IETF Logo Mail Archive

Re: [pcp] Official reviewers Request for Learn NAT64 PREFIX64s using PCP

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Sat, 18 May 2013 06:40 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E17B21F8F61 for <pcp@ietfa.amsl.com>; Fri, 17 May 2013 23:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3E1gxS3KHRlH for <pcp@ietfa.amsl.com>; Fri, 17 May 2013 23:40:35 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 5676921F8E56 for <pcp@ietf.org>; Fri, 17 May 2013 23:40:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4017; q=dns/txt; s=iport; t=1368859235; x=1370068835; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=qzQzSx9qg+9HyprSV9bie6cI8d1eokVNIEhNGmXDAdI=; b=mrv9W1QaMgZbwiEiNeU0lnff+xOZZd+HnGbxu+FkMFfBhk7L7Zi6hTUz xteIMtH0VClOlAYv6JNOm0G5jCJb6CHnLlbwjBMhXMgjzdtrIZ3TwY4I5 Q21jg4n+oooAY7B//lMiE491FMTskBMfUbrhNx+8a0r7Zsb0K6nwXQhzr 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnQFAOchl1GtJV2Y/2dsb2JhbABbgwgwwU+BARZ0gh8BAQEDATo/DAQCAQgRBAEBAQoOBgkHMhQJCAIEAQ0FCId+Bgy9MI5wMQcGEoJbYQOTZ4R6kBeDD4Im
X-IronPort-AV: E=Sophos;i="4.87,698,1363132800"; d="scan'208";a="212127498"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-4.cisco.com with ESMTP; 18 May 2013 06:40:15 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id r4I6eDEZ003583 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 18 May 2013 06:40:13 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.56]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0318.004; Sat, 18 May 2013 01:40:13 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>, "Reinaldo Penno (repenno)" <repenno@cisco.com>
Thread-Topic: [pcp] Official reviewers Request for Learn NAT64 PREFIX64s using PCP
Thread-Index: AQHOUzDEbXMBRF62MEG/jn6xPv84lpkKenjA
Date: Sat, 18 May 2013 06:40:12 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A14B6EEAC@xmb-rcd-x10.cisco.com>
References: <45A697A8FFD7CF48BCF2BE7E106F0604090861C4@xmb-rcd-x04.cisco.com> <751A0C06-CDD7-4FCD-84D0-C0E5BFFE12A7@muada.com>
In-Reply-To: <751A0C06-CDD7-4FCD-84D0-C0E5BFFE12A7@muada.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.71.192]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pcp@ietf.org" <pcp@ietf.org>, "draft-ietf-pcp-nat64-prefix64@tools.ietf.org" <draft-ietf-pcp-nat64-prefix64@tools.ietf.org>
Subject: Re: [pcp] Official reviewers Request for Learn NAT64 PREFIX64s using PCP
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 May 2013 06:40:40 -0000

> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
> Sent: Friday, May 17, 2013 6:28 PM
> To: Reinaldo Penno (repenno)
> Cc: pcp@ietf.org; draft-ietf-pcp-nat64-prefix64@tools.ietf.org
> Subject: Re: [pcp] Official reviewers Request for Learn NAT64 PREFIX64s using
> PCP
> 
> On 16 mei 2013, at 13:19, Reinaldo Penno (repenno) <repenno@cisco.com> wrote:
> 
> >> Title  : Learn NAT64 PREFIX64s using PCP
> >> URL    : http://tools.ietf.org/html/draft-ietf-pcp-nat64-prefix64-00
> >> Authors: M. Boucadair
> 
> Ok, here is a brief review. Brief in the sense that I didn't re-familiarize
> myself with the related RFCs.
> 
> This is clearly useful.
> 
> I found 3.2, and especially 3.2.2 very sparse, I was looking to learn more
> about how this mechanism is useful in practice here. Some more
> applications/protocols could be listed. However, a lot of information is
> provided in 3.3. Unfortunately, there are two issues with this:
> 
> 1. SIP is a very complex protocol that not everyone may be familiar with
> 
> 2. Unless I misunderstood, a lot of what happens here is pure NAT64, and
> unrelated to the knowledge of the Pref64:
> 
> "the PCP Client issues a PCP MAP request with
>    PORT_RESERVATION_OPTION to reserve a pair of ports preserving parity
>    and contiguity [I-D.boucadair-pcp-rtp-rtcp].  A pair of ports and an
>    external IPv4 address are then returned by the PCP server to the
>    requesting PCP Client."
> 
> It would be more useful to concentrate on the functionality that is only
> possible when the Pref64 is known at this point. For instance, in the case of
> BitTorrent, IPv4 addresses of prospective peers may be learned from a tracker.
> In order for the client to connect to those peers, it needs to synthesize IPv6
> representations for those IPv4 addresses by combining them with the Pref64.
> 
> It would be useful to spell out that the ability to reserve ports and learn
> the external IPv4 address used by the NAT64 (or any NAT) allows for receiving
> incoming sessions. For this, the Pref64 is not needed. The Pref64, on the
> other hand, allows for setting up outgoing connections to systems for which
> only a literal IPv4 address (and not a fully qualified domain name) is known.
> But for this, no other PCP functionality is required. (Although in practice it
> gets more complex when ports are used in both directions simultaneously.)
> 
> The abstract starts with "This document defines a new PCP extension to learn
> the IPv6 prefix(es) used by a PCP-controlled NAT64 device" but the PREFIX64
> option only allows for one Pref64 and the option may only appear once, so the
> (es) part shouldn't be there. (Would the ability to learn multiple Pref64s be
> useful?? I guess load balancing across NAT64s with each a Pref64 of their own
> is possible.)
> 
> In 4.1 a reference to section 7.3 of RFC 6887 would be useful.
> 
> Although I was unhappy with the SIP example earlier, I think it's appropriate
> in section 5 as it shows the full complexity of a real-world system now that
> we've learned all the details of the mechanism. I think the section title
> should have "SIP" in it, though.
> 
> In the security considerations, I would expect a discussion about what happens
> when a malicious third party impersonates a PCP server and provides a fake
> Pref64.

This is not a problem when ICE is used. If during ICE connectivity checks, STUN request is sent to attacker. The attacker cannot send a valid
STUN response because it will not be aware the password using for STUN message integrity. Further RTCWEB (use case mentioned in 3.1) recommends SRTP, so DTLS will also fail. 

Anyway PCP client and server can be mutually authenticated using PCP authentication. This avoids the problem of attacker posing as PCP server.

--Tiru. 

> 
> Iljitsch

v2.23.0 | Report a Bug | By Email