Re: [pcp] EAP retransmits and re-authentication
Alper Yegin <alper.yegin@yegin.org> Fri, 21 September 2012 11:05 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A93F21F873C for <pcp@ietfa.amsl.com>; Fri, 21 Sep 2012 04:05:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.489
X-Spam-Level:
X-Spam-Status: No, score=-102.489 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kfBCGiZFAaIC for <pcp@ietfa.amsl.com>; Fri, 21 Sep 2012 04:05:27 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 8A2A021F8734 for <pcp@ietf.org>; Fri, 21 Sep 2012 04:05:27 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0M7p5U-1TSIfn2MMq-00vD50; Fri, 21 Sep 2012 07:05:18 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <505B5DEF.8030801@toshiba.co.jp>
Date: Fri, 21 Sep 2012 14:04:57 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <30CCA552-891E-41AB-959C-2356198B7D1D@yegin.org>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <tslipbap18s.fsf@mit.edu> <09E52F80-2292-42CB-9833-957D16DCF2AB@yegin.org> <tsl392clv10.fsf_-_@mit.edu> <505B35E4.5020108@toshiba.co.jp> <tslfw6ciuan.fsf@mit.edu> <505B4077.3030802@toshiba.co.jp> <6CDC61E8-2811-4D44-959E-0F01BEA5C7EF@lilacglade.org> <505B5131.3000400@toshiba.co.jp> <tslipb8ha5o.fsf@mit.edu> <505B5DEF.8030801@toshiba.co.jp>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:YvdENb0LdnxZCTqIH13evlA1fHC+YojOiD/BqOTLhqa zqqHeAV12BHuYYnEDCxJtUCERPgFy78tgWaN+zM8AyMRvtEuCg yP2xQrfHe060xTEzt9W5G9EYQFukUcBlT9x/odx6lkW3DPvJJ+ Z0DipDBcjXRSeePmsxZIv5z43Dhs1G43l9cn7oXITvU6EjWasR RFo5KMYqzb4h/x9BCEftlivrjqE+jWZIr6RYEF6OFBD5qBhdpA O9Ux3Yf4OtCjz1HVB+7/urJE/eGeKTaMA1d9AXQQAErhlaVg5+ m17pv8w18L5Siya4vABKk6qgIMqVuF7Jkh8DT2oQE/1mIgoFRN l9UVywIekGCR5e54xfJsEiW6XxbowH+eGW9H0v8qT7CfL8QV0d 8atTLkTL+VJ+w==
Cc: pcp@ietf.org
Subject: Re: [pcp] EAP retransmits and re-authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Sep 2012 11:05:28 -0000
Sam, This whole trying to decouple authentication from authorization couldn't more more wrong. Non-PCP-specific background: Authentication is done for the sake of authorization. The server (whether it's the PCP server, or Foo server) does not really care if you are really "Bob". They care what you are authorized to access. It's the backend policy server (e.g., RADIUS server) that knows Bob --> authorization parameters mapping. So, when PCP Client is authenticated as "Bob's PC", PCP server also learns the authorization parameters "allow him to use X ports for Y minutes". In AAA systems, authorization always has finite lifetime (for better resource management). Bob needs to "re-authenticate" before Y minutes passes, otherwise his authorization is yanked. Ports are closed. Whatever state PCP server has created/allocated for "Bob's PC" are freed. That's it. As soon as authorized lifetime expires, PCP server stops serving the client. That's the meaning of "lifetime" in AAA systems. You have to re-authenticate before that happens. This is how it's for any EAP-based system, this is how it's for any AAA (RADIUS/Diameter)-based system. How can you think PCP does not need re-authentication? Alper On Sep 20, 2012, at 9:18 PM, Yoshihiro Ohba wrote: > Sam, > > Since PCP authentication is not part of base specification, > authentication is already optional, which is fine. But when > authentication is used it needs to be tied with authorization. > > Yoshihiro Ohba > > > (2012/09/21 2:33), Sam Hartman wrote: >> One thing to consider is that in many cases, PCP users will not be using >> authentication; they will be using unauthenticated PCP. So, especially >> for PCP, it seems undesirable to tie authorization to authentication. >> >> If an authorization revocation event happens--that is, a service >> provider wants to stop providing service to a customer--they will >> typically want to drop both unauthenticated and authenticated mappings. >> The sort of things that might trigger this are administrative action >> (customer account suspended for immediate cause), address renumbering, >> or lease expire. >> >> For PCP it seems much more likely that these events will be tied to a >> provisioning/authorization system than any event in an authentication >> system. >> >> Tieing this to authentication seems like it will miss important PCP use >> cases. >> Duplicating the same logic both for authentication and authorization >> seems to introduce complexity that PCP does not need. >> >> --Sam >> > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Reinaldo Penno (repenno)
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Dan Wing
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Sam Hartman
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Henderickx, Wim (Wim)
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- [pcp] Authentication scenarios (was Re: PANA impl… Alper Yegin
- [pcp] Side-by-side or nested protocols (was Re: P… Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Henderickx, Wim (Wim)
- Re: [pcp] Authentication scenarios (was Re: PANA … Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] [ Side-by-side or nested protocols Sam Hartman
- Re: [pcp] Authentication scenarios (was Re: PANA … Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] [ Side-by-side or nested protocols Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Zhangdacheng (Dacheng)
- Re: [pcp] [ Side-by-side or nested protocols Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols Sam Hartman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Alper Yegin
- [pcp] EAP retransmits and re-authentication Sam Hartman
- [pcp] gss-eap Alper Yegin
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Margaret Wasserman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Margaret Wasserman
- Re: [pcp] gss-eap & client-side rexmit only Sam Hartman
- Re: [pcp] gss-eap & client-side rexmit only Yoshihiro Ohba
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin