Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with DISCUSS)
Dan Wing <dwing@cisco.com> Fri, 10 July 2015 14:31 UTC
From: Dan Wing <dwing@cisco.com>
Date: Fri, 10 Jul 2015 07:29:54 -0700
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pcp/aFl3207-8PwAkrmgvCkoohEqTG0>
Cc: "pcp@ietf.org" <pcp@ietf.org>, The IESG <iesg@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with DISCUSS)

On 10-Jul-2015 04:12 am, mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> wrote:
>
> Dear all,
>
> Below a text that I suggested offline to Stephen:
>
> This document assumes a hop-by-hop PCP authentication scheme. That
> is, in reference to Figure 1, the left-most PCP client authenticates
> with the PCP Proxy, while the PCP Proxy authenticates with the
> upstream server. Note that in some deployments, PCP authentication
> may only be enabled between the PCP Proxy and an upstream PCP server
> (e.g., a customer premises host may not authenticate with the PCP
> Proxy but the PCP Proxy may authenticate with the PCP server). The
> hop-by-hop authentication scheme is more suitable from a deployment
> standpoint. Furthermore, it allows to easily support a PCP Proxy
> that alters PCP messages (e.g., strip a PCP option, modify a PCP
> field, etc.).
>
> Unless there is an objection from the WG, this text will be integrated in the draft.

Text looks good.

-d

> Cheers,
> Med
>
>> -----Original Message-----
>> From: pcp [mailto:pcp-bounces@ietf.org] On behalf of
>> mohamed.boucadair@orange.com
>> Sent: Thursday 9 July 2015 15:07
>> To: Stephen Farrell; The IESG
>> Cc: pcp@ietf.org
>> Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08:
>> (with DISCUSS)
>>
>> Re-,
>>
>> Please see inline.
>>
>> Cheers,
>> Med
>>
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>> Sent: Thursday 9 July 2015 14:52
>>> To: BOUCADAIR Mohamed IMT/OLN; The IESG
>>> Cc: pcp@ietf.org
>>> Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08:
>>> (with DISCUSS)
>>>
>>>
>>> Hiya.
>>>
>>> On 09/07/15 13:38, mohamed.boucadair@orange.com wrote:
>>>> Re-,
>>>>
>>>> Both modes you mentioned may be envisaged...
>>>
>>> Right. But I think there's no way to support both (as of
>>> now at least), is that correct? (I'm not asking that both
>>> be supported - it's probably over complex for the benefits
>>> one could get.)
>>>
>>
>> [Med] I don't have an answer to this question. I will leave it to the PCP
>> auth draft authors.
>>
>>>> but in terms of
>>>> requirements the wg discussed mainly the case where the left-most
>>>> client authenticates with the middle server and the case where the
>>>> left-most client does not even authenticate (but still the proxy
>>>> authenticates to the upstream server).
>>>
>>> So that's a credible answer. I do think it ought be stated
>>> in this document though as it rules out a few things that
>>> one could otherwise have done if the leftmost client could
>>> be authenticated to the rightmost server. I'm not saying
>>> the WG should have chosen any of the particular answers there
>>> btw, but just that it needs to be clear, here.
>>>
>>
>> [Med] I would prefer if this is included in the PCP auth draft to be
>> consistent with slide 4 of http://www.ietf.org/proceedings/87/slides/slides-87-pcp-2.pdf.
>>
>>>>
>>>> The PCP auth draft says the following:
>>>
>>> Ah thanks. Sorry for missing/forgetting that. Too much
>>> too-quick reading;-)
>>>
>>>>
>>>> When a PCP proxy is located between a PCP server and PCP clients,
>>>> the proxy may perform authentication with the PCP server before it
>>>> processes requests from the clients. In addition, re-authentication
>>>> between the PCP proxy and PCP server will not interrupt the service
>>>> that the proxy provides to the clients since the proxy is still
>>>> allowed to send common PCP messages to the PCP server during that
>>>> period.
>>>
>>> Ok. So that doesn't quite preclude the leftmost client
>>> authenticating to the rightmost server though. Shouldn't it?
>>
>> [Med] Yes, it does not preclude it. I don't have an opinion whether it
>> should preclude it or not.
>>
>>>
>>> Cheers,
>>> S.
>>>
>>>>
>>>> Cheers, Med
>>>>
>>>>> -----Original Message-----
>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>> Sent: Thursday 9 July 2015 14:21
>>>>> To: BOUCADAIR Mohamed IMT/OLN; The IESG
>>>>> Cc: pcp@ietf.org
>>>>> Subject: Re: [pcp] Stephen Farrell's Discuss on
>>>>> draft-ietf-pcp-proxy-08: (with DISCUSS)
>>>>>
>>>>>
>>>>> Hi Med,
>>>>>
>>>>> On 09/07/15 12:58, mohamed.boucadair@orange.com wrote:
>>>>>> Hi Stephen,
>>>>>>
>>>>>> FWIW, the document does not include any discussion about
>>>>>> authentication as per slide 4 of
>>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-pcp-2.pdf.
>>>>>> Those aspects are out of scope of this document; implication
>>>>>> assessment is supposed to be in the PCP auth draft.
>>>>>
>>>>> Well, I don't believe the PCP auth draft says anything about PCP
>>>>> proxies does it?
>>>>>
>>>>> But I'm not asking about where/how we document stuff but rather
>>>>> about how it is supposed to work.
>>>>>
>>>>>>
>>>>>> The answer to your question is in slide 3
>>>>>> (https://www.ietf.org/proceedings/87/slides/slides-87-pcp-6.pdf).
>>>>>
>>>>> Sorry, I don't get an answer to my question from that, can
>>>>> you explain?
>>>>>
>>>>> Ta, S.
>>>>>
>>>>>>
>>>>>> Cheers, Med
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: pcp [mailto:pcp-bounces@ietf.org] On behalf of Stephen Farrell
>>>>>>> Sent: Thursday 9 July 2015 13:32
>>>>>>> To: The IESG
>>>>>>> Cc: pcp@ietf.org
>>>>>>> Subject: [pcp] Stephen Farrell's Discuss on
>>>>>>> draft-ietf-pcp-proxy-08: (with DISCUSS)
>>>>>>>
>>>>>>> Stephen Farrell has entered the following ballot position for
>>>>>>> draft-ietf-pcp-proxy-08: Discuss
>>>>>>>
>>>>>>> When responding, please keep the subject line intact and reply
>>>>>>> to all email addresses included in the To and CC lines. (Feel
>>>>>>> free to cut this introductory paragraph, however.)
>>>>>>>
>>>>>>>
>>>>>>> Please refer to
>>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for
>>>>>>> more information about IESG DISCUSS and COMMENT positions.
>>>>>>>
>>>>>>>
>>>>>>> The document, along with other ballot positions, can be found
>>>>>>> here: https://datatracker.ietf.org/doc/draft-ietf-pcp-proxy/
>>>>>>>
>>>>>>>
>>>>>>> ----------------------------------------------------------------------
>>>>>>> DISCUSS:
>>>>>>> ----------------------------------------------------------------------
>>>>>>>
>>>>>>> I have one thing I'd like to check. Maybe this just works fine,
>>>>>>> but how does this function work with PCP authentication? E.g.
>>>>>>> in Figure 1, is the left-most client authenticating to the
>>>>>>> middle or rightmost server? I think I could imagine either
>>>>>>> answer being desirable and don't see a way that both could be
>>>>>>> supported.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> pcp mailing list
>>>>>>> pcp@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/pcp
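
The point in the proposed text that hop-by-hop authentication supports a PCP Proxy that alters messages, as an added sketch that is not part of the thread or of any PCP draft: a proxy that strips an option and rewrites a header field invalidates a client-to-server integrity tag, while a proxy that verifies and re-signs per hop does not. The message layout, option codes, keys and addresses are constructed for illustration and are not the PCP wire format or the PCP authentication mechanism.

```python
import hashlib, hmac, struct

AUTH_TAG, OPT_HINT = 0xF0, 0x81  # constructed option codes, not IANA values
K_CP, K_PS, K_CS = b"client-proxy", b"proxy-server", b"client-server"  # constructed keys
CLIENT_IP, PROXY_IP = bytes(15) + b"\x0a", bytes(15) + b"\x01"  # constructed addresses

def encode(opcode, client_ip, options):
    """Serialize two header fields plus (code, value) options as simple TLVs."""
    out = struct.pack("!B16s", opcode, client_ip)
    for code, value in options:
        out += struct.pack("!BH", code, len(value)) + value
    return out

def _mac(key, opcode, client_ip, body):
    return hmac.new(key, encode(opcode, client_ip, body), hashlib.sha256).digest()[:16]

def sign(key, opcode, client_ip, options):
    """Drop any old tag and append a fresh one covering header and options."""
    body = [(c, v) for c, v in options if c != AUTH_TAG]
    return opcode, client_ip, body + [(AUTH_TAG, _mac(key, opcode, client_ip, body))]

def verify(key, msg):
    """Accept only a message carrying exactly one tag that matches its content."""
    opcode, client_ip, options = msg
    tags = [v for c, v in options if c == AUTH_TAG]
    body = [(c, v) for c, v in options if c != AUTH_TAG]
    return len(tags) == 1 and hmac.compare_digest(tags[0], _mac(key, opcode, client_ip, body))

def proxy_alter(msg, strip):
    """The proxy's changes: rewrite the address field and strip listed options."""
    opcode, _, options = msg
    return opcode, PROXY_IP, [(c, v) for c, v in options if c not in strip]

def hop_by_hop(msg, strip):
    """Proxy checks the client's tag, alters the message, re-signs for the server."""
    if not verify(K_CP, msg):
        return None
    return sign(K_PS, *proxy_alter(msg, strip))

def demo():
    request = (1, CLIENT_IP, [(OPT_HINT, b"hint")])  # constructed request
    hbh = hop_by_hop(sign(K_CP, *request), {OPT_HINT})
    # End-to-end case: the proxy holds no key, so the client's tag is forwarded as is.
    e2e = proxy_alter(sign(K_CS, *request), {OPT_HINT})
    return verify(K_PS, hbh), verify(K_CS, e2e)

if __name__ == "__main__":
    print(demo())
```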