[BEHAVE] FW: pcp-base-27: Mapping Nonce change
"Dan Wing" <dwing@cisco.com> Thu, 20 September 2012 18:36 UTC
From: Dan Wing <dwing@cisco.com>
To: behave@ietf.org
Date: Thu, 20 Sep 2012 11:36:47 -0700
FYI. This has some impact on draft-ietf-behave-lsn-requirements.

-d

-----Original Message-----
From: Dan Wing [mailto:dwing@cisco.com]
Sent: Thursday, September 20, 2012 11:36 AM
To: 'pcp@ietf.org'
Cc: 'pcp-chairs@tools.ietf.org'
Subject: pcp-base-27: Mapping Nonce change

Based on IESG feedback and coordinating these changes with draft-ietf-behave-lsn-requirements, an updated version of pcp-base has been posted. The proposed change to Mapping Nonce was announced on August 17, "strengthening PCP with Mapping Nonce", http://www.ietf.org/mail-archive/web/pcp/current/msg02229.html.

The significant changes are:

1. Once a MAP or PEER opcode is processed by the PCP server, subsequent changes to that mapping have to use the same Mapping Nonce. This closes the attack that led to REQ-9-A in draft-ietf-behave-lsn-requirements-09. However, this change has a side-effect of disabling two previous MAP features: (a) the ability of a PCP client to delete (clear) PCP mappings created by a previous PCP client using the same IP address, and (b) the ability for a PCP client to delete all of the mappings it created by sending one MAP message.

   To accommodate the loss of (a), pcp-base-27 recommends that when a host joins a network, the network device that allowed the device to join the network should flush PCP-created mappings and non-PCP-created mappings (e.g., DHCP, 802.1x, PPPoE). Towards that end, Stuart has written draft-cheshire-pcp-expire, and there are many other ways to clear PCP and implicit mapping state in NATs and firewalls when a device joins a network.

   (b) was just an optimization; the PCP client can delete MAP-created mappings by issuing separate requests, similar to how it issued separate MAP requests to create the mappings.

2. Clarified that PEER can reduce a mapping lifetime to the same lifetime as active, bi-directional traffic. This allows PEER to extend the lifetime of a mapping, then later, using the same Mapping Nonce, PEER can rescind (revert) that lifetime extension so the mapping is treated as if PEER was never used.

Another significant change, unrelated to Mapping Nonce, is that Mapping Update is now required. This means the PCP server now MUST inform the PCP client of any changes to a mapping; earlier versions of the specification said this was merely a SHOULD. This change makes PCP a more reliable protocol.

There are a lot of other minor changes from IESG feedback and from other reviewers. See the changelog in Section B.1, or the side-by-side diffs.

URL: http://www.ietf.org/internet-drafts/draft-ietf-pcp-base-27.txt
Status: http://datatracker.ietf.org/doc/draft-ietf-pcp-base
Htmlized: http://tools.ietf.org/html/draft-ietf-pcp-base-27
Diff: http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-base-27

-d
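The following is an added toy model of the server-side rule from point 1 (a mapping is changed only by requests carrying the Mapping Nonce it was created with, which is what stops a second client on the same IP address from clearing it) and the PEER lifetime revert from point 2. It is not code from the draft or from the author; the result-code strings, the IMPLICIT_LIFETIME value and the sample endpoint are constructed labels for the example.

```python
import secrets

# Constructed value: seconds a NAT keeps an implicit, traffic-driven mapping alive.
IMPLICIT_LIFETIME = 120


def new_nonce() -> bytes:
    """A fresh 96-bit Mapping Nonce, as a PCP client would generate per mapping."""
    return secrets.token_bytes(12)


class PcpServer:
    """One mapping per (internal IP, protocol, internal port); changes require the creating nonce."""

    def __init__(self):
        self.mappings = {}  # key -> {"nonce": bytes, "lifetime": int}

    def map_request(self, key, nonce, lifetime):
        m = self.mappings.get(key)
        if m is None:
            if lifetime > 0:                 # lifetime 0 on a missing mapping is a no-op
                self.mappings[key] = {"nonce": nonce, "lifetime": lifetime}
            return "SUCCESS"
        if m["nonce"] != nonce:              # a different nonce may not touch this mapping
            return "NOT_AUTHORIZED"
        if lifetime == 0:                    # same nonce: the owner may delete it
            del self.mappings[key]
        else:
            m["lifetime"] = lifetime         # ...or refresh / shorten it
        return "SUCCESS"

    def peer_request(self, key, nonce, lifetime):
        m = self.mappings.get(key)
        if m is None:
            m = self.mappings[key] = {"nonce": nonce, "lifetime": IMPLICIT_LIFETIME}
        elif m["nonce"] != nonce:
            return "NOT_AUTHORIZED"
        # PEER never drops below the traffic-driven lifetime, so lifetime 0 reverts
        # an earlier extension instead of deleting the mapping (point 2).
        m["lifetime"] = max(lifetime, IMPLICIT_LIFETIME)
        return "SUCCESS"


def demo():
    srv = PcpServer()
    key = ("192.0.2.10", "tcp", 8080)        # constructed internal endpoint
    a, b = new_nonce(), new_nonce()          # client A, and a second client on the same IP
    r1 = srv.map_request(key, a, 3600)       # A creates the mapping
    r2 = srv.map_request(key, b, 0)          # B tries to clear it: refused
    r3 = srv.peer_request(key, a, 7200)      # A extends via PEER
    r4 = srv.peer_request(key, a, 0)         # A rescinds the extension
    life = srv.mappings[key]["lifetime"]     # back to the traffic-driven lifetime
    r5 = srv.map_request(key, a, 0)          # A deletes its own mapping
    return r1, r2, r3, r4, life, r5, key in srv.mappings
```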