Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp
<mohamed.boucadair@orange.com> Fri, 26 July 2013 08:05 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9852D21F8947 for <pcp@ietfa.amsl.com>; Fri, 26 Jul 2013 01:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_FR=0.35, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aktpWCGyK3gw for <pcp@ietfa.amsl.com>; Fri, 26 Jul 2013 01:05:45 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias91.francetelecom.com [193.251.215.91]) by ietfa.amsl.com (Postfix) with ESMTP id 1AEDE21F8EEA for <pcp@ietf.org>; Fri, 26 Jul 2013 01:05:43 -0700 (PDT)
Received: from omfedm05.si.francetelecom.fr (unknown [xx.xx.xx.1]) by omfedm11.si.francetelecom.fr (ESMTP service) with ESMTP id 16E6F3B4466; Fri, 26 Jul 2013 10:05:42 +0200 (CEST)
Received: from puexch91.nanterre.francetelecom.fr (unknown [10.101.44.48]) by omfedm05.si.francetelecom.fr (ESMTP service) with ESMTP id ECE7A35C058; Fri, 26 Jul 2013 10:05:41 +0200 (CEST)
Received: from PUEXCB1B.nanterre.francetelecom.fr ([10.101.44.12]) by puexch91.nanterre.francetelecom.fr ([10.101.44.48]) with mapi; Fri, 26 Jul 2013 10:05:42 +0200
From: mohamed.boucadair@orange.com
To: Dan Wing <dwing@cisco.com>
Date: Fri, 26 Jul 2013 10:05:39 +0200
Thread-Topic: [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp
Thread-Index: Ac6JijP4u9dpIZ43SYeeqWZlii00WgAQIcyQ
Message-ID: <94C682931C08B048B7A8645303FDC9F36EE6E83194@PUEXCB1B.nanterre.francetelecom.fr>
References: <09D9F37E-8339-412C-B703-4DBC9A96696A@cisco.com> <94C682931C08B048B7A8645303FDC9F36EE4BA569B@PUEXCB1B.nanterre.francetelecom.fr> <10106ED6-5FF5-4C03-8F2E-8AFCE2D0812A@cisco.com>
In-Reply-To: <10106ED6-5FF5-4C03-8F2E-8AFCE2D0812A@cisco.com>
Accept-Language: fr-FR
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.7.26.63617
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2013 08:05:49 -0000
Hi Dan, Please see inline. Cheers, Med >-----Message d'origine----- >De : Dan Wing [mailto:dwing@cisco.com] >Envoyé : vendredi 26 juillet 2013 00:56 >À : BOUCADAIR Mohamed OLNC/OLN >Cc : pcp@ietf.org >Objet : Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp > > >On Jul 23, 2013, at 11:08 PM, mohamed.boucadair@orange.com wrote: > >> Hi Dan, >> >> The main reasons why we had that text are as follows: >> >> * The PCP Proxy won't need to inspect every incoming packet. The current >approach makes it easy to redirect PCP responses to the PCP proxy because >PCP responses will be explicitly sent to its external IP address. > >I agree it is different to send the packet to the PCP proxy's public >address than what I described. However, ALG code in NATs and firewalls >today are pretty capable of seeing the response traffic. Thus what I am >suggesting is not new. [Med] I'm not saying this is not possible; the point is that it is much more simple to direct explicitly PCP traffic to the proxy rather than inspecting all incoming traffic. Remember there is no NAT in the case we are discussing here. > > >> * In some scenarios, the address family of the internal IP address is not >the same as the one available in the external interface of the PCP Proxy. A >typical example is DS-Lite. As you know DS-Lite assumes plain IPv6 mode, >internal PCP requests are received over IPv4 while external requests are >sent over IPv6 without requiring in NAT. In such case, internal request >cannot just be relayed to the next PCP server. > >Why can't IPv4 PCP requests be sent over IPv4 (over the DS-Lite IPv6 >tunnel), just like a IPv4 TCP SYNs? [Med] The plain mode is what is implemented in most platforms I'm aware of, and it is the mode adopted by the WG. I recall there was objection to that >and a preference for sending the PCP requests over IPv6, but I am now >worried the security implications of such a decision have not been fully >considered. [Med] FWIW, there is a decent security analysis available at: http://tools.ietf.org/html/draft-ietf-pcp-dslite-00#section-3 > >What of scenarios where IPv6/IPv4 tunneling is not involved -- why does >draft-ietf-pcp-proxy require the proxy insert THIRD_PARTY for those, too? >Just to make the proxy implementation less like an ALG (your first bullet)? [Med] Yes. > > >What are the security implications of a deployment where some subscribers >have a PCP proxy and it adds THIRD_PARTY (legitimately) versus other >subscribers who don't have a PCP proxy and someone on that subscriber's >network (e.g., coffee shop, hotel) is abusing THIRD_PARTY (maliciously). [Med] The same issue can be raised without having the THIRD_PARTY because the malicious user can spoof the source IP address. >How would the service provider's PCP server differentiate between those two >types of subscribers and know to allow one THIRD_PARTY but deny the other >THIRD_PARTY? [Med] The use of THIRD_PARTY assumes the network in which it is used is trusted. This is a generic concern discussed in rfc6887. The problem I see with the PCP proxy inserting THIRD_PARTY is >the upstream PCP server is now doing something different than it was >without a PCP proxy on the path -- the upstream PCP server has to >understand and allow THIRD_PARTY. Imagine a situation, all too common, >where there are two NATs in a home ("look, a fancy blue LED, 802.1ac, and >only $40. My Internet will go really fast") and each is doing PCP proxying >-- now the second one has to do PCP proxying, which it will be surprised to >see from what it thought was an end host. [Med] Your scenario involves NAT... which is not the case we are discussing here. For this particular case, there is no need to insert a THIRD_PARTY by the PCP Proxy because the internal IP address set by the proxy is also the address used by the proxy to relay the request. > >-d > > > >> >> Cheers, >> Med >> >>> -----Message d'origine----- >>> De : pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] De la part de >Dan >>> Wing >>> Envoyé : mercredi 24 juillet 2013 03:41 >>> À : pcp@ietf.org >>> Objet : [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp >>> >>> I am trying to understand the difference between draft-ietf-pcp-proxy >and >>> draft-cheshire-recursive-pcp. One of the significant differences seems >to >>> be if the proxy should function differently from an endpoint. draft- >ietf- >>> pcp-proxy has a proxy operating differently from an endpoint with the >>> sentence starting with "Nevertheless" >>> >>> 6. No NAT is Co-located with the PCP Proxy >>> >>> When no NAT is co-located with the PCP Proxy, the port numbers >>> included in received PCP messages (from the PCP server or PCP >>> client(s)) are not altered by the PCP Proxy. Nevertheless, the PCP >>> client IP Address MUST be changed to the address of the PCP Proxy and >>> a THIRD_PARTY Option inserted to carry the IP address of the source >>> PCP client. >>> >>> The text is under-specified (as the PCP proxy can have have several >>> addresses, even if it is a firewall), but I don't know why the PCP proxy >>> needs to add the THIRD_PARTY option. It could just send the packet as- >is, >>> with the original source IP address. The proxy will see the response >just >>> as it will see the TCP SYNACK response to a TCP SYN. >>> >>> WG thoughts? >>> >>> -d >>> >>> _______________________________________________ >>> pcp mailing list >>> pcp@ietf.org >>> https://www.ietf.org/mailman/listinfo/pcp
- [pcp] draft-ietf-pcp-proxy and draft-cheshire-rec… Dan Wing
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… Dan Wing
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… mohamed.boucadair
- [pcp] DS-Lite "plain mode" (Was: Re: draft-ietf-p… Simon Perreault
- Re: [pcp] DS-Lite "plain mode" (Was: Re: draft-ie… mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… Dan Wing