IETF Logo Mail Archive

Re: [Spud] endpoint control

🔓Dan Wing <dwing@cisco.com> Tue, 28 June 2016 16:19 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4681912D0D3 for <spud@ietfa.amsl.com>; Tue, 28 Jun 2016 09:19:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.947
X-Spam-Level:
X-Spam-Status: No, score=-15.947 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rfshMdw2Mkn for <spud@ietfa.amsl.com>; Tue, 28 Jun 2016 09:19:17 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2137612B055 for <spud@ietf.org>; Tue, 28 Jun 2016 09:19:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4425; q=dns/txt; s=iport; t=1467130757; x=1468340357; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=sVsCjDo/hsRC9mpo3hpJVf4FPDwxs/mVH5VJh4toKLg=; b=L64Cn90iR6Tts7YADyF4UCleXjFQPe6EHRtPIFOYh1gsyxQGNbqRxTSk mQXhOI89HZCoau8KzIitynXQvQ1nHmZ+L5PE64MhElFf6T7ZKVVK8jvdQ zbiX+9/iAL5rG3Zp/R9BdEDHBXr6MLdL2HvE/iLXwiIHg/nHbfqos5T+x I=;
X-Files: signature.asc : 842
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AQAgAjonJX/4ENJK1bgz5Wfbo0gXsXDYV0AoEwOBQBAQEBAQEBZSeETAEBAQMBAQEBJEcEBwULCw4KLicwBhOIKAgOw2YBAQEBAQEBAQEBAQEBAQEBAQEBAQEOCQWGKIF3CIJOhBwOg0KCLwWIDoZhPolVgy6LDIlIhVyPfx42hBAcModsgUQBAQE
X-IronPort-AV: E=Sophos;i="5.26,541,1459814400"; d="asc'?scan'208";a="291124433"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 28 Jun 2016 16:19:16 +0000
Received: from [10.24.3.11] ([10.24.3.11]) (authenticated bits=0) by alln-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id u5SGJEMi016516 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 28 Jun 2016 16:19:15 GMT
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_20D5D384-BA3F-4ABC-9FB5-13A2895C30CC"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: 🔓Dan Wing <dwing@cisco.com>
In-Reply-To: <38EA0207-F18F-4AFC-B2CF-2FD7BA23281A@trammell.ch>
Date: Tue, 28 Jun 2016 09:19:10 -0700
Message-Id: <6B3B89C7-234E-4412-BD83-056A3C69483B@cisco.com>
References: <A4BAAB326B17CE40B45830B745F70F10EE37ACAE@VOEXM17W.internal.vodafone.com> <38EA0207-F18F-4AFC-B2CF-2FD7BA23281A@trammell.ch>
To: Brian Trammell <ietf@trammell.ch>
X-Mailer: Apple Mail (2.3124)
X-Authenticated-User: dwing
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/u1oBj-dW6H_FmggR6DNPYidefaY>
Cc: "Smith, Kevin, (R&D) Vodafone Group" <Kevin.Smith@vodafone.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] endpoint control
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2016 16:19:19 -0000

On 28-Jun-2016 05:20 am, Brian Trammell <ietf@trammell.ch> wrote:
> 
>> On 28 Jun 2016, at 12:41, Smith, Kevin, (R&D) Vodafone Group <Kevin.Smith@vodafone.com> wrote:
>> 
>> Hi Brian,
>> 
>> I think Mobile Throughput Guidance would be a good candidate for PLUS path-to-endpoint signalling. The latest (albeit expired) MTG draft [1] is bound to TCP Options, and was considering use of TCP-AO for authentication; PLUS could allow MTG for both TCP and UDP-based flows. However it seems that proposed PLUS mechanism:
>> 
>>> (1) For forward signaling, the sending endpoint must place "scratch space" in the packet with a label on it stating that it's okay to modify; this okay-to-modify state is enforced by a MAC which only verifies the length but not the content of the scratch space.
>> 
>> ...may not provide the guarantee that (1) the MTG information was indeed injected by the cellular network and (2) that it has not been modified by another node. Have I got that right?
> 
> Correct. It doesn't provide that guarantee at all, by design.
> 
>> Or would such an authentication/integrity check applicable to path data be in scope of PLUS?
> 
> As I see it now, not at first. The cases where the endpoint reliably has an way to authenticate a middlebox are limited (though mobile access networks are one such case),

How so?

-d


>  and IMO the mechanism should be as general as possible.
> 
> I will point out that integrity and authentication of information from a middlebox where the sending endpoint can authenticate the middlebox can trivially be implemented on top of this proposed mechanism: the definition of the exposed information could be "content plus MAC", where the MAC can be verified using the middlebox's certificate. But these can be implemented in information elements atop PLUS, without requiring additional support in the PLUS header.
> 
> In a mobile access network, on the upstream path this would look like:
> 
> user terminal --[ PLUS mobile-foo: 00000000 ]--> access network --[ PLUS mobile-foo CCCCCCMM ]--> server
> 
> (where mobile-foo is whatever you want the access network to be able to say, 00000000 is scratch space, C is content and M is MAC.)
> 
> The server can act on the throughput guidance (should it choose to, see spud-req 5.9), but since it's the user terminal that has a relationship with the access network, the server may need to feed the content and MAC back to the user terminal (see spud-req 5.5 and 6.4) for verification.
> 
> Cheers,
> 
> Brian
> 
>> Cheers,
>> Kevin
>> Vodafone R&D
>> 
>> [1] https://www.ietf.org/archive/id/draft-flinck-mobile-throughput-guidance-03.txt , expired
>> 
>> _______________________________________________
>> Spud mailing list
>> Spud@ietf.org
>> https://www.ietf.org/mailman/listinfo/spud
> 
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud

v2.23.0 | Report a Bug | By Email