IETF Logo Mail Archive

Re: [pcp] EAP-over-PCP

Alper Yegin <alper.yegin@yegin.org> Wed, 19 September 2012 07:40 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1196D21F86AB for <pcp@ietfa.amsl.com>; Wed, 19 Sep 2012 00:40:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.445
X-Spam-Level:
X-Spam-Status: No, score=-102.445 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cXWZtXOy6U2P for <pcp@ietfa.amsl.com>; Wed, 19 Sep 2012 00:40:00 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id 75A8921F86AA for <pcp@ietf.org>; Wed, 19 Sep 2012 00:40:00 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis) id 0LoErp-1Tggx034NF-00gf0C; Wed, 19 Sep 2012 03:39:58 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <tslvcfbscqm.fsf_-_@mit.edu>
Date: Wed, 19 Sep 2012 10:39:40 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <20FE79EA-9E75-49E7-9854-4AA24314FC7B@yegin.org>
References: <14C7F4F06DB5814AB0DE29716C4F6D6702E12ABC28@FRMRSSXCHMBSB1.dc-m.alcatel-lucent.com> <CB96F2AF-7545-457D-96EB-F78B7666C00C@yegin.org> <tsl1ui0wvmo.fsf_-_@mit.edu> <E91C9554-FBCF-4324-A1BF-5C4D75F5264A@yegin.org> <9A2322BB-699A-4A71-89D5-9E3E48979272@yegin.org> <tslvcfbscqm.fsf_-_@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:P4tFH0J6OZ61dUd+lozqLnAgeyy4Uxt4k2yqihnOEF1 Ql4mTQWxxewlRHLnmbhi3gPbXQOjpxnejrr5ROYIeH9x+kdblC Y41Sgz+q/TC1UtLJlrD11JIPLcHMpluOahqY0EffOmZlpdR7vz vG/2MhLJo+4fJz5TCNFfPxDhzX/8VQ25PhUuVM9h7j1ePgjv9b 2/HsIR/Ukp8M84IP2k1lTBOFi3LMVONb4D5tZNFnoYrXUP6+b/ eEiDHe33+QicHFQXQ5Zo94oG9KjFof/uxkRN0atSatzcunKhWn wluUM9K9vACWb1jyOY6fwxYAvTRlie27/NxVgyFRynP+CX16LT EVlDiqXiDsk7/sZsyg2zEVU9zOElyMcwCuUc95JGz6UWeds1LH YybKhg7Sa+3MQ==
Cc: "'pcp@ietf.org'" <pcp@ietf.org>
Subject: Re: [pcp] EAP-over-PCP
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2012 07:40:01 -0000

Hi Sam,


> 
> 
> Hi, Alper.
> Thanks for your review.
> We're glad that we were able in your eyes to successfully re-use a lot
> of the work that went into PANA design.
> We really appreciated being able to look at previous lower-layer work
> including PANA and draft-ietf-abfab-gss-eap to make our job easier.
> 
> 
> If the WG believes terminology realignment would be beneficial here,
> then we can work towards that goal.
> 
> I'd appreciate comments from PCP implementors on the state machine
> integration issue that Alper brings up.
> 
> Depending on what's easy for PCP implementations we have a number of
> options.
> 
> In RFC 3748  the conversation is conceptually server driven.
> However, there is typically a client (lower layer) indication to get
> things started.
> 
> However, the only reason that the conversation is server-driven iss
> retransmissions. If you take a look at section 2 of RFC 3748 you note
> that the protocol is lockstep. The server cannot send a new request
> until the client has responded to the previous one.  If you take a look
> at section 4.3, a lower layer may sent the retransmission timeout to
> infinite. In this mode, the server will never generate an unsolicited
> request.
> So, it's entirely possible to  view things as a client-server protocol
> with client-driven retransmissions if that makes things easier for PCP
> implementations.
> 

I don't understand how this works.
EAP authenticator performs rexmits. 
So, if it does not get a response, it'll keep rexmitting. So, how can you achieve "server will never generate an unsolicited request"?

And, furthermore, there'd be EAP re-authentication which can be initiated by the client or server. This is another reason for having to support server-side requests.

Alper








> That's the approach we took in draft-ietf-abfab-gss-eap. That spec is an
> approved EAP lower layer in the RFC editor queue. That spec treats EAP
> as a simple lock-step client-server protocol. We lose a half round trip
> because we ask the server to get started and it then asks us for our
> identity. We came up with mechanisms for including our identity in the
> first request, trimming a half round trip. The decision of that working
> group was that the complexity was not worth it, but that optimization is
> available if it helps with PCP.
> 
> so, feedback from people with PCP state machines would be really helpful
> about which of these issues matter to you.

v2.23.0 | Report a Bug | By Email