IETF Logo Mail Archive

Re: [pcp] Server's auth policy discovery

Margaret Wasserman <margaretw42@gmail.com> Fri, 12 October 2012 12:57 UTC

Return-Path: <margaretw42@gmail.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5633C21F84EF for <pcp@ietfa.amsl.com>; Fri, 12 Oct 2012 05:57:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRMJZ0pr474l for <pcp@ietfa.amsl.com>; Fri, 12 Oct 2012 05:57:07 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 86BE421F84CE for <pcp@ietf.org>; Fri, 12 Oct 2012 05:57:07 -0700 (PDT)
Received: by mail-qc0-f172.google.com with SMTP id s14so2571256qcg.31 for <pcp@ietf.org>; Fri, 12 Oct 2012 05:57:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=YH0ZOyPgb/jHp7F1YfKDQT1H+xjQOZUsbA6zfEnmMWg=; b=dhsJnN/itps4iwDqTFwWVmWJHfd5zxJlNYzuhA/OrBPOe1BpzpMEeKsANFIw1wt/VZ 4egHEBxqQF/ZQhAoEQ41l6gtwv2lQrl8Hnl5dlKqMkM2BkGyfuXkFm2r2LrkaorKTIqT T2sIn4cpmznM1DNgU6l3wMW+9+pnAer71BCSbnSEK/zcUn3ChLo97GPGhi4ZqEpFgsKV cLCnTQzlKTpOnEzAs2DDMh0xQMXCa/EGGVxF3c0DRK+FEHZx+KxbLqcisO7w789j+u5w KeTHTjyA+v1oFdBq0PdAY5eelPOrnQ2kDZUESX1dqoa5bYLJwa7FOe4BAtUkw+3ri07u u5Iw==
Received: by 10.224.138.143 with SMTP id a15mr7151804qau.64.1350046627092; Fri, 12 Oct 2012 05:57:07 -0700 (PDT)
Received: from lilac-too.home (pool-71-184-79-25.bstnma.fios.verizon.net. [71.184.79.25]) by mx.google.com with ESMTPS id gd19sm6448410qeb.0.2012.10.12.05.56.54 (version=SSLv3 cipher=OTHER); Fri, 12 Oct 2012 05:57:01 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary="Apple-Mail-51-224742783"
From: Margaret Wasserman <margaretw42@gmail.com>
In-Reply-To: <F2C651B4-76AB-409E-8540-892E5793ACC0@yegin.org>
Date: Fri, 12 Oct 2012 08:56:53 -0400
Message-Id: <3463AFCA-54F0-4D22-A286-DAEC67C7C852@lilacglade.org>
References: <0BC19EAB-01F2-4AB9-B706-FD7C98FFAE86@yegin.org> <tsl4nm0j755.fsf@mit.edu> <5077FA0A.9030308@toshiba.co.jp> <tslzk3rj530.fsf@mit.edu> <22CCCEB5-FA7E-474A-B890-5A6EB16E44DB@yegin.org> <tslvcefj3i3.fsf@mit.edu> <F2C651B4-76AB-409E-8540-892E5793ACC0@yegin.org>
To: Alper Yegin <alper.yegin@yegin.org>
X-Mailer: Apple Mail (2.1084)
Cc: pcp@ietf.org
Subject: Re: [pcp] Server's auth policy discovery
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2012 12:57:08 -0000

On Oct 12, 2012, at 8:44 AM, Alper Yegin wrote:
> 
> As for dealing with discovery for PANA port-sharing, either:
> - We agree that it's OK for all clients to start with "no auth", or

What does this mean?  There are two cases I can think of where a client might "start with" an authenticated request:

1) Where a client is configured to do so.
or
2) Where a client is attempting to renew a mapping that was originally granted via an authenticated request.

How can we say, in either case, that the client should start with "no auth"?

> - We use a DHCP-based solution (I know you are not happy with this), or
> - We use an ANNOUNCE-based auth policy discovery solution
> 
> At least one of these would handle the issue.

I think I am confused about what problem you are trying to solve here...

If a client sends an authenticated request in either of the encapsulated cases (PANA or PCP-Specific), an error will be returned (by the PCP server) indicating (to the PCP client) that the opcode is not supported, and the client will know that authentication is not supported.  If the client is willing to try an unauthenticated request, it can do so at that time.

The only problem that I am aware of is for the demux case, because the error will not be returned to the process that is actually trying to do the authentication (the PANA client_ -- it will go back to the PCP client.  Therefore, the PANA client might keep retrying, even though the PCP server has returned an error.  Also, the PCP client needs to include special handling of the "unsupported version" error that occurs when authentication is being attempted, so that it knows to try an unauthenticated request.  

Margaret

v2.23.0 | Report a Bug | By Email