Re: [pcp] Server's auth policy discovery
Alper Yegin <alper.yegin@yegin.org> Fri, 12 October 2012 13:29 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4072421F84BF for <pcp@ietfa.amsl.com>; Fri, 12 Oct 2012 06:29:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.524
X-Spam-Level:
X-Spam-Status: No, score=-102.524 tagged_above=-999 required=5 tests=[AWL=0.074, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSIJdf+cdxL0 for <pcp@ietfa.amsl.com>; Fri, 12 Oct 2012 06:29:01 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 8884121F84A6 for <pcp@ietf.org>; Fri, 12 Oct 2012 06:29:01 -0700 (PDT)
Received: from [192.168.2.7] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0LiTe0-1TuteT2c8K-00caGt; Fri, 12 Oct 2012 09:28:59 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_5DD46DD1-F727-460D-884E-4EA2AC67998E"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <3463AFCA-54F0-4D22-A286-DAEC67C7C852@lilacglade.org>
Date: Fri, 12 Oct 2012 16:28:39 +0300
Message-Id: <B89357DF-10CE-4BC5-9827-DBA1C27FFF70@yegin.org>
References: <0BC19EAB-01F2-4AB9-B706-FD7C98FFAE86@yegin.org> <tsl4nm0j755.fsf@mit.edu> <5077FA0A.9030308@toshiba.co.jp> <tslzk3rj530.fsf@mit.edu> <22CCCEB5-FA7E-474A-B890-5A6EB16E44DB@yegin.org> <tslvcefj3i3.fsf@mit.edu> <F2C651B4-76AB-409E-8540-892E5793ACC0@yegin.org> <3463AFCA-54F0-4D22-A286-DAEC67C7C852@lilacglade.org>
To: Margaret Wasserman <margaretw42@gmail.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:BCnvoUrpQq7bisYfwj2caiOJqf101BDjum6qPXLPZxe O2Ba2iBdFCgFXsfnJEGCnkwl/OGeEnDhSHlCot1TFu1PM7G27B ozPAob8MhdBoMUcEJEAsawzRszKwBazubDUuQ/IByA9WBoWwvp 32Yjz6iB7lczqd0KuwJw1u6TsyMeklAAJ/PGZkQkGlrtPyHLjt tSGSeCofE0FUflyduyJcq4BGyRPDdixyqyoTCZL2OBy30gFZGQ x9z/+Fqh+ajpfvrYTJ/UnGeJr/0HuZHXlVMRhRU7AD+PO4Uogc IlGHD1ZALwTbnbJtroN/O63WfRSTBhyxJm9a3Dc5BEZx6yZVQM Mbs+xkWKUqkVKExr15IILbmf65xmS2rMHu/vrMb6B95R0Otap+ lz1m3kju0Y8iw==
Cc: pcp@ietf.org
Subject: Re: [pcp] Server's auth policy discovery
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2012 13:29:02 -0000
> > On Oct 12, 2012, at 8:44 AM, Alper Yegin wrote: >> >> As for dealing with discovery for PANA port-sharing, either: >> - We agree that it's OK for all clients to start with "no auth", or > > What does this mean? There are two cases I can think of where a client might "start with" an authenticated request: > > 1) Where a client is configured to do so. > or > 2) Where a client is attempting to renew a mapping that was originally granted via an authenticated request. > > How can we say, in either case, that the client should start with "no auth"? > Let me expand on it. A client that does not know the server's authentication policy needs to discover the server's policy. One of the ways to achieve that discovery (as there are two others below) is for such client to send an unauthenticated PCP request and see what happens. If the server accepts that request (i.e., no auth error is returned), then client now knows this server allows unauthenticated PCP requests. If the server returns an auth error, then now the client knows this server does not allow unauthenticated PCP requests. >> - We use a DHCP-based solution (I know you are not happy with this), or >> - We use an ANNOUNCE-based auth policy discovery solution >> >> At least one of these would handle the issue. > > I think I am confused about what problem you are trying to solve here... > > If a client sends an authenticated request in either of the encapsulated cases (PANA or PCP-Specific), an error will be returned (by the PCP server) indicating (to the PCP client) that the opcode is not supported, and the client will know that authentication is not supported. If the client is willing to try an unauthenticated request, it can do so at that time. > > The only problem that I am aware of is for the demux case, because the error will not be returned to the process that is actually trying to do the authentication (the PANA client_ -- it will go back to the PCP client. Therefore, the PANA client might keep retrying, even though the PCP server has returned an error. Also, the PCP client needs to include special handling of the "unsupported version" error that occurs when authentication is being attempted, so that it knows to try an unauthenticated request. > This is the issue we are addressing with the 3 approaches I enumerated. Alper > Margaret > >
- [pcp] Server's auth policy discovery Alper Yegin
- Re: [pcp] Server's auth policy discovery Sam Hartman
- Re: [pcp] Server's auth policy discovery Yoshihiro Ohba
- Re: [pcp] Server's auth policy discovery Sam Hartman
- Re: [pcp] Server's auth policy discovery Alper Yegin
- Re: [pcp] Server's auth policy discovery Sam Hartman
- Re: [pcp] Server's auth policy discovery Alper Yegin
- Re: [pcp] Server's auth policy discovery Sam Hartman
- Re: [pcp] Server's auth policy discovery Margaret Wasserman
- Re: [pcp] Server's auth policy discovery Alper Yegin