Re: [pcp] Server's auth policy discovery
Sam Hartman <hartmans@painless-security.com> Fri, 12 October 2012 10:51 UTC
From: Sam Hartman <hartmans@painless-security.com>
To: Alper Yegin <alper.yegin@yegin.org>
References: <0BC19EAB-01F2-4AB9-B706-FD7C98FFAE86@yegin.org>
Date: Fri, 12 Oct 2012 06:51:02 -0400
In-Reply-To: <0BC19EAB-01F2-4AB9-B706-FD7C98FFAE86@yegin.org> (Alper Yegin's message of "Fri, 12 Oct 2012 11:29:46 +0300")
Message-ID: <tsl4nm0j755.fsf@mit.edu>
Cc: pcp@ietf.org
Hi. As I've mentioned previously, I consider DHCP-based discovery of auth policy a significant downside to an approach that requires it. For many of the same reasons that you want to avoid one port for authentication and one port for the protocol, you want to avoid one system for security policy discovery with another system for using that policy. Tightly-coupled systems are easier to debug and support. In this particular case, if auth policy discovery is in-band, you avoid the failure modes where the discovery solution has bad information.

--Sam