IETF Logo Mail Archive

Re: [pcp] EAP retransmits and re-authentication

Alper Yegin <alper.yegin@yegin.org> Fri, 21 September 2012 11:05 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A93F21F873C for <pcp@ietfa.amsl.com>; Fri, 21 Sep 2012 04:05:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.489
X-Spam-Level:
X-Spam-Status: No, score=-102.489 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kfBCGiZFAaIC for <pcp@ietfa.amsl.com>; Fri, 21 Sep 2012 04:05:27 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 8A2A021F8734 for <pcp@ietf.org>; Fri, 21 Sep 2012 04:05:27 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0M7p5U-1TSIfn2MMq-00vD50; Fri, 21 Sep 2012 07:05:18 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <505B5DEF.8030801@toshiba.co.jp>
Date: Fri, 21 Sep 2012 14:04:57 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <30CCA552-891E-41AB-959C-2356198B7D1D@yegin.org>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <tslipbap18s.fsf@mit.edu> <09E52F80-2292-42CB-9833-957D16DCF2AB@yegin.org> <tsl392clv10.fsf_-_@mit.edu> <505B35E4.5020108@toshiba.co.jp> <tslfw6ciuan.fsf@mit.edu> <505B4077.3030802@toshiba.co.jp> <6CDC61E8-2811-4D44-959E-0F01BEA5C7EF@lilacglade.org> <505B5131.3000400@toshiba.co.jp> <tslipb8ha5o.fsf@mit.edu> <505B5DEF.8030801@toshiba.co.jp>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:YvdENb0LdnxZCTqIH13evlA1fHC+YojOiD/BqOTLhqa zqqHeAV12BHuYYnEDCxJtUCERPgFy78tgWaN+zM8AyMRvtEuCg yP2xQrfHe060xTEzt9W5G9EYQFukUcBlT9x/odx6lkW3DPvJJ+ Z0DipDBcjXRSeePmsxZIv5z43Dhs1G43l9cn7oXITvU6EjWasR RFo5KMYqzb4h/x9BCEftlivrjqE+jWZIr6RYEF6OFBD5qBhdpA O9Ux3Yf4OtCjz1HVB+7/urJE/eGeKTaMA1d9AXQQAErhlaVg5+ m17pv8w18L5Siya4vABKk6qgIMqVuF7Jkh8DT2oQE/1mIgoFRN l9UVywIekGCR5e54xfJsEiW6XxbowH+eGW9H0v8qT7CfL8QV0d 8atTLkTL+VJ+w==
Cc: pcp@ietf.org
Subject: Re: [pcp] EAP retransmits and re-authentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Sep 2012 11:05:28 -0000

Sam,

This whole trying to decouple authentication from authorization couldn't more more wrong.

Non-PCP-specific background:
Authentication is done for the sake of authorization. The server (whether it's the PCP server, or Foo server) does not really care if you are really "Bob". They care what you are authorized to access. It's the backend policy server (e.g., RADIUS server) that knows Bob --> authorization parameters mapping. 

So, when PCP Client is authenticated as "Bob's PC", PCP server also learns the authorization parameters "allow him to use X ports for Y minutes". In AAA systems, authorization always has finite lifetime (for better resource management). Bob needs to "re-authenticate" before Y minutes passes, otherwise his authorization is yanked. Ports are closed. Whatever state PCP server has created/allocated for "Bob's PC" are freed. That's it.

As soon as authorized lifetime expires, PCP server stops serving the client. That's the meaning of "lifetime" in AAA systems.

You have to re-authenticate before that happens.

This is how it's for any EAP-based system, this is how it's for any AAA (RADIUS/Diameter)-based system. 


How can you think PCP does not need re-authentication? 


Alper















On Sep 20, 2012, at 9:18 PM, Yoshihiro Ohba wrote:

> Sam,
> 
> Since PCP authentication is not part of base specification,
> authentication is already optional, which is fine.  But when
> authentication is used it needs to be tied with authorization.
> 
> Yoshihiro Ohba
> 
> 
> (2012/09/21 2:33), Sam Hartman wrote:
>> One thing to consider is that in many cases, PCP users will not be using
>> authentication; they will be using unauthenticated PCP.  So, especially
>> for PCP, it seems undesirable to tie authorization to authentication.
>> 
>> If an authorization revocation event happens--that is, a service
>> provider wants to stop providing service to a customer--they will
>> typically want to drop both unauthenticated and authenticated mappings.
>> The sort of things that might trigger this are  administrative action
>> (customer account suspended for immediate cause), address renumbering,
>> or lease expire.
>> 
>> For PCP it seems much more likely that these events will be tied to a
>> provisioning/authorization system than any event in an authentication
>> system.
>> 
>> Tieing this to authentication seems like it will miss important PCP use
>> cases.
>> Duplicating the same logic both for authentication and authorization
>> seems to introduce complexity that PCP does not need.
>> 
>> --Sam
>> 
> 
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp

v2.23.0 | Report a Bug | By Email