Re: [pcp] pcp-base-27: Mapping Nonce change
Dave Thaler <dthaler@microsoft.com> Thu, 20 September 2012 23:37 UTC
From: Dave Thaler <dthaler@microsoft.com>
To: Dan Wing <dwing@cisco.com>, "pcp@ietf.org" <pcp@ietf.org>
Thanks Dan for the nice summary. Hopefully we can have a good discussion on the call tomorrow, primarily on #1 (the security point).

-Dave

> -----Original Message-----
> From: Dan Wing [mailto:dwing@cisco.com]
> Sent: Thursday, September 20, 2012 11:36 AM
> To: pcp@ietf.org
> Cc: pcp-chairs@tools.ietf.org
> Subject: pcp-base-27: Mapping Nonce change
>
> Based on IESG feedback and coordinating these changes with draft-ietf-behave-lsn-requirements, an updated version of pcp-base has been posted. The proposed change to Mapping Nonce was announced on August 17, "strengthening PCP with Mapping Nonce", http://www.ietf.org/mail-archive/web/pcp/current/msg02229.html.
>
> The significant changes are:
>
> 1. Once a MAP or PEER opcode is processed by the PCP server, subsequent changes to that mapping have to use the same Mapping Nonce. This closes the attack that led to REQ-9-A in draft-ietf-behave-lsn-requirements-09.
>
> However, this change has a side-effect of disabling two previous MAP features: (a) the ability of a PCP client to delete (clear) PCP mappings created by a previous PCP client using the same IP address, and (b) the ability for a PCP client to delete all of the mappings it created by sending one MAP message. To accommodate the loss of (a), pcp-base-27 recommends that when a host joins a network, the network device that allowed the device to join the network should flush PCP-created mappings and non-PCP-created mappings (e.g., DHCP, 802.1x, PPPoE). Towards that end, Stuart has written draft-cheshire-pcp-expire, and there are many other ways to clear PCP and implicit mapping state in NATs and firewalls when a device joins a network. (b) was just an optimization; the PCP client can delete MAP-created mappings by issuing separate requests, similar to how it issued separate MAP requests to create the mappings.
>
> 2. Clarified that PEER can reduce a mapping lifetime to the same lifetime as active, bi-directional traffic. This allows PEER to extend the lifetime of a mapping, then later, using the same Mapping Nonce, PEER can rescind (revert) that lifetime extension so the mapping is treated as if PEER was never used.
>
> Another significant change, unrelated to Mapping Nonce, is that Mapping Update is now required. This means the PCP server now MUST inform the PCP client of any changes to a mapping; earlier versions of the specification said this was merely a SHOULD. This change makes PCP a more reliable protocol.
>
> There are a lot of other minor changes from IESG feedback and from other reviewers. See the changelog in Section B.1, or the side-by-side diffs.
>
> URL: http://www.ietf.org/internet-drafts/draft-ietf-pcp-base-27.txt
> Status: http://datatracker.ietf.org/doc/draft-ietf-pcp-base
> Htmlized: http://tools.ietf.org/html/draft-ietf-pcp-base-27
> Diff: http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-base-27
>
> -d
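As an added illustration of the Mapping Nonce rule in change #1, the PEER lifetime rule in #2, and the flush-on-join workaround for the lost "clear a predecessor's mappings" feature (example code written for this archive page, not from the draft or from either message), the following toy PCP server table rejects any modification or deletion whose nonce differs from the one the mapping was created with. The result-code name `NOT_AUTHORIZED`, the constant `IMPLICIT_LIFETIME`, and the function names are assumptions for illustration, not values stated in the mail.

```python
# Toy model of the pcp-base-27 Mapping Nonce check (added example, not draft text).
# Result-code names and IMPLICIT_LIFETIME are assumptions chosen for illustration.
from dataclasses import dataclass

IMPLICIT_LIFETIME = 120   # assumed: lifetime a NAT grants to active bidirectional traffic

@dataclass
class Mapping:
    nonce: bytes      # Mapping Nonce supplied by the client that created the mapping
    lifetime: int     # remaining lifetime in seconds

class PcpServer:
    """Mapping state keyed by (internal address, protocol, internal port)."""
    def __init__(self):
        self.mappings = {}

    def _check_nonce(self, key, nonce):
        existing = self.mappings.get(key)
        # Any request that changes an existing mapping must carry the nonce it was
        # created with; another client on the same address cannot alter or delete it.
        return existing is None or existing.nonce == nonce

    def handle_map(self, internal_ip, proto, port, nonce, lifetime):
        key = (internal_ip, proto, port)
        if not self._check_nonce(key, nonce):
            return "NOT_AUTHORIZED"
        if lifetime == 0:          # delete: one request per mapping, no bulk clear
            self.mappings.pop(key, None)
        else:
            self.mappings[key] = Mapping(nonce, lifetime)
        return "SUCCESS"

    def handle_peer(self, internal_ip, proto, port, nonce, lifetime):
        key = (internal_ip, proto, port)
        if not self._check_nonce(key, nonce):
            return "NOT_AUTHORIZED"
        # PEER may extend the lifetime and, with the same nonce, later shrink it back,
        # but never below what active bidirectional traffic would already receive.
        effective = max(lifetime, IMPLICIT_LIFETIME)
        self.mappings[key] = Mapping(nonce, effective)
        return "SUCCESS"

    def flush_host(self, internal_ip):
        """Replacement for the removed feature (a): when a device joins the network
        (e.g. on a DHCP lease), the network drops all mappings for its address."""
        for key in [k for k in self.mappings if k[0] == internal_ip]:
            del self.mappings[key]
```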