IETF Logo Mail Archive

Re: [pcp] Posted auth req slide that was edited during meeting

Dan Wing <dwing@cisco.com> Tue, 26 March 2013 16:02 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C00C921F8B26 for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 09:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.979
X-Spam-Level:
X-Spam-Status: No, score=-109.979 tagged_above=-999 required=5 tests=[AWL=0.620, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oLIUyok-WFKN for <pcp@ietfa.amsl.com>; Tue, 26 Mar 2013 09:02:20 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 0BF4921F8AF0 for <pcp@ietf.org>; Tue, 26 Mar 2013 09:02:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3420; q=dns/txt; s=iport; t=1364313740; x=1365523340; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=JATk90OioGbMgzvbqvoWw8oRB8fA1xCZbb/D7jRmSTg=; b=iNS9uSl/TFsLU0lyHEO94uQDaWI0+XWROKJ1n9ZsS+a7Y9Rhpu2SjBbY S8yUMW+7wMOw12ynqbAWggn+AxFrhLmJ/MRwq1B4YGtmaXS0yCjmcNg4p Ub0oWAQk7/IhwvbeQ2YQObbq3gl81+BMeSa4X4MAZvvP96LQsM6J5dnYE A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhAFAK3FUVGrRDoI/2dsb2JhbABDgzrASIEGFoEqgh8BAQEDAQEBATc0CwUHBAsRBAEBKAcnHwkIGYgOBQ2xEo9/BI5fKAsHBoJZYQOIeI1vhX+LCIMqHA
X-IronPort-AV: E=Sophos;i="4.84,913,1355097600"; d="scan'208";a="74199810"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 26 Mar 2013 16:02:19 +0000
Received: from [10.32.240.194] ([10.32.240.194]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r2QG2IYr000581; Tue, 26 Mar 2013 16:02:18 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <674F70E5F2BE564CB06B6901FD3DD78B12CE012A@tgxml337.toshiba.local>
Date: Tue, 26 Mar 2013 09:02:18 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <56946F7F-B646-42B1-A421-F2D3559CCEA2@cisco.com>
References: <341064315C6D0D498193B256F238CF9747C9C9@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com> <5EF8B214-6563-47C7-9D48-621D9D5E1B29@yegin.org> <tslip4r42r3.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CD0A01@tgxml337.toshiba.local> <tslk3p4zyze.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB0CB@tgxml337.toshiba.local> <tsl620ox0zb.fsf@mit.edu> <674F70E5F2BE564CB06B6901FD3DD78B12CDB148@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CDEA18@tgxml337.toshiba.local> <674F70E5F2BE564CB06B6901FD3DD78B12CE012A@tgxml337.toshiba.local>
To: yoshihiro.ohba@toshiba.co.jp
X-Mailer: Apple Mail (2.1503)
Cc: pcp@ietf.org
Subject: Re: [pcp] Posted auth req slide that was edited during meeting
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2013 16:02:20 -0000

On Mar 25, 2013, at 6:55 PM, yoshihiro.ohba@toshiba.co.jp wrote:

> Here is my suggested change on REQ-5 of draft-reddy-pcp-auth-req-01.
> 
> (Current)
> 
>   REQ-5:  PCP allows a server to send multiple responses.  If the
>      server wants to send an unsolicited message, but the previous
>      security association has expired, the server MUST be able to
>      trigger re-authentication with the client.
> "
> 
> (New)
> 
> "
>   REQ-5:  PCP allows a server to send multiple responses.  If the
>      server wants to send an unsolicited message, but the previous
>      security association is going to expire, the server MUST be able to
>      trigger re-authentication with the client prior to expiration of the security association.
> "

The PCP server does not know, a priori, if it will want or need to send a message later.  So the only way to comply with that requirement would be for the PCP server to prevent a security association from expiring at all.  Is there some other way to comply with that requirement?

-d


> 
> Best Regards,
> Yoshihiro Ohba
> 
> -----Original Message-----
> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of yoshihiro.ohba@toshiba.co.jp
> Sent: Friday, March 22, 2013 1:42 AM
> To: pcp@ietf.org
> Subject: Re: [pcp] Posted auth req slide that was edited during meeting
> 
> Can we take silence as agreement about re-auth to happen before the SA expires?
> 
> Yoshihiro Ohba
> 
> 
> -----Original Message-----
> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of yoshihiro.ohba@toshiba.co.jp
> Sent: Monday, March 18, 2013 11:12 PM
> To: hartmans@painless-security.com
> Cc: pcp@ietf.org
> Subject: Re: [pcp] Posted auth req slide that was edited during meeting
> 
> Sam,
> 
> -----Original Message-----
> From: Sam Hartman [mailto:hartmans@painless-security.com] 
> Sent: Monday, March 18, 2013 11:00 PM
> To: ohba yoshihiro
> Cc: alper.yegin@yegin.org; pcp@ietf.org
> Subject: Re: [pcp] Posted auth req slide that was edited during meeting
> 
>>>>>>  <yoshihiro.ohba@toshiba.co.jp> writes:
> 
> 
>> In any case, we should follow the definition of EAP
>> re-authentication in RFC 5247 about re-authentication timing.  I
>> see absolutely no reason to change the definition.
> 
> OK. So you're saying that the goal of the security association expiration is to make sure that a client cannot change the PCP state in a manner that requires authentication outside a time window defined by the AAA infrastructure/PCP server?
> 
> [YO] Yes.
> 
> So, the sorts of attacks we'd want to prevent are people changing state after credentials have changed or authorizations have changed?
> 
> [YO] Yes, unless the credentials or authorizations are changed via a valid re-authentication, that is the whole purpose of re-authentication.
> 
> Yoshihiro Ohba
> 
> --Sam
> 
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp
> 
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp
> 
> _______________________________________________
> pcp mailing list
> pcp@ietf.org
> https://www.ietf.org/mailman/listinfo/pcp

v2.23.0 | Report a Bug | By Email