Re: [pcp] draft-ietf-pcp-base: security impacts of section 6 design note

Reinaldo Penno <repenno@cisco.com> Tue, 27 March 2012 12:26 UTC

Date: Tue, 27 Mar 2012 05:26:14 -0700
From: Reinaldo Penno <repenno@cisco.com>
To: Sam Hartman <hartmans@painless-security.com>
Message-ID: <CB96FC50.61A%repenno@cisco.com>
Cc: pcp@ietf.org, iesg@ietf.org
Subject: Re: [pcp] draft-ietf-pcp-base: security impacts of section 6 design note

On 3/27/12 4:53 AM, "Sam Hartman" <hartmans@painless-security.com> wrote:

>>>>>> "Reinaldo" == Reinaldo Penno <repenno@cisco.com> writes:
>
>    Reinaldo> I just noticed my sentence could have two
>    Reinaldo> interpretations. What I meant was:
>
>    Reinaldo> - Nonce should not be required for those deployments where PCP
>    Reinaldo> Server and clients are under one administrative domain. In
>    Reinaldo> other words, the current spec is enough.
>
>
>I'm concerned about attacks where one device in the administrative
>domain attacks another.
>
>Section 17.1 talks about cases such as a guest network and a corporate
>network both behind the same firewall but with different security
>properties.


[reinaldo] I skimmed that section (-24) but did not find this case. But in
my experience, although guest networks sit behind the same firewall as
corporate users, they are:

- In a separate security 'zone'
- Hosts in the guest 'zone' cannot access hosts in the corporate 'zone'
- Probably those two 'zones' would be served by different PCP Servers (or
contexts).

Therefore a guest could not inject a spoofed PCP response. If it could
inject a spoofed packet (in general) then the enterprise has bigger
problems to deal with.


>So, I'm worried about attackers within the same domain.  I think the
>nonce is more important for the simple threat model than the advanced
>threat model.


Given there are deployments with differing trust and security levels, I
would prefer the nonce to be an extension.

Also, I'm still trying to understand the impacts of nonce on stateless PCP
clients and PCP Proxy.


Thanks,

Reinaldo
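The scenario debated above (a host in the same administrative domain injecting a PCP response, and the per-request nonce as the check against it), as an added illustration that is not part of this thread or of the pcp-base draft: a constructed, simplified MAP-style message carrying only a 96-bit nonce, the two ports and a lifetime (the real PCP header is not modelled), a client that remembers each outstanding nonce, and a contrast client that matches on the internal port alone. The nonce-checking client's `pending` table is exactly the per-request state a client has to hold to make the check.

```python
import os
import struct

NONCE_LEN = 12  # the MAP opcode's Mapping Nonce is 96 bits

def build_response(nonce, internal_port, assigned_port, lifetime):
    """Constructed MAP-style response layout: nonce | internal port | assigned port | lifetime."""
    return nonce + struct.pack("!HHI", internal_port, assigned_port, lifetime)

def parse_response(payload):
    nonce = payload[:NONCE_LEN]
    internal_port, assigned_port, lifetime = struct.unpack("!HHI", payload[NONCE_LEN:NONCE_LEN + 8])
    return nonce, internal_port, assigned_port, lifetime

class NonceCheckingClient:
    """Remembers the nonce of each outstanding request; accepts only responses echoing one."""
    def __init__(self):
        self.pending = {}   # nonce -> internal port of the outstanding request
        self.mappings = {}  # internal port -> (assigned external port, lifetime)

    def build_request(self, internal_port, lifetime):
        nonce = os.urandom(NONCE_LEN)  # fresh and unguessable per request
        self.pending[nonce] = internal_port
        return nonce + struct.pack("!HI", internal_port, lifetime)

    def handle_response(self, payload):
        nonce, internal_port, assigned_port, lifetime = parse_response(payload)
        if self.pending.get(nonce) != internal_port:
            return False  # unknown or wrong nonce: drop, mapping state untouched
        del self.pending[nonce]
        self.mappings[internal_port] = (assigned_port, lifetime)
        return True

class NonceFreeClient(NonceCheckingClient):
    """Contrast case (constructed): same client, but it matches responses on the internal port alone."""
    def handle_response(self, payload):
        _, internal_port, assigned_port, lifetime = parse_response(payload)
        if internal_port not in self.pending.values():
            return False
        self.mappings[internal_port] = (assigned_port, lifetime)
        return True

def injected_response_accepted(client_cls):
    """Constructed scenario: one real request, then a response from a host that knows only the port."""
    client = client_cls()
    client.build_request(internal_port=8080, lifetime=3600)
    forged = build_response(bytes(NONCE_LEN), 8080, 1, 0)  # nonce unknown to the sender; lifetime 0 = delete
    return client.handle_response(forged)
```

With the nonce check the injected response is dropped and the mapping survives; the port-only client accepts it and overwrites its mapping with a zero lifetime.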