Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with DISCUSS)

I agree with the proposed text and in my opinion it accurately reflects
existing WG consensus.

Dave (as doc shepherd)

> -----Original Message-----
> From: pcp [mailto:pcp-bounces@ietf.org] On Behalf Of
> mohamed.boucadair@orange.com
> Sent: Friday, July 10, 2015 4:13 AM
> To: pcp@ietf.org; The IESG
> Cc: Stephen Farrell
> Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08: (with
> DISCUSS)
> 
> Dear all,
> 
> Below a text that I suggested offline to Stephen:
> 
>    This document assumes a hop-by-hop PCP authentication scheme.  That
>    is, in reference to Figure 1, the left-most PCP client authenticates
>    with the PCP Proxy, while the PCP Proxy authenticates with the
>    upstream server.  Note that in some deployments, PCP authentication
>    may only be enabled between the PCP Proxy and an upstream PCP server
>    (e.g., a customer premises host may not authenticate with the PCP
>    Proxy but the PCP Proxy may authenticate with the PCP server).  The
>    hop-by-hop authentication scheme is more suitable from a deployment
>    standpoint.  Furthermore, it allows to easily support a PCP Proxy
>    that alters PCP messages (e.g., strip a PCP option, modify a PCP
>    field, etc.).
> 
> Unless there is an objection from the WG, this text will be integrated in the
> draft.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : pcp [mailto:pcp-bounces@ietf.org] De la part de
> > mohamed.boucadair@orange.com Envoyé : jeudi 9 juillet 2015 15:07 À :
> > Stephen Farrell; The IESG Cc : pcp@ietf.org Objet : Re: [pcp] Stephen
> > Farrell's Discuss on draft-ietf-pcp-proxy-08:
> > (with DISCUSS)
> >
> > Re-,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > > Envoyé : jeudi 9 juillet 2015 14:52
> > > À : BOUCADAIR Mohamed IMT/OLN; The IESG Cc : pcp@ietf.org Objet :
> > > Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-proxy-08:
> > > (with DISCUSS)
> > >
> > >
> > > Hiya.
> > >
> > > On 09/07/15 13:38, mohamed.boucadair@orange.com wrote:
> > > > Re-,
> > > >
> > > > Both modes you mentioned may be envisaged...
> > >
> > > Right. But I think there's no way to support both (as of now at
> > > least), is that correct? (I'm not asking that both be supported -
> > > it's probably over complex for the benefits one could get.)
> > >
> >
> > [Med] I don't have an answer to this question. I will leave it to the
> > PCP auth draft authors.
> >
> > > > but in term of
> > > > requirements the wg discussed mainly the case where the left-most
> > > > client authenticates with the middle server and the case where the
> > > > left-most client does not even authenticate (but still the proxy
> > > > authenticate to the upstream server).
> > >
> > > So that's a credible answer. I do think it ought be stated in this
> > > document though as it rules out a few things that one could
> > > otherwise have done if the leftmost client could be authenticated to
> > > the rightmost server. I'm not saying the WG should have chosen any
> > > of the particular answers there btw, but just that it needs to be
> > > clear, here.
> > >
> >
> > [Med] I would prefer if this is included in the PCP auth draft to be
> > consist with slide 4 of
> > http://www.ietf.org/proceedings/87/slides/slides-
> > 87-pcp-2.pdf.
> >
> > > >
> > > > The PCP auth draft says the following:
> > >
> > > Ah thanks. Sorry for missing/forgetting that. Too much too-quick
> > > reading;-)
> > >
> > > >
> > > > When a PCP proxy is located between a PCP server and PCP clients,
> > > > the proxy may perform authentication with the PCP server before it
> > > > processes requests from the clients.  In addition,
> > > > re-authentication between the PCP proxy and PCP server will not
> > > > interrupt the service that the proxy provides to the clients since
> > > > the proxy is still allowed to send common PCP messages to the PCP
> > > > server during that period.
> > >
> > > Ok. So that doesn't quite preclude the leftmost client
> > > authenticating to the rightmost server though. Shouldn't it?
> >
> > [Med] Yes, it does not preclude it. I don't have an opinion whether it
> > should preclude it or not.
> >
> > >
> > > Cheers,
> > > S.
> > >
> > > >
> > > > Cheers, Med
> > > >
> > > >> -----Message d'origine----- De : Stephen Farrell
> > > >> [mailto:stephen.farrell@cs.tcd.ie] Envoyé : jeudi 9 juillet 2015
> > > >> 14:21 À : BOUCADAIR Mohamed IMT/OLN; The IESG Cc : pcp@ietf.org
> > > >> Objet : Re: [pcp] Stephen Farrell's Discuss on
> > > >> draft-ietf-pcp-proxy-08: (with DISCUSS)
> > > >>
> > > >>
> > > >> Hi Med,
> > > >>
> > > >> On 09/07/15 12:58, mohamed.boucadair@orange.com wrote:
> > > >>> Hi Stephen,
> > > >>>
> > > >>> FWIW, the document does not include any discussion about
> > > >>> authentication as per slide 4 of
> > > >>> http://www.ietf.org/proceedings/87/slides/slides-87-pcp-2.pdf.
> > > >>> Those aspects are out of scope of this document; implication
> > > >>> assessment is supposed to be in the PCP auth draft.
> > > >>
> > > >> Well, I don't believe the PCP auth draft says anything about PCP
> > > >> proxies does it?
> > > >>
> > > >> But I'm not asking about where/how we document stuff but rather
> > > >> about how it is supposed to work.
> > > >>
> > > >>>
> > > >>> The answer to your question is in slide 3
> > > >>> (https://www.ietf.org/proceedings/87/slides/slides-87-pcp-6.pdf).
> > > >>
> > > >>
> > > >>>
> > > Sorry, I don't get an answer to my question from that, can
> > > >> you explain?
> > > >>
> > > >> Ta, S.
> > > >>
> > > >>
> > > >>>
> > > >>> Cheers, Med
> > > >>>
> > > >>>> -----Message d'origine----- De : pcp
> > > >>>> [mailto:pcp-bounces@ietf.org] De la part de Stephen Farrell
> > > >>>> Envoyé : jeudi 9 juillet 2015 13:32 À : The IESG Cc :
> > > >>>> pcp@ietf.org Objet : [pcp] Stephen Farrell's Discuss on
> > > >>>> draft-ietf-pcp-proxy-08: (with DISCUSS)
> > > >>>>
> > > >>>> Stephen Farrell has entered the following ballot position for
> > > >>>> draft-ietf-pcp-proxy-08: Discuss
> > > >>>>
> > > >>>> When responding, please keep the subject line intact and reply
> > > >>>> to all email addresses included in the To and CC lines. (Feel
> > > >>>> free to cut this introductory paragraph, however.)
> > > >>>>
> > > >>>>
> > > >>>> Please refer to
> > > >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for
> > > >>>> more information about IESG DISCUSS and COMMENT positions.
> > > >>>>
> > > >>>>
> > > >>>> The document, along with other ballot positions, can be found
> > > >>>> here: https://datatracker.ietf.org/doc/draft-ietf-pcp-proxy/
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>> ---------------------------------------------------------------
> > > >>>> ----
> > --
> > > -
> > > >>>>
> > > >>>>
> > > >>
> > > >>>>
> > > DISCUSS:
> > > >>>> ---------------------------------------------------------------
> > > >>>> ----
> > --
> > > -
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>
> > > >>>>
> > > I have one thing I'd like to check. Maybe this just works fine,
> > > >>>> but how does this function work with PCP authentication?  E.g.
> > > >>>> in Figure 1, is the left-most client authenticating to the
> > > >>>> middle or rightmost server? I think I could imagine either
> > > >>>> answer being desirable and don't see a way that both could be
> > > >>>> supported.
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>> _______________________________________________ pcp mailing
> > > >>>> list pcp@ietf.org https://www.ietf.org/mailman/listinfo/pcp
> > _______________________________________________
> > pcp mailing list
> > pcp@ietf.org
> > https://www.ietf.org/mailman/listinfo/pcp
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp