IETF Logo Mail Archive

Re: [pcp] Filter handling in PCP.

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 16 September 2013 07:23 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588A011E81CA for <pcp@ietfa.amsl.com>; Mon, 16 Sep 2013 00:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.199
X-Spam-Level:
X-Spam-Status: No, score=-8.199 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, J_CHICKENPOX_18=0.6, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fsTu6tdf3FV4 for <pcp@ietfa.amsl.com>; Mon, 16 Sep 2013 00:23:18 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 56AEF11E80E3 for <pcp@ietf.org>; Mon, 16 Sep 2013 00:23:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11545; q=dns/txt; s=iport; t=1379316198; x=1380525798; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=5b+DLY0ICB1+kSwhhpIDRr+uKUFxIyCvqwWe4SMvjUk=; b=DWfMLOckTDfGZOzxI+y3JAHeocsoZMmRyogRAata55mLdin0I9W2hYjt JpR1XtIHA42d9BysS3CWWKmDRNDYIQDcJyfVIW6nwwNsCTaXjq6qR/VLj cnd6ebmx8TU9YGo3wJFnZkQO3sqpRpNvqkfVn1M1LCfsQlDD6Utow0+Qy Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgQFADKxNlKtJV2a/2dsb2JhbABagwc4UsB1gRgWdIIlAQEBBAEBASRHFwQCAQgRBAEBAQoDGgcnCxQJCAIEARIIEYdqDLoWjimBGTgGgxiBAAOJAJAqkEWDJIIq
X-IronPort-AV: E=Sophos;i="4.90,913,1371081600"; d="scan'208";a="260174711"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-5.cisco.com with ESMTP; 16 Sep 2013 07:23:17 +0000
Received: from xhc-aln-x03.cisco.com (xhc-aln-x03.cisco.com [173.36.12.77]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r8G7NHeO004782 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 16 Sep 2013 07:23:17 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.33]) by xhc-aln-x03.cisco.com ([173.36.12.77]) with mapi id 14.02.0318.004; Mon, 16 Sep 2013 02:23:17 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Suresh Kumar Vinapamula Venkata <sureshk@juniper.net>, Simon Perreault <simon.perreault@viagenie.ca>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] Filter handling in PCP.
Thread-Index: AQHOqaD9RdvgW00QC0+tw6F4JikFQpm1CQaAgAG5HYCAAGhBgIAHPf8AgAE9LYCABxgdAIAA2nXWgAAAM3aAAGeg8A==
Date: Mon, 16 Sep 2013 07:23:16 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A190787CD@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A1905DD5A@xmb-rcd-x10.cisco.com> <CE5550F8.1FABC%sureshk@juniper.net>, <913383AAA69FF945B8F946018B75898A190782CA@xmb-rcd-x10.cisco.com>, <EE14751D-4109-4118-82C0-F2C0C7E36A10@juniper.net> <d977079adc214e7bb41b3e15039583a0@BL2PR05MB018.namprd05.prod.outlook.com>
In-Reply-To: <d977079adc214e7bb41b3e15039583a0@BL2PR05MB018.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.55.148]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pcp] Filter handling in PCP.
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2013 07:23:23 -0000

Hi Suresh,

Please see inline

> -----Original Message-----
> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net]
> Sent: Monday, September 16, 2013 11:22 AM
> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org
> Subject: RE: [pcp] Filter handling in PCP.
> 
> Hi Tiru,
> 
> Please see inline.
> 
> On Sep 15, 2013, at 4:37 AM, "Tirumaleswar Reddy (tireddy)"
> <tireddy@cisco.com> wrote:
> 
> > Hi Suresh,
> >
> > Please see inline.
> >
> >> -----Original Message-----
> >> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net]
> >> Sent: Wednesday, September 11, 2013 11:47 AM
> >> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org
> >> Subject: Re: [pcp] Filter handling in PCP.
> >>
> >> Hi Tiru,
> >>
> >> Please see inline.
> >>
> >> On 9/9/13 9:21 PM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
> >> wrote:
> >>
> >>> Hi Suresh,
> >>>
> >>> Please see inline
> >>>
> >>>> -----Original Message-----
> >>>> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net]
> >>>> Sent: Friday, September 06, 2013 2:16 AM
> >>>> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org
> >>>> Subject: Re: [pcp] Filter handling in PCP.
> >>>>
> >>>>
> >>>>
> >>>> On 9/5/13 12:32 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
> >>>> wrote:
> >>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Simon Perreault [mailto:simon.perreault@viagenie.ca]
> >>>>>> Sent: Wednesday, September 04, 2013 10:44 AM
> >>>>>> To: pcp@ietf.org
> >>>>>> Subject: Re: [pcp] Filter handling in PCP.
> >>>>>>
> >>>>>> Le 2013-09-04 01:51, Suresh Kumar Vinapamula Venkata a écrit :
> >>>>>>> a) An existing EIM mapping would be transformed to PCP mapping
> >>>>>> through a
> >>>>>>> MAP request.
> >>>>>>> If that MAP request has filters, and if there are already
> >>>> connections
> >>>>>>> associated with that mapping from hosts that are not matching
> >>>> filters,
> >>>>>>> what should be the fate of those connections? I feel those
> >>>> connections
> >>>>>>> are to be torn down.
> >>>>>>
> >>>>>> I'd say it's up to the implementation. I personally would prefer
> >>>>>> existing connections to stay up and new ones to be refused.
> >>>>>>
> >>>>>>> b) RFC recommends that if there has to be change in filters, there
> >>>> has
> >>>>>>> to be a delete followed by addition of new filters. What should be
> >>>> the
> >>>>>>> fate of the connections from IP addresses of old filters? If those
> >>>>>>> connections are deleted there would be disruption in traffic.
> >>>> Suppose
> >>>>>> I
> >>>>>>> am providing a streaming service, and a new user subscribed. I
> >>>> want to
> >>>>>>> add him to the list, but I would not expect that should not result
> >>>> in
> >>>>>>> disruption for others right? If those connections are not deleted,
> >>>> it
> >>>>>>> would continue to allow connections from addresses that are not
> >>>>>> present
> >>>>>>> in new filters but are present in old filters? Consider some one
> >>>>>> stopped
> >>>>>>> subscription.
> >>>>>>
> >>>>>> Again, up to the implementation.
> >>>>>>
> >>>>>>> Also, if we go with delete followed by add, there is a window where
> >>>>>> any
> >>>>>>> external IP address can connect to internal host during delete and
> >>>> add
> >>>>>>> operation. Why can't there be an explicit delete of individual
> >>>>>> filters?
> >>>>>>> This way client may append to the list of IP addresses in filter,
> >>>> and
> >>>>>>> delete IP addresses without disruption of traffic to others.
> >>>>>>
> >>>>>> That actually might be a shortcoming of the RFC. If you feel that use
> >>>>>> case is important to you, you could propose a way to selectively
> >>>> delete
> >>>>>> filters.
> >>>>>>
> >>>>>>> c) If an existing EIM mapping has EIF configured(admin configured),
> >>>>>> and
> >>>>>>> if there is a PCP mapping request for that mapping but with a
> >>>>>> different
> >>>>>>> set of filters disjoint with admin configured filters, what should
> >>>> be
> >>>>>>> the behavior? I feel PCP should override configured filters.
> >>>>>>
> >>>>>> Up to the implementation.
> >>>>>>
> >>>>>>> d) Filtering option gives option to program allowed list. There is
> >>>> no
> >>>>>>> way to configure inverse of it. Suppose I am providing a service to
> >>>>>>> external world, where anyone can access. My system detected
> >>>> someone is
> >>>>>>> attacking, and it should block only that user. It is not easy to
> >>>> block
> >>>>>>> with the existing constructs as defined in the RFC.
> >>>>>
> >>>>> Firewalls already use various techniques like reputation based
> >>>>> black-listing/white-listing (for example reputation based IP address).
> >>>>> Even if PCP client uses MAP without any FILTER option, it does not mean
> >>>>> it can over-ride the Firewall rules which will block traffic from those
> >>>>> black-listed IP addresses. If Firewall detects that some remote peers
> >>>> are
> >>>>> attacking (for example bots) then it will drop the traffic over-riding
> >>>>> the PCP client request to permit traffic.
> >>>>
> >>>> I agree, and I am not expecting firewall black listed addresses to
> >>>> access
> >>>> my service even if I don't have filters.
> >>>
> >>> Ok.
> >>>
> >>>> But, for some reason if I want to deny access to a specific IP address
> >>>> to
> >>>> reach my service, I don't see a way to do it currently.
> >>>> Wouldn't a new option as mentioned above helps here?
> >>>
> >>> It may help, I am trying to understand the use case. Any specific
> >>> applications that you are thinking of - which would be enhanced to use
> >>> PCP, detects attacks from remote peer and informs the PCP-
> >> First thing that comes to my mind here is bit torrent malware. Once
> >> antivirus detects some malware from some existing connection, I may issue
> >> delete PEER delete request to those connections, but if he is persistently
> >> trying, I think there is no way to block currently on CGN. I may block him
> >> at application level, but he would still consume my resources on CGNAT
> >> box.
> >
> > Ok. But what will be the incentive for anti-virus (AV) to apply this black-
> list filtering rule and reduce the resource utilization on CGNAT ?
> > May be the AV would be interested in this new PCP option because it could
> inform the network to block the incoming traffic and thus save some CPU cycles
> in the host itself.
> 
> My understanding of AV is to protect resources of its user, whether the
> resources are local or remote. Locally it can save CPU cycles, and remote
> resource saved is bandwidth.

Ok.

> >
> >>
> >>> controlled Firewall to block traffic from some specific IP addresses. If
> >>> the application determines that specific IP address is attacking, would
> >>> it apply the blocking rule with a global scope (i.e. block all incoming
> >>> traffic from this specific IP address to any device within the network) ?
> >> Application should block it at the IP level. At the connection level
> >> application may issue a delete PEER request right?
> >>
> >>>
> >>> I suspect some problems with this approach:
> >>>
> >>> a)Both legitimate users and attackers could share the same IPv4 address
> >>> because of NAT - How does this rule ensure that legitimate users are not
> >>> penalized ?
> >> Very valid, that is a generic problem with any IP filtering right?
> >
> > But those rules are typically applied based on IPv4 address reputation
> score. The reputation score has to be bad for the incoming traffic from this
> specific IP addresses to be black-listed. It still has the drawback of unable
> to distinguish legitimate users verses attackers. There are other mechanisms
> proposed like http://tools.ietf.org/html/draft-wing-nat-reveal-option-03 which
> uses USER_HINT TCP option for the TCP server to differentiate between the TCP
> clients sharing the same IP address.
> 
> I was not aware of this draft. Thanks for pointing to me. This works only for
> TCP connections only right ?

Yes, it's for TCP connections only.

> 
> >
> >> Shouldn't we have this issue, where a filter is added to grant access to a
> >> specific IP address and that IP address is shared between attacker and
> >> legitimate user.
> >
> > It's usually the application logic to differentiate b/w attacker and
> legitimate user.
> 
> Consider there are two users sharing same NAT IP address and both are
> legitimate users.
> one is infected with virus causing an attack and another is not. How can
> application prevent access to other user ?

In this attack scenario, Application cannot detect that it is downloading a infected file from a legitimate user. Either host AV or network-based Next Gen FW is needed to detect that the file is infected.

> >
> >>> b)Attacker using IPv6 (for example IPv6 privacy addresses) can easily
> >>> change the IP address and by-pass the black-list rule ?
> >> How is filtering done in case of IPv6? Can't we take same approach here ?
> >
> > I am not sure if reputation based IPv6 filtering is possible because large
> amount of available IPv6 address space.
> >
> >>> c)How will the application determine for how long to block the specific
> >>> black-listed IP addresses ?
> >> For the life time of the mapping or till the filter is deleted, which
> >> application may decide.
> >
> > From your example it's the AV which decides to block the IP addresses and
> not the application.
> My understanding is, a corresponding application would be notified when Anti
> spyware detect a spyware activity on a connection.
> > How will the AV know how long to black-list these IP addresses ?
> Can't exponential approach work here? Where a filter is applied for few
> minutes and withdrawn. If attack still observed, filter is reapplied for more
> minutes. The minutes for which filter is applied in each iteration increases
> exponentially.
> Note, I am not expecting a full fledged protection mechanism through filters.
> I understand filters are permeative. But, it does give some level of defense,
> though suboptimal.

Agreed.

-Tiru.

> 
> >
> > -Tiru.
> >
> >>>
> >>> -Tiru.
> >>>
> >>>>
> >>>>>
> >>>>> -Tiru.
> >>>>>
> >>>>>>> I feel we should
> >>>>>>> support inverse msg type(except the mentioned IP address allow any
> >>>>>> one)
> >>>>>>> for filter option. We can define new message constructs, how this
> >>>> can
> >>>>>> be
> >>>>>>> modified, like say another attacker identified. When this option is
> >>>>>>> communicated, all associated flows of that address are to be
> >>>> deleted.
> >>>>>>
> >>>>>> Makes sense. If you feel that this is important, feel free to
> >>>> propose an
> >>>>>> extension.
> >>>>>>
> >>>>>> Just my 2 cents...
> >>>>>>
> >>>>>> Simon
> >>>>>> --
> >>>>>> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> >>>>>> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
> >>>>>> STUN/TURN server               --> http://numb.viagenie.ca
> >>>>>
> >>>>> _______________________________________________
> >>>>> pcp mailing list
> >>>>> pcp@ietf.org
> >>>>> https://www.ietf.org/mailman/listinfo/pcp
> >
> >
> >

v2.23.0 | Report a Bug | By Email