Re: [pcp] Comparison of PCP authentication

[Yoshihiro Ohba <yoshihiro.ohba@toshiba.co.jp>]

Hi Margaret,

I understand your point.

I think the challenging case is that the same node is acting as PANA
relay for both network access authentication and PCP authentication
where the both types of authentication goes to the same PAA.  In this
case, probably PANA needs to be extended to carry additional
information (a new flag or AVP) for distinguishing the two types of
authentication.  Once the additional information is defined, then the
information may also be used for channel binding purpose.

Yoshihiro Ohba

(2012/08/16 21:53), Margaret Wasserman wrote:
> 
> Hi Yoshi,
> 
> I thought the point of running PANA over/beside PCP, instead of using a PCP-specific mechanism, was that the PCP Server could hand the PANA request to a separate PANA server for processing, just like a PANA Relay would hand-off a PANA request to a PANA Server.
> 
> How will that PANA Server (the one that receives the PANA request from the PCP Server, presumably on the PANA port) know that the request is coming from a PCP Server and concerns PCP access, and that it isn't a network access request from a regular PANA PaC or Relay?  I think it is pretty important that we not set-up a situation where a PANA server could think that it is authorizing network access while it is actually authorizing PCP requests, don't you?
> 
> Margaret
> 
> 
> On Aug 16, 2012, at 8:45 AM, Yoshihiro Ohba wrote:
> 
>> Hi Margaret,
>>
>> In my opinion, PANA should be dedicated to PCP authentication in both
>> cases where PANA runs over PCP port.
>>
>> In other words, we can say that PANA is used for network access
>> authentication only when PANA operates over PANA port, regardless of
>> whether the same or different credentials are used for PCP
>> authentication and network access authentication.
>>
>> Yoshihiro Ohba
>>
>> (2012/08/16 20:41), Margaret Wasserman wrote:
>>>
>>> Hi Yoshi,
>>>
>>> On Aug 15, 2012, at 11:41 PM, Yoshihiro Ohba wrote:
>>>
>>>> Here is a brief comparison on both PANA-based schemes:
>>>>
>>>> Encapsulation/tunneling approach:
>>>> - Pros: No impact on PANA specification
>>>> - Cons: Encapsulation overhead
>>>>
>>>> Demultiplexing/port-sharing approach:
>>>> - Pros: No encapsulation overhead
>>>> - Cons: Impact on PANA specification (an Update of RFC 5191 is needed
>>>> on the use of "Reserved" field.)
>>>
>>> In both cases, I think there is an open question (raised by my regarding your draft) of whether we want to modify PANA so that the server will know that it is performing PCP authentication vs. network access authentication.  I think this could be important, if we want a single PANA server to be able to serve both purposes in a small network.  It is possible that the credentials/criteria used to authenticate a node for PCP will be different than for network access, isn't it?
>>>
>>> Margaret
>>>
>>>
>>>
>>
> 
>