I agree with the discussion and propose the following text to address the comments.
NEW: If a PCP server resets or loses the PCP SA due to reboot, power failure, or any reason then it sends unsolicited ANNOUNCE response as explained in section 14.1.3 of [RFC6887] to the PCP client. Upon receiving the ANNOUNCE response with an anomalous Epoch time, PCP client deduces that the server may have lost state. PCP client sends re-authentication request to the PCP server to check if the PCP server has indeed lost the state or an attacker has sent the ANNOUNCE response. If the response from the PCP server is integrity-protected then PCP client discards the re-authentication process and the PCP server MUST NOT delete the PCP SA. If the PCP server responds to the re-authentication request with UNKNOWN_SESSION_ID error code then the PCP client MUST discard the re-authentication process and initiate full EAP authentication with the PCP server as explained in Section 3.1.1. After EAP authentication is successful PCP client updates the PCP SA and issues new common PCP requests to recreate any lost mapping state. In a scenario where the PCP server has lost the PCP SA but did not inform the PCP client, if the PCP client sends PCP request integrity-protected then the PCP server rejects the request with UNKNOWN_SESSION_ID error code. The PCP client then initiates full EAP authentication with the PCP server as explained in Section 3.1.1 and updates the PCP SA after successful authentication. If the PCP client resets or loses the PCP SA due to reboot, power failure, or any reason and sends common PCP request then the PCP server rejects the request with AUTHENTICATION_REQUIRED error code. The PCP client MUST authenticate with the PCP server and after EAP authentication is successful retry the common PCP request with AUTHENTICATION_TAG option. The PCP server MUST update the PCP SA after successful EAP authentication. -Tiru > -----Original Message----- > From: Sam Hartman [mailto:hartm...@painless-security.com] > Sent: Wednesday, July 08, 2015 6:35 AM > To: Paul Kyzivat > Cc: Tirumaleswar Reddy (tireddy); draft-ietf-pcp- > authentication....@tools.ietf.org; General Area Review Team > Subject: Re: Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt > > Yes. > At this point I think you and I understand what we're talking about. > > I haven't been involved in this doc in a while. > I think we need to let Tirumaleswar comment as well as get feedback from the > rest of the group. > Some of this may have been discussed in the WG while I was not watching, and > you and I have been intentionally abstract. > > Unless you and I have both missed something obvious it seems unlikely we'll be > done with this issue by the telechat. > > I am attending the Prague IETF and would be happy to spend significant cycles > that week wordsmithing/discussing this issue with PCP folks if we don't clear > before then. _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www.ietf.org/mailman/listinfo/gen-art
