IETF Logo Mail Archive

Re: [pcp] Filter handling in PCP.

Suresh Kumar Vinapamula Venkata <sureshk@juniper.net> Mon, 16 September 2013 05:52 UTC

Return-Path: <sureshk@juniper.net>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 416A311E8200 for <pcp@ietfa.amsl.com>; Sun, 15 Sep 2013 22:52:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.599
X-Spam-Level:
X-Spam-Status: No, score=-1.599 tagged_above=-999 required=5 tests=[AWL=-1.400, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, J_CHICKENPOX_18=0.6, J_CHICKENPOX_46=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x-iskF-IsLAJ for <pcp@ietfa.amsl.com>; Sun, 15 Sep 2013 22:52:06 -0700 (PDT)
Received: from db8outboundpool.messaging.microsoft.com (mail-db8lp0188.outbound.messaging.microsoft.com [213.199.154.188]) by ietfa.amsl.com (Postfix) with ESMTP id D0AD311E81F9 for <pcp@ietf.org>; Sun, 15 Sep 2013 22:52:05 -0700 (PDT)
Received: from mail53-db8-R.bigfish.com (10.174.8.226) by DB8EHSOBE013.bigfish.com (10.174.4.76) with Microsoft SMTP Server id 14.1.225.22; Mon, 16 Sep 2013 05:52:05 +0000
Received: from mail53-db8 (localhost [127.0.0.1]) by mail53-db8-R.bigfish.com (Postfix) with ESMTP id F31402C01C7; Mon, 16 Sep 2013 05:52:04 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT005.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -26
X-BigFish: VPS-26(zzbb2dI98dI9371Ic89bh936eI1454I148cI542I1432Izz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1de098h1033IL17326ah1de097h186068h1954cbh8275bh8275dhz2fh2a8h839h947hd24hf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh1fe8h1ff5h9a9j1155h)
Received-SPF: pass (mail53-db8: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=sureshk@juniper.net; helo=BL2PRD0510HT005.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(377454003)(479174003)(377424004)(51704005)(13464003)(52604005)(189002)(199002)(24454002)(52044002)(47976001)(69226001)(19580395003)(47736001)(65816001)(49866001)(50986001)(19580405001)(80976001)(83322001)(81542001)(46102001)(33646001)(4396001)(66066001)(56816003)(74366001)(16601075003)(63696002)(47446002)(74876001)(31966008)(74502001)(74706001)(74662001)(81816001)(76786001)(83072001)(81686001)(51856001)(76482001)(76796001)(53806001)(15202345003)(76576001)(56776001)(81342001)(54356001)(77096001)(15975445006)(59766001)(80022001)(54316002)(79102001)(74316001)(77982001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR05MB018; H:BL2PR05MB018.namprd05.prod.outlook.com; CLIP:66.129.224.36; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail53-db8 (localhost.localdomain [127.0.0.1]) by mail53-db8 (MessageSwitch) id 1379310722913788_5476; Mon, 16 Sep 2013 05:52:02 +0000 (UTC)
Received: from DB8EHSMHS005.bigfish.com (unknown [10.174.8.231]) by mail53-db8.bigfish.com (Postfix) with ESMTP id DA4BE6A0048; Mon, 16 Sep 2013 05:52:02 +0000 (UTC)
Received: from BL2PRD0510HT005.namprd05.prod.outlook.com (157.56.240.101) by DB8EHSMHS005.bigfish.com (10.174.4.15) with Microsoft SMTP Server (TLS) id 14.16.227.3; Mon, 16 Sep 2013 05:52:02 +0000
Received: from BL2PR05MB018.namprd05.prod.outlook.com (10.255.228.145) by BL2PRD0510HT005.namprd05.prod.outlook.com (10.255.100.40) with Microsoft SMTP Server (TLS) id 14.16.353.4; Mon, 16 Sep 2013 05:51:59 +0000
Received: from BL2PR05MB018.namprd05.prod.outlook.com (10.255.228.145) by BL2PR05MB018.namprd05.prod.outlook.com (10.255.228.145) with Microsoft SMTP Server (TLS) id 15.0.775.9; Mon, 16 Sep 2013 05:51:58 +0000
Received: from BL2PR05MB018.namprd05.prod.outlook.com ([169.254.5.185]) by BL2PR05MB018.namprd05.prod.outlook.com ([169.254.5.185]) with mapi id 15.00.0775.005; Mon, 16 Sep 2013 05:51:58 +0000
From: Suresh Kumar Vinapamula Venkata <sureshk@juniper.net>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, Simon Perreault <simon.perreault@viagenie.ca>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] Filter handling in PCP.
Thread-Index: AQHOqP8l/gDjL94R6E6EsUhoQvHVo5m1CQaAgAG5HYCAAGhBgIAHPf8AgAE9LYCABxgdAIAA2nXWgAAAM3Y=
Date: Mon, 16 Sep 2013 05:51:57 +0000
Message-ID: <d977079adc214e7bb41b3e15039583a0@BL2PR05MB018.namprd05.prod.outlook.com>
References: <913383AAA69FF945B8F946018B75898A1905DD5A@xmb-rcd-x10.cisco.com> <CE5550F8.1FABC%sureshk@juniper.net>, <913383AAA69FF945B8F946018B75898A190782CA@xmb-rcd-x10.cisco.com>, <EE14751D-4109-4118-82C0-F2C0C7E36A10@juniper.net>
In-Reply-To: <EE14751D-4109-4118-82C0-F2C0C7E36A10@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [66.129.224.36]
x-forefront-prvs: 0971922F40
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Subject: Re: [pcp] Filter handling in PCP.
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2013 05:52:11 -0000

Hi Tiru, 

Please see inline.

On Sep 15, 2013, at 4:37 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> wrote:

> Hi Suresh,
>
> Please see inline.
>
>> -----Original Message-----
>> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net]
>> Sent: Wednesday, September 11, 2013 11:47 AM
>> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org
>> Subject: Re: [pcp] Filter handling in PCP.
>>
>> Hi Tiru,
>>
>> Please see inline.
>>
>> On 9/9/13 9:21 PM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
>> wrote:
>>
>>> Hi Suresh,
>>>
>>> Please see inline
>>>
>>>> -----Original Message-----
>>>> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net]
>>>> Sent: Friday, September 06, 2013 2:16 AM
>>>> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org
>>>> Subject: Re: [pcp] Filter handling in PCP.
>>>>
>>>>
>>>>
>>>> On 9/5/13 12:32 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
>>>> wrote:
>>>>
>>>>>> -----Original Message-----
>>>>>> From: Simon Perreault [mailto:simon.perreault@viagenie.ca]
>>>>>> Sent: Wednesday, September 04, 2013 10:44 AM
>>>>>> To: pcp@ietf.org
>>>>>> Subject: Re: [pcp] Filter handling in PCP.
>>>>>>
>>>>>> Le 2013-09-04 01:51, Suresh Kumar Vinapamula Venkata a écrit :
>>>>>>> a) An existing EIM mapping would be transformed to PCP mapping
>>>>>> through a
>>>>>>> MAP request.
>>>>>>> If that MAP request has filters, and if there are already
>>>> connections
>>>>>>> associated with that mapping from hosts that are not matching
>>>> filters,
>>>>>>> what should be the fate of those connections? I feel those
>>>> connections
>>>>>>> are to be torn down.
>>>>>>
>>>>>> I'd say it's up to the implementation. I personally would prefer
>>>>>> existing connections to stay up and new ones to be refused.
>>>>>>
>>>>>>> b) RFC recommends that if there has to be change in filters, there
>>>> has
>>>>>>> to be a delete followed by addition of new filters. What should be
>>>> the
>>>>>>> fate of the connections from IP addresses of old filters? If those
>>>>>>> connections are deleted there would be disruption in traffic.
>>>> Suppose
>>>>>> I
>>>>>>> am providing a streaming service, and a new user subscribed. I
>>>> want to
>>>>>>> add him to the list, but I would not expect that should not result
>>>> in
>>>>>>> disruption for others right? If those connections are not deleted,
>>>> it
>>>>>>> would continue to allow connections from addresses that are not
>>>>>> present
>>>>>>> in new filters but are present in old filters? Consider some one
>>>>>> stopped
>>>>>>> subscription.
>>>>>>
>>>>>> Again, up to the implementation.
>>>>>>
>>>>>>> Also, if we go with delete followed by add, there is a window where
>>>>>> any
>>>>>>> external IP address can connect to internal host during delete and
>>>> add
>>>>>>> operation. Why can't there be an explicit delete of individual
>>>>>> filters?
>>>>>>> This way client may append to the list of IP addresses in filter,
>>>> and
>>>>>>> delete IP addresses without disruption of traffic to others.
>>>>>>
>>>>>> That actually might be a shortcoming of the RFC. If you feel that use
>>>>>> case is important to you, you could propose a way to selectively
>>>> delete
>>>>>> filters.
>>>>>>
>>>>>>> c) If an existing EIM mapping has EIF configured(admin configured),
>>>>>> and
>>>>>>> if there is a PCP mapping request for that mapping but with a
>>>>>> different
>>>>>>> set of filters disjoint with admin configured filters, what should
>>>> be
>>>>>>> the behavior? I feel PCP should override configured filters.
>>>>>>
>>>>>> Up to the implementation.
>>>>>>
>>>>>>> d) Filtering option gives option to program allowed list. There is
>>>> no
>>>>>>> way to configure inverse of it. Suppose I am providing a service to
>>>>>>> external world, where anyone can access. My system detected
>>>> someone is
>>>>>>> attacking, and it should block only that user. It is not easy to
>>>> block
>>>>>>> with the existing constructs as defined in the RFC.
>>>>>
>>>>> Firewalls already use various techniques like reputation based
>>>>> black-listing/white-listing (for example reputation based IP address).
>>>>> Even if PCP client uses MAP without any FILTER option, it does not mean
>>>>> it can over-ride the Firewall rules which will block traffic from those
>>>>> black-listed IP addresses. If Firewall detects that some remote peers
>>>> are
>>>>> attacking (for example bots) then it will drop the traffic over-riding
>>>>> the PCP client request to permit traffic.
>>>>
>>>> I agree, and I am not expecting firewall black listed addresses to
>>>> access
>>>> my service even if I don't have filters.
>>>
>>> Ok.
>>>
>>>> But, for some reason if I want to deny access to a specific IP address
>>>> to
>>>> reach my service, I don't see a way to do it currently.
>>>> Wouldn't a new option as mentioned above helps here?
>>>
>>> It may help, I am trying to understand the use case. Any specific
>>> applications that you are thinking of - which would be enhanced to use
>>> PCP, detects attacks from remote peer and informs the PCP-
>> First thing that comes to my mind here is bit torrent malware. Once
>> antivirus detects some malware from some existing connection, I may issue
>> delete PEER delete request to those connections, but if he is persistently
>> trying, I think there is no way to block currently on CGN. I may block him
>> at application level, but he would still consume my resources on CGNAT
>> box.
>
> Ok. But what will be the incentive for anti-virus (AV) to apply this black-list filtering rule and reduce the resource utilization on CGNAT ?
> May be the AV would be interested in this new PCP option because it could inform the network to block the incoming traffic and thus save some CPU cycles in the host itself.

My understanding of AV is to protect resources of its user, whether the resources are local or remote. Locally it can save CPU cycles, and remote resource saved is bandwidth.
>
>>
>>> controlled Firewall to block traffic from some specific IP addresses. If
>>> the application determines that specific IP address is attacking, would
>>> it apply the blocking rule with a global scope (i.e. block all incoming
>>> traffic from this specific IP address to any device within the network) ?
>> Application should block it at the IP level. At the connection level
>> application may issue a delete PEER request right?
>>
>>>
>>> I suspect some problems with this approach:
>>>
>>> a)Both legitimate users and attackers could share the same IPv4 address
>>> because of NAT - How does this rule ensure that legitimate users are not
>>> penalized ?
>> Very valid, that is a generic problem with any IP filtering right?
>
> But those rules are typically applied based on IPv4 address reputation score. The reputation score has to be bad for the incoming traffic from this specific IP addresses to be black-listed. It still has the drawback of unable to distinguish legitimate users verses attackers. There are other mechanisms proposed like http://tools.ietf.org/html/draft-wing-nat-reveal-option-03 which uses USER_HINT TCP option for the TCP server to differentiate between the TCP clients sharing the same IP address.

I was not aware of this draft. Thanks for pointing to me. This works only for TCP connections only right?

>
>> Shouldn't we have this issue, where a filter is added to grant access to a
>> specific IP address and that IP address is shared between attacker and
>> legitimate user.
>
> It's usually the application logic to differentiate b/w attacker and legitimate user.

Consider there are two users sharing same NAT IP address and both are legitimate users.
one is infected with virus causing an attack and another is not. How can application prevent access to other user? 
>
>>> b)Attacker using IPv6 (for example IPv6 privacy addresses) can easily
>>> change the IP address and by-pass the black-list rule ?
>> How is filtering done in case of IPv6? Can't we take same approach here ?
>
> I am not sure if reputation based IPv6 filtering is possible because large amount of available IPv6 address space.
>
>>> c)How will the application determine for how long to block the specific
>>> black-listed IP addresses ?
>> For the life time of the mapping or till the filter is deleted, which
>> application may decide.
>
> From your example it's the AV which decides to block the IP addresses and not the application.
My understanding is, a corresponding application would be notified when Anti spyware detect a spyware activity on a connection. 
> How will the AV know how long to black-list these IP addresses ?
Can't exponential approach work here? Where a filter is applied for few minutes and withdrawn. If attack still observed, filter is reapplied for more minutes. The minutes for which filter is applied in each iteration increases exponentially. 
Note, I am not expecting a full fledged protection mechanism through filters. I understand filters are permeative. But, it does give some level of defense, though suboptimal.  

>
> -Tiru.
>
>>>
>>> -Tiru.
>>>
>>>>
>>>>>
>>>>> -Tiru.
>>>>>
>>>>>>> I feel we should
>>>>>>> support inverse msg type(except the mentioned IP address allow any
>>>>>> one)
>>>>>>> for filter option. We can define new message constructs, how this
>>>> can
>>>>>> be
>>>>>>> modified, like say another attacker identified. When this option is
>>>>>>> communicated, all associated flows of that address are to be
>>>> deleted.
>>>>>>
>>>>>> Makes sense. If you feel that this is important, feel free to
>>>> propose an
>>>>>> extension.
>>>>>>
>>>>>> Just my 2 cents...
>>>>>>
>>>>>> Simon
>>>>>> --
>>>>>> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
>>>>>> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
>>>>>> STUN/TURN server               --> http://numb.viagenie.ca
>>>>>
>>>>> _______________________________________________
>>>>> pcp mailing list
>>>>> pcp@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/pcp
>
>
>

v2.23.0 | Report a Bug | By Email