Re: [pcp] Comments on PCP Extension for Third Party Authorization (http://www.ietf.org/internet-drafts/draft-wing-pcp-third-party-authz-01.txt)
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 03 February 2014 14:07 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36D4D1A00C7 for <pcp@ietfa.amsl.com>; Mon, 3 Feb 2014 06:07:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.436
X-Spam-Level:
X-Spam-Status: No, score=-9.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_35=0.6, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBoqeAhql4-O for <pcp@ietfa.amsl.com>; Mon, 3 Feb 2014 06:07:20 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by ietfa.amsl.com (Postfix) with ESMTP id 285A81A01CF for <pcp@ietf.org>; Mon, 3 Feb 2014 06:04:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4923; q=dns/txt; s=iport; t=1391436291; x=1392645891; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=8pq/V6YQ9DUxr1STJAdmYRErqkfkJno6C3j3yOOjX8o=; b=B0ZLpFDmyXLSPPYuhLYLNggG36IS8WaSk/SR0MQeMs6gbVF6E/V8NEiV yiGkc8ep4Gb1qIxjcyKCRAQex1shmOBUCHgK6N575zJq1VREKtC64d9MM /32Z0ZjX5P1tSwcQeqagLH1ZMtyNxx/L0b16mKwjZ3RTUAnW1fzpx4joW 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ah0FAIqh71KtJXHA/2dsb2JhbABPCoMMOEsMvgiBCBZ0giUBAQEEeRIBCBEEAQELGT0dCQEEAQ0FCAGHfA3MQxeOLSsxgyuBFASJEZBLkG+Bb4E+gWgCHgIEHBE
X-IronPort-AV: E=Sophos;i="4.95,772,1384300800"; d="scan'208";a="17525685"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by alln-iport-4.cisco.com with ESMTP; 03 Feb 2014 14:04:50 +0000
Received: from xhc-rcd-x10.cisco.com (xhc-rcd-x10.cisco.com [173.37.183.84]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id s13E4ook016409 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <pcp@ietf.org>; Mon, 3 Feb 2014 14:04:51 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.36]) by xhc-rcd-x10.cisco.com ([173.37.183.84]) with mapi id 14.03.0123.003; Mon, 3 Feb 2014 08:04:50 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "Anca Zamfir (ancaz)" <ancaz@cisco.com>, "Reinaldo Penno (repenno)" <repenno@cisco.com>, "Dan Wing (dwing)" <dwing@cisco.com>, "Prashanth Patil (praspati)" <praspati@cisco.com>
Thread-Topic: [pcp] Comments on PCP Extension for Third Party Authorization (http://www.ietf.org/internet-drafts/draft-wing-pcp-third-party-authz-01.txt)
Thread-Index: Ac8g6OM9iZ7sffF+Q5SWt1ojcC5EYg==
Date: Mon, 03 Feb 2014 14:04:50 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A242A5956@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.51.29]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] Comments on PCP Extension for Third Party Authorization (http://www.ietf.org/internet-drafts/draft-wing-pcp-third-party-authz-01.txt)
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2014 14:07:25 -0000
Hi Anca, Thanks for the review. Please see inline [TR] From: Anca Zamfir (ancaz) Sent: Wednesday, January 29, 2014 4:56 PM To: Tirumaleswar Reddy (tireddy); Reinaldo Penno (repenno); Dan Wing (dwing); Prashanth Patil (praspati) Cc: pcp@ietf.org Subject: [pcp] Comments on PCP Extension for Third Party Authorization (http://www.ietf.org/internet-drafts/draft-wing-pcp-third-party-authz-01.txt) Hi Tiru et al, A few comments and questions on this draft. Section 4: . Figure 1: could you identify the entities you mention in the text below it? Like PCP Client (Alice box), Oauth 2.0 server (does it have to be the WebRTC or could it be separate?) [TR] Yes, updated. . I don't understand the paragraph after bullet 4 and how is relevant to this section/ draft? What do you mean by "This technique"? [TR] Replaced "This technique" with " The technique proposed in the specification". The paragraph explains how this technique can be used with PCP-aware NAT to permit MAP request after the client has got the token. Section 5: . Figure 3: Show a bidirectional Request/ Response on (1). Show a (5) arrow with PCP Response so the loop is closed. [TR] Fixed. . Same question as above. Does the Auth Server has to be the WebRTC Server (or app server in general)? Or is this figure just a possible scenario ? [TR] Yes, The authorization server in this specific example has to be the WebRTC server because only it will be aware of call termination details to revoke the token. . Create section 5.1 for the option detail and say something like "This specification defines the new PCP ACCESS_TOKEN Option." [TR] ok. . Option Length: Is this like any PCP option (i.e. length of Option Data, must be multiple of 4, etc). Maybe just refer to RFC6887 Section 7.3 [TR] Yes and its variable length. . "Reserved1": set to 0 by sender and ignored by the receiver? [TR] Added Lifetime: Why does the PCP Client need to tell the PCP Server about the lifetime? Is this the expires_in value that the PCP Client got from the Auth Server? Can this be "extended" later in a PCP Request by the PCP Client/ Alice or Mallory? And what would happen? I thought the PCP Server must ensure that the token has not expired by interacting with the authorization server (e.g. on arrow (4) in your Figure 3, the Auth server would also include the lifetime). I don't understand why it's needed in the PCP Option. [TR] The PCP servers uses the lifetime field to do local validation before interacting with the Authorization Server for further checks. Yes, this is the expires_in value that the PCP Client got from the Authorization server. Performing local validation is just a minor benefit and anyways the PCP Server will ensure that the token has not expired by interacting with the authorization server. . Timestamp : This assumes some sort of synchronization, right? Then I don't understand how the Timestamp on its own can prevent replay attacks. Maybe you can elaborate on this a bit? [TR] Sure. Using the formula "Lifetime + Delta > abs(RDnew - TSnew)" defined in section 7 of the draft, PCP server can find out if the Timestamp field in the ACCESS_TOKEN option is too old when compared to the receipt of the PCP request. . May appear in: response...I don't see any explanation on when PCP Server would include it in response and what is the PCP Client supposed to do/ check. Maybe you can say a few words about this in Sections 5.2 and 5.3 [TR] If the token is valid then the PCP server generates a success PCP response (it's the same as in RFC 6887, no changes) . Probably out of scope but what happens on mapping refresh, PCP server restart, etc? Will PCP Client get new token, reuse the old one, etc? Maybe give some hints on good practices? [TR] It's covered in Section 7 "Security Considerations" <snip> A PCP server will delete explicit dynamic mappings after the lifetime of the cryptographic token expires. The PCP client must obtain a new cryptographic token from the authorization server before the current token becomes invalid or expires. The PCP client must propagate the new cryptographic token to the PCP server to refresh lifetime of mappings before the current token becomes invalid or expires </snip> Section 6: . PCP Proxy question: What are the possible actions here wrt to the TOKEN option? Just forward or drop (e.g. if unknown and configured to drop unknowns)? [TR] PCP Proxy will replay the ACCESS_TOKEN option because it's a mandatory-to-process option. For more information on the PCP proxy behavior w.r.t mandatory-to-process option please refer to section 7 in http://tools.ietf.org/html/draft-ietf-pcp-proxy-04#section-7 Cheers, -Tiru. thanks, -anca
- [pcp] Comments on PCP Extension for Third Party A… Suresh Kumar Vinapamula Venkata
- Re: [pcp] Comments on PCP Extension for Third Par… Zhangdacheng (Dacheng)
- Re: [pcp] Comments on PCP Extension for Third Par… Tirumaleswar Reddy (tireddy)
- Re: [pcp] Comments on PCP Extension for Third Par… Tirumaleswar Reddy (tireddy)
- Re: [pcp] Comments on PCP Extension for Third Par… Suresh Kumar Vinapamula Venkata
- Re: [pcp] Comments on PCP Extension for Third Par… Parthasarathi R
- Re: [pcp] Comments on PCP Extension for Third Par… Tirumaleswar Reddy (tireddy)
- Re: [pcp] Comments on PCP Extension for Third Par… Tirumaleswar Reddy (tireddy)
- [pcp] Comments on PCP Extension for Third Party A… Anca Zamfir (ancaz)
- Re: [pcp] Comments on PCP Extension for Third Par… Tirumaleswar Reddy (tireddy)