Re: [pcp] issue#61: Unsolicited reauthentication
Alper Yegin <alper.yegin@yegin.org> Mon, 05 November 2012 11:25 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76CD621F85EE for <pcp@ietfa.amsl.com>; Mon, 5 Nov 2012 03:25:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.398
X-Spam-Level:
X-Spam-Status: No, score=-102.398 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fr66MMfLfFZZ for <pcp@ietfa.amsl.com>; Mon, 5 Nov 2012 03:25:36 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 21D4021F85A8 for <pcp@ietf.org>; Mon, 5 Nov 2012 03:25:36 -0800 (PST)
Received: from [192.168.2.4] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0M093M-1TEmSO3DmG-00u7AQ; Mon, 05 Nov 2012 06:25:35 -0500
From: Alper Yegin <alper.yegin@yegin.org>
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_D244C193-1EB6-4972-8F65-9D77AF202613"
Date: Mon, 05 Nov 2012 13:25:18 +0200
In-Reply-To: <A0F7F765-4E5B-494E-B4D0-7BDD8325D08A@yegin.org>
To: pcp@ietf.org
References: <A0F7F765-4E5B-494E-B4D0-7BDD8325D08A@yegin.org>
Message-Id: <53E15237-EFBC-4D02-9681-2420E176DB7E@yegin.org>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:HhWG/e2U34ly3nrzj9erih003vC/LTui2OC3XjgyICo DvD9dfyYit0xZ/7IE4uCgDOv0f8oUZB9atiGXsTANvArKETQNx X0yUKDcMReG4xbPHfyz45RX+3dNfIOSQpw4aFgK+65EogsTLNO tnknLICi3ZKa8iNIKYqQq7Bpn8+UQ63xqw+cM6jab14Mk+Laoz KBo4GLUVGi0dTIe0iNde1zJQ57fj6seZCXKVzWDaxuXEC9eyMH jGPDlGnAQlNiuf3bgHg001fpudQW9H0utDff0jesc5a1vqNyt5 qufWU/PwCUvrdzanki/sqvOFi3fR2sGckkLv5dFjGyZF3KoJ8y AJGjLokspYr904IP0niSR2ZJToknnMW3gBFa88OAzhBuExlxv0 fDpTmh28kSJNw==
Subject: Re: [pcp] issue#61: Unsolicited reauthentication
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2012 11:25:37 -0000
I realized I missed the additional text on the issue tracker: Should a client need to remain reachable in order to defend/retain its mappings? Alper> Depends on the deployment. The "architecture/protocol design" shall not assume the client needing to remain reachable in order to defend its mappings. Alper> Supporting "re-authentication" in the "arch/protocol design" does not imply otherwise. Alper> Even though re-auth is supported in the design, deployment can decide to use it or not. Alper> This is a deployment decision. Not to be dictated by the protocol design. Consider case where client periodically goes to sleep but wants the mapping to exist whenever it's awake. Is this scenario important? On Nov 5, 2012, at 1:21 PM, Alper Yegin wrote: > > > Would it be desirable to support unsolicited re-authentication? > > – May depend on answer to issue #60 – is there a need to renew authentication information when no requests are being issued? > > Alper> As we discovered over the mailing list, there are cases where the PCP server sends unsolicited messages to the PCP client (e.g., when the mapping lifetime is updated). Such messages too need to be secured. So, tossing the PCP SA as soon as the first PCP request/response is completed after the EAP authentication does not work. PCP SA is needed later too. > > Alper> Besides, I don't understand why you'd want to toss the PCP SA away. Keep it around because you are likely to need it even at least for the subsequent requests from the PCP client. > > Alper> And, finally, RADIUS and Diameter support EAP re-authentication initiated by the AAA server. Unless we explicitly forbid that, they are there to be supported by any EAP lower-layer. > > > Or is it preferable to wait until a new mapping request is issued, and start a new authentication process then, if needed? > > > _______________________________________________ > pcp mailing list > pcp@ietf.org > https://www.ietf.org/mailman/listinfo/pcp
- [pcp] issue#61: Unsolicited reauthentication Alper Yegin
- Re: [pcp] issue#61: Unsolicited reauthentication Alper Yegin
- Re: [pcp] issue#61: Unsolicited reauthentication Alper Yegin