Re: [pcp] GET and GETNEXT OpCodes
"Dan Wing" <dwing@cisco.com> Fri, 11 March 2011 18:00 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: pcp@core3.amsl.com
Delivered-To: pcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D6DC73A6C43 for <pcp@core3.amsl.com>; Fri, 11 Mar 2011 10:00:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kxnno7AHaOZA for <pcp@core3.amsl.com>; Fri, 11 Mar 2011 10:00:53 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 7D8233A6A5A for <pcp@ietf.org>; Fri, 11 Mar 2011 10:00:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=4873; q=dns/txt; s=iport; t=1299866533; x=1301076133; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=+64QL8TGf43ojH6T304nPFq89G+owh6aI207kOLHrnE=; b=AywiwuLOPRRIPA3+/ZE5XEWuvrpdodYZ79AwrY7uDBYfvsDXPxOg8Lr9 0tDi/qVFOY5MdthAkkwFBGlCxsuzt2Sn7YkHpJY6S354SqdPQFaQvsZi+ HJuA+9AT9DoVPFO5HotPTDX6VHZgkfLI1HMfcHeGVUGkOgdp2nKYrmrno I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0AAGbyeU2tJXHB/2dsb2JhbACYZIFki2l3pgOcJoViBIUp
X-IronPort-AV: E=Sophos;i="4.62,304,1297036800"; d="scan'208";a="274853884"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by sj-iport-4.cisco.com with ESMTP; 11 Mar 2011 18:02:12 +0000
Received: from dwingWS ([10.21.79.146]) by rcdn-core2-6.cisco.com (8.14.3/8.14.3) with ESMTP id p2BI2B17014640; Fri, 11 Mar 2011 18:02:11 GMT
From: Dan Wing <dwing@cisco.com>
To: Francis.Dupont@fdupont.fr
References: Your message of Thu, 10 Mar 2011 10:06:06 PST. <256d01cbdf4d$d4103960$7c30ac20$@com> <201103110056.p2B0umNS085286@givry.fdupont.fr>
In-Reply-To: <201103110056.p2B0umNS085286@givry.fdupont.fr>
Date: Fri, 11 Mar 2011 10:02:11 -0800
Message-ID: <2a8c01cbe016$725ad990$57108cb0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcvfhzfN2KU8vB4RSFeX12a/W9WZ5AAjvFPw
Content-Language: en-us
Cc: xiaohong.deng@orange-ftgroup.com, pcp@ietf.org
Subject: Re: [pcp] GET and GETNEXT OpCodes
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2011 18:00:54 -0000
> -----Original Message----- > From: Francis.Dupont@fdupont.fr [mailto:Francis.Dupont@fdupont.fr] > Sent: Thursday, March 10, 2011 4:57 PM > To: Dan Wing > Cc: xiaohong.deng@orange-ftgroup.com; pcp@ietf.org; 'Simon Perreault' > Subject: Re: [pcp] GET and GETNEXT OpCodes > > > In your previous mail you wrote: > > Oh! That must be the security problem you refer us back to, but > have not re-explained to us. > > => yes, I am tired to explain it again and again. > > So, the scenario is: > > 1. PCP client does a MAP > 2. PCP server (or the CGN) crashes and loses state > 3. PCP client is, of course, unaware of that state loss until > much later (whatever its refresh interval is) > 4. In that interval, another PCP client (or implicit dynamic > mapping) could grab that port. > > The same problem exists without PCP, of course, with an > implicit mapping (e.g., created with a TCP SYN). > > => yes, it exists for implicit dynamic mappings, explicit > dynamic mappings and static mappings, and its severity increases > for each kind of mappings. > IMHO it is unbearable for static mappings (i.e., if one of my ISPs > fails to protect a static mapping of mine I'll sue it), > critical for explicit dynamic mappings and perhaps to expensive > to solve for implicit dynamic mappings (i.e., if one of my ISPs > fails to protect an implicit dynamic mapping I'll just say it > is the way of life, @#$* NATs!). Of course this is based on > relative lifetimes and what is expected from each kind. > > And the > resolution is described in Section 6, "Cold Standby Mode" > of draft-xu-behave-stateful-nat-standby-06: that the > CGN needs to use a different public IPv4 address pool > when it crashes and loses state. > > => yes, it is a way a solve the problem but it is in fact > the sacrifice of the operation in order to save the security, > i.e., IMHO not the best solution. BTW its scalability is > questionable too. I put a (*) to this solution as I'll refer > to it below. > > IMO, that advice > belongs in BEHAVE's CGN Requirements document, as it > does not solely affect PCP. Simon Perreault, CC'd, > is the editor of the CGN Requirements document. > > => I'd *really* like to get something in the security > considerations. > > In the PCP document, adding something along the lines of seems a > reasonable addition for the Epoch section: > > In the time between a PCP server loses state and the PCP client > notices the lower-than-expected Epoch value, it is possible that > the > PCP client's mapping will be acquired by another host (via an > explicit dynamic mapping or implicit dynamic mapping). This > means > incoming traffic will be sent to a different host. A mechanism > to > immediately inform the PCP client of state loss would reduce this > interval, but would not eliminate this threat. The PCP client > can > reduce this interval by using a relatively short lifetime; > however, > increases the amount of PCP chatter. > > => two remarks: what subscribers want is to eliminate the threat and > at the exception of the cited solution (*) and similar ones the way to > do > that is to REQUIRE that PCP Servers controlling NATs which serve > multiple subscribers and can reassign mappings to save the explicit > dynamic mapping state in stable/persistent storage. Is there such a requirement, today, for ISP-provided dynamic IPv4 addresses (e.g., assigned via PPPoE or DHCP) -- in IETF specifications, service level agreements, or similar? I do not believe there is. But if there is, let's copy that wording from the DHCP RFC. If there isn't, I do not see why PCP needs to go above and beyond current industry practice and current behavior for dynamic IPv4 address assignment. -d > (BTW it is well known such NATs have to use stable/persistent storage > for many other reasons so it is not a problem). > And this belongs to security so should be in the security > considerations > (at least the security requirements must be). > > Connection authentication (e.g., TLS) does eliminate this threat. > > => unfortunately it is not the case: a perfectly authenticated > subscriber can acquire an explicit dynamic mapping of another > subscriber if the PCP Server lost the fact it was the explicit dynamic > mapping of another subscriber. > > Thanks > > Francis.Dupont@fdupont.fr > > PS: BTW to explain to subscribers (victims?) of ISP CGNs they should > use IPsec (network layer), TLS (transport layer) and/or application > security for all communications is not very kind as they are likely in > countries where these security solutions are very far to be allowed.
- [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont