Re: [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22
"Dan Wing" <dwing@cisco.com> Tue, 14 February 2012 01:07 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9725321E8023 for <apps-discuss@ietfa.amsl.com>; Mon, 13 Feb 2012 17:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -108.59
X-Spam-Level:
X-Spam-Status: No, score=-108.59 tagged_above=-999 required=5 tests=[AWL=2.009, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oikq7VLLNM5l for <apps-discuss@ietfa.amsl.com>; Mon, 13 Feb 2012 17:07:04 -0800 (PST)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id 75CC221E8010 for <apps-discuss@ietf.org>; Mon, 13 Feb 2012 17:07:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=9036; q=dns/txt; s=iport; t=1329181624; x=1330391224; h=from:to:references:in-reply-to:subject:date:message-id: mime-version:content-transfer-encoding; bh=O1glOEpODVicmDM8mywpScQRm2eLC5qDvBkBRyFY3og=; b=g0yg1KjyfmbzaOXbELyxDFQBKSgfTCjp6sernvTRiFWNQ5ONzwIPCllq fz4isgsDzuRRfVV5dhDS7FeGOnNA3jq+kUePXmTB9SeIF1kY8vWofpCs5 ATDpEJsgN78fF4rdjFH1TLbHfMnnNgI1i+e77FKEjV48Rrev9mGG6I+ps c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag8FAGGzOU+rRDoI/2dsb2JhbABDoQaPIIEHgXIBAQEDAQEBAQUKARcQNBAHAQMCCQ8CAwEBASgHGQ4VCgkIAQEEARILF4daCZpjAZ8Diz0CBAEKCAcEEAMCAgECAQIFAwQBNQkEBQQbAYNXXRODMASISoUGmmc
X-IronPort-AV: E=Sophos;i="4.73,414,1325462400"; d="scan'208";a="30043902"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-4.cisco.com with ESMTP; 14 Feb 2012 01:07:04 +0000
Received: from dwingWS ([10.32.240.195]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id q1E173DL022597; Tue, 14 Feb 2012 01:07:03 GMT
From: Dan Wing <dwing@cisco.com>
To: "'Vijay K. Gurbani'" <vkg@bell-labs.com>, apps-discuss@ietf.org, draft-ietf-pcp-base@tools.ietf.org
References: <4F3592E5.3080707@bell-labs.com>
In-Reply-To: <4F3592E5.3080707@bell-labs.com>
Date: Mon, 13 Feb 2012 17:07:04 -0800
Message-ID: <0a5701cceab4$f723c070$e56b4150$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AczoPnenEPU4FAVGS+2awcHKeBOU6gCbIqSw
Content-Language: en-us
Subject: Re: [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2012 01:07:05 -0000
> -----Original Message----- > From: apps-discuss-bounces@ietf.org [mailto:apps-discuss- > bounces@ietf.org] On Behalf Of Vijay K. Gurbani > Sent: Friday, February 10, 2012 1:58 PM > To: apps-discuss@ietf.org; draft-ietf-pcp-base@tools.ietf.org > Subject: [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22 > > Document: draft-ietf-pcp-base-22 > Title: Port Control Protocol (PCP) > Reviewer: Vijay K. Gurbani > Review Date: Feb-10-2012 > IETF Last Call Date: Not known > IESG Telechat Date: Not known > > Summary: This draft is almost ready for publication as a Proposed > Standard but has a few issues that should be fixed before publication. > > Major issues: 0 > Minor issues: 11 > Major issues: 0 > > Issues listed below are in document order. > > - S5, the all zeroes IPv4 address as defined by the draft is a > contribution of the draft itself, right? That is, at least I am not > aware whether ::ffff:0:0 is generally used as the all-zero IPv4- > mapped > IPv6 address. It may well be, in which case this comment can be > ignored. I attempted to search for the phrase, and for ::ffff:0:0 and :ffff:0.0.0.0, and found no existing RFC using either notation to indicate "all-zeros address". So, this is the first. > But if it is not a general use address and is intended to > be > defined by this draft, I wonder if rfc2119 MUST is appropriate here > (as > in "The all-zeroes IPv4 address MUST be expressed as: 80 bits of > zeros, 16 bits of ones, and 32 bits of zeros (::ffff:0:0)."). Done. Will appear in -24. > - S6.1, the "Opcode-specific information" block of Figure 2 is not > discussed at all in the text following Figure 2. > > - S6.1, the "PCP Options" block of Figure 2 is not discussed at all in > the text following Figure 2. You do provide a Section 6.3 that > discusses options; perhaps it is sufficient to say the following at > the end of the text following Figure 2: "PCP Options: Please see > Section 6.3". > > - Ditto for S6.2 and Figure 3's use of "Opcode-specific response data" > and "Options" block. Added all of three points those described above. Will appear in -24. > - S7.1, second-to-last paragraph: I suspect that if more than one > server > was specified in the server list, the client will cycle through and > try the next server. I also note that this document only considers > one server, so exact guidance is not provided on what to do when a > PCP > client has more than one server. We are purposefully silent on multiple servers, because we expect that to be described in a later document. There are a lot of nuances and details related to multiple servers, including a multi-homed network (where you purposefully want to talk to one server, or both servers, for different reasons). Such a network is purposefully out of scope. However, we wanted the text to allow a list of servers to be returned, so that we could do something with that list in the future. > But I think it possible that the default router list (mentioned > earlier > in the section) creates a list of two servers: an IPv4- and > IPv6-server. Would it be prudent to try the IPv6 server if the IPv4 > server --- and vice-versa --- did not result in any response within > the maximum retransmission interval of 15m? The IPv6 server might do different things than the IPv4 server. For example, the IPv6 server might solely provide IPv6 firewall functionality while the IPv4 server provides IPv4-only NAT functionality. So, the IPv6 server can only deal with IPv6 addresses, and the IPv4 server can only deal with IPv4 addresses. Also, the PCP server's security model expects the requests for a mapping to an address to come from that same address. (There is an exception for THIRD_PARTY, but that is unnecessary in normal PCP deployments and not expected to be implemented.) The reason for that security model is that there is no easy way to know that a certain IPv4 address and a certain IPv6 address are really the same host -- and because of that, the PCP server can't decide to allow a PCP request sent over IPv6 transport to open a mapping to an internal IPv4 address. > - S7.3, the third paragraph from the end of the section ("For both ... > is RECOMMENDED."): Here you say that "A limit of 24 hours for success > responses and 30 minutes for error responses is RECOMMENDED." > > However, in S6.4 you said that, "It is RECOMMENDED that short > lifetime errors use a 30 second lifetime and long lifetime errors > use a 30 minute lifetime." So --- is S7.3 treating *all* error > responses as long lifetime errors? No, it's trying to set an upper limit, so if the server returns a lifetime of 5 years for an error, the client treats it as if it was a 30 minute error. I adjusted the sentence so it now reads: The PCP client SHOULD impose an upper limit on this returned value (to protect against absurdly large values, e.g., 5 years), and the suggested values are 24 hours for success responses and 30 minutes for error responses. which should be clearer? > - S9.1: The algorithm provided is excellent, but can only be used > when writing new servers (since it requires sending and receiving > PCP messages). This should be made clear before the algorithm. (I > believe that this stands to reason, but being explicit does not > hurt.) Existing servers that need to be reachable from the outside, > but > ones whose source code cannot be modified, will need to arrange for > an explicit static mapping to happen before they are started. There was an idea to have a host's IP stack automatically notify firewalls (when authorized by the user) of an application listening on a port. This idea was originally brought up in http://tools.ietf.org/html/draft-woodyatt-ald for the ALD protocol, and could also be done using PCP. I don't see a need to prevent / discourage it in the document. > - I believe that the above issue is true for S9.{2,3} as well. Yes, to get the features of the new protocol, client applications will have to change. I don't think that is unique to PCP, though. > - S16.1.1: I am not sure how to interpret the listed attacks > in this section. Is it the case that these attacks can happen > even if PCP servers comply with the Simple Threat Model? Or is > it the case that the Simple Threat Model mitigates these attacks? Section 16.1.1 enumerates the threats that are considered in the rest of 16.1. > - S16.2: To protect against Advanced Threat Model attacks, the > draft assumes a PCP security mechanism that provides channel > authentication and encryption. However, no further information > is provided for such a mechanism. Will it help to provide > any candidates for such a mechanism (TLS? S/MIME?) or is there > something entirely different in mind? The candidate at this time is draft-wasserman-pcp-authentication, which uses EAP. However, it is not yet a working group document and it seemed premature to cite it. > - S16.3.1: As far as I can see, there is no mitigation for Denial > of Service attack mounted by an attacker on the path between the > PCP client and PCP server, yes? If so, it will be nice to > explicitly state this. Done, will appear in -24. > Nit: > > - S3, while discussing Internal Host: The term "PCP MAP" request is > used > here without further context, like a short definition. Clearly, the > PCP MAP request arranges for a mapping to occur in the NAT ... the > reader can tell that much. But all the same, for the sake of > completeness, it will be good to provide a quick definition when the > term is first used. Good catch; both PEER and MAP can create a new mapping, so I changed it from ... incoming traffic resulting from a PCP MAP request ... to ... incoming traffic resulting from a PCP mapping request ... > - S3, while discussing Explicit static mappings: any reason why a GUI > (distinct from a web-based UI) is omitted? I suspect the answer is > just plain oversight, but just the same, I think it will not hurt to > include it in, or simply take out the text in the brackets. Dropped "web-based", so it now reads (e.g., via command-line interface or other user interface) > - S16.2: s/mechanism which provides/mechanism that provides Thanks for your review! -d > That's it. Thanks! > > - vijay > -- > Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent > 1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60563 (USA) > Email: vkg@{bell-labs.com,acm.org} / vijay.gurbani@alcatel-lucent.com > Web: http://ect.bell-labs.com/who/vkg/ > _______________________________________________ > apps-discuss mailing list > apps-discuss@ietf.org > https://www.ietf.org/mailman/listinfo/apps-discuss
- [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22 Vijay K. Gurbani
- Re: [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22 Dan Wing
- Re: [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22 S Moonesamy
- Re: [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22 Vijay K. Gurbani
- Re: [apps-discuss] APPSDIR rdraft-ietf-pcp-base-22 Dan Wing