Re: [pcp] Side-by-side or nested protocols (was Re: PANA implementatinos to consider)

Hi Reinaldo,

>> 
>>> +1 all I have seen so far is very complex for simple authentication of
>>> pcp. Let's embed it into pcp.
>>> 
>> 
>> It does not get simplified because you put one inside the other. In fact,
>> it gets more complicated. Please see below.
>> 
>>> 
>>> I've been following this discussion and my preference would be to avoid
>>> having a design that requires a 'control protocol' between PCP and
>>> something else. We should reuse other IETF standards whenever possible
>>> but
>>> I would prefer everything to be part of a single protocol.
>> 
>> This is so un-IETF to me. Here we have two distinct pieces of work (PCP
>> and key management), that can be satisfied using two protocols, we are
>> talking about cobbling them together.
>> Like that was done in the PPP-era, and like it's done in GTP (of 3GPP).
>> Lot of pain with both...
>> I'd understand how other SDOs would think that way, but their priorities
>> are different. But for IETF, we design protocols, and cobbling up
>> protocols unnecessarily gets in the way of modularity, which is very
>> essential to IETF. Right?
>> 
>> More on this below...
>> 
>> 
>>> Having a
>>> separate protocol would mean significant more test and effort for
>>> productization due to interactions, new CLIs, unforeseen state machine
>>> issues, etc. 
>> 
>> Just the opposite.
>> Inventing new EAP-over-UDP as part of PCP is a brand-new design with
>> brand-new code. PANA is a standard with multiple interoperating
>> implementations. 
>> It's obviously more stable then the to-be-designed EAP-over-UDP/PCP.
> 
> I posit that the effort to productize PANA or a yet to be defined
> EAP-over-UDP (or something else) is almost the same. Unless the vendor
> that is implementing
> PCP Server has PANA in production but I'm not aware of any.
> 

So, if I the vendor do not have the protocol implemented in front of me, it makes sense to go back to square one and design my own wheel, get it through IETF standardization (spend lot of engineering cycles), get  it interop'ed, get it open-source implemented. Does this make sense?

But more interestingly, you said you are not aware of any PANA implementations in production.
As we said before, PANA is adopted into Zigbee Smart Energy Profile 2.0
And it passed several interop events, with 10 implementations.
Are you sure you don't have it in Cisco platforms?

> 
>> 
>> 
>> State machines is one of the issues with cobbling up protocols. Two
>> separate protocols, living side by side, the state machines have nothing
>> to conflict.
> 
> 
> Conflict is not the right word. You are low balling this issue. Synching
> two state machines that depend on each other can be tricky.
> 

Yes, it could be tricky, if we had a funky relationship between the two protocols. But in this case, it's a clean separation. PCP needs keys to run, it triggers PANA to generate the keys, PANA does its job and gives back the keys, PCP runs with the keys. This is how separate "key management" works. Natural fit.

But, if we embed one protocol inside the other, then you have to combine the state machines. And that combining is not a simple jump back and forth like in the above case. More specifically, within the PCP state machine, now you have to account for server-side retransmissions, server-side asynchronous requests, etc.

> 
>> 
>> If you put on inside the other, then problems arise.
> 
>> 
>> Specifically in this case: The direction of PCP flow and EAP flow are
>> just the opposite. PCP is host-side driven req/rsp. EAP is network-side
>> driven req/rsp. So, now PCP state machine has to change to support that
>> too. And, EAP can generate asynchronous requests at any time from the
>> network side (re-authentication). Exact same issue that we had with the
>> EAP-over-DHCP (in fact this whole discussion has the same pattern....)
> 
> 
> PCP is capable of sending unsolicited messages (both multicast and
> unicast). So, we are good here.

You are referring to "announcements" right?
They are one-way notifications.
What you need is a server-initiated, multi-round-trip req/rsp exchanges -- to have a working EAP lower-layer.

> 
>> 
>> And I have yet to hear someone saying yes EAP-over-PCP satisfies the EAP
>> lower layer requirements. I had raised this issue 3 times, and don't see
>> anyone doing the work. It's not as simple as defining a container to ship
>> EAP payloads back and forth.
>> 
>> 
>>> 
>>> We will certainly even face all kinds of backward/forward compatibility
>>> issues between PCP, PANA (as an example) and whatever control protocol
>>> will run between them due to different features and evolution timeline.
>>> 
>> 
>> Again, situation is the opposite.
>> Having them separate will allow them to evolve independently.
> 
> If PANA (and PANA<->PCP) are not there then this is a non-issue. Moreover,
> If PANA is an integral part of PCP 'feature' then if PANA evolves, that
> means PCP feature needs to be fully tested, regressed, etc.

When an enhancement is identified to the "end-point authentication and key management" aspect, then PANA gets revised/extended.
PANA revision/extension gets tested, you be done with it. 

If you go with EAP-over-PCP approach, then you gotta test both the EAP-over-PCP and the whole PCP as well. Since they are well-integrated (not isolated like above), you have to make sure you didn't mess up PCP. (Depending on the type of change, we probably also need to revise/extend/test PANA for its other use as well.)

OK, this is simple modular design, protocol re-use, and their benefits.

> 
>> 
>> Adding new features to a revision or extension of PANA is better than
>> adding it to N different protocols which chose to embed equivalent of
>> PANA.
>> 
> 
> The final solution with a PCP specific method might look different than
> PANA.
> 

How much? It's going to carry EAP, it's going to carry it over UDP, it's going to be a EAP lower-layer. Where's the delta?

>> 
>> 
>>> Although one can argue that PCP and PANA will run together as one entity
>>> the next step would be somebody asking for them to be decoupled and able
>>> to run anywhere. This train is never late.
>>> 
>> 
>> They are running separately. They are de-coupled as "protocols". What we
>> are coupling is the "state" generated/used by PANA and PCP.
>> This decoupling is a feature for "protocols", not a bug. Using state
>> generated from one protocol in another is a "architecture design" or
>> "implementation".
> 
> You are missing the point here. The implementation complexity of your
> proposal is considerable because you will have:
> 
> - PANA 
> - PCP
> - PANA <-> PCP protocol
> 

The interaction between the PANA and PCP is not governed by a protocol, but an API. They are on the same stack.

With PANA, you need to deal with how two protocols implemented on the same stack interacts.
With EAP-over-PCP, you need to deal with how two separate parts of the same protocol interact with each other.
How you implement these depend on your implementation environment.
I personally don't see an issue here that'd justify the re-invention of the wheel for IETF and causing complexity for PCP design and implementation.

> 
> But a case in point: I have experience with H.248Ia and Diameter-like to
> do session control through NATs. Something similar to what we are trying
> to achieve. Parallel to H.248 we had an authentication protocol. Dealing
> with those two state machines was complex and can not be ignored.
> 

Cheers,

Alper

> 
> 
>> 
>> Alper
>> 
>> 
>> 
>> 
>> 
>>> 
>>> -----Original Message-----
>>> From: Alper Yegin <alper.yegin@yegin.org>
>>> Date: Fri, 14 Sep 2012 16:38:17 +0300
>>> To: Margaret Wasserman <margaretw42@gmail.com>
>>> Cc: <pcp@ietf.org>
>>> Subject: Re: [pcp] PANA implementatinos to consider
>>> 
>>>> Hi Margaret,
>>>> 
>>>> Your below questions are implementation specific.
>>>> Let me answer them to describe how this can be implemented in one way.
>>>> Certainly there are other ways to implement them.
>>>> 
>>>>> 
>>>>> On Sep 14, 2012, at 2:52 AM, Alper Yegin wrote:
>>>>>> As for the implementation complexity, I don't quite understand why
>>>>>> PANA (which is basically EAP over UDP) would ever be more complicated
>>>>>> then to-be-designed "EAP over UDP within PCP framework". While I
>>>>>> don't
>>>>>> see a reason for former being more complicated, I see reasons for
>>>>>> seeing the latter being more complicated, as the whole thing now
>>>>>> needs
>>>>>> to live within another protocol framework (read: format, flow, state
>>>>>> machine harmonization between the two).
>>>>> 
>>>>> I don't understand how you get away from coupling PANA and PCP, even
>>>>> in
>>>>> the demultiplexing case where they run side-by-side on the same port.
>>>>> I
>>>>> think a number of details are being glossed over in your latest
>>>>> document
>>>>> when you refer to a need for an "API" between PANA and PCPŠ
>>>>> 
>>>> 
>>>> Association or binding of state between PANA and PCP is common on both.
>>>> But there are different degrees of "coupling". Or where you couple
>>>> them.
>>>> Are we coupling the state generated/maintained between the two, or are
>>>> we
>>>> coupling the protocols themselves.
>>>> 
>>>> You could say, a host configures a care-of address using DHCP, and uses
>>>> that IP address with Mobile IP, hence DHCP and Mobile IP are coupled.
>>>> Or, you could invent carrying DHCP over Mobile IP, and call that
>>>> coupling
>>>> too.
>>>> 
>>>> Another more relevant example: Running IKE for IPsec, or running IKE
>>>> over
>>>> IPsec (however you do it).
>>>> 
>>>> 
>>>>> Let's start with a simple case where the PCP Client wants to initiate
>>>>> and authenticated PCP request...
>>>>> 
>>>>> The Client needs to ask the PANA Client to initiate authentication.
>>>>> How?  
>>>> 
>>>> PCP software triggers the PaC to perform authentication.
>>>> Like how IKE gets triggered when IPsec SA needs to be setup.
>>>> 
>>>> 
>>>>> Will that request include any details about the mapping request that
>>>>> is
>>>>> being made?  i.e. will the PANA Client be asking for authentication
>>>>> _and
>>>>> authorization_ to perform a particular action?  Or do we assume that a
>>>>> PCP client is authenticated via PANA, and that authorization for a
>>>>> particular action is a separate step that is performed as part of PCP?
>>>>> If they are separate, do we need a new set of PCP error codes for the
>>>>> situation where an authenticated PCP client performs an unauthorized
>>>>> action, or is that already covered in the PCP spec?
>>>> 
>>>> 
>>>> That trigger I mentioned above will include two pieces of information:
>>>> 1.
>>>> Indication that this is an auth/authz for PCP, 2. IP address of the PAA
>>>> (which is same as the PCP server).
>>>> 
>>>> 
>>>>> When the PCP Client asks the PANA Client to perform authentication,
>>>>> what are the possible results that can be returned from that request,
>>>>> and how are they communicated back to the PCP Client?  You have only
>>>>> described the success case in your document.
>>>> 
>>>> PANA already generates success and failure results. This result will be
>>>> conveyed to the PCP client via the API.
>>>> If the result is success, also the PCP_AUTH_KEY and PANA Session ID and
>>>> PANA Key ID need to be passed via that interface.
>>>> 
>>>> 
>>>> 
>>>>> 
>>>>> How does this work in the case where the PCP Server is not running a
>>>>> PANA Server?  I _think_ that if a PCP Client asks its PANA Client to
>>>>> perform authentication, and the PCP Server does support
>>>>> authentication,
>>>>> some sort of "unsupported version" error code will be returned to the
>>>>> _PCP Client_ (due to the details of your proposed demultiplexing
>>>>> scheme), and that nothing will be returned to the PANA Client, at all.
>>>>> We would need to make sure that secure PCP clients are specified to
>>>>> handle an "unsupported version" error differently when the PANA Client
>>>>> is in this particular state, but how does the PCP Client know that
>>>>> this
>>>>> is why that error was returned?  If this does happen, how does the PCP
>>>>> client inform the PANA Client that it should stop trying to perform
>>>>> authentication with that particular PCP Server?
>>>>> 
>>>> 
>>>> I'd like to first understand how the client-side decides when to use
>>>> authentication, and when not to?
>>>> Can you, or someone, explain that? Once I understand the scenarios we
>>>> are
>>>> trying to cover, I can come back and answer your question.
>>>> 
>>>> 
>>>>> Also, how does the PCP Client know when the _PCP Server_ is ready to
>>>>> receive its request?  Are we assuming that the PANA Server will not
>>>>> return an indication to the PANA Client that the client has been
>>>>> authenticated until _after_ it has provisioned the necessary SA on the
>>>>> PANA Server?  
>>>>> 
>>>> 
>>>> The order of events is:
>>>> 
>>>> 1. PANA is executed
>>>> 2. PaC provides the results to the PCP client
>>>> 3. PCP client contacts PCP server, using  authentication tag generated
>>>> with the SA from step 2.
>>>> 4. Upon encountering new SA, PCP server contacts the PAA to obtain the
>>>> matching parameters (or, the PAA had already pushed those params to PCP
>>>> server after 1. These are different implementation choicesŠ..)
>>>> 
>>>> 
>>>> 
>>>>> What if an additional application on the same PCP Client system wants
>>>>> to perform an authenticated request with the same PCP Server in the
>>>>> meantime?  Will that second request result in a second (interleaved)
>>>>> PANA negotiation, or will the PCP Client be told that a PANA
>>>>> negotiation
>>>>> is already pending?  If the latter, how will the second PCP Client
>>>>> thread by informed when the PANA negotiation has completed?  (Note:
>>>>> The
>>>>> right answer here depends heavily on whether the PANA authentication
>>>>> depends, in any way, on the contents of a specific PCP request -- the
>>>>> authentication vs. authentication/authorization question above).
>>>>> 
>>>> 
>>>> Second API call can be told that there is already an ongoing
>>>> authentication and wait for the result.
>>>> Or, maybe it says "OK" but does not generate a second PANA session
>>>> because the same PANA session (or, more specifically the security
>>>> association generated by it) can be used with both PCP requests.
>>>> 
>>>> 
>>>>> All of these questions will need to be answered, IMO, in a full
>>>>> specification of the PCP/PANA demultiplexing mechanism, precisely
>>>>> _because_ PCP and PANA are running separately.
>>>> 
>>>> Errr, I don't think so. None of these are impacting the over-the-wire
>>>> behavior (i.e., the "protocol"), but they are all about implementation
>>>> --
>>>> not something we need to put in the protocol specs.
>>>> 
>>>> 
>>>> If we were to use EAP over PCP, do you think we need to define how EAP
>>>> methods interface with EAP which interfaces with PCP. How one triggers
>>>> the other and gets the results back. I don't think so.
>>>> 
>>>> 
>>>> 
>>>>> The "API" is where this coupling is provided between the two "state
>>>>> machines", as you refer to them.  Why is this any simpler if PANA and
>>>>> PCP are running side-by side than if we run PANA encapsulated in PCP?
>>>>> (or, if we run PCP directly over EAP, for that matter)
>>>>> 
>>>> 
>>>> 
>>>> Please see the top part about my "coupling" response.
>>>> 
>>>> If you run two protocols side by side, you point how one can trigger
>>>> the
>>>> other. And ideally, triggers target meaningful states. E.g., one
>>>> protocol
>>>> triggers other to run, and at the end of execution the result is
>>>> returned
>>>> (PCP triggers PANA to execute).
>>>> If you run one protocol inside another, then you have to nest their
>>>> state
>>>> machines, and unless you are purely lucky, that cannot work
>>>> automatically
>>>> w/o aligning their state machines. (Like I said, PANA state machine is
>>>> designed the way it is in accordance with the EAP state machine.)
>>>> 
>>>> Alper
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> Margaret
>>>>> 
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> pcp mailing list
>>>> pcp@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/pcp
>>> 
>>> _______________________________________________
>>> pcp mailing list
>>> pcp@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pcp
> 