.com> Wed, 17 July 2013 07:46 UTC

Return-Path: <praspati@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D938D21F9CA6 for <pcp@ietfa.amsl.com>; Wed, 17 Jul 2013 00:46:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 56myKOJ0M2xL for <pcp@ietfa.amsl.com>; Wed, 17 Jul 2013 00:46:26 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id EFD6221F88DB for <pcp@ietf.org>; Wed, 17 Jul 2013 00:46:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13839; q=dns/txt; s=iport; t=1374047169; x=1375256769; h=from:to:cc:subject:date:message-id:in-reply-to: mime-version; bh=QaiXiMviWrCTzIp0tLI6Ibh2MJMQtV+0vDhDy5udGlk=; b=b5/dUIyw/7dY88Mp+MMfPnh9cLAyHp/IwiHmFsJSUVhBm9kH4pE1Y0UO P1QNGXIn73S0j4jeFWg8Aw7qc+wc43+p9D8tttJmIcs+DtdR0XpWdijG2 qbZmcdPkcEPx/aarLiT4qcawCDVxDT45hftyDzvK7dORkZ3vmhv0uOutC k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqwFAHJK5lGtJXG+/2dsb2JhbABagkJENE+EJIFDtA6IPYEOFnSCIwEBAQQBAQFrCwwGAQgRBAEBCx0uCxQJCAIEDgUIE4d1DLVFjz0tBAcGgwZuA4FNlziQJIE1gV2BaiQa
X-IronPort-AV: E=Sophos; i="4.89,682,1367971200"; d="scan'208,217"; a="235828774"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-6.cisco.com with ESMTP; 17 Jul 2013 07:46:08 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by rcdn-core2-3.cisco.com (8.14.5/8.14.5) with ESMTP id r6H7k8R1021245 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 17 Jul 2013 07:46:08 GMT
Received: from xmb-rcd-x07.cisco.com ([169.254.7.39]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.02.0318.004; Wed, 17 Jul 2013 02:46:07 -0500
From: "Prashanth Patil (praspati)" <praspati@cisco.com>
To: Alper Yegin <alper.yegin@yegin.org>
Thread-Topic: Proxy security (was Re: [pcp] CONSENSUS CALL on PCP security)
Thread-Index: AQHOgrppRoLDRvF29kml+aCL0HDhsJlpLe+A
Date: Wed, 17 Jul 2013 07:46:07 +0000
Message-ID: <B235506D63D65E43B2E40FD27715372E1CE3238D@xmb-rcd-x07.cisco.com>
In-Reply-To: <758747A2-EB6E-4581-BDE3-DD7798A77EDF@yegin.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [173.39.67.75]
Content-Type: multipart/alternative; boundary="_000_B235506D63D65E43B2E40FD27715372E1CE3238Dxmbrcdx07ciscoc_"
MIME-Version: 1.0
Cc: "pcp@ietf.org" <pcp@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Subject: Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 07:46:32 -0000

Hi Alper,

On 17/07/13 12:23 PM, "Alper Yegin" <alper.yegin@yegin.org<mailto:alper.yegin@yegin.org>> wrote:

Hi Prashanth,


I'm not sure if enough thought went into the PCP Proxy security. As much as I'd love to be DONE! with this discussion, I also want to make sure people feel comfortable having thought all aspects around the proxy use. For (very important) example, what kind of security associations are needed for securing the proxy use: An SA btw client and server, an SA btw client and proxy, an SA btw proxy and server -- which combinations of these are needed?

We've included this in the updated version of auth req:

REQ-9: A PCP proxy that modifies PCP messages SHOULD have the
ability to independently authenticate with the PCP client and PCP
server. The presence of a PCP proxy hence requires two separately
authenticates SAs. As a consequence, the PCP proxy:

A. MUST be able to validate message integrity of PCP messages
from the PCP server and client respectively.

B. MUST be able to ensure message integrity after updating the
PCP message for cases described in sections 6 of ietf-pcp-proxy.

The PCP proxy MUST also permit authentication on only one side of
the proxy. For example, a customer premises host may not
authenticate with the PCP proxy but the PCP proxy may authenticate
with the PCP server.



So:

- We have two types of SAs. One between the client and the proxy, another between the proxy and the server.
- None of them are mandatory to use.

PRA: Yes, none of them are mandatory, it's currently the prerogative of the server to mandate authentication. The proxy MUST be able authenticate with either client or server or both.

For each one that needs to be used, we need to perform authentication between the end-points.
(e.g., between client and proxy).

So, in a way, we are dealing with security in two independent parts; client to proxy, and proxy to server.
They are totally segregated from security perspective.

Right?

PRA: Right. As far as the client is concerned, the proxy is the PCP server. The proxy is in turn a client to the upstream PCP server. The two parts should be independent of each other.

Hmm, one thing: The server may need to know the authenticated ID of the client. Since it's not part of the client authentication, it won't know that value readily. So, we may need to define an option to carry that piece of information from the proxy to the server.

PRA: May be, but don’t know why the server would want to know the auth-id of a client.

-Prashanth

Alper




-Prashanth

Then we need to talk about how we dynamically create those using any one of these solutions.

Alper





On Jul 16, 2013, at 7:50 PM, Dave Thaler wrote:

-----Original Message-----
From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
Sent: Monday, July 15, 2013 10:51 PM
To: Dave Thaler; pcp@ietf.org<mailto:pcp@ietf.org>
Subject: RE: [pcp] CONSENSUS CALL on PCP security
Hi Dave,
In the poll when you refer to PANA, please clarify the draft you are referring
to http://tools.ietf.org/html/draft-ohba-pcp-pana-04 or
http://tools.ietf.org/html/draft-ohba-pcp-pana-encap-01 ?
--Tiru.
The question is intentionally agnostic as this is about a general approach,
not which specific implementation.  If it helps, you can interpret the
answer as "which of the two you think is better".
If the consensus is PANA rather than direct EAP-in-PCP, then we could
ask as a follow-up question which of the two we should go with. If
you'd like to include your answer to that now though, feel free to
include that in your response to the call.
-Dave
_______________________________________________
pcp mailing list
pcp@ietf.org<mailto:pcp@ietf.org>
https://www.ietf.org/mailman/listinfo/pcp

_______________________________________________
pcp mailing list
pcp@ietf.org<mailto:pcp@ietf.org>
https://www.ietf.org/mailman/listinfo/pcp

v2.23.0 | Report a Bug | By Email