IETF Logo Mail Archive

Re: [pcp] GET and GETNEXT OpCodes

"Dan Wing" <dwing@cisco.com> Fri, 11 March 2011 18:00 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: pcp@core3.amsl.com
Delivered-To: pcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D6DC73A6C43 for <pcp@core3.amsl.com>; Fri, 11 Mar 2011 10:00:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kxnno7AHaOZA for <pcp@core3.amsl.com>; Fri, 11 Mar 2011 10:00:53 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 7D8233A6A5A for <pcp@ietf.org>; Fri, 11 Mar 2011 10:00:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=4873; q=dns/txt; s=iport; t=1299866533; x=1301076133; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=+64QL8TGf43ojH6T304nPFq89G+owh6aI207kOLHrnE=; b=AywiwuLOPRRIPA3+/ZE5XEWuvrpdodYZ79AwrY7uDBYfvsDXPxOg8Lr9 0tDi/qVFOY5MdthAkkwFBGlCxsuzt2Sn7YkHpJY6S354SqdPQFaQvsZi+ HJuA+9AT9DoVPFO5HotPTDX6VHZgkfLI1HMfcHeGVUGkOgdp2nKYrmrno I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0AAGbyeU2tJXHB/2dsb2JhbACYZIFki2l3pgOcJoViBIUp
X-IronPort-AV: E=Sophos;i="4.62,304,1297036800"; d="scan'208";a="274853884"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by sj-iport-4.cisco.com with ESMTP; 11 Mar 2011 18:02:12 +0000
Received: from dwingWS ([10.21.79.146]) by rcdn-core2-6.cisco.com (8.14.3/8.14.3) with ESMTP id p2BI2B17014640; Fri, 11 Mar 2011 18:02:11 GMT
From: Dan Wing <dwing@cisco.com>
To: Francis.Dupont@fdupont.fr
References: Your message of Thu, 10 Mar 2011 10:06:06 PST. <256d01cbdf4d$d4103960$7c30ac20$@com> <201103110056.p2B0umNS085286@givry.fdupont.fr>
In-Reply-To: <201103110056.p2B0umNS085286@givry.fdupont.fr>
Date: Fri, 11 Mar 2011 10:02:11 -0800
Message-ID: <2a8c01cbe016$725ad990$57108cb0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcvfhzfN2KU8vB4RSFeX12a/W9WZ5AAjvFPw
Content-Language: en-us
Cc: xiaohong.deng@orange-ftgroup.com, pcp@ietf.org
Subject: Re: [pcp] GET and GETNEXT OpCodes
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2011 18:00:54 -0000

> -----Original Message-----
> From: Francis.Dupont@fdupont.fr [mailto:Francis.Dupont@fdupont.fr]
> Sent: Thursday, March 10, 2011 4:57 PM
> To: Dan Wing
> Cc: xiaohong.deng@orange-ftgroup.com; pcp@ietf.org; 'Simon Perreault'
> Subject: Re: [pcp] GET and GETNEXT OpCodes
> 
> 
>  In your previous mail you wrote:
> 
>    Oh!  That must be the security problem you refer us back to, but
>    have not re-explained to us.
> 
> => yes, I am tired to explain it again and again.
> 
>    So, the scenario is:
> 
>      1. PCP client does a MAP
>      2. PCP server (or the CGN) crashes and loses state
>      3. PCP client is, of course, unaware of that state loss until
>         much later (whatever its refresh interval is)
>      4. In that interval, another PCP client (or implicit dynamic
>         mapping) could grab that port.
> 
>    The same problem exists without PCP, of course, with an
>    implicit mapping (e.g., created with a TCP SYN).
> 
> => yes, it exists for implicit dynamic mappings, explicit
> dynamic mappings and static mappings, and its severity increases
> for each kind of mappings.
> IMHO it is unbearable for static mappings (i.e., if one of my ISPs
> fails to protect a static mapping of mine I'll sue it),
> critical for explicit dynamic mappings and perhaps to expensive
> to solve for implicit dynamic mappings (i.e., if one of my ISPs
> fails to protect an implicit dynamic mapping I'll just say it
> is the way of life, @#$* NATs!). Of course this is based on
> relative lifetimes and what is expected from each kind.
> 
>    And the
>    resolution is described in Section 6, "Cold Standby Mode"
>    of draft-xu-behave-stateful-nat-standby-06:  that the
>    CGN needs to use a different public IPv4 address pool
>    when it crashes and loses state.
> 
> => yes, it is a way a solve the problem but it is in fact
> the sacrifice of the operation in order to save the security,
> i.e., IMHO not the best solution. BTW its scalability is
> questionable too. I put a (*) to this solution as I'll refer
> to it below.
> 
>    IMO, that advice
>    belongs in BEHAVE's CGN Requirements document, as it
>    does not solely affect PCP.  Simon Perreault, CC'd,
>    is the editor of the CGN Requirements document.
> 
> => I'd *really* like to get something in the security
> considerations.
> 
>    In the PCP document, adding something along the lines of seems a
>    reasonable addition for the Epoch section:
> 
>       In the time between a PCP server loses state and the PCP client
>       notices the lower-than-expected Epoch value, it is possible that
> the
>       PCP client's mapping will be acquired by another host (via an
>       explicit dynamic mapping or implicit dynamic mapping).  This
> means
>       incoming traffic will be sent to a different host.  A mechanism
> to
>       immediately inform the PCP client of state loss would reduce this
>       interval, but would not eliminate this threat.  The PCP client
> can
>       reduce this interval by using a relatively short lifetime;
> however,
>       increases the amount of PCP chatter.
> 
> => two remarks: what subscribers want is to eliminate the threat and
> at the exception of the cited solution (*) and similar ones the way to
> do
> that is to REQUIRE that PCP Servers controlling NATs which serve
> multiple subscribers and can reassign mappings to save the explicit
> dynamic mapping state in stable/persistent storage.

Is there such a requirement, today, for ISP-provided dynamic
IPv4 addresses (e.g., assigned via PPPoE or DHCP) -- in IETF 
specifications, service level agreements, or similar?

I do not believe there is.  But if there is, let's copy that 
wording from the DHCP RFC.

If there isn't, I do not see why PCP needs to go above and
beyond current industry practice and current behavior for
dynamic IPv4 address assignment.

-d


> (BTW it is well known such NATs have to use stable/persistent storage
> for many other reasons so it is not a problem).
>  And this belongs to security so should be in the security
> considerations
> (at least the security requirements must be).
> 
>       Connection authentication (e.g., TLS) does eliminate this threat.
> 
> => unfortunately it is not the case: a perfectly authenticated
> subscriber can acquire an explicit dynamic mapping of another
> subscriber if the PCP Server lost the fact it was the explicit dynamic
> mapping of another subscriber.
> 
> Thanks
> 
> Francis.Dupont@fdupont.fr
> 
> PS: BTW to explain to subscribers (victims?) of ISP CGNs they should
> use IPsec (network layer), TLS (transport layer) and/or application
> security for all communications is not very kind as they are likely in
> countries where these security solutions are very far to be allowed.

v2.23.0 | Report a Bug | By Email