Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 07 August 2014 10:20 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51441B2A47 for <pcp@ietfa.amsl.com>; Thu, 7 Aug 2014 03:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nCLMnGzHDqlD for <pcp@ietfa.amsl.com>; Thu, 7 Aug 2014 03:20:13 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F1011B2A45 for <pcp@ietf.org>; Thu, 7 Aug 2014 03:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5985; q=dns/txt; s=iport; t=1407406813; x=1408616413; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=GEahKj2tadL6nMC7Jm8209oGk7ag+QMGROmciIdfND0=; b=nFZ54uMo3u/7r5z3Vq3wGP5cE191WDipIYlpPs82xBR8QKB9QBUDErRm Zm9J7HpL6ii0L92wbUAgn4I7fFNSUatccTOUNDw4rP1tXN+cSjA1vuG2S OgLYJjb3HzBXgxgtQMswWBHocJaJ8xoSB0voRlTdgnDf7bndSy+GkWMWB M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjoFAJtS41OtJA2G/2dsb2JhbABagw1SUwQEsGabYAqHSAGBFRZ3hAMBAQEEAQEBNzQXBAIBCBEEAQELFAkHJwsUCQgCBAESCAGIJQMRCAXDeReNH4FJMzgGgymBHAWVMIRig1qMbIYtg1dsgQRC
X-IronPort-AV: E=Sophos;i="5.01,817,1400025600"; d="scan'208";a="345704141"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-2.cisco.com with ESMTP; 07 Aug 2014 10:19:49 +0000
Received: from xhc-rcd-x04.cisco.com (xhc-rcd-x04.cisco.com [173.37.183.78]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id s77AJnBU023970 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 7 Aug 2014 10:19:49 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.102]) by xhc-rcd-x04.cisco.com ([fe80::200:5efe:173.37.183.34%12]) with mapi id 14.03.0123.003; Thu, 7 Aug 2014 05:19:49 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Dacheng Zhang <zhang_dacheng@hotmail.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
Thread-Index: AQHPpRYTRB0aq7GvdEyX1sQzFPvl6pvE+rdg
Date: Thu, 07 Aug 2014 10:19:48 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A283027A9@xmb-rcd-x10.cisco.com>
References: <20140721132717.8597.69523.idtracker@ietfa.amsl.com> <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl>
In-Reply-To: <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [173.39.65.66]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/kTGwGQsiemNtho2_MqMWDK81aHI
Subject: Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 10:20:16 -0000
Hi Dacheng, My comments: [1] ID Indicator: The value for a PCP client to choose proper credentials for authentication. The method of generating this value is out of scope of this document. Note this field MUST end on a 32-bit boundary, padded with 0's when necessary. Comment> ID indicator should be user-friendly. For example check out A-ID-Info in EAP-FAST. [2] Each PA message is attached with an Authentication OpCode and may optionally contain a set of Options for various purposes (e.g., transporting authentication messages and session managements). Nit> replace session managements with session management [3] o On security infrastructure equipment, such as corporate firewalls, that does not create implicit mappings. Comment> The above line is very clear, are you referring to firewalls not creating implicit mapping for specific traffic like UDP [4] This mechanism can be used to secure PCP in the following situations:: Nit> Remove extra ":" [5] The draft says fragmentation and re-assembly is handled by EAP methods but http://tools.ietf.org/html/rfc3748 explains that it's only handled by EAP-TLS. Does that make EAP-TLS mandatory to support ? [6] In this case, before sending out the PA-Server, the PCP server must update the SA and use the new key to generate digests to protect the integrity and authenticity of the PA-Server and any subsequent PCP message. Nit> replace digests with digest [7] Because there is no authenticaiton OpCode in common PCP messages, the authentication tag for common PCP messages needs to provide the inforamtion of session ID and sequence numbers. Nit> Fix spelling mistakes for authenticaiton, inforamtion. [8] The generation of the digest can be various according to the algorithms specified in different PCP SAs. Comment> Replace the above line with "The generation of the digest varies according to the algorithm finalized in different PCP SAs" [9] Do the Authentication tag option for PCP authentication message and authentication tag option for common PCP have different option codes ? [10] Update IANA Considerations with the new PCP option, opcode and result codes introduced in the draft. [11] This section applies only to the in-band key management mechanism. It will need to be updated if the WG choose to pursue the out-of-band key management mechanism discussed above. Comment> I think the above paragraph can be removed. [12] I think a section is required to explain how PCP authentication works in the presence of PCP proxies ? In specific explain what happens when PCP proxy and PCP server are involved in re-authentication while PCP clients are sending PCP requests. Cheers, -Tiru > -----Original Message----- > From: Dacheng Zhang [mailto:zhang_dacheng@hotmail.com] > Sent: Monday, July 21, 2014 8:35 PM > To: pcp@ietf.org > Subject: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt > > Hi, in this version of the document, we try to address the comments got since > the last meeting. Particularly, we: > o Refine the retransmission policies. > > o Provide the discussion about how to instruct a PCP client to > choose proper credential during authenticaiton, and an ID > Indication Option is defined for that purpose. > In addition, it is advised that we should remove the key ID from the PCP > authentication message, and only use one key for a PCP session. However, > this indicates we will use the MSK to generate MACs for PCP message directly. > We would like to check with the group again before including it into the > document. > > Any comments and suggestions are appreciated. > > Cheers > > Dacheng > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > This draft is a work item of the Port Control Protocol Working Group of the > IETF. > > > > Title : Port Control Protocol (PCP) Authentication Mechanism > > Authors : Margaret Wasserman > > Sam Hartman > > Dacheng Zhang > > Filename : draft-ietf-pcp-authentication-04.txt > > Pages : 24 > > Date : 2014-07-21 > > > > Abstract: > > An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to > > flexibly manage the IP address and port mapping information on > > Network Address Translators (NATs) or firewalls, to facilitate > > communications with remote hosts. However, the un-controlled > > generation or deletion of IP address mappings on such network devices > > may cause security risks and should be avoided. In some cases the > > client may need to prove that it is authorized to modify, create or > > delete PCP mappings. This document proposes an in-band > > authentication mechanism for PCP that can be used in those cases. > > The Extensible Authentication Protocol (EAP) is used to perform > > authentication between PCP devices. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-pcp-authentication/ > > > > There's also a htmlized version available at: > > http://tools.ietf.org/html/draft-ietf-pcp-authentication-04 > > > > A diff from the previous version is available at: > > http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-authentication-04 > > > > > > Please note that it may take a couple of minutes from the time of > > submission until the htmlized version and diff are available at tools.ietf.org. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > _______________________________________________ > > pcp mailing list > > pcp@ietf.org > > https://www.ietf.org/mailman/listinfo/pcp > > >
- [pcp] I-D Action: draft-ietf-pcp-authentication-0… internet-drafts
- [pcp] I-D Action: draft-ietf-pcp-authentication-0… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dave Thaler
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Dacheng Zhang
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Zhangdacheng (Dacheng)
- Re: [pcp] I-D Action: draft-ietf-pcp-authenticati… Tirumaleswar Reddy (tireddy)