Re: [pcp] issue#61: Unsolicited reauthentication

Alper Yegin <alper.yegin@yegin.org> Fri, 16 November 2012 23:05 UTC


> 
> Would it be desirable to support unsolicited re-authentication?
> 
> – May depend on answer to issue #60 – is there a need to renew authentication information when no requests are being issued?
> 
> Alper> As we discovered over the mailing list, there are cases where the PCP server sends unsolicited messages to the PCP client (e.g., when the mapping lifetime is updated). Such messages too need to be secured. So, tossing the PCP SA as soon as the first PCP request/response is completed after the EAP authentication does not work. PCP SA is needed later too. 
> 
> Alper> Besides, I don't understand why you'd want to toss the PCP SA away. Keep it around because you are likely to need it even at least for the subsequent requests from the PCP client. 
> 
> Alper> And, finally, RADIUS and Diameter support EAP re-authentication initiated by the AAA server. Unless we explicitly forbid that, they are there to be supported by any EAP lower-layer. 
> 
> 

Sam/Alan DeKok had pointed out that the EAP message carried in a CoA can only be an EAP Notification.
Correct, I missed that.

Nevertheless, "RADIUS and Diameter support EAP re-authentication initiated by the AAA server." still holds true. See below:

Diameter (RFC 4072):

"A home Diameter server MAY request EAP re-authentication by issuing
the Re-Auth-Request [BASE] message to the Diameter client."


For RADIUS, Termination-Action=RADIUS-Request is used to get the NAS to initiate re-authentication.
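As an added illustration of the RADIUS mechanism named above (example code, not from this thread or any PCP implementation): a minimal RFC 2865 attribute parser that decides what the NAS does when Session-Timeout expires, re-authenticating only when the AAA server sent Termination-Action=RADIUS-Request. The Access-Accept packets and their zero authenticator are constructed, and the function names are my own.

```python
import struct

# RFC 2865 values (standard constants, not taken from the thread)
ACCESS_ACCEPT = 2
ATTR_SESSION_TIMEOUT = 27
ATTR_TERMINATION_ACTION = 29
TERM_DEFAULT = 0          # drop the session when Session-Timeout expires
TERM_RADIUS_REQUEST = 1   # NAS re-authenticates instead of terminating


def build_access_accept(identifier, authenticator, attrs):
    """Serialize a RADIUS packet: 20-byte header + type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Return {type: value} for a RADIUS packet, rejecting malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = packet[off + 2:off + l]
        off += l
    return attrs


def action_on_timeout(packet):
    """NAS behaviour when the Session-Timeout granted by this Access-Accept expires."""
    attrs = parse_attributes(packet)
    if ATTR_SESSION_TIMEOUT not in attrs:
        return "no-timeout"
    term = attrs.get(ATTR_TERMINATION_ACTION)
    if term is not None and struct.unpack("!I", term)[0] == TERM_RADIUS_REQUEST:
        return "reauthenticate"
    return "terminate"  # Termination-Action absent or Default


# Constructed samples; a real packet carries an MD5 Response Authenticator here.
SAMPLE_AUTHENTICATOR = bytes(16)
REAUTH_ACCEPT = build_access_accept(7, SAMPLE_AUTHENTICATOR, [
    (ATTR_SESSION_TIMEOUT, struct.pack("!I", 300)),
    (ATTR_TERMINATION_ACTION, struct.pack("!I", TERM_RADIUS_REQUEST)),
])
TERMINATE_ACCEPT = build_access_accept(8, SAMPLE_AUTHENTICATOR, [
    (ATTR_SESSION_TIMEOUT, struct.pack("!I", 300)),
])
```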