Re: [pcp] draft-ietf-pcp-proxy-01
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Fri, 15 February 2013 05:46 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1BAC21F86DD for <pcp@ietfa.amsl.com>; Thu, 14 Feb 2013 21:46:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D+tgpDrEC6Xo for <pcp@ietfa.amsl.com>; Thu, 14 Feb 2013 21:46:40 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id 1758021F856E for <pcp@ietf.org>; Thu, 14 Feb 2013 21:46:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7187; q=dns/txt; s=iport; t=1360907200; x=1362116800; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=zY8uzeiOz3g9dzJsA3jcexM3nZE5CXXxtq+I++L5hRc=; b=diuwF0gk2PYx+I+WsMysSnUx53drC5TeYjg7ah+jqj73YH4EVadZnktk ieQECkd5ZremEKXn7JykdQK+L/UOr1kJHHXSiOEnDp/TsznbiDzwEOI82 YWhTHKD+mcLtBd+vb6Od6pldFqwzU1S2Tp8mauQaLN0DOSzrq4dA66uVN o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgsFAGvKHVGtJV2b/2dsb2JhbAA7CYN0vHEWc4IfAQEBBAEBAWsXBAIBCBEBAwEBCwMaBycLFAMGCAIEARIIAYgJBwW9Fo0uEoNiYQOIMI8UjzeDB4FrJBg
X-IronPort-AV: E=Sophos;i="4.84,670,1355097600"; d="scan'208";a="177373575"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-2.cisco.com with ESMTP; 15 Feb 2013 05:46:36 +0000
Received: from xhc-rcd-x07.cisco.com (xhc-rcd-x07.cisco.com [173.37.183.81]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r1F5kanw029727 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 15 Feb 2013 05:46:36 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.195]) by xhc-rcd-x07.cisco.com ([173.37.183.81]) with mapi id 14.02.0318.004; Thu, 14 Feb 2013 23:46:36 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] draft-ietf-pcp-proxy-01
Thread-Index: AQHN3uybfXVjAbB6bU6t4S6LHaLs+ZgizVgwgClNTICAAAN+wIAqmosggAAJ8YA=
Date: Fri, 15 Feb 2013 05:46:36 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A14918984@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A148C07A6@xmb-rcd-x10.cisco.com> <94C682931C08B048B7A8645303FDC9F36EA601E417@PUEXCB1B.nanterre.francetelecom.fr> <913383AAA69FF945B8F946018B75898A148E56D5@xmb-rcd-x10.cisco.com> <94C682931C08B048B7A8645303FDC9F36EAEE11EF5@PUEXCB1B.nanterre.francetelecom.fr>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F36EAEE11EF5@PUEXCB1B.nanterre.francetelecom.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.77.197]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pcp] draft-ietf-pcp-proxy-01
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2013 05:46:43 -0000
Hi Med, Please see inline. Best Regards, --Tiru. > -----Original Message----- > From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com] > Sent: Tuesday, February 12, 2013 9:50 PM > To: Tirumaleswar Reddy (tireddy); pcp@ietf.org > Subject: RE: [pcp] draft-ietf-pcp-proxy-01 > > Hi Tiru, > > Please see inline. > > Cheers, > Med > > >-----Message d'origine----- > >De : Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] > >Envoyé : jeudi 17 janvier 2013 13:27 > >À : BOUCADAIR Mohamed OLNC/OLN; pcp@ietf.org > >Objet : RE: [pcp] draft-ietf-pcp-proxy-01 > > > >Hi Med, > > > >Please see inline [Tiru] > > > >> -----Original Message----- > >> From: mohamed.boucadair@orange.com > >[mailto:mohamed.boucadair@orange.com] > >> Sent: Wednesday, January 16, 2013 7:00 PM > >> To: Tirumaleswar Reddy (tireddy); pcp@ietf.org > >> Subject: RE: [pcp] draft-ietf-pcp-proxy-01 > >> > >> Hi Tiru, > >> > >> Many thanks for the comments. > >> > >> Please see inline. > >> > >> Cheers, > >> Med > >> > >> >-----Message d'origine----- > >> >De : Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] > >> >Envoyé : vendredi 21 décembre 2012 07:43 > >> >À : BOUCADAIR Mohamed OLNC/OLN; pcp@ietf.org > >> >Objet : Re: [pcp] draft-ietf-pcp-proxy-01 > >> > > >> >Hi Med, > >> > > >> >Comments > >> > > >> >[1] Section 3 PCP Server Discovery and Provisioning : > >> >You may also want to add details that PCP Proxy would use > >> >similar mechanism just like PCP client to discover the PCP server. > >> > >> Med: I updated the text with an explicit ref to Section 8.1 > >of draft-ietf-pcp- > >> base. > >> > >> > > >> >[2] Section 5 Control of the Firewall : > >> >Firewall rules would be typically to block any unsolicited > >> >traffic from outside to inside. For PCP request/response this > >> >will not be a problem, but would have issues with unsolicited > >> >ANNOUNCE. In this case PCP Authentication looks mandatory to > >> >handle man-in-middle attacks trying to act as PCP Server. > >> > >> Med: is that a problem even if the pcp server is known to > >the pcp proxy ? > > > >The PCP server could be in a different administrative domain > >that may or may have IP source guard; attacker can spoof the > >well-known IP address of the PCP server and send ANNOUNCE. PCP > >authentication looks mandatory. > > Med: Why is this specific to PCP Proxy case ? In this leg, the PCP Proxy is > acting as a PCP Client. Security considerations discussed in the base spec > apply here. - The behavior of the PCP proxy needs to be defined to ensure message integrity after updating the PCP message for the use cases described in sections 6 and 7 when PCP Authentication is in place. - PCP proxy must also validate message integrity of messages from PCP client and server (please refer to REQ-15, REQ-16 in http://tools.ietf.org/html/draft-reddy-pcp-auth-req-00 ) - Since PCP proxy is acting as PCP client and communicating with PCP server in a different domain, usage of PCP Authentication needs to be explained not just for PCP Proxy Authentication with the PCP server, message integrity of PCP messages, but also to ensure that PCP Proxy is communicating with a valid PCP server. > > > > >> > >> > > >> >[3] Section 5 : Replace REMOTE_PEER_FILTER with FILTER option > >> > >> Med: Fixed. Thanks. > >> > >> > > >> >[4] Section 8 MAP/PEER handling : you may also want to clarify > >> >PCP proxy behavior when PCP client uses THIRD_PARTY option. > >> > >> Med: I updated the text to explicitly require the PCP server > >follows the pcp > >> server recommendations detailed in section 13.1 of > >draft-ietf-pcp-base. > >> > >> > > >> >[5] Section 10.1 Multiple PCP servers : There could be another > >> >scenarios that PCP proxy would forward the PCP request to one > >> >of the PCP servers depending on the fields set in PCP request > >> >(for specific use cases please refer to > >> >http://tools.ietf.org/html/draft-rpcw-pcp-pmipv6-serv-discovery > >> >-00 , > >> >http://tools.ietf.org/html/draft-chen-pcp-mobile-deployment-02# > >> >section-8)] > >> > > >> > >> Med: what change you want to see in that section? Thanks. > > > >The PCP proxy based on various fields set in the PCP request, > >client identity will forward the PCP request to different PCP > >servers. For example in the case of PMIPv6 based on the UE > >subscription traffic offload rules will be installed on the > >MAG. MAG acting as PCP proxy can either handle the PCP request > >in the local access network itself or relay the PCP request to > >the PCP server in the home network. I guess similar mechanism > >would be needed in 3GPP network with SIPTO. > > Med: I added this sentence: > > "The PCP Proxy MAY rely on some fields (e.g., Zone ID [I-D.penno-pcp-zones] in > the PCP request to redirect the request to a given PCP Server." Yes this new change looks good. Zone ID draft has expired long time back, you may want to change the example or check if this draft will be re-published. > > > > >> > >> >[6] How is it ensured that only the PCP proxy can communicate > >> >with the PCP server and not any other PCP client ? > >> > >> Med: Should this be part of the PCP Proxy spec ? > > > >This can be solved by simple techniques like ACL to block PCP > >client from communicating directly with the PCP server. You > >can mention it in security considerations. > > Med: I added this sentence to the security section: > > "The device embedding the PCP Proxy MAY block PCP requests directly sent to > the PCP Server. This control can be enforced using access control list." Looks good. --Tiru. > > > > >--Tiru. > > > >> > >> > > >> >--Tiru. > >> > > >> >> -----Original Message----- > >> >> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] > >On Behalf Of > >> >> mohamed.boucadair@orange.com > >> >> Sent: Friday, August 17, 2012 5:33 PM > >> >> To: pcp@ietf.org > >> >> Subject: [pcp] draft-ietf-pcp-proxy-01 > >> >> > >> >> Dear all, > >> >> > >> >> A new version is now available online: > >> >> http://tools.ietf.org/html/draft-ietf-pcp-proxy-01 > >> >> > >> >> The main changes in -01 are as follows: > >> >> > >> >> * The reference architecture is updated: the PCP proxy is > >> >not restricted to > >> >> the CP router deployment case. > >> >> * Add a new section to specify the behaviour when the PCP > >> >Proxy is not > >> >> co-located with a NAT function > >> >> * Add a new section for mappings repair > >> >> * More discussion for the multiple PCP Servers scenario > >> >> * Text is cleanup > >> >> > >> >> A detailed diff is available here: > >> >> > >> >> http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-proxy-01 > >> >> > >> >> Please review this new version and provide input. > >> >> > >> >> Cheers, > >> >> Med > >> >> _______________________________________________ > >> >> pcp mailing list > >> >> pcp@ietf.org > >> >> https://www.ietf.org/mailman/listinfo/pcp > >> > > >> > > >
- Re: [pcp] draft-ietf-pcp-proxy-01 Tirumaleswar Reddy (tireddy)
- Re: [pcp] draft-ietf-pcp-proxy-01 mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy-01 Tirumaleswar Reddy (tireddy)
- Re: [pcp] draft-ietf-pcp-proxy-01 mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy-01 Tirumaleswar Reddy (tireddy)