Re: [pcp] Posted auth req slide that was edited during meeting

Rafa Marin Lopez <rafa@um.es> Fri, 15 March 2013 16:09 UTC

Dear all:

I have been trying to understand the requirement 4) but I have failed (probably my problem).

Let me share my view about this.

A security association (SA) is the result of the establishment of some sort of shared security context between two (or more) network entities to perform secure communications. We have IPsec SA, IKE SA, TLS SA, etc. These entities share a security context, which implies sharing fresh cryptographic material.

So, to me, the statement "Server can use expired SA for a given mapping to protect any unsolicited unicast message it sends regarding that mapping" seems wrong from a security standpoint (maybe it is not the intention of the sentence or I do not understand it).

An expired SA means it is not a fresh SA and therefore not valid. Using it creates a security issue.

Apart from this, I was wondering... what is the expiration time of an "expired" SA? Or, in other words, when is the "expired" SA really expired? Is the lifetime set to infinite? If it isn't, how is the extended lifetime SA set?

This is really confusing to me. As also said in the meeting, then we are not talking about an expired SA.

I believe I also heard in the audio that there were real examples where an expired SA is used. I would like to know some of them. AFAIK, IPsec SA, IKE SA, etc. do not proceed this way. Is there any standard secure protocol that allows this and is considered secure?

An example about the usage of certificates was also given. A certificate is a credential. So I do not know how this example applies.

I would really appreciate any clarification.

Best regards.

On 14/03/2013, at 20:19, Dave Thaler wrote:

> I just uploaded the slide started editing during the meeting into the proceedings:
> http://www.ietf.org/proceedings/86/slides/slides-86-pcp-18.pdf
>  
> During the meeting the chairs heard rough consensus to use option 4 as the
> basis on which to start the discussion on the list.   Feel free to point out problems
> with it.
>  
> -Dave

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------