IETF Logo Mail Archive

Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 07 August 2014 10:20 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51441B2A47 for <pcp@ietfa.amsl.com>; Thu, 7 Aug 2014 03:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nCLMnGzHDqlD for <pcp@ietfa.amsl.com>; Thu, 7 Aug 2014 03:20:13 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F1011B2A45 for <pcp@ietf.org>; Thu, 7 Aug 2014 03:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5985; q=dns/txt; s=iport; t=1407406813; x=1408616413; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=GEahKj2tadL6nMC7Jm8209oGk7ag+QMGROmciIdfND0=; b=nFZ54uMo3u/7r5z3Vq3wGP5cE191WDipIYlpPs82xBR8QKB9QBUDErRm Zm9J7HpL6ii0L92wbUAgn4I7fFNSUatccTOUNDw4rP1tXN+cSjA1vuG2S OgLYJjb3HzBXgxgtQMswWBHocJaJ8xoSB0voRlTdgnDf7bndSy+GkWMWB M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjoFAJtS41OtJA2G/2dsb2JhbABagw1SUwQEsGabYAqHSAGBFRZ3hAMBAQEEAQEBNzQXBAIBCBEEAQELFAkHJwsUCQgCBAESCAGIJQMRCAXDeReNH4FJMzgGgymBHAWVMIRig1qMbIYtg1dsgQRC
X-IronPort-AV: E=Sophos;i="5.01,817,1400025600"; d="scan'208";a="345704141"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-2.cisco.com with ESMTP; 07 Aug 2014 10:19:49 +0000
Received: from xhc-rcd-x04.cisco.com (xhc-rcd-x04.cisco.com [173.37.183.78]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id s77AJnBU023970 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 7 Aug 2014 10:19:49 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.102]) by xhc-rcd-x04.cisco.com ([fe80::200:5efe:173.37.183.34%12]) with mapi id 14.03.0123.003; Thu, 7 Aug 2014 05:19:49 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Dacheng Zhang <zhang_dacheng@hotmail.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
Thread-Index: AQHPpRYTRB0aq7GvdEyX1sQzFPvl6pvE+rdg
Date: Thu, 07 Aug 2014 10:19:48 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A283027A9@xmb-rcd-x10.cisco.com>
References: <20140721132717.8597.69523.idtracker@ietfa.amsl.com> <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl>
In-Reply-To: <BLU436-SMTP17122E359DE03F7D50A210888F00@phx.gbl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [173.39.65.66]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/kTGwGQsiemNtho2_MqMWDK81aHI
Subject: Re: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 10:20:16 -0000

Hi Dacheng,

My comments:

[1] ID Indicator: The value for a PCP client to choose proper
      credentials for authentication.  The method of generating this
      value is out of scope of this document.  Note this field MUST end
      on a 32-bit boundary, padded with 0's when necessary.

Comment> ID indicator should be user-friendly. For example check out A-ID-Info in EAP-FAST.

[2] Each PA message is attached with an
   Authentication OpCode and may optionally contain a set of Options for
   various purposes (e.g., transporting authentication messages and
   session managements).

Nit> replace session managements with session management

[3]   o  On security infrastructure equipment, such as corporate firewalls,
      that does not create implicit mappings.

Comment> The above line is very clear, are you referring to firewalls not creating implicit mapping for specific traffic like UDP

[4] This mechanism can be used to
   secure PCP in the following situations::

Nit> Remove extra ":"

[5]
The draft says fragmentation and re-assembly is handled by EAP methods but http://tools.ietf.org/html/rfc3748 explains that it's only handled by EAP-TLS.  

Does that make EAP-TLS mandatory to support ?

[6] In this case, before sending
   out the PA-Server, the PCP server must update the SA and use the new
   key to generate digests to protect the integrity and authenticity of
   the PA-Server and any subsequent PCP message.

Nit> replace digests with digest

[7]  Because there is no authenticaiton OpCode in common PCP messages, the
   authentication tag for common PCP messages needs to provide the
   inforamtion of session ID and sequence numbers.

Nit> Fix spelling mistakes for authenticaiton, inforamtion.

[8] The generation of the digest can be various according to the algorithms specified in different PCP SAs.
Comment> Replace the above line with
"The generation of the digest varies according to the algorithm finalized in different PCP SAs"

[9] Do the Authentication tag option for PCP authentication message and authentication tag option for common PCP have different option codes ? 

[10] Update IANA Considerations with the new PCP option, opcode and result codes introduced in the draft.

[11]   This section applies only to the in-band key management mechanism.
 It will need to be updated if the WG choose to pursue the out-of-band
 key management mechanism discussed above.

Comment> I think the above paragraph can be removed.

[12] I think a section is required to explain how PCP authentication works in the presence of PCP proxies ?
        In specific explain what happens when PCP proxy and PCP server are involved in re-authentication while PCP clients are sending PCP requests.

Cheers,
-Tiru

> -----Original Message-----
> From: Dacheng Zhang [mailto:zhang_dacheng@hotmail.com]
> Sent: Monday, July 21, 2014 8:35 PM
> To: pcp@ietf.org
> Subject: [pcp] I-D Action: draft-ietf-pcp-authentication-04.txt
> 
> Hi, in this version of the document, we try to address the comments got since
> the last meeting.  Particularly, we:
>    o  Refine the retransmission policies.
> 
>    o  Provide the discussion about how to instruct a PCP client to
>       choose proper credential during authenticaiton, and an ID
>       Indication Option is defined for that purpose.
> In addition, it is advised that we should remove the key ID from the PCP
> authentication message, and only use one key for a PCP session. However,
> this indicates we will use the MSK to generate MACs for PCP message directly.
> We would like to check with the group again before including it into the
> document.
> 
> Any comments and suggestions are appreciated.
> 
> Cheers
> 
> Dacheng
> 
> 
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Port Control Protocol Working Group of the
> IETF.
> >
> >        Title           : Port Control Protocol (PCP) Authentication Mechanism
> >        Authors         : Margaret Wasserman
> >                          Sam Hartman
> >                          Dacheng Zhang
> > 	Filename        : draft-ietf-pcp-authentication-04.txt
> > 	Pages           : 24
> > 	Date            : 2014-07-21
> >
> > Abstract:
> >   An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to
> >   flexibly manage the IP address and port mapping information on
> >   Network Address Translators (NATs) or firewalls, to facilitate
> >   communications with remote hosts.  However, the un-controlled
> >   generation or deletion of IP address mappings on such network devices
> >   may cause security risks and should be avoided.  In some cases the
> >   client may need to prove that it is authorized to modify, create or
> >   delete PCP mappings.  This document proposes an in-band
> >   authentication mechanism for PCP that can be used in those cases.
> >   The Extensible Authentication Protocol (EAP) is used to perform
> >   authentication between PCP devices.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-pcp-authentication/
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-pcp-authentication-04
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-authentication-04
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > pcp mailing list
> > pcp@ietf.org
> > https://www.ietf.org/mailman/listinfo/pcp
> >
>

v2.23.0 | Report a Bug | By Email