IETF Logo Mail Archive

Re: [pcp] EAP-over-PCP

Margaret Wasserman <margaretw42@gmail.com> Thu, 20 September 2012 11:09 UTC

Return-Path: <margaretw42@gmail.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9E7E21F8751 for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 04:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-k0WvIPGn8M for <pcp@ietfa.amsl.com>; Thu, 20 Sep 2012 04:09:22 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 15EAF21F8778 for <pcp@ietf.org>; Thu, 20 Sep 2012 04:09:21 -0700 (PDT)
Received: by qaec10 with SMTP id c10so272461qae.10 for <pcp@ietf.org>; Thu, 20 Sep 2012 04:09:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=ltRXLjR1uX4ajAnrnV7gmpvnswkai4xgDvGuggLkhsA=; b=hkuh+GCl9vatW5W0OjCEsFMQlCFNfWoYzh3WY2npFhwU8/VJlNOjEZHukIONBEbmxS 7iGTnihnCVDwTy5aVWKpJBqaEqi9ZMBUysl9ARU/Fq80eChZYR3HI1ecaIrTfIDi1Um+ 7LYeKJDFGWz0lDQhZXvL2oegk4yKf4TJc07+HNC96+tO12g1XMIatovWiYjtb2hcMZAB dschUR/UQmITXqPp+i/efs7SRzFmNeM4qtZkR4X0cIGo9Plu0pY+K0yxfqrycTl/lyCV 6rKAZYfX7YX5zeqZ/7MhJP/lXYS+pLfOc2M1qtOhZFIwi1lQRYOW1XwKElr13VzxQrzp U/Jw==
Received: by 10.224.31.210 with SMTP id z18mr3671031qac.95.1348139361572; Thu, 20 Sep 2012 04:09:21 -0700 (PDT)
Received: from lilac-too.home (pool-71-184-79-25.bstnma.fios.verizon.net. [71.184.79.25]) by mx.google.com with ESMTPS id et6sm7783620qab.8.2012.09.20.04.09.17 (version=SSLv3 cipher=OTHER); Thu, 20 Sep 2012 04:09:18 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Margaret Wasserman <margaretw42@gmail.com>
In-Reply-To: <E2495458-DA1F-4BF3-9ACE-0AAEB3836907@yegin.org>
Date: Thu, 20 Sep 2012 07:09:16 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <96744887-68C7-4F9A-813E-A5563E4356E2@gmail.com>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu> <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org> <36E9DFAC-47D5-4942-937F-A88CD2AD75D0@lilacglade.org> <E2495458-DA1F-4BF3-9ACE-0AAEB3836907@yegin.org>
To: Alper Yegin <alper.yegin@yegin.org>
X-Mailer: Apple Mail (2.1084)
Cc: "'pcp@ietf.org'" <pcp@ietf.org>
Subject: Re: [pcp] EAP-over-PCP
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 11:09:22 -0000

Hi Alper,

On Sep 20, 2012, at 5:01 AM, Alper Yegin wrote:
>> Why do you think that we need to support EAP re-authentication? 
>> 
> 
> EAP re-authentication is one of the EAP events, and any EAP lower-layer has to support that.
> Otherwise, what? Your sessions have infinite lifetime? Authorization never changes? Never need to re-key? Never need to challenge the end-point again?
> These are the things that call for "re-authenticaiton", and why EAP has that, and why EAP lower-layers need to support that.

Sorry, I didn't see this response before I asked the question again...

EAP re-authentication is an optional extension to EAP -- it isn't part of the base EAP spec.  I understand why it is useful, in general, but it is not inherently part of EAP.  It has always been possible to start EAP over again from the beginning to do a new round of authentication, and that can be done periodically, as desired.  In other words, support for EAP re-authentication is not required to support re-keying or non-infinite lifetimes.

_Because_ PCP is a request/response protocol, it would be possible for either end to periodically throw away the existing authentication information for a peer, and perform/request a new round of authentication for the next request.  EAP re-authentication is not necessary for that purpose and, in fact, wouldn't be all that useful for that purpose with PCP -- we wouldn't want "sessions" to attempt to re-key repeatedly if there were no requests being sent back and forth, would we?  Please remember that PCP is a UDP request/response protocol, and the server may keep mappings open long after the client computers have gone home...  So, there is no hard concept of a PCP "session" that has a specific session lifetime.  Authentication may be required (in secure deployments) to create a mapping, but there is no notion that an authenticated session has to remain active for the mapping to remain in place for it's indicated lifetime.  In fact, it would be undesirable to create such a dependency, especially in the THIRD_PARTY/proxy case, because we would not want to create a situation where communication between two other nodes depends on the reliability/reachability of the PCP proxy.

You have asserted several times that EAP lower layers need to support retransmission and reauthentication, and Sam has asserted several times that they do not.  How do we resolve this disagreement?

Sam has pointed to an example of a recently approved EAP lower layer (more recent than PANA), gss-eap, that is simpler than PANA, supports a request/response model similar to PCP, and does not include those things.  So, it does not seem that the IETF (either the security area, or the IESG) currently enforces the rules that you are asserting.  Can you point to an RFC or some other reference that indicates that support for these things is required?  Or is it just your opinion that it is desirable to support these things for PCP?  If so, could you explain what benefits PCP would get from supporting them?

Could you perhaps look at gss-eap and consider whether a similar model could apply to PCP?  Would it be possible to achieve a similar model using PANA?  If so, what updates would be need to the PANA specification in order to do that?

Margaret

v2.23.0 | Report a Bug | By Email