Re: [pcp] WG status on PCP authentication
Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp> Fri, 14 September 2012 15:03 UTC
Return-Path: <yoshihiro.ohba@toshiba.co.jp>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B7ED21F8532 for <pcp@ietfa.amsl.com>; Fri, 14 Sep 2012 08:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.306
X-Spam-Level:
X-Spam-Status: No, score=-7.306 tagged_above=-999 required=5 tests=[AWL=0.283, BAYES_00=-2.599, GB_ABOUTYOU=0.5, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_HI=-8, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9n+zL5qrA7Cu for <pcp@ietfa.amsl.com>; Fri, 14 Sep 2012 08:02:59 -0700 (PDT)
Received: from imx12.toshiba.co.jp (imx12.toshiba.co.jp [61.202.160.132]) by ietfa.amsl.com (Postfix) with ESMTP id 880D821F8523 for <pcp@ietf.org>; Fri, 14 Sep 2012 08:02:59 -0700 (PDT)
Received: from arc11.toshiba.co.jp ([133.199.90.127]) by imx12.toshiba.co.jp with ESMTP id q8EF2uWM000745; Sat, 15 Sep 2012 00:02:56 +0900 (JST)
Received: (from root@localhost) by arc11.toshiba.co.jp id q8EF2ufC007965; Sat, 15 Sep 2012 00:02:56 +0900 (JST)
Received: from ovp11.toshiba.co.jp [133.199.90.148] by arc11.toshiba.co.jp with ESMTP id AAA07964; Sat, 15 Sep 2012 00:02:56 +0900
Received: from mx.toshiba.co.jp (localhost [127.0.0.1]) by ovp11.toshiba.co.jp with ESMTP id q8EF2tY1024956; Sat, 15 Sep 2012 00:02:55 +0900 (JST)
Received: from tsbpoa.po.toshiba.co.jp by toshiba.co.jp id q8EF2tWd011708; Sat, 15 Sep 2012 00:02:55 +0900 (JST)
Received: from [133.199.17.52] by mail.po.toshiba.co.jp (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004)) with ESMTPA id <0MAC009Q5HSUL1K0@mail.po.toshiba.co.jp>; Sat, 15 Sep 2012 00:02:55 +0900 (JST)
Date: Sat, 15 Sep 2012 00:03:00 +0900
From: Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>
In-reply-to: <tslboh865pa.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
Message-id: <50534724.3050602@toshiba.co.jp>
MIME-version: 1.0
Content-type: text/plain; charset="ISO-2022-JP"
Content-transfer-encoding: 7bit
References: <9B57C850BB53634CACEC56EF4853FF653B7B205A@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <B27AE62F-1ADF-44DE-AF33-0B7A3AD6ACDB@yegin.org> <D6230CDE-E869-406F-B194-8E9B626CA8D8@lilacglade.org> <5052D3F3.8000605@toshiba.co.jp> <C72CBD9FE3CA604887B1B3F1D145D05E39E372B6@szxeml528-mbx.china.huawei.com> <50532345.4060109@toshiba.co.jp> <tslboh865pa.fsf@mit.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] WG status on PCP authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2012 15:03:00 -0000
(2012/09/14 23:26), Sam Hartman wrote: > > Yoshihiro> Hi Dacheng, A good question. Actually both approaches > Yoshihiro> has some impact on RFC 5191 to allow PANA to run over a > Yoshihiro> non-PANA port (which would require updating RFC 5191). > Yoshihiro> This made me think that the need for updating RFC 5191 to > Yoshihiro> use the Reserved field in the demultiplexing approach is > Yoshihiro> not considered as a cons. > > > Hi. > I have two questions about your comparison: > > 1) How the encapsulation approach requires tight coupling As I mentioned in my comparison, I see the following two issues: "One issue is that some workaround is needed to carry a PCI (PANA-Client-Initiation) message which does not fit PCP's request-response type messaging. Another issue is that double integrity protection can happen after establishing a PCP SA, where a PANA message carried in the PCP message is protected by a PANA AUTH AVP and the PCP message itself is protected by a PCP Authentication Tag. Double integrity protection can be considered as overhead." To add more to the 2nd issue, tight coupling of PCP and PANA would be needed to avoid double integrity protection (e.g., omitting AUTH AVP when there is a PCP Authentication Tag, etc...) > > 2) Why tight coupling is a bad thing given that we've ruled relays out > of scope. As far as I understand, we ruled out relays to deal with EAP channel binding without need to tightly couple PCP and PANA (such as carrying PCP-specific information in a PANA message). Tight coupling is better to avoid, IMO. Yoshihiro Ohba > > --Sam >
- [pcp] WG status on PCP authentication Dave Thaler
- Re: [pcp] WG status on PCP authentication Alper Yegin
- Re: [pcp] WG status on PCP authentication Margaret Wasserman
- Re: [pcp] WG status on PCP authentication Yoshihiro Ohba
- Re: [pcp] WG status on PCP authentication Alper Yegin
- [pcp] PCP mapping for 5350 and 5351 ports Zhangzongjian (Thomas)
- Re: [pcp] WG status on PCP authentication Zhangdacheng (Dacheng)
- Re: [pcp] WG status on PCP authentication Yoshihiro Ohba
- Re: [pcp] WG status on PCP authentication Sam Hartman
- Re: [pcp] WG status on PCP authentication Yoshihiro Ohba
- Re: [pcp] PCP mapping for 5350 and 5351 ports Dan Wing
- Re: [pcp] PCP mapping for 5350 and 5351 ports Zhangzongjian (Thomas)
- Re: [pcp] PCP mapping for 5350 and 5351 ports Zhangzongjian (Thomas)