Re: [pcp] Filter handling in PCP.
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 16 September 2013 07:23 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588A011E81CA for <pcp@ietfa.amsl.com>; Mon, 16 Sep 2013 00:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.199
X-Spam-Level:
X-Spam-Status: No, score=-8.199 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, J_CHICKENPOX_18=0.6, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fsTu6tdf3FV4 for <pcp@ietfa.amsl.com>; Mon, 16 Sep 2013 00:23:18 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 56AEF11E80E3 for <pcp@ietf.org>; Mon, 16 Sep 2013 00:23:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11545; q=dns/txt; s=iport; t=1379316198; x=1380525798; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=5b+DLY0ICB1+kSwhhpIDRr+uKUFxIyCvqwWe4SMvjUk=; b=DWfMLOckTDfGZOzxI+y3JAHeocsoZMmRyogRAata55mLdin0I9W2hYjt JpR1XtIHA42d9BysS3CWWKmDRNDYIQDcJyfVIW6nwwNsCTaXjq6qR/VLj cnd6ebmx8TU9YGo3wJFnZkQO3sqpRpNvqkfVn1M1LCfsQlDD6Utow0+Qy Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgQFADKxNlKtJV2a/2dsb2JhbABagwc4UsB1gRgWdIIlAQEBBAEBASRHFwQCAQgRBAEBAQoDGgcnCxQJCAIEARIIEYdqDLoWjimBGTgGgxiBAAOJAJAqkEWDJIIq
X-IronPort-AV: E=Sophos;i="4.90,913,1371081600"; d="scan'208";a="260174711"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-5.cisco.com with ESMTP; 16 Sep 2013 07:23:17 +0000
Received: from xhc-aln-x03.cisco.com (xhc-aln-x03.cisco.com [173.36.12.77]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r8G7NHeO004782 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 16 Sep 2013 07:23:17 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.33]) by xhc-aln-x03.cisco.com ([173.36.12.77]) with mapi id 14.02.0318.004; Mon, 16 Sep 2013 02:23:17 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Suresh Kumar Vinapamula Venkata <sureshk@juniper.net>, Simon Perreault <simon.perreault@viagenie.ca>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] Filter handling in PCP.
Thread-Index: AQHOqaD9RdvgW00QC0+tw6F4JikFQpm1CQaAgAG5HYCAAGhBgIAHPf8AgAE9LYCABxgdAIAA2nXWgAAAM3aAAGeg8A==
Date: Mon, 16 Sep 2013 07:23:16 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A190787CD@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A1905DD5A@xmb-rcd-x10.cisco.com> <CE5550F8.1FABC%sureshk@juniper.net>, <913383AAA69FF945B8F946018B75898A190782CA@xmb-rcd-x10.cisco.com>, <EE14751D-4109-4118-82C0-F2C0C7E36A10@juniper.net> <d977079adc214e7bb41b3e15039583a0@BL2PR05MB018.namprd05.prod.outlook.com>
In-Reply-To: <d977079adc214e7bb41b3e15039583a0@BL2PR05MB018.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.55.148]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pcp] Filter handling in PCP.
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2013 07:23:23 -0000
Hi Suresh, Please see inline > -----Original Message----- > From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net] > Sent: Monday, September 16, 2013 11:22 AM > To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org > Subject: RE: [pcp] Filter handling in PCP. > > Hi Tiru, > > Please see inline. > > On Sep 15, 2013, at 4:37 AM, "Tirumaleswar Reddy (tireddy)" > <tireddy@cisco.com> wrote: > > > Hi Suresh, > > > > Please see inline. > > > >> -----Original Message----- > >> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net] > >> Sent: Wednesday, September 11, 2013 11:47 AM > >> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org > >> Subject: Re: [pcp] Filter handling in PCP. > >> > >> Hi Tiru, > >> > >> Please see inline. > >> > >> On 9/9/13 9:21 PM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> > >> wrote: > >> > >>> Hi Suresh, > >>> > >>> Please see inline > >>> > >>>> -----Original Message----- > >>>> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net] > >>>> Sent: Friday, September 06, 2013 2:16 AM > >>>> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org > >>>> Subject: Re: [pcp] Filter handling in PCP. > >>>> > >>>> > >>>> > >>>> On 9/5/13 12:32 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> > >>>> wrote: > >>>> > >>>>>> -----Original Message----- > >>>>>> From: Simon Perreault [mailto:simon.perreault@viagenie.ca] > >>>>>> Sent: Wednesday, September 04, 2013 10:44 AM > >>>>>> To: pcp@ietf.org > >>>>>> Subject: Re: [pcp] Filter handling in PCP. > >>>>>> > >>>>>> Le 2013-09-04 01:51, Suresh Kumar Vinapamula Venkata a écrit : > >>>>>>> a) An existing EIM mapping would be transformed to PCP mapping > >>>>>> through a > >>>>>>> MAP request. > >>>>>>> If that MAP request has filters, and if there are already > >>>> connections > >>>>>>> associated with that mapping from hosts that are not matching > >>>> filters, > >>>>>>> what should be the fate of those connections? I feel those > >>>> connections > >>>>>>> are to be torn down. > >>>>>> > >>>>>> I'd say it's up to the implementation. I personally would prefer > >>>>>> existing connections to stay up and new ones to be refused. > >>>>>> > >>>>>>> b) RFC recommends that if there has to be change in filters, there > >>>> has > >>>>>>> to be a delete followed by addition of new filters. What should be > >>>> the > >>>>>>> fate of the connections from IP addresses of old filters? If those > >>>>>>> connections are deleted there would be disruption in traffic. > >>>> Suppose > >>>>>> I > >>>>>>> am providing a streaming service, and a new user subscribed. I > >>>> want to > >>>>>>> add him to the list, but I would not expect that should not result > >>>> in > >>>>>>> disruption for others right? If those connections are not deleted, > >>>> it > >>>>>>> would continue to allow connections from addresses that are not > >>>>>> present > >>>>>>> in new filters but are present in old filters? Consider some one > >>>>>> stopped > >>>>>>> subscription. > >>>>>> > >>>>>> Again, up to the implementation. > >>>>>> > >>>>>>> Also, if we go with delete followed by add, there is a window where > >>>>>> any > >>>>>>> external IP address can connect to internal host during delete and > >>>> add > >>>>>>> operation. Why can't there be an explicit delete of individual > >>>>>> filters? > >>>>>>> This way client may append to the list of IP addresses in filter, > >>>> and > >>>>>>> delete IP addresses without disruption of traffic to others. > >>>>>> > >>>>>> That actually might be a shortcoming of the RFC. If you feel that use > >>>>>> case is important to you, you could propose a way to selectively > >>>> delete > >>>>>> filters. > >>>>>> > >>>>>>> c) If an existing EIM mapping has EIF configured(admin configured), > >>>>>> and > >>>>>>> if there is a PCP mapping request for that mapping but with a > >>>>>> different > >>>>>>> set of filters disjoint with admin configured filters, what should > >>>> be > >>>>>>> the behavior? I feel PCP should override configured filters. > >>>>>> > >>>>>> Up to the implementation. > >>>>>> > >>>>>>> d) Filtering option gives option to program allowed list. There is > >>>> no > >>>>>>> way to configure inverse of it. Suppose I am providing a service to > >>>>>>> external world, where anyone can access. My system detected > >>>> someone is > >>>>>>> attacking, and it should block only that user. It is not easy to > >>>> block > >>>>>>> with the existing constructs as defined in the RFC. > >>>>> > >>>>> Firewalls already use various techniques like reputation based > >>>>> black-listing/white-listing (for example reputation based IP address). > >>>>> Even if PCP client uses MAP without any FILTER option, it does not mean > >>>>> it can over-ride the Firewall rules which will block traffic from those > >>>>> black-listed IP addresses. If Firewall detects that some remote peers > >>>> are > >>>>> attacking (for example bots) then it will drop the traffic over-riding > >>>>> the PCP client request to permit traffic. > >>>> > >>>> I agree, and I am not expecting firewall black listed addresses to > >>>> access > >>>> my service even if I don't have filters. > >>> > >>> Ok. > >>> > >>>> But, for some reason if I want to deny access to a specific IP address > >>>> to > >>>> reach my service, I don't see a way to do it currently. > >>>> Wouldn't a new option as mentioned above helps here? > >>> > >>> It may help, I am trying to understand the use case. Any specific > >>> applications that you are thinking of - which would be enhanced to use > >>> PCP, detects attacks from remote peer and informs the PCP- > >> First thing that comes to my mind here is bit torrent malware. Once > >> antivirus detects some malware from some existing connection, I may issue > >> delete PEER delete request to those connections, but if he is persistently > >> trying, I think there is no way to block currently on CGN. I may block him > >> at application level, but he would still consume my resources on CGNAT > >> box. > > > > Ok. But what will be the incentive for anti-virus (AV) to apply this black- > list filtering rule and reduce the resource utilization on CGNAT ? > > May be the AV would be interested in this new PCP option because it could > inform the network to block the incoming traffic and thus save some CPU cycles > in the host itself. > > My understanding of AV is to protect resources of its user, whether the > resources are local or remote. Locally it can save CPU cycles, and remote > resource saved is bandwidth. Ok. > > > >> > >>> controlled Firewall to block traffic from some specific IP addresses. If > >>> the application determines that specific IP address is attacking, would > >>> it apply the blocking rule with a global scope (i.e. block all incoming > >>> traffic from this specific IP address to any device within the network) ? > >> Application should block it at the IP level. At the connection level > >> application may issue a delete PEER request right? > >> > >>> > >>> I suspect some problems with this approach: > >>> > >>> a)Both legitimate users and attackers could share the same IPv4 address > >>> because of NAT - How does this rule ensure that legitimate users are not > >>> penalized ? > >> Very valid, that is a generic problem with any IP filtering right? > > > > But those rules are typically applied based on IPv4 address reputation > score. The reputation score has to be bad for the incoming traffic from this > specific IP addresses to be black-listed. It still has the drawback of unable > to distinguish legitimate users verses attackers. There are other mechanisms > proposed like http://tools.ietf.org/html/draft-wing-nat-reveal-option-03 which > uses USER_HINT TCP option for the TCP server to differentiate between the TCP > clients sharing the same IP address. > > I was not aware of this draft. Thanks for pointing to me. This works only for > TCP connections only right ? Yes, it's for TCP connections only. > > > > >> Shouldn't we have this issue, where a filter is added to grant access to a > >> specific IP address and that IP address is shared between attacker and > >> legitimate user. > > > > It's usually the application logic to differentiate b/w attacker and > legitimate user. > > Consider there are two users sharing same NAT IP address and both are > legitimate users. > one is infected with virus causing an attack and another is not. How can > application prevent access to other user ? In this attack scenario, Application cannot detect that it is downloading a infected file from a legitimate user. Either host AV or network-based Next Gen FW is needed to detect that the file is infected. > > > >>> b)Attacker using IPv6 (for example IPv6 privacy addresses) can easily > >>> change the IP address and by-pass the black-list rule ? > >> How is filtering done in case of IPv6? Can't we take same approach here ? > > > > I am not sure if reputation based IPv6 filtering is possible because large > amount of available IPv6 address space. > > > >>> c)How will the application determine for how long to block the specific > >>> black-listed IP addresses ? > >> For the life time of the mapping or till the filter is deleted, which > >> application may decide. > > > > From your example it's the AV which decides to block the IP addresses and > not the application. > My understanding is, a corresponding application would be notified when Anti > spyware detect a spyware activity on a connection. > > How will the AV know how long to black-list these IP addresses ? > Can't exponential approach work here? Where a filter is applied for few > minutes and withdrawn. If attack still observed, filter is reapplied for more > minutes. The minutes for which filter is applied in each iteration increases > exponentially. > Note, I am not expecting a full fledged protection mechanism through filters. > I understand filters are permeative. But, it does give some level of defense, > though suboptimal. Agreed. -Tiru. > > > > > -Tiru. > > > >>> > >>> -Tiru. > >>> > >>>> > >>>>> > >>>>> -Tiru. > >>>>> > >>>>>>> I feel we should > >>>>>>> support inverse msg type(except the mentioned IP address allow any > >>>>>> one) > >>>>>>> for filter option. We can define new message constructs, how this > >>>> can > >>>>>> be > >>>>>>> modified, like say another attacker identified. When this option is > >>>>>>> communicated, all associated flows of that address are to be > >>>> deleted. > >>>>>> > >>>>>> Makes sense. If you feel that this is important, feel free to > >>>> propose an > >>>>>> extension. > >>>>>> > >>>>>> Just my 2 cents... > >>>>>> > >>>>>> Simon > >>>>>> -- > >>>>>> DTN made easy, lean, and smart --> http://postellation.viagenie.ca > >>>>>> NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca > >>>>>> STUN/TURN server --> http://numb.viagenie.ca > >>>>> > >>>>> _______________________________________________ > >>>>> pcp mailing list > >>>>> pcp@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/pcp > > > > > >
- [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Simon Perreault
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- [pcp] Comments on draft-ietf-pcp-optimize-keepali… Reinaldo Penno (repenno)
- Re: [pcp] Comments on draft-ietf-pcp-optimize-kee… Prashanth Patil (praspati)
- Re: [pcp] Comments on draft-ietf-pcp-optimize-kee… Tirumaleswar Reddy (tireddy)
- Re: [pcp] Comments on draft-ietf-pcp-optimize-kee… Reinaldo Penno (repenno)