IETF Logo Mail Archive

Re: [pcp] Implementation Analysis: strong preference for PCP-specific approach

Alper Yegin <alper.yegin@yegin.org> Tue, 18 September 2012 07:41 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56CBD21F8658 for <pcp@ietfa.amsl.com>; Tue, 18 Sep 2012 00:41:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.129
X-Spam-Level:
X-Spam-Status: No, score=-102.129 tagged_above=-999 required=5 tests=[AWL=-0.130, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CgZqXTX2HeEo for <pcp@ietfa.amsl.com>; Tue, 18 Sep 2012 00:41:47 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id B28D321F8644 for <pcp@ietf.org>; Tue, 18 Sep 2012 00:41:47 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis) id 0Lp4oe-1TjvOc2HYa-00euYh; Tue, 18 Sep 2012 03:41:45 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="windows-1252"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <tsltxuwvgda.fsf_-_@mit.edu>
Date: Tue, 18 Sep 2012 10:41:28 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <162F9DEB-572F-46D9-A34E-7C8576916F5F@yegin.org>
References: <tslipbdzzwy.fsf@mit.edu> <74FC8E41-02D8-4BFC-A15F-035FA328DDC1@yegin.org> <tsltxuwvgda.fsf_-_@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:f1fcDw9Hw5vuyKmKrE0YqAu93oZMhP8stXyYqiG9zu3 +UWWUZghNX0Dem6qNGsIyEJhoEmz2fRYfzzqb2xTXD3BUPJq9d 3oVU8q4BYZtSUt5vBpTdwtBoy0Pl1ooO6crTUS10zuElZLV5Hd tIdRSzjFHXSQwkIfSiNxLiSA/e8DagM4hzyoEFJkRqFI/BcBxW SNHdcKGP19zm9ZAsgWiZO4z+KK24FojBKcZBQDYAyUnfmCzL+v uRrDIMpQNrJbMacaqH/UsjLZYJ97QR0Symnylz9GdhXTHyWTER BoW15Eo2xva1VT82KgLVQ4K7itq0tRwvfpsgQBozJyggP2+qqp kysrYQbJdB3wnxCCCdpYBEd348P9gp4Sp0mIr/Xe3TaxPwgq6x 0C2HhLN6CWIQw==
Cc: pcp@ietf.org
Subject: Re: [pcp] Implementation Analysis: strong preference for PCP-specific approach
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Sep 2012 07:41:48 -0000

On Sep 17, 2012, at 6:06 PM, Sam Hartman wrote:

>>>>>> "Alper" == Alper Yegin <alper.yegin@yegin.org> writes:
>>> Parts of the demultiplexing approach look simpler. You could run
>>> a PAA and PAC as separate processes. If the PCP server received
>>> an authentication request it could forward it to the PAA over a
>>> local socket. You'd need to make a slight change so that the
>>> return address could be preserved. In this mode, the PCP server
>>> would not need to change its state machine to wait for
>>> authentication.  Except then it gets complicated, because you
>>> need coordination between PCP and the PAC/PAA.  You need to
>>> design an implementation-specific protocol to:
>>> 
>>> * Trigger authentications on the PAC when PCP wants to talk to a
>>> server
>>> 
> 
>> Yes, we'd need to add a new trigger (PCP trigger).
> 
> 
>>> * update the PCP client on authentication state including session
>>> ID,key ID, and negotiated algorithms
>>> 
>>> * Provide error feedback from the PAC to PCP server so the user
>>> gets a consistent error reporting experience
>>> 
> 
>> We do not send error codes in PANA. Not sure which error reporting you are referring to.
> 
> Margaret has gone into this detail somewhat.
> The issue is that  you want a consistent experience  for the client.
> So, you need to do things like map PANA failures because the server
> doesn't support PANA into authentication not supported PCP errors.
> You need to log PANA and PCP errors in the same place.
> You need to provide consistent tools for looking at them.
> These are implementation not protocol issues.
> 

Right, these are implementation considerations.
Logging with the proper info, whether it's coming from PCP or PANA is what we need.
So that tools can parse them properly.


> 
> 
>>> * Update the PCP server on new authentication sessions at the PAA
>>> including IDs, keys and algorithm identifiers
>>> 
>>> If you do all that work you're going to end up with a fork of
>>> OpenPANA, not just get a library you can use and potentially
>>> refresh for new products/product releases.  Security analysis
>>> will be different especially for things like denial of service.
> 
>    Alper> Can you expand on this "DoS"?
> 
> 
> Sure.
> So, even in the demultiplexing case, we're coupling the state machines
> together.
> As an example we're creating a new PCP client state that is basically
> waiting for PANA.
> We need to do the security analysis for that.
> 

That state is "retrieve security parameters" for PCP.
Those parameters could be:
- retrieved from a configuration file (static)
- retrieved from dynamic store (from last unexpired authentication)
- if both are empty, then PANA is triggered to generate fresh parameters

Given that PANA is already analyzed, not sure what other threats might be in here.
(on the other hand, if you want to re-invent PANA within PCP from scratch, you've got lot of security analysis to make. That's a lot of work.)


> One of the simpler issues is a question like can an malicious server
> cause a PCP client to block indefinitely by swapping back and forth
> between PCP and PANA.
> 

Not sure if I understand the scenario… Can you elaborate?

Alper


> --Sam

v2.23.0 | Report a Bug | By Email