Re: [Gen-art] Gen-ART review of draft-ietf-pcp-base-23

"Dan Wing" <dwing@cisco.com> Tue, 13 March 2012 23:58 UTC

From: Dan Wing <dwing@cisco.com>
To: 'Richard Barnes' <rbarnes@bbn.com>, gen-art@ietf.org, draft-ietf-pcp-base@tools.ietf.org
References: <199ACCDB-1B9A-4C44-BEB6-BCE9253513CB@bbn.com>
In-Reply-To: <199ACCDB-1B9A-4C44-BEB6-BCE9253513CB@bbn.com>
Date: Tue, 13 Mar 2012 16:58:00 -0700
Message-ID: <0a3401cd0175$1f6a8b50$5e3fa1f0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: Acz1UUekV3r1tZkTTsSiwOrKRcVY7QMIS1Tg
Content-Language: en-us
Subject: Re: [Gen-art] Gen-ART review of draft-ietf-pcp-base-23
Precedence: list

> -----Original Message-----
> From: Richard Barnes [mailto:rbarnes@bbn.com]
> Sent: Monday, February 27, 2012 5:11 AM
> To: gen-art@ietf.org; draft-ietf-pcp-base@tools.ietf.org
> Subject: Gen-ART review of draft-ietf-pcp-base-23
> 
> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Document: draft-ietf-pcp-base-23.txt
> Reviewer:  Richard Barnes
> Review Date:  27 Feb 2012
> IETF LC End Date: 27 Feb 2012
> IESG Telechat Date: 01 March 2012
> 
> Summary: Almost ready

Thanks for your review.  Comments below.

> Major issues:
> 
> -- As I think others have noted during LC, it seems like it would
> simplify several aspects of the protocol if requests and responses
> could be correlated by means of a transaction identifier, instead of
> just by matching fields. 

We added a section that explains this design decision, which
is at http://tools.ietf.org/html/draft-ietf-pcp-base-24#section-6

> In addition to simplifying response
> processing and clarifying the meaning of lifetime parameters, this
> would also provide a measure of protection against address spoofing.
> 
> -- It would be helpful for the document to say a little more about
> risks posed from spoofed packets.  It seems like there are some cases
> where an off-path attacker could break synchronization in state between
> clients and servers, e.g., by sending gratuitous responses. 

To accomplish that attack the off-path attacker would need to spoof the 
PCP server's IP address, which means spoofing the default router's IP 
address and causing that packet to be routed to the victim.  For IPv6,
Simple CPE Security [RFC6092] says filtering has to be employed (which 
prevents this attack).  For IPv4, existing practice of NAT devices and 
ISP filtering prevents attackers from using source address of internal 
nodes.

Are you looking for guidance that PCP deployments follow Simple CPE
Security, and that we write similar guidance for IPv4 -- or perhaps
there something to cite for IPv4 that says filters should drop packets
from the Internet that spoof infrastructure IP addresses.

> This is a
> rather serious attack, as it could be used by an off-path attacker to
> steal traffic:
> 1. Attacker obtains mapping from address:port=A:P on PCP controlled
> device to one of its ports B:Q
> 2. Attacker convinces client that it has a mapping from A:P to its port
> C:R
> 3. Attacker acts as a man in the middle: remote -> A:P -> B:Q -> C:R
> Also, it seems the ANNOUNCE method provides an opportunity for an
> attacker capable of spoofing to cause an arbitrary number clients to
> flood the server with requests.

Yes, such an attacker would need to be able to spoof the PCP server's
IP address, as above.


> Minor issues:
> 
> -- The document says that v4-mapped addresses are not used as source or
> destination addresses for real IPv6 packets.  This is empirically not
> the case; in some work we have done on IPv6 traceroute scanning, we
> have encountered numerous routers that will respond from v4-mapped
> addresses.  It probably would be accurate to say that these addresses
> would never appear in a mapping.

Adjusted in -24, thanks.

> -- In Section 6.4, the first paragraph says that each error is "long"
> or "short", but they're not all marked.  Is there a default?  It also
> seems like some of these errors are effectively permanent, e.g.,
> UNSUPP_VERSION; the PCP NAT isn't going to support a new version of the
> protocol half an hour from now.

Adjusted in -24, thanks.

> -- In Section 7.1, you first say that "only a single PCP server address
> is supported", but then in a couple of other places mention a "list of
> PCP servers".  Which is it?

During IESG review, there were two Comments of a similar nature.  It seemed
the "list" is what triggered the confusion, so I added the sentence starting
with "Thus," which tries to explain what we meant by the "default router 
list".  -24 now reads:

  2. the default router list (for IPv4 and IPv6) is used as the list	
  of PCP Server(s). Thus, if a PCP client has both an IPv4 and	
  IPv6 address, it will have an IPv4 PCP server (its IPv4 default	
  router) for its IPv4 mappings, and an IPv6 PCP server (its IPv6	
  default router) for its IPv6 mappings.

> -- In Section 7.1, it seems like it would be pretty unusual for the PCP
> server to be the first-hop router, at least outside of the CPE case.
> Would it be better to use an anycast address to find the server?

We seriously considered using an IANA-assigned address to go 'up'
towards the Internet.  It has some useful advantages.  However,
a disadvantage is we could not identify non-PCP-speaking firewalls
on the path, so it would be difficult to establish state in those
firewalls without knowing they are on path.  As PCP is intended
to work with IPv6 firewalls as well as NAT64 (and a NAT64 might 
have embedded IPv4 firewall or NAPT44-like function), we needed
a mechanism that touched all the stateful packet filtering devices
on the path towards the Internet.

> -- I did not find that the code samples in Section 9 added any
> information.  The one case where one would have been helpful (9.4),
> there was none.

-d

[Gen-art] Gen-ART review of draft-ietf-pcp-base-23 Richard Barnes
Re: [Gen-art] Gen-ART review of draft-ietf-pcp-ba… Dan Wing