Re: [pcp] EAP-over-PCP
Sam Hartman <hartmans@painless-security.com> Wed, 19 September 2012 13:54 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0EE921F861D for <pcp@ietfa.amsl.com>; Wed, 19 Sep 2012 06:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.395
X-Spam-Level: ****
X-Spam-Status: No, score=4.395 tagged_above=-999 required=5 tests=[AWL=0.107, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TjwCSP7BvS-9 for <pcp@ietfa.amsl.com>; Wed, 19 Sep 2012 06:54:26 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id 3C11021F8620 for <pcp@ietf.org>; Wed, 19 Sep 2012 06:54:25 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id A649120178; Wed, 19 Sep 2012 09:54:15 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 6060C4149; Wed, 19 Sep 2012 09:53:55 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alper Yegin <alper.yegin@yegin.org>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org>
Date: Wed, 19 Sep 2012 09:53:55 -0400
In-Reply-To: <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> (Alper Yegin's message of "Wed, 19 Sep 2012 10:39:40 +0300")
Message-ID: <tslipbap18s.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: "'pcp@ietf.org'" <pcp@ietf.org>
Subject: Re: [pcp] EAP-over-PCP
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2012 13:54:27 -0000
>>>>> "Alper" == Alper Yegin <alper.yegin@yegin.org> writes: >> Depending on what's easy for PCP implementations we have a number >> of options. >> >> In RFC 3748 the conversation is conceptually server driven. >> However, there is typically a client (lower layer) indication to >> get things started. >> >> However, the only reason that the conversation is server-driven >> iss retransmissions. If you take a look at section 2 of RFC 3748 >> you note that the protocol is lockstep. The server cannot send a >> new request until the client has responded to the previous one. >> If you take a look at section 4.3, a lower layer may sent the >> retransmission timeout to infinite. In this mode, the server will >> never generate an unsolicited request. So, it's entirely >> possible to view things as a client-server protocol with >> client-driven retransmissions if that makes things easier for PCP >> implementations. >> Alper>I don't understand how this works. Alper> EAP authenticator performs rexmits. So, if it does not get a Alper> response, it'll keep rexmitting. So, how can you achieve Alper> "server will never generate an unsolicited request"? There are three aspects to this: why does it work in practice, why does it comply with the spec, and why do I think it's been reviewed adequately to suggest it? For the first, EAP libraries tend to have a way to ignore retransmits or set the retransmission timeout to infinite. Consider what happens in an AAA server. There, your EAP server cannot (and is not supposed to) handle retransmits. RADIUS at least is a lock-step protocol. Ignoring things like COA, a RADIUS server cannot send an unsolicited response to a client. So any EAP server library basically has to have a way to disable retransmits. I guess it's possible that you could have a passthrough authenticator library that doesn't pull this off. IN practice we've not run into this problem; see below for why. Also, as I understand it (without close reading) the IKEv2 EAP support works this way as well. So, why does it comply with the spec? Take a look at RFC 3748 section 4.3. That section points out a lower layer can set the retransmit timeout to infinite if it is reliable itself. Why do I think the whole idea of assuming you'll never get an unsolicited server request has been adequately reviewed? It's part of draft-ietf-abfab-gss-eap, which has already been approved and is waiting publication. I've personally walked through what we were doing with Bernard; I know Joe is familiar with the work enough that he understands our state machine constraints. Klaas is one of the chairs; he also has a lot of EAP experience. Josh Howlett, my co-author has many more years of EAP experience than I do. So, I believe that this idea has received adequate review that if I were somehow misreading the base EAP spec we would have noticed it. Alper> And, furthermore, there'd be EAP re-authentication which can Alper> be initiated by the client or server. This is another reason Alper> for having to support server-side requests. I'm not entirely sure what you're talking about when you say EAP re-authentication. Do you mean the EAP re-authentication protocol (the one done in HOKEY?) The base EAP spec mentions re-authentication once or twice but does not define it. My best reading of that text is that they simply mean there can be later EAP conversations if you want to access a new resource or the like, or the network wants to re-key, or prove fresh access to tokens or whatever. When you look at the peer state machine in RFC 4137, you note that the success state is a final state. It's going to require lower layer interactions to get out of that state. If you look at the commen open-source supplicants (all I have access to) you see that tends to be how people implement things. You expect a disassociation or something else to trigger new authentication. And when that happens, yes, depending on who's doing the trigger and what's going on, the first *EAP* message may be from the server. In our proposal, PCP is the same way. A server can throw away a session and give a client an error that they must authenticate again if it wants an EAP exchange. This is intended to deal with wanting to expire sessions or servers that lose state. However it also deals with a server wanting to confirm freshness, or getting a re-authentication demand via some complex AAA infrastructure that seems unlikely to be used with PCP in practice.
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Reinaldo Penno (repenno)
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Dan Wing
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Sam Hartman
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Hannes Tschofenig
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Alper Yegin
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Henderickx, Wim (Wim)
- Re: [pcp] PANA implementatinos to consider Yoshihiro Ohba
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- Re: [pcp] PANA implementatinos to consider Margaret Wasserman
- [pcp] Authentication scenarios (was Re: PANA impl… Alper Yegin
- [pcp] Side-by-side or nested protocols (was Re: P… Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Henderickx, Wim (Wim)
- Re: [pcp] Authentication scenarios (was Re: PANA … Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] [ Side-by-side or nested protocols Sam Hartman
- Re: [pcp] Authentication scenarios (was Re: PANA … Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] [ Side-by-side or nested protocols Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Zhangdacheng (Dacheng)
- Re: [pcp] [ Side-by-side or nested protocols Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols Sam Hartman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] Side-by-side or nested protocols (was R… Reinaldo Penno (repenno)
- Re: [pcp] EAP-over-PCP Sam Hartman
- Re: [pcp] Side-by-side or nested protocols (was R… Yoshihiro Ohba
- Re: [pcp] Side-by-side or nested protocols (was R… Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Alper Yegin
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Margaret Wasserman
- Re: [pcp] EAP-over-PCP Alper Yegin
- [pcp] EAP retransmits and re-authentication Sam Hartman
- [pcp] gss-eap Alper Yegin
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Margaret Wasserman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Sam Hartman
- Re: [pcp] EAP retransmits and re-authentication Yoshihiro Ohba
- Re: [pcp] EAP retransmits and re-authentication Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin
- Re: [pcp] gss-eap & client-side rexmit only Margaret Wasserman
- Re: [pcp] gss-eap & client-side rexmit only Sam Hartman
- Re: [pcp] gss-eap & client-side rexmit only Yoshihiro Ohba
- Re: [pcp] gss-eap & client-side rexmit only Alper Yegin