Re: [pcp] Posted auth req slide that was edited during meeting
Dan Wing <dwing@cisco.com> Tue, 26 March 2013 16:02 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C00C921F8B26 for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 09:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.979
X-Spam-Level:
X-Spam-Status: No, score=-109.979 tagged_above=-999 required=5 tests=[AWL=0.620, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oLIUyok-WFKN for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 09:02:20 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 0BF4921F8AF0 for <pcp@ietf.org>; Tue, 26 Mar 2013 09:02:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3420; q=dns/txt; s=iport; t=1364313740; x=1365523340; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=JATk90OioGbMgzvbqvoWw8oRB8fA1xCZbb/D7jRmSTg=; b=iNS9uSl/TFsLU0lyHEO94uQDaWI0+XWROKJ1n9ZsS+a7Y9Rhpu2SjBbY S8yUMW+7wMOw12ynqbAWggn+AxFrhLmJ/MRwq1B4YGtmaXS0yCjmcNg4p Ub0oWAQk7/IhwvbeQ2YQObbq3gl81+BMeSa4X4MAZvvP96LQsM6J5dnYE A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhAFAK3FUVGrRDoI/2dsb2JhbABDgzrASIEGFoEqgh8BAQEDAQEBATc0CwUHBAsRBAEBKAcnHwkIGYgOBQ2xEo9/BI5fKAsHBoJZYQOIeI1vhX+LCIMqHA
X-IronPort-AV: E=Sophos;i="4.84,913,1355097600"; d="scan'208";a="74199810"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 26 Mar 2013 16:02:19 +0000
Received: from [10.32.240.194] ([10.32.240.194]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r2QG2IYr000581; Tue, 26 Mar 2013 16:02:18 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <674F70E5F2BE564CB06B6901FD3DD78B12CE012A@tgxml337.toshiba.local>
Date: Tue, 26 Mar 2013 09:02:18 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <56946F7F-B646-42B1-A421-F2D3559CCEA2@cisco.com>
References: <341064315C6D0D498193B256F238CF9747C9C9@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com> <5EF8B214-6563-47C7-9D48-621D9D5E1B29@yegin.org> <tslip4r42r3.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CD0A01@tgxml337.toshiba.local> <tslk3p4zyze.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB0CB@tgxml337.toshiba.local> <tsl620ox0zb.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB148@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CDEA18@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CE012A@tgxml337.toshiba.local>
To: yoshihiro.ohba@toshiba.co.jp
X-Mailer: Apple Mail (2.1503)
Cc: pcp@ietf.org
Subject: Re: [pcp] Posted auth req slide that was edited during meeting
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2013 16:02:20 -0000
On Mar 25, 2013, at 6:55 PM, yoshihiro.ohba@toshiba.co.jp wrote: > Here is my suggested change on REQ-5 of draft-reddy-pcp-auth-req-01. > > (Current) > > REQ-5: PCP allows a server to send multiple responses. If the > server wants to send an unsolicited message, but the previous > security association has expired, the server MUST be able to > trigger re-authentication with the client. > " > > (New) > > " > REQ-5: PCP allows a server to send multiple responses. If the > server wants to send an unsolicited message, but the previous > security association is going to expire, the server MUST be able to > trigger re-authentication with the client prior to expiration of the security association. > " The PCP server does not know, a priori, if it will want or need to send a message later. So the only way to comply with that requirement would be for the PCP server to prevent a security association from expiring at all. Is there some other way to comply with that requirement? -d > > Best Regards, > Yoshihiro Ohba > > -----Original Message----- > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of yoshihiro.ohba@toshiba.co.jp > Sent: Friday, March 22, 2013 1:42 AM > To: pcp@ietf.org > Subject: Re: [pcp] Posted auth req slide that was edited during meeting > > Can we take silence as agreement about re-auth to happen before the SA expires? > > Yoshihiro Ohba > > > -----Original Message----- > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of yoshihiro.ohba@toshiba.co.jp > Sent: Monday, March 18, 2013 11:12 PM > To: hartmans@painless-security.com > Cc: pcp@ietf.org > Subject: Re: [pcp] Posted auth req slide that was edited during meeting > > Sam, > > -----Original Message----- > From: Sam Hartman [mailto:hartmans@painless-security.com] > Sent: Monday, March 18, 2013 11:00 PM > To: ohba yoshihiro > Cc: alper.yegin@yegin.org; pcp@ietf.org > Subject: Re: [pcp] Posted auth req slide that was edited during meeting > >>>>>> <yoshihiro.ohba@toshiba.co.jp> writes: > > >> In any case, we should follow the definition of EAP >> re-authentication in RFC 5247 about re-authentication timing. I >> see absolutely no reason to change the definition. > > OK. So you're saying that the goal of the security association expiration is to make sure that a client cannot change the PCP state in a manner that requires authentication outside a time window defined by the AAA infrastructure/PCP server? > > [YO] Yes. > > So, the sorts of attacks we'd want to prevent are people changing state after credentials have changed or authorizations have changed? > > [YO] Yes, unless the credentials or authorizations are changed via a valid re-authentication, that is the whole purpose of re-authentication. > > Yoshihiro Ohba > > --Sam > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp
- [pcp] Posted auth req slide that was edited durin… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… Alper Yegin
- Re: [pcp] Posted auth req slide that was edited d… Rafa Marin Lopez
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Sam Hartman
- Re: [pcp] Posted auth req slide that was edited d… Dan Wing
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Dan Wing
- Re: [pcp] Posted auth req slide that was edited d… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… Dave Thaler
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba
- Re: [pcp] Posted auth req slide that was edited d… yoshihiro.ohba