Re: [pcp] GET and GETNEXT OpCodes
Francis Dupont <Francis.Dupont@fdupont.fr> Fri, 11 March 2011 00:55 UTC
Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: pcp@core3.amsl.com
Delivered-To: pcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 535373A6A9B for <pcp@core3.amsl.com>; Thu, 10 Mar 2011 16:55:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.249
X-Spam-Level:
X-Spam-Status: No, score=-3.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7LvjQjJZmMX3 for <pcp@core3.amsl.com>; Thu, 10 Mar 2011 16:55:31 -0800 (PST)
Received: from givry.fdupont.fr (givry.fdupont.fr [91.121.26.85]) by core3.amsl.com (Postfix) with ESMTP id CBEDA3A6A03 for <pcp@ietf.org>; Thu, 10 Mar 2011 16:55:30 -0800 (PST)
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id p2B0umNS085286; Fri, 11 Mar 2011 01:56:48 +0100 (CET) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201103110056.p2B0umNS085286@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Dan Wing <dwing@cisco.com>
In-reply-to: Your message of Thu, 10 Mar 2011 10:06:06 PST. <256d01cbdf4d$d4103960$7c30ac20$@com>
Date: Fri, 11 Mar 2011 01:56:48 +0100
Sender: Francis.Dupont@fdupont.fr
Cc: xiaohong.deng@orange-ftgroup.com, pcp@ietf.org
Subject: Re: [pcp] GET and GETNEXT OpCodes
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2011 00:55:32 -0000
In your previous mail you wrote: Oh! That must be the security problem you refer us back to, but have not re-explained to us. => yes, I am tired to explain it again and again. So, the scenario is: 1. PCP client does a MAP 2. PCP server (or the CGN) crashes and loses state 3. PCP client is, of course, unaware of that state loss until much later (whatever its refresh interval is) 4. In that interval, another PCP client (or implicit dynamic mapping) could grab that port. The same problem exists without PCP, of course, with an implicit mapping (e.g., created with a TCP SYN). => yes, it exists for implicit dynamic mappings, explicit dynamic mappings and static mappings, and its severity increases for each kind of mappings. IMHO it is unbearable for static mappings (i.e., if one of my ISPs fails to protect a static mapping of mine I'll sue it), critical for explicit dynamic mappings and perhaps to expensive to solve for implicit dynamic mappings (i.e., if one of my ISPs fails to protect an implicit dynamic mapping I'll just say it is the way of life, @#$* NATs!). Of course this is based on relative lifetimes and what is expected from each kind. And the resolution is described in Section 6, "Cold Standby Mode" of draft-xu-behave-stateful-nat-standby-06: that the CGN needs to use a different public IPv4 address pool when it crashes and loses state. => yes, it is a way a solve the problem but it is in fact the sacrifice of the operation in order to save the security, i.e., IMHO not the best solution. BTW its scalability is questionable too. I put a (*) to this solution as I'll refer to it below. IMO, that advice belongs in BEHAVE's CGN Requirements document, as it does not solely affect PCP. Simon Perreault, CC'd, is the editor of the CGN Requirements document. => I'd *really* like to get something in the security considerations. In the PCP document, adding something along the lines of seems a reasonable addition for the Epoch section: In the time between a PCP server loses state and the PCP client notices the lower-than-expected Epoch value, it is possible that the PCP client's mapping will be acquired by another host (via an explicit dynamic mapping or implicit dynamic mapping). This means incoming traffic will be sent to a different host. A mechanism to immediately inform the PCP client of state loss would reduce this interval, but would not eliminate this threat. The PCP client can reduce this interval by using a relatively short lifetime; however, increases the amount of PCP chatter. => two remarks: what subscribers want is to eliminate the threat and at the exception of the cited solution (*) and similar ones the way to do that is to REQUIRE that PCP Servers controlling NATs which serve multiple subscribers and can reassign mappings to save the explicit dynamic mapping state in stable/persistent storage. (BTW it is well known such NATs have to use stable/persistent storage for many other reasons so it is not a problem). And this belongs to security so should be in the security considerations (at least the security requirements must be). Connection authentication (e.g., TLS) does eliminate this threat. => unfortunately it is not the case: a perfectly authenticated subscriber can acquire an explicit dynamic mapping of another subscriber if the PCP Server lost the fact it was the explicit dynamic mapping of another subscriber. Thanks Francis.Dupont@fdupont.fr PS: BTW to explain to subscribers (victims?) of ISP CGNs they should use IPsec (network layer), TLS (transport layer) and/or application security for all communications is not very kind as they are likely in countries where these security solutions are very far to be allowed.
- [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont