Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with DISCUSS)
Dave Thaler <dthaler@microsoft.com> Fri, 10 July 2015 19:52 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A72A1B2AB9; Fri, 10 Jul 2015 12:52:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.902
X-Spam-Level:
X-Spam-Status: No, score=-101.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3uSU4JsUohT; Fri, 10 Jul 2015 12:52:07 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0111.outbound.protection.outlook.com [65.55.169.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2202E1B2ABB; Fri, 10 Jul 2015 12:52:07 -0700 (PDT)
Received: from BY2PR03MB412.namprd03.prod.outlook.com (10.141.141.25) by BY2PR03MB411.namprd03.prod.outlook.com (10.141.141.22) with Microsoft SMTP Server (TLS) id 15.1.213.10; Fri, 10 Jul 2015 19:52:05 +0000
Received: from BY2PR03MB412.namprd03.prod.outlook.com ([10.141.141.25]) by BY2PR03MB412.namprd03.prod.outlook.com ([10.141.141.25]) with mapi id 15.01.0213.000; Fri, 10 Jul 2015 19:52:04 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "pcp@ietf.org" <pcp@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with DISCUSS)
Thread-Index: AQHQukG5kzVNbdMq8UqdWBoefEjPaZ3TE+6AgAADkgCAAARWgIABclQAgACQ6BA=
Date: Fri, 10 Jul 2015 19:52:04 +0000
Message-ID: <BY2PR03MB41285FF697DDECD758C68E9A39F0@BY2PR03MB412.namprd03.prod.outlook.com>
References: <20150709113220.17494.888.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B933005359436@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <559E6722.7000504@cs.tcd.ie> <787AE7BB302AE849A7480A190F8B9330053594DD@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <559E6E60.8080405@cs.tcd.ie> <787AE7BB302AE849A7480A190F8B93300535959B@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93300535A11B@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93300535A11B@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: orange.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e0:ee43::3]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB411; 5:Y/zfB+xWlAekBMS43D5HcYmuWF7aOPrIfmlV3PbRzjgzfLqCrkPNOep2X3NKBXDbxeoSL7CMcrcxPXkTilW2k0fk5H6SzU7k9RWv5fjubITRXuma37p6resiodvaZj2qU8dGbo5LNW3hQ5BnnIVwdw==; 24:9d9tiqGm5ifH90Kvw2PNPePooFA0T6ytf32CX/cry3lGUf9QAAcMUDXGpExrrCagY3lhPo98SBcUGDHY4Gw6/mgnjYfDl9nFGTK+RH8S7jo=; 20:GpcKexjkI2EZoB7ff5x0XxB9A9+KPg9Lr7PFca0+26z+oJ6wwCgI3Hli4Z7bSxExQS5z72KjGCSO9MFJE+rZEQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB411;
by2pr03mb411: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BY2PR03MB411CA568A80457844E0B221A39F0@BY2PR03MB411.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB411; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB411;
x-forefront-prvs: 06339BAE63
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(479174004)(24454002)(76576001)(77156002)(93886004)(74316001)(62966003)(54356999)(40100003)(50986999)(1720100001)(76176999)(46102003)(2950100001)(33656002)(2900100001)(15975445007)(102836002)(77096005)(86612001)(122556002)(2501003)(19580395003)(19580405001)(87936001)(189998001)(230783001)(5002640100001)(5001960100002)(5001770100001)(5003600100002)(99286002)(106116001)(92566002)(86362001)(2656002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB411; H:BY2PR03MB412.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2015 19:52:04.4908 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB411
Archived-At: <http://mailarchive.ietf.org/arch/msg/pcp/gxI5Xuld49B1hdV65l1U2Gk_NgQ>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with DISCUSS)
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 19:52:10 -0000
I agree with the proposed text and in my opinion it accurately reflects existing WG consensus. Dave (as doc shepherd) > -----Original Message----- > From: pcp [mailto:pcp-bounces@ietf.org] On Behalf Of > mohamed.boucadair@orange.com > Sent: Friday, July 10, 2015 4:13 AM > To: pcp@ietf.org; The IESG > Cc: Stephen Farrell > Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with > DISCUSS) > > Dear all, > > Below a text that I suggested offline to Stephen: > > This document assumes a hop-by-hop PCP authentication scheme. That > is, in reference to Figure 1, the left-most PCP client authenticates > with the PCP Proxy, while the PCP Proxy authenticates with the > upstream server. Note that in some deployments, PCP authentication > may only be enabled between the PCP Proxy and an upstream PCP server > (e.g., a customer premises host may not authenticate with the PCP > Proxy but the PCP Proxy may authenticate with the PCP server). The > hop-by-hop authentication scheme is more suitable from a deployment > standpoint. Furthermore, it allows to easily support a PCP Proxy > that alters PCP messages (e.g., strip a PCP option, modify a PCP > field, etc.). > > Unless there is an objection from the WG, this text will be integrated in the > draft. > > Cheers, > Med > > > -----Message d'origine----- > > De : pcp [mailto:pcp-bounces@ietf.org] De la part de > > mohamed.boucadair@orange.com Envoyé : jeudi 9 juillet 2015 15:07 À : > > Stephen Farrell; The IESG Cc : pcp@ietf.org Objet : Re: [pcp] Stephen > > Farrell's Discuss on draft-ietf-pcp-proxy-08: > > (with DISCUSS) > > > > Re-, > > > > Please see inline. > > > > Cheers, > > Med > > > > > -----Message d'origine----- > > > De : Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > > > Envoyé : jeudi 9 juillet 2015 14:52 > > > À : BOUCADAIR Mohamed IMT/OLN; The IESG Cc : pcp@ietf.org Objet : > > > Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: > > > (with DISCUSS) > > > > > > > > > Hiya. > > > > > > On 09/07/15 13:38, mohamed.boucadair@orange.com wrote: > > > > Re-, > > > > > > > > Both modes you mentioned may be envisaged... > > > > > > Right. But I think there's no way to support both (as of now at > > > least), is that correct? (I'm not asking that both be supported - > > > it's probably over complex for the benefits one could get.) > > > > > > > [Med] I don't have an answer to this question. I will leave it to the > > PCP auth draft authors. > > > > > > but in term of > > > > requirements the wg discussed mainly the case where the left-most > > > > client authenticates with the middle server and the case where the > > > > left-most client does not even authenticate (but still the proxy > > > > authenticate to the upstream server). > > > > > > So that's a credible answer. I do think it ought be stated in this > > > document though as it rules out a few things that one could > > > otherwise have done if the leftmost client could be authenticated to > > > the rightmost server. I'm not saying the WG should have chosen any > > > of the particular answers there btw, but just that it needs to be > > > clear, here. > > > > > > > [Med] I would prefer if this is included in the PCP auth draft to be > > consist with slide 4 of > > http://www.ietf.org/proceedings/87/slides/slides- > > 87-pcp-2.pdf. > > > > > > > > > > The PCP auth draft says the following: > > > > > > Ah thanks. Sorry for missing/forgetting that. Too much too-quick > > > reading;-) > > > > > > > > > > > When a PCP proxy is located between a PCP server and PCP clients, > > > > the proxy may perform authentication with the PCP server before it > > > > processes requests from the clients. In addition, > > > > re-authentication between the PCP proxy and PCP server will not > > > > interrupt the service that the proxy provides to the clients since > > > > the proxy is still allowed to send common PCP messages to the PCP > > > > server during that period. > > > > > > Ok. So that doesn't quite preclude the leftmost client > > > authenticating to the rightmost server though. Shouldn't it? > > > > [Med] Yes, it does not preclude it. I don't have an opinion whether it > > should preclude it or not. > > > > > > > > Cheers, > > > S. > > > > > > > > > > > Cheers, Med > > > > > > > >> -----Message d'origine----- De : Stephen Farrell > > > >> [mailto:stephen.farrell@cs.tcd.ie] Envoyé : jeudi 9 juillet 2015 > > > >> 14:21 À : BOUCADAIR Mohamed IMT/OLN; The IESG Cc : pcp@ietf.org > > > >> Objet : Re: [pcp] Stephen Farrell's Discuss on > > > >> draft-ietf-pcp-proxy-08: (with DISCUSS) > > > >> > > > >> > > > >> Hi Med, > > > >> > > > >> On 09/07/15 12:58, mohamed.boucadair@orange.com wrote: > > > >>> Hi Stephen, > > > >>> > > > >>> FWIW, the document does not include any discussion about > > > >>> authentication as per slide 4 of > > > >>> http://www.ietf.org/proceedings/87/slides/slides-87-pcp-2.pdf. > > > >>> Those aspects are out of scope of this document; implication > > > >>> assessment is supposed to be in the PCP auth draft. > > > >> > > > >> Well, I don't believe the PCP auth draft says anything about PCP > > > >> proxies does it? > > > >> > > > >> But I'm not asking about where/how we document stuff but rather > > > >> about how it is supposed to work. > > > >> > > > >>> > > > >>> The answer to your question is in slide 3 > > > >>> (https://www.ietf.org/proceedings/87/slides/slides-87-pcp-6.pdf). > > > >> > > > >> > > > >>> > > > Sorry, I don't get an answer to my question from that, can > > > >> you explain? > > > >> > > > >> Ta, S. > > > >> > > > >> > > > >>> > > > >>> Cheers, Med > > > >>> > > > >>>> -----Message d'origine----- De : pcp > > > >>>> [mailto:pcp-bounces@ietf.org] De la part de Stephen Farrell > > > >>>> Envoyé : jeudi 9 juillet 2015 13:32 À : The IESG Cc : > > > >>>> pcp@ietf.org Objet : [pcp] Stephen Farrell's Discuss on > > > >>>> draft-ietf-pcp-proxy-08: (with DISCUSS) > > > >>>> > > > >>>> Stephen Farrell has entered the following ballot position for > > > >>>> draft-ietf-pcp-proxy-08: Discuss > > > >>>> > > > >>>> When responding, please keep the subject line intact and reply > > > >>>> to all email addresses included in the To and CC lines. (Feel > > > >>>> free to cut this introductory paragraph, however.) > > > >>>> > > > >>>> > > > >>>> Please refer to > > > >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for > > > >>>> more information about IESG DISCUSS and COMMENT positions. > > > >>>> > > > >>>> > > > >>>> The document, along with other ballot positions, can be found > > > >>>> here: https://datatracker.ietf.org/doc/draft-ietf-pcp-proxy/ > > > >>>> > > > >>>> > > > >>>> > > > >>>> --------------------------------------------------------------- > > > >>>> ---- > > -- > > > - > > > >>>> > > > >>>> > > > >> > > > >>>> > > > DISCUSS: > > > >>>> --------------------------------------------------------------- > > > >>>> ---- > > -- > > > - > > > >>>> > > > >>>> > > > >>>> > > > >>>> > > > >> > > > >>>> > > > I have one thing I'd like to check. Maybe this just works fine, > > > >>>> but how does this function work with PCP authentication? E.g. > > > >>>> in Figure 1, is the left-most client authenticating to the > > > >>>> middle or rightmost server? I think I could imagine either > > > >>>> answer being desirable and don't see a way that both could be > > > >>>> supported. > > > >>>> > > > >>>> > > > >>>> > > > >>>> > > > >>>> _______________________________________________ pcp mailing > > > >>>> list pcp@ietf.org https://www.ietf.org/mailman/listinfo/pcp > > _______________________________________________ > > pcp mailing list > > pcp@ietf.org > > https://www.ietf.org/mailman/listinfo/pcp > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp
- [pcp] Stephen Farrell's Discuss on draft-ietf-pcp… Stephen Farrell
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… mohamed.boucadair
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… Stephen Farrell
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… mohamed.boucadair
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… Stephen Farrell
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… mohamed.boucadair
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… mohamed.boucadair
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… 🔓Dan Wing
- Re: [pcp] Stephen Farrell's Discuss on draft-ietf… Dave Thaler