Re: [pcp] Posted auth req slide that was edited during meeting
<yoshihiro.ohba@toshiba.co.jp> Wed, 27 March 2013 03:32 UTC
Return-Path: <yoshihiro.ohba@toshiba.co.jp>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22EAD21E803F for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 20:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.089
X-Spam-Level:
X-Spam-Status: No, score=-4.089 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I+V+FTsQi+vU for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 20:32:31 -0700 (PDT)
Received: from imx2.toshiba.co.jp (inet-tsb5.toshiba.co.jp [202.33.96.24]) by ietfa.amsl.com (Postfix) with ESMTP id F32B621F874C for <pcp@ietf.org>; Tue, 26 Mar 2013 20:32:30 -0700 (PDT)
Received: from tsbmgw-mgw02.tsbmgw-mgw02.toshiba.co.jp ([133.199.200.50]) by imx2.toshiba.co.jp with ESMTP id r2R3WSLv022192 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 27 Mar 2013 12:32:28 +0900 (JST)
Received: from tsbmgw-mgw02 (localhost [127.0.0.1]) by tsbmgw-mgw02.tsbmgw-mgw02.toshiba.co.jp (8.13.8/8.14.5) with ESMTP id r2R3WS7W032299; Wed, 27 Mar 2013 12:32:28 +0900
Received: from localhost ([127.0.0.1]) by tsbmgw-mgw02 (JAMES SMTP Server 2.3.1) with SMTP ID 665; Wed, 27 Mar 2013 12:32:27 +0900 (JST)
Received: from arc1.toshiba.co.jp ([133.199.194.235]) by tsbmgw-mgw02.tsbmgw-mgw02.toshiba.co.jp (8.13.8/8.14.5) with ESMTP id r2R3WRL8032296; Wed, 27 Mar 2013 12:32:27 +0900
Received: (from root@localhost) by arc1.toshiba.co.jp id r2R3WR0f023901; Wed, 27 Mar 2013 12:32:27 +0900 (JST)
Received: from unknown [133.199.192.144] by arc1.toshiba.co.jp with ESMTP id NAA23900; Wed, 27 Mar 2013 12:32:27 +0900
Received: from mx.toshiba.co.jp (localhost [127.0.0.1]) by ovp2.toshiba.co.jp with ESMTP id r2R3WRNi004021; Wed, 27 Mar 2013 12:32:27 +0900 (JST)
Received: from TGXML330.toshiba.local by toshiba.co.jp id r2R3WQTv001498; Wed, 27 Mar 2013 12:32:26 +0900 (JST)
Received: from TGXML337.toshiba.local ([169.254.3.203]) by TGXML330.toshiba.local ([133.199.60.204]) with mapi id 14.02.0328.009; Wed, 27 Mar 2013 12:32:23 +0900
From: yoshihiro.ohba@toshiba.co.jp
To: dwing@cisco.com
Thread-Topic: [pcp] Posted auth req slide that was edited during meeting
Thread-Index: AQHOI+DTZVo7fOcKTKW7xX5uXeSScpirfAWwgATfK/CABuV4EIAAV0sAgAEFN9D//3tZgIAAmnJg
Date: Wed, 27 Mar 2013 03:32:23 +0000
Message-ID: <674F70E5F2BE564CB06B6901FD3DD78B12CE1155@tgxml337.toshiba.local>
References: <341064315C6D0D498193B256F238CF9747C9C9@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com> <5EF8B214-6563-47C7-9D48-621D9D5E1B29@yegin.org> <tslip4r42r3.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CD0A01@tgxml337.toshiba.local> <tslk3p4zyze.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB0CB@tgxml337.toshiba.local> <tsl620ox0zb.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB148@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CDEA18@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CE012A@tgxml337.toshiba.local> <56946F7F-B646-42B1-A421-F2D3559CCEA2@cisco.com> <674F70E5F2BE564CB06B6901FD3DD78B12CE1089@tgxml337.toshiba.local> <68743834-C862-4802-BCDB-8993AB645D8A@cisco.com>
In-Reply-To: <68743834-C862-4802-BCDB-8993AB645D8A@cisco.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
x-originating-ip: [133.199.147.66]
msscp.transfermailtomossagent: 103
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: pcp@ietf.org
Subject: Re: [pcp] Posted auth req slide that was edited during meeting
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2013 03:32:32 -0000
-----Original Message----- From: Dan Wing [mailto:dwing@cisco.com] Sent: Wednesday, March 27, 2013 8:42 AM To: ohba yoshihiro Cc: pcp@ietf.org Subject: Re: [pcp] Posted auth req slide that was edited during meeting On Mar 26, 2013, at 4:07 PM, <yoshihiro.ohba@toshiba.co.jp> wrote: > Another way is to let the SA expire, and if the server needs to send a message later on, then it can initiate authentication (and this is not a re-authentication by definition because the SA has expired). I am fine with this way either. Ok. But your proposed wording of the requirement does not allow such an operation. [YO] This is a different requirement option (say option 5). What I meant is I am fine with either requirement, i.e., either server-initiated re-auth before expiration of SA (modified option 1) or server-initiated auth after expiration of SA (option 5). > For those who are interested in security details: > > Depending on the timing of the server-initiated authentication, the client might still have an unexpired SA. Such a client may enter the authentication while keeping the current SA until the authentication succeeds so that it can switch back to the current SA in case the authentication fails, which provides robustness against false authentication trigger DoS attacks (at the cost of maintaining multiple authentication sessions temporarily). PANA supports this robust operation. I don't understand the "depending on the timing" statement. If the server thinks the SA has expired, it has expired and the server won't accept messages with that old SA. [YO] Sure. What I wanted to mention is that the exact timing of SA expiration may be different between the client and server unless strict time synchronization is maintained between them. If you're worried of an attacker sending bogus messages to the client, claiming to the client that its SA has expired, yes, those need to either be protected (using a previous expired SA, as Sam and Stuart have suggested) or need to be treated as 'advisory', which is what I guess PANA does. [YO] This is what I don't understand. If a previous expired SA can be accepted by the client, when the client can consider the SA is invalid? Perhaps a list of pros/cons of the approaches in http://www.ietf.org/mail-archive/web/pcp/current/msg02785.html could be generated, to help the working group make a decision on this point. [YO] I agree on creating a list of pros/cons, including options 1 to 4, modified option 1 (server-initiated re-auth before expiration of SA) and option 5 (server-initiated auth after expiration of SA). Regards, Yoshihiro Ohba -d > Regards, > Yoshihiro Ohba > > -----Original Message----- > From: Dan Wing [mailto:dwing@cisco.com] > Sent: Wednesday, March 27, 2013 1:02 AM > To: ohba yoshihiro > Cc: pcp@ietf.org > Subject: Re: [pcp] Posted auth req slide that was edited during > meeting > > > On Mar 25, 2013, at 6:55 PM, yoshihiro.ohba@toshiba.co.jp wrote: > >> Here is my suggested change on REQ-5 of draft-reddy-pcp-auth-req-01. >> >> (Current) >> >> REQ-5: PCP allows a server to send multiple responses. If the >> server wants to send an unsolicited message, but the previous >> security association has expired, the server MUST be able to >> trigger re-authentication with the client. >> " >> >> (New) >> >> " >> REQ-5: PCP allows a server to send multiple responses. If the >> server wants to send an unsolicited message, but the previous >> security association is going to expire, the server MUST be able to >> trigger re-authentication with the client prior to expiration of the security association. >> " > > The PCP server does not know, a priori, if it will want or need to send a message later. So the only way to comply with that requirement would be for the PCP server to prevent a security association from expiring at all. Is there some other way to comply with that requirement? > > -d > > >> >> Best Regards, >> Yoshihiro Ohba >> >> -----Original Message----- >> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of >> yoshihiro.ohba@toshiba.co.jp >> Sent: Friday, March 22, 2013 1:42 AM >> To: pcp@ietf.org >> Subject: Re: [pcp] Posted auth req slide that was edited during >> meeting >> >> Can we take silence as agreement about re-auth to happen before the SA expires? >> >> Yoshihiro Ohba >> >> >> -----Original Message----- >> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of >> yoshihiro.ohba@toshiba.co.jp >> Sent: Monday, March 18, 2013 11:12 PM >> To: hartmans@painless-security.com >> Cc: pcp@ietf.org >> Subject: Re: [pcp] Posted auth req slide that was edited during >> meeting >> >> Sam, >> >> -----Original Message----- >> From: Sam Hartman [mailto:hartmans@painless-security.com] >> Sent: Monday, March 18, 2013 11:00 PM >> To: ohba yoshihiro >> Cc: alper.yegin@yegin.org; pcp@ietf.org >> Subject: Re: [pcp] Posted auth req slide that was edited during >> meeting >> >>>>>>> <yoshihiro.ohba@toshiba.co.jp> writes: >> >> >>> In any case, we should follow the definition of EAP >>> re-authentication in RFC 5247 about re-authentication timing. I see >>> absolutely no reason to change the definition. >> >> OK. So you're saying that the goal of the security association expiration is to make sure that a client cannot change the PCP state in a manner that requires authentication outside a time window defined by the AAA infrastructure/PCP server? >> >> [YO] Yes. >> >> So, the sorts of attacks we'd want to prevent are people changing state after credentials have changed or authorizations have changed? >> >> [YO] Yes, unless the credentials or authorizations are changed via a valid re-authentication, that is the whole purpose of re-authentication. >> >> Yoshihiro Ohba >> >> --Sam >> >> _______________________________________________ >> pcp mailing list >> pcp@ietf.org >> https://www.ietf.org/mailman/listinfo/pcp >> >> _______________________________________________ >> pcp mailing list >> pcp@ietf.org >> https://www.ietf.org/mailman/listinfo/pcp >> >> _______________________________________________ >> pcp mailing list >> pcp@ietf.org >> https://www.ietf.org/mailman/listinfo/pcp > >
- [pcp] Posted auth req slide that was edited durin… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… Alper Yegin
- Re: [pcp] Posted auth req slide that was edited d… Rafa Marin Lopez
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… Dan Wing
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Dan Wing
- Re: [pcp] Posted auth req slide that was edited d… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba