IETF Logo Mail Archive

Re: [AVT] Token draft rev'ed (other than security)

"Ali C. Begen (abegen)" <abegen@cisco.com> Tue, 09 November 2010 03:06 UTC

Return-Path: <abegen@cisco.com>
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5077E3A69FF for <avt@core3.amsl.com>; Mon, 8 Nov 2010 19:06:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aDASLocgL1RR for <avt@core3.amsl.com>; Mon, 8 Nov 2010 19:06:35 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 39B6F3A6A2E for <avt@ietf.org>; Mon, 8 Nov 2010 19:06:35 -0800 (PST)
Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAN9J2EyrR7H+/2dsb2JhbACiHHGgept8hUgEhFiJDQ
X-IronPort-AV: E=Sophos;i="4.59,172,1288569600"; d="scan'208";a="378915243"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-1.cisco.com with ESMTP; 09 Nov 2010 03:06:58 +0000
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id oA936wbR019088; Tue, 9 Nov 2010 03:06:58 GMT
Received: from xmb-sjc-215.amer.cisco.com ([171.70.151.169]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 8 Nov 2010 19:06:58 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 08 Nov 2010 19:06:49 -0800
Message-ID: <04CAD96D4C5A3D48B1919248A8FE0D540D9B46A1@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <03350E41-ADE3-4FB8-AC73-6BDF387531BF@vidyo.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [AVT] Token draft rev'ed (other than security)
Thread-Index: Act/qEYLa6qtFipGQw6/wYXVF75ANAAEh0ng
References: <04CAD96D4C5A3D48B1919248A8FE0D540D9B42E4@xmb-sjc-215.amer.cisco.com> <03350E41-ADE3-4FB8-AC73-6BDF387531BF@vidyo.com>
From: "Ali C. Begen (abegen)" <abegen@cisco.com>
To: Jonathan Lennox <jonathan@vidyo.com>
X-OriginalArrivalTime: 09 Nov 2010 03:06:58.0170 (UTC) FILETIME=[2BDCE5A0:01CB7FBB]
Cc: avt@ietf.org
Subject: Re: [AVT] Token draft rev'ed (other than security)
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2010 03:06:37 -0000

> -----Original Message-----
> From: Jonathan Lennox [mailto:jonathan@vidyo.com]
> Sent: Tuesday, November 09, 2010 8:54 AM
> To: Ali C. Begen (abegen)
> Cc: avt@ietf.org
> Subject: Re: [AVT] Token draft rev'ed (other than security)
> 
> I had a few other points on the draft, unrelated to security, that I noticed on my latest re-read.  If people agree with my
> conclusions about the behavior, I don't think any of them should block adoption of Tokens by the WG to replace cookies.
> 
> 
> First of all, for the Address Pooling NATs section, you assert that “As long as an internal host maintains an active mapping in
> the NAT, the same [external] IPv4 address is assigned to new connections.”  This is certainly a nice property — RFC 4787 calls
> it an IP address pooling policy of "Paired".  However, it's only RECOMMENDED by RFC 4787, not required.  Additionally,
> there's no keepalive on the *cT - PT connection, since as you mention the client can acquire a Token during initialization,
> which may be well before it joins any multicast groups.

That's why we encourage to use ct=c0=c1.
 
> Thus, if an Address Pooling NAT has an "Arbitrary" policy in RFC 4787's terminology, or if the binding expired, it's possible
> that the external mapping of *cT and the external mapping of *c1 will get assigned to different external IP addresses.  In this
> case, the Token acquired with *cT will be considered invalid by the server for requests from *c1, and Token Verification will
> fail.

Yes, it will fail. And the client will realize it needs to get a new one.
 
> This is a failure case that clients may need to be prepared to deal with.  If this happens, the client needs to send a new port
> mapping request.  It might be a good idea to say that in this case the client SHOULD send the new port mapping request from
> *c1, and use it before *c1's NAT bindings expire.  (Essentially, behind an Arbitrary Address Pooling NAT, the client will end up
> behaving as though Tokens were really Cookies, as a fallback mechanism following failures.)

Rather than saying like this, we encouraged to have ct=c0=c1. Is not this a better approach? It deals with this problem in the first place.
 
> If your NAT has both Arbitrary Address Pooling and Address and Port-Dependent Mapping, though, this still may not work if
> PT != P3.  (Such a NAT is not BEHAVE-compliant, since Endpoint-Independent Mapping is a MUST in RFC 4787.)  Does PT = P3
> therefore need to be SHOULD strength, rather than MAY?  At any rate, this should probably be pointed out.

I am fine with making it SHOULD, but if the NAT is not compliant, who knows what other stupid things it will do. One thing we need to note is that P3 is (often) different for different unicast sessions (the feedback target on the server), so in this case, the port in the "a=portmapping-req" line will be equal to the port in the "a=rtcp:" line for the SSM session (which is fine of course).

-acbegen

> 
> 
> Other minor points:
> 
> For the token, should there be a magic expiry time value, or other indication in the Port Mapping Response, that indicates
> that the Token is intended as for one use only?  Or do you just want to have a very short timeout for it, e.g. on the order of
> seconds?
> 
> 
> I need to think about this some more to be sure, but it may be necessary to say that servers SHOULD NOT set Token expiry
> times to be less than the Regular RTCP Interval for their associated sessions.
> 
> 
> Would there be any benefit to having separate RAMS error codes for the various reasons why a Token might be invalid
> (expired/wrong source IP/unrecognized)?  I guess the question is whether either a client might want to take different action
> in the different cases, or if it would significantly help to diagnose problems.
> 
> 
> On Nov 8, 2010, at 5:23 PM, Ali C. Begen (abegen) wrote:
> 
> > After the session, we got together to agree on the text for the attacks Magnus described in the session. I rev'ed the draft:
> > http://www.ietf.org/id/draft-begen-avt-token-for-portmapping-03.txt
> >
> > if you have remaining concerns, please speak up.
> >
> > Chairs,
> >
> > Please confirm the next step to make this draft move as fast as possible.
> >
> > Thanks,
> > -acbegen
> > _______________________________________________
> > Audio/Video Transport Working Group
> > avt@ietf.org
> > https://www.ietf.org/mailman/listinfo/avt
> >
> 
> --
> Jonathan Lennox
> jonathan@vidyo.com
>

v2.23.0 | Report a Bug | By Email