Re: [pcp] Server's auth policy discovery

Sam Hartman <hartmans@painless-security.com> Fri, 12 October 2012 10:51 UTC

From: Sam Hartman <hartmans@painless-security.com>
To: Alper Yegin <alper.yegin@yegin.org>
References: <0BC19EAB-01F2-4AB9-B706-FD7C98FFAE86@yegin.org>
Date: Fri, 12 Oct 2012 06:51:02 -0400
In-Reply-To: <0BC19EAB-01F2-4AB9-B706-FD7C98FFAE86@yegin.org> (Alper Yegin's message of "Fri, 12 Oct 2012 11:29:46 +0300")
Message-ID: <tsl4nm0j755.fsf@mit.edu>
Cc: pcp@ietf.org
Subject: Re: [pcp] Server's auth policy discovery
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>

Hi.
As I've mentioned previously, I consider DHCP-based discovery of auth
policy a significant downside to an approach that requires it.

For many of the same reasons that you want to avoid one port for
authentication and one port for the protocol, you want to avoid one
system for security policy discovery with another system for using that
policy.  Tightly-coupled systems are easier to debug and support.  In
this particular case, if auth policy discovery is in-band, you avoid the
failure modes where the discovery solution has bad information.

--Sam