Re: [pcp] draft-ietf-pcp-base: security impacts of section 6 design note
Reinaldo Penno <repenno@cisco.com> Tue, 27 March 2012 12:26 UTC
Return-Path: <repenno@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8419921F890E; Tue, 27 Mar 2012 05:26:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.308
X-Spam-Level:
X-Spam-Status: No, score=-10.308 tagged_above=-999 required=5 tests=[AWL=0.291, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZflKgUDOwYGC; Tue, 27 Mar 2012 05:26:20 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com [173.36.130.12]) by ietfa.amsl.com (Postfix) with ESMTP id 7730D21F8903; Tue, 27 Mar 2012 05:26:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=repenno@cisco.com; l=1682; q=dns/txt; s=iport; t=1332851180; x=1334060780; h=date:subject:from:to:cc:message-id:in-reply-to: mime-version:content-transfer-encoding; bh=ZqJLEkUdFL8NoL/38S1FFPqLfpMkQ1XFoN/y7JYZNWE=; b=HDvQ53o9YLT/EwFXCseWa30rljPayq/dMOGuzWUY7alqG+fNqVtVtY7f p1Z1UGxL47Lx8BV5n6wA66Iw3xbutaQgU+WUIr1Sdyp6xYYy7AQjyusnc /556FHA9h3TFpEAqgyyvnhYMgPIXFUUXE1MyM132pa9iMVWRIzCMW2GOj k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjIHAH2xcU+rRDoH/2dsb2JhbABEgw61M4EHghASAScCATwTCIEdBg4FIodnmmOfEpEPBIhYjQmFb4hWgWiDBw
X-IronPort-AV: E=Sophos;i="4.73,656,1325462400"; d="scan'208";a="34724956"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-1.cisco.com with ESMTP; 27 Mar 2012 12:26:19 +0000
Received: from [10.21.96.72] (sjc-vpn1-72.cisco.com [10.21.96.72]) by mtv-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id q2RCQGq2032580; Tue, 27 Mar 2012 12:26:19 GMT
User-Agent: Microsoft-MacOutlook/14.13.0.110805
Date: Tue, 27 Mar 2012 05:26:14 -0700
From: Reinaldo Penno <repenno@cisco.com>
To: Sam Hartman <hartmans@painless-security.com>
Message-ID: <CB96FC50.61A%repenno@cisco.com>
Thread-Topic: [pcp] draft-ietf-pcp-base: security impacts of section 6 design note
In-Reply-To: <tsl4nta9s4s.fsf@mit.edu>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: pcp@ietf.org, iesg@ietf.org
Subject: Re: [pcp] draft-ietf-pcp-base: security impacts of section 6 design note
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2012 12:26:21 -0000
On 3/27/12 4:53 AM, "Sam Hartman" <hartmans@painless-security.com> wrote: >>>>>> "Reinaldo" == Reinaldo Penno <repenno@cisco.com> writes: > > Reinaldo> I just noticed my sentenced could have two > Reinaldo> interpretations. What I meant was: > > Reinaldo> - Nonce should not required for those deployment where PCP > Reinaldo> Server and clients and under one administrative domain. In > Reinaldo> others words, the current spec is enough. > > >I'm concerned about attacks where one device in the administrative >domain attacks another. > >Section 17.1 talks about cases such as a guest network and a corporate >network both behind the same firewall but have different security >properties. [reinaldo] I skimmed that section (-24) but did not find this case. But in my experience although guest networks sit behind the same firewall as corporate users they are : - In a separate security 'zone' - Hosts in the guest 'zone' can not access hosts in the corporate 'zone' - Probably those two 'zones' would be server by different PCP Servers (or contexts). Therefore a guest could not inject a spoofed PCP response. If it could inject a spoofed packet (in general) then the enterprise has bigger problems to deal with. >So, I'm worried about attackers within the same domain. I think the >nonce is more important for the simple threat model than the advanced >threat model. Given there are deployments with differing trusts and security levels I would prefer nonce to be an extension. Also, I'm still trying to understand the impacts of nonce on stateless PCP clients and PCP Proxy. Thanks, Reinaldo
- [pcp] draft-ietf-pcp-base: security impacts of se… Sam Hartman
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Margaret Wasserman
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Reinaldo Penno
- Re: [pcp] draft-ietf-pcp-base: security impacts o… mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Sam Hartman
- Re: [pcp] draft-ietf-pcp-base: security impacts o… mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Reinaldo Penno
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Sam Hartman
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Reinaldo Penno
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Margaret Wasserman
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Margaret Wasserman
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Reinaldo Penno
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Sam Hartman
- Re: [pcp] draft-ietf-pcp-base: security impacts o… Reinaldo Penno