[pcp] channel binding (was Re: Comparison of PCP authentication)

Alper Yegin <alper.yegin@yegin.org> Fri, 17 August 2012 08:22 UTC

To: Sam Hartman <hartmans@painless-security.com>
Cc: pcp@ietf.org

(spinning off a new thread for easier tracking)

What value are you thinking of using for i1 and i2? IP address of the PCP server?
If so, you can do that in any of those solutions.
Is there a problem?

Alper




On Aug 16, 2012, at 3:46 PM, Sam Hartman wrote:

> I have a question.
> As background reading I recommend taking a look at RFC 6677 section 5.1.
> 
> 
> If we want to use EAP channel binding to bind an authentication to a
> specific PCP server, how will we do that with PANA?
> 
> For all three approaches we need to define i1 or what attributes the client
> sends in the EAP channel binding to give the identity of the PCP
> server. We could for example use the IP address of the PCP server in the
> nas-ip-address (or v6 address) AVP.
> 
> For the PCP specific approach the rest is easy. The PCP server knows it
> is a PCP server, and includes those attributes in the AAA message
> so that the EAP server has i2.
> 
> How does the PANA server find out i2?
> 
> RFC 6677 strongly recommends that an eap-lower-layer attribute be
> included.  There's a value defined for PANA.  However, that wouldn't
> really be a good choice here because it would not allow an EAP server to
> distinguish PCP authentications from uses of PANA for network access.
> How does the PANA server know which eap-lower-layer to include?
> 
> --Sam
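As an added illustration that is not part of this thread, the following is a constructed model of the RFC 6677 section 5.1 consistency check Sam refers to: the peer asserts i1 (the PCP server's address in NAS-IP-Address) inside the protected EAP channel, the authenticator asserts i2 over AAA, and the EAP server compares them against each other and against its own database of authenticators. The authenticator database, the addresses and the "PCP" value of EAP-Lower-Layer are hypothetical (RFC 6677 only defines a PANA value), which is exactly what makes the PANA case ambiguous.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical EAP-server database of known authenticators (constructed example
# addresses): address -> the service the EAP server believes that node provides.
AUTHENTICATOR_DB: Dict[str, str] = {
    "192.0.2.10": "PCP",             # a PCP server
    "192.0.2.20": "network-access",  # an ordinary PANA access authenticator
}

@dataclass
class Result:
    ok: bool
    service: Optional[str]  # what the EAP server could conclude the peer is talking to
    reason: str

def check_channel_binding(i1: Dict[str, str], i2: Dict[str, str],
                          db: Dict[str, str] = AUTHENTICATOR_DB) -> Result:
    """i1: attributes the peer sent through the protected EAP method channel.
    i2: attributes the authenticator sent to the EAP server over AAA."""
    # 1. Every attribute the peer asserted must agree with the authenticator's claim;
    #    a mismatch means the peer is not talking to the server it thinks it is.
    for attr, value in i1.items():
        if attr in i2 and i2[attr] != value:
            return Result(False, None,
                          f"{attr}: peer saw {value!r}, authenticator claims {i2[attr]!r}")
    # 2. The authenticator itself must be one the EAP server knows.
    addr = i2.get("NAS-IP-Address")
    if addr not in db:
        return Result(False, None, f"unknown authenticator {addr!r}")
    # 3. EAP-Lower-Layer: a hypothetical PCP-specific value names the service, while the
    #    generic PANA value (the only one RFC 6677 defines for PANA) cannot distinguish a
    #    PCP authentication from PANA used for network access.
    lower = i2.get("EAP-Lower-Layer")
    if lower == "PCP":
        service: Optional[str] = "PCP"
    elif lower == "PANA":
        service = None  # ambiguous: network access or PCP over PANA
    else:
        return Result(False, None, f"unexpected EAP-Lower-Layer {lower!r}")
    # 4. When the lower layer does identify a service, it must match the database entry.
    if service is not None and service != db[addr]:
        return Result(False, service, f"{addr} is registered as {db[addr]}, not {service}")
    return Result(True, service, "consistent")
```

With the PANA value the check still passes for a registered PCP server, but `service` comes back `None`: the EAP server has verified the address binding yet cannot tell which kind of authentication it just authorized.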