Re: [pcp] Filter handling in PCP.
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Sun, 15 September 2013 11:36 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1553821E80E6 for <pcp@ietfa.amsl.com>; Sun, 15 Sep 2013 04:36:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.492
X-Spam-Level:
X-Spam-Status: No, score=-8.492 tagged_above=-999 required=5 tests=[AWL=-0.907, BAYES_40=-0.185, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ynbSV5hWB+nG for <pcp@ietfa.amsl.com>; Sun, 15 Sep 2013 04:36:51 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id 116EA21E80D6 for <pcp@ietf.org>; Sun, 15 Sep 2013 04:36:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9231; q=dns/txt; s=iport; t=1379245010; x=1380454610; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=YCEiYM9meaMQTBkiz5fhE0jkUXVEPmRbvSDTy9BMryA=; b=cG9gFmdgFiEAefD9Zp/cUT2IdHKn0zTODd82+MPGJt5znNqFEePRRSCC QPYZOC3Pslp3fU7jZM5m61MpKIIVHlONd2Dim/oXKymJtSFDH+xrF8mFb 7QQxsDRyToSy+ojfjM8IUcR0aTxY+fyeY03YMz0xdcvXgI9kyFIrKui+4 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Aj4FAH2bNVKtJV2a/2dsb2JhbABbgwc4UsBpgRcWdIIlAQEBAwEBAQEkRxAHBAIBCBEEAQEBCgMaBycLFAkIAgQBEggRh2QGDLlgjimBGTgGgxiBAAOJAJAqkEWDJIIq
X-IronPort-AV: E=Sophos;i="4.90,909,1371081600"; d="scan'208";a="259965000"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-3.cisco.com with ESMTP; 15 Sep 2013 11:36:38 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r8FBabA5010848 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 15 Sep 2013 11:36:37 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.33]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0318.004; Sun, 15 Sep 2013 06:36:36 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Suresh Kumar Vinapamula Venkata <sureshk@juniper.net>, Simon Perreault <simon.perreault@viagenie.ca>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] Filter handling in PCP.
Thread-Index: AQHOqaD9RdvgW00QC0+tw6F4JikFQpm2uq4ggAE3oACAA0HPUIAFOV+AgANKgkA=
Date: Sun, 15 Sep 2013 11:36:36 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A190782CA@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A1905DD5A@xmb-rcd-x10.cisco.com> <CE5550F8.1FABC%sureshk@juniper.net>
In-Reply-To: <CE5550F8.1FABC%sureshk@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.68.47]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pcp] Filter handling in PCP.
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Sep 2013 11:36:56 -0000
Hi Suresh, Please see inline. > -----Original Message----- > From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net] > Sent: Wednesday, September 11, 2013 11:47 AM > To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org > Subject: Re: [pcp] Filter handling in PCP. > > Hi Tiru, > > Please see inline. > > On 9/9/13 9:21 PM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> > wrote: > > >Hi Suresh, > > > >Please see inline > > > >> -----Original Message----- > >> From: Suresh Kumar Vinapamula Venkata [mailto:sureshk@juniper.net] > >> Sent: Friday, September 06, 2013 2:16 AM > >> To: Tirumaleswar Reddy (tireddy); Simon Perreault; pcp@ietf.org > >> Subject: Re: [pcp] Filter handling in PCP. > >> > >> > >> > >> On 9/5/13 12:32 AM, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> > >> wrote: > >> > >> >> -----Original Message----- > >> >> From: Simon Perreault [mailto:simon.perreault@viagenie.ca] > >> >> Sent: Wednesday, September 04, 2013 10:44 AM > >> >> To: pcp@ietf.org > >> >> Subject: Re: [pcp] Filter handling in PCP. > >> >> > >> >> Le 2013-09-04 01:51, Suresh Kumar Vinapamula Venkata a écrit : > >> >> > a) An existing EIM mapping would be transformed to PCP mapping > >> >>through a > >> >> > MAP request. > >> >> > If that MAP request has filters, and if there are already > >>connections > >> >> > associated with that mapping from hosts that are not matching > >>filters, > >> >> > what should be the fate of those connections? I feel those > >>connections > >> >> > are to be torn down. > >> >> > >> >> I'd say it's up to the implementation. I personally would prefer > >> >> existing connections to stay up and new ones to be refused. > >> >> > >> >> > b) RFC recommends that if there has to be change in filters, there > >>has > >> >> > to be a delete followed by addition of new filters. What should be > >>the > >> >> > fate of the connections from IP addresses of old filters? If those > >> >> > connections are deleted there would be disruption in traffic. > >>Suppose > >> >>I > >> >> > am providing a streaming service, and a new user subscribed. I > >>want to > >> >> > add him to the list, but I would not expect that should not result > >>in > >> >> > disruption for others right? If those connections are not deleted, > >>it > >> >> > would continue to allow connections from addresses that are not > >> >>present > >> >> > in new filters but are present in old filters? Consider some one > >> >>stopped > >> >> > subscription. > >> >> > >> >> Again, up to the implementation. > >> >> > >> >> > Also, if we go with delete followed by add, there is a window where > >> >>any > >> >> > external IP address can connect to internal host during delete and > >>add > >> >> > operation. Why can't there be an explicit delete of individual > >> >>filters? > >> >> > This way client may append to the list of IP addresses in filter, > >>and > >> >> > delete IP addresses without disruption of traffic to others. > >> >> > >> >> That actually might be a shortcoming of the RFC. If you feel that use > >> >> case is important to you, you could propose a way to selectively > >>delete > >> >> filters. > >> >> > >> >> > c) If an existing EIM mapping has EIF configured(admin configured), > >> >>and > >> >> > if there is a PCP mapping request for that mapping but with a > >> >>different > >> >> > set of filters disjoint with admin configured filters, what should > >>be > >> >> > the behavior? I feel PCP should override configured filters. > >> >> > >> >> Up to the implementation. > >> >> > >> >> > d) Filtering option gives option to program allowed list. There is > >>no > >> >> > way to configure inverse of it. Suppose I am providing a service to > >> >> > external world, where anyone can access. My system detected > >>someone is > >> >> > attacking, and it should block only that user. It is not easy to > >>block > >> >> > with the existing constructs as defined in the RFC. > >> > > >> >Firewalls already use various techniques like reputation based > >> >black-listing/white-listing (for example reputation based IP address). > >> >Even if PCP client uses MAP without any FILTER option, it does not mean > >> >it can over-ride the Firewall rules which will block traffic from those > >> >black-listed IP addresses. If Firewall detects that some remote peers > >>are > >> >attacking (for example bots) then it will drop the traffic over-riding > >> >the PCP client request to permit traffic. > >> > >> I agree, and I am not expecting firewall black listed addresses to > >>access > >> my service even if I don't have filters. > > > >Ok. > > > >> But, for some reason if I want to deny access to a specific IP address > >>to > >> reach my service, I don't see a way to do it currently. > >> Wouldn't a new option as mentioned above helps here? > > > >It may help, I am trying to understand the use case. Any specific > >applications that you are thinking of - which would be enhanced to use > >PCP, detects attacks from remote peer and informs the PCP- > First thing that comes to my mind here is bit torrent malware. Once > antivirus detects some malware from some existing connection, I may issue > delete PEER delete request to those connections, but if he is persistently > trying, I think there is no way to block currently on CGN. I may block him > at application level, but he would still consume my resources on CGNAT > box. Ok. But what will be the incentive for anti-virus (AV) to apply this black-list filtering rule and reduce the resource utilization on CGNAT ? May be the AV would be interested in this new PCP option because it could inform the network to block the incoming traffic and thus save some CPU cycles in the host itself. > > >controlled Firewall to block traffic from some specific IP addresses. If > >the application determines that specific IP address is attacking, would > >it apply the blocking rule with a global scope (i.e. block all incoming > >traffic from this specific IP address to any device within the network) ? > Application should block it at the IP level. At the connection level > application may issue a delete PEER request right? > > > > >I suspect some problems with this approach: > > > >a)Both legitimate users and attackers could share the same IPv4 address > >because of NAT - How does this rule ensure that legitimate users are not > >penalized ? > Very valid, that is a generic problem with any IP filtering right? But those rules are typically applied based on IPv4 address reputation score. The reputation score has to be bad for the incoming traffic from this specific IP addresses to be black-listed. It still has the drawback of unable to distinguish legitimate users verses attackers. There are other mechanisms proposed like http://tools.ietf.org/html/draft-wing-nat-reveal-option-03 which uses USER_HINT TCP option for the TCP server to differentiate between the TCP clients sharing the same IP address. > Shouldn't we have this issue, where a filter is added to grant access to a > specific IP address and that IP address is shared between attacker and > legitimate user. It's usually the application logic to differentiate b/w attacker and legitimate user. > >b)Attacker using IPv6 (for example IPv6 privacy addresses) can easily > >change the IP address and by-pass the black-list rule ? > How is filtering done in case of IPv6? Can't we take same approach here ? I am not sure if reputation based IPv6 filtering is possible because large amount of available IPv6 address space. > >c)How will the application determine for how long to block the specific > >black-listed IP addresses ? > For the life time of the mapping or till the filter is deleted, which > application may decide. >From your example it's the AV which decides to block the IP addresses and not the application. How will the AV know how long to black-list these IP addresses ? -Tiru. > > > >-Tiru. > > > >> > >> > > >> >-Tiru. > >> > > >> >> > I feel we should > >> >> > support inverse msg type(except the mentioned IP address allow any > >> >>one) > >> >> > for filter option. We can define new message constructs, how this > >>can > >> >>be > >> >> > modified, like say another attacker identified. When this option is > >> >> > communicated, all associated flows of that address are to be > >>deleted. > >> >> > >> >> Makes sense. If you feel that this is important, feel free to > >>propose an > >> >> extension. > >> >> > >> >> Just my 2 cents... > >> >> > >> >> Simon > >> >> -- > >> >> DTN made easy, lean, and smart --> http://postellation.viagenie.ca > >> >> NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca > >> >> STUN/TURN server --> http://numb.viagenie.ca > >> > > >> >_______________________________________________ > >> >pcp mailing list > >> >pcp@ietf.org > >> >https://www.ietf.org/mailman/listinfo/pcp > >> > > >> > > >> > > > > > > >
- [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Simon Perreault
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- Re: [pcp] Filter handling in PCP. Suresh Kumar Vinapamula Venkata
- Re: [pcp] Filter handling in PCP. Tirumaleswar Reddy (tireddy)
- [pcp] Comments on draft-ietf-pcp-optimize-keepali… Reinaldo Penno (repenno)
- Re: [pcp] Comments on draft-ietf-pcp-optimize-kee… Prashanth Patil (praspati)
- Re: [pcp] Comments on draft-ietf-pcp-optimize-kee… Tirumaleswar Reddy (tireddy)
- Re: [pcp] Comments on draft-ietf-pcp-optimize-kee… Reinaldo Penno (repenno)