Re: [pcp] draft-ietf-pcp-proxy-01

<mohamed.boucadair@orange.com> Tue, 12 February 2013 16:19 UTC

From: mohamed.boucadair@orange.com
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "pcp@ietf.org" <pcp@ietf.org>
Date: Tue, 12 Feb 2013 17:19:51 +0100
Message-ID: <94C682931C08B048B7A8645303FDC9F36EAEE11EF5@PUEXCB1B.nanterre.francetelecom.fr>
References: <913383AAA69FF945B8F946018B75898A148C07A6@xmb-rcd-x10.cisco.com> <94C682931C08B048B7A8645303FDC9F36EA601E417@PUEXCB1B.nanterre.francetelecom.fr> <913383AAA69FF945B8F946018B75898A148E56D5@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A148E56D5@xmb-rcd-x10.cisco.com>
Subject: Re: [pcp] draft-ietf-pcp-proxy-01

Hi Tiru,

Please see inline.

Cheers,
Med 

>-----Original Message-----
>From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
>Sent: Thursday, 17 January 2013 13:27
>To: BOUCADAIR Mohamed OLNC/OLN; pcp@ietf.org
>Subject: RE: [pcp] draft-ietf-pcp-proxy-01
>
>Hi Med,
>
>Please see inline [Tiru]
>
>> -----Original Message-----
>> From: mohamed.boucadair@orange.com 
>[mailto:mohamed.boucadair@orange.com]
>> Sent: Wednesday, January 16, 2013 7:00 PM
>> To: Tirumaleswar Reddy (tireddy); pcp@ietf.org
>> Subject: RE: [pcp] draft-ietf-pcp-proxy-01
>> 
>> Hi Tiru,
>> 
>> Many thanks for the comments.
>> 
>> Please see inline.
>> 
>> Cheers,
>> Med
>> 
>> >-----Original Message-----
>> >From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
>> >Sent: Friday, 21 December 2012 07:43
>> >To: BOUCADAIR Mohamed OLNC/OLN; pcp@ietf.org
>> >Subject: Re: [pcp] draft-ietf-pcp-proxy-01
>> >
>> >Hi Med,
>> >
>> >Comments
>> >
>> >[1] Section 3 PCP Server Discovery and Provisioning :
>> >You may also want to add details that the PCP Proxy would use a
>> >similar mechanism, just like a PCP client, to discover the PCP server.
>> 
>> Med: I updated the text with an explicit ref to Section 8.1 of draft-ietf-pcp-base.
>> 
>> >
>> >[2] Section 5 Control of the Firewall :
>> >Firewall rules would typically be to block any unsolicited
>> >traffic from outside to inside. For PCP request/response this
>> >will not be a problem, but there would be issues with unsolicited
>> >ANNOUNCE. In this case PCP Authentication looks mandatory to
>> >handle man-in-the-middle attacks trying to act as the PCP Server.
>> 
>> Med: Is that a problem even if the PCP server is known to the PCP proxy?
>
>The PCP server could be in a different administrative domain
>that may or may not have IP source guard; an attacker can spoof the
>well-known IP address of the PCP server and send ANNOUNCE. PCP
>authentication looks mandatory.

Med: Why is this specific to PCP Proxy case? In this leg, the PCP Proxy is acting as a PCP Client. Security considerations discussed in the base spec apply here.

>
>> 
>> >
>> >[3] Section 5 : Replace REMOTE_PEER_FILTER with FILTER option
>> 
>> Med: Fixed. Thanks.
>> 
>> >
>> >[4] Section 8 MAP/PEER handling : you may also want to clarify
>> >PCP proxy behavior when PCP client uses THIRD_PARTY option.
>> 
>> Med: I updated the text to explicitly require that the PCP server follow the PCP server recommendations detailed in Section 13.1 of draft-ietf-pcp-base.
>> 
>> >
>> >[5] Section 10.1 Multiple PCP servers : There could be other
>> >scenarios where the PCP proxy would forward the PCP request to one
>> >of the PCP servers depending on the fields set in the PCP request
>> >(for specific use cases please refer to
>> >http://tools.ietf.org/html/draft-rpcw-pcp-pmipv6-serv-discovery-00 ,
>> >http://tools.ietf.org/html/draft-chen-pcp-mobile-deployment-02#section-8)
>> >
>> 
>> Med: What change do you want to see in that section? Thanks.
>
>The PCP proxy, based on various fields set in the PCP request and
>the client identity, will forward the PCP request to different PCP
>servers. For example, in the case of PMIPv6, based on the UE
>subscription, traffic offload rules will be installed on the
>MAG. The MAG acting as PCP proxy can either handle the PCP request
>in the local access network itself or relay the PCP request to
>the PCP server in the home network. I guess a similar mechanism
>would be needed in a 3GPP network with SIPTO.

Med: I added this sentence: 

"The PCP Proxy MAY rely on some fields (e.g., Zone ID [I-D.penno-pcp-zones]) in the PCP request to redirect the request to a given PCP Server."

>
>> 
>> >[6] How is it ensured that only the PCP proxy can communicate
>> >with the PCP server and not any other PCP client ?
>> 
>> Med: Should this be part of the PCP Proxy spec ?
>
>This can be solved by simple techniques like an ACL to block PCP
>clients from communicating directly with the PCP server. You
>can mention it in the security considerations.

Med: I added this sentence to the security section: 

"The device embedding the PCP Proxy MAY block PCP requests directly sent to the PCP Server. This control can be enforced using an access control list."

>
>--Tiru.
>
>> 
>> >
>> >--Tiru.
>> >
>> >> -----Original Message-----
>> >> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of mohamed.boucadair@orange.com
>> >> Sent: Friday, August 17, 2012 5:33 PM
>> >> To: pcp@ietf.org
>> >> Subject: [pcp] draft-ietf-pcp-proxy-01
>> >>
>> >> Dear all,
>> >>
>> >> A new version is now available online:
>> >> http://tools.ietf.org/html/draft-ietf-pcp-proxy-01
>> >>
>> >> The main changes in -01 are as follows:
>> >>
>> >> * The reference architecture is updated: the PCP proxy is not restricted to the CP router deployment case.
>> >> * Add a new section to specify the behaviour when the PCP Proxy is not co-located with a NAT function
>> >> * Add a new section for mappings repair
>> >> * More discussion for the multiple PCP Servers scenario
>> >> * Text cleanup
>> >>
>> >> A detailed diff is available here:
>> >>
>> >>  http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-proxy-01
>> >>
>> >> Please review this new version and provide input.
>> >>
>> >> Cheers,
>> >> Med
>> >> _______________________________________________
>> >> pcp mailing list
>> >> pcp@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/pcp
>> >
>> >
>
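The two controls discussed under items [2] and [6] in the thread above, as an added Python example that is not part of this thread, of draft-ietf-pcp-proxy, or of any PCP implementation: the ACL on the device embedding the proxy that keeps internal clients from sending PCP requests directly to the PCP server, and the source check the proxy's PCP-client role applies to messages arriving from the server side, including an unsolicited ANNOUNCE. The addresses (RFC 3849 documentation prefix), the Datagram type, the pending-opcode bookkeeping and every function name are assumptions constructed for this example; only the header fields read (version byte, then R bit plus 7-bit opcode, 24-byte common header, UDP port 5351) come from RFC 6887.

```python
"""Filtering at a device that embeds a PCP Proxy (constructed example).

Two controls from the draft-ietf-pcp-proxy review thread are modelled:
  * an ACL on the server-facing side so that only the proxy, not an internal
    PCP client, can send PCP requests to the PCP server (item [6]);
  * a source check on messages arriving from the server side, including an
    unsolicited ANNOUNCE (item [2]).  The thread points out that a spoofed
    source address defeats this check, which is why PCP authentication is
    brought up; the check here is a first filter, not a substitute for it.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

PCP_PORT = 5351                      # UDP port used by PCP (RFC 6887)
PCP_VERSION = 2
OPCODE_ANNOUNCE, OPCODE_MAP, OPCODE_PEER = 0, 1, 2
OPCODE_NAMES = {OPCODE_ANNOUNCE: "ANNOUNCE", OPCODE_MAP: "MAP", OPCODE_PEER: "PEER"}

# Constructed topology (assumption for this example, not from the draft).
PCP_SERVER = ip_address("2001:db8:ffff::1")     # the PCP server known to the proxy
PROXY_ADDR = ip_address("2001:db8:ffff::100")   # proxy's server-facing address


@dataclass(frozen=True)
class Datagram:
    """Just enough of a UDP datagram for the two checks (constructed type)."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


def build_pcp_header(is_response: bool, opcode: int) -> bytes:
    """Constructed 24-byte PCP common header with the remaining fields zeroed.

    RFC 6887 layout: byte 0 = version, byte 1 = R bit (MSB) + 7-bit opcode.
    """
    return bytes([PCP_VERSION, (0x80 if is_response else 0x00) | (opcode & 0x7F)]) + bytes(22)


def parse_pcp_header(payload: bytes) -> Optional[Tuple[bool, int]]:
    """Return (is_response, opcode) from a PCP common header, or None if not PCP."""
    if len(payload) < 24 or payload[0] != PCP_VERSION:
        return None
    return bool(payload[1] & 0x80), payload[1] & 0x7F


def acl_verdict(dg: Datagram) -> str:
    """ACL applied to traffic leaving the device toward the PCP server.

    Only the proxy's own address may send PCP to the server; a client that
    tries to reach the server directly is dropped.  Everything else passes,
    since the ACL models only the control mentioned in the thread.
    """
    if ip_address(dg.dst) == PCP_SERVER and dg.dport == PCP_PORT:
        return "accept" if ip_address(dg.src) == PROXY_ADDR else "drop"
    return "accept"


def classify_inbound(dg: Datagram, pending_opcodes: set) -> str:
    """Classify a datagram the proxy (in its PCP-client role) receives from the server side.

    pending_opcodes holds the opcodes of requests still awaiting a response.
    """
    hdr = parse_pcp_header(dg.payload)
    if hdr is None:
        return "drop:not-pcp"
    is_response, opcode = hdr
    # Source check: only the configured server is expected on this leg.  As the
    # thread notes, a spoofed source passes this check, so it is not sufficient alone.
    if ip_address(dg.src) != PCP_SERVER or dg.sport != PCP_PORT:
        return "drop:unknown-source"
    if not is_response:
        return "drop:request-from-server-side"   # the server never sends requests
    name = OPCODE_NAMES.get(opcode, str(opcode))
    if opcode in pending_opcodes:
        return f"response:{name}"
    if opcode == OPCODE_ANNOUNCE:
        return "unsolicited:ANNOUNCE"            # server-initiated; authentication decides trust
    return "drop:unexpected-response"


if __name__ == "__main__":
    req = build_pcp_header(False, OPCODE_MAP)
    print(acl_verdict(Datagram("2001:db8:cafe::10", str(PCP_SERVER), 40000, PCP_PORT, req)))
    print(acl_verdict(Datagram(str(PROXY_ADDR), str(PCP_SERVER), 40000, PCP_PORT, req)))
    ann = build_pcp_header(True, OPCODE_ANNOUNCE)
    print(classify_inbound(Datagram(str(PCP_SERVER), str(PROXY_ADDR), PCP_PORT, PCP_PORT, ann), set()))
```

The ACL is a plain 5-tuple match, which is what an access control list on the embedding device can enforce; the inbound classification separates a reply to a pending request from a server-initiated ANNOUNCE so that the latter can be handed to whatever authentication the deployment requires rather than acted on because its source address looked right.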