Re: [pcp] Comparison of PCP authentication

Margaret Wasserman <margaretw42@gmail.com> Thu, 16 August 2012 12:53 UTC


Hi Yoshi,

I thought the point of running PANA over/beside PCP, instead of using a PCP-specific mechanism, was that the PCP Server could hand the PANA request to a separate PANA server for processing, just like a PANA Relay would hand off a PANA request to a PANA Server.

How will that PANA Server (the one that receives the PANA request from the PCP Server, presumably on the PANA port) know that the request is coming from a PCP Server and concerns PCP access, and that it isn't a network access request from a regular PANA PaC or Relay?  I think it is pretty important that we not set up a situation where a PANA server could think that it is authorizing network access while it is actually authorizing PCP requests, don't you?

Margaret


On Aug 16, 2012, at 8:45 AM, Yoshihiro Ohba wrote:

> Hi Margaret,
> 
> In my opinion, PANA should be dedicated to PCP authentication in both
> cases where PANA runs over PCP port.
> 
> In other words, we can say that PANA is used for network access
> authentication only when PANA operates over PANA port, regardless of
> whether the same or different credentials are used for PCP
> authentication and network access authentication.
> 
> Yoshihiro Ohba
> 
> (2012/08/16 20:41), Margaret Wasserman wrote:
>> 
>> Hi Yoshi,
>> 
>> On Aug 15, 2012, at 11:41 PM, Yoshihiro Ohba wrote:
>> 
>>> Here is a brief comparison on both PANA-based schemes:
>>> 
>>> Encapsulation/tunneling approach:
>>> - Pros: No impact on PANA specification
>>> - Cons: Encapsulation overhead
>>> 
>>> Demultiplexing/port-sharing approach:
>>> - Pros: No encapsulation overhead
>>> - Cons: Impact on PANA specification (an Update of RFC 5191 is needed
>>> on the use of "Reserved" field.)
>> 
>> In both cases, I think there is an open question (raised by me regarding your draft) of whether we want to modify PANA so that the server will know that it is performing PCP authentication vs. network access authentication.  I think this could be important, if we want a single PANA server to be able to serve both purposes in a small network.  It is possible that the credentials/criteria used to authenticate a node for PCP will be different from those for network access, isn't it?
>> 
>> Margaret
>> 