IETF Logo Mail Archive

Re: [pcp] Capability discovery

Alper Yegin <alper.yegin@yegin.org> Sat, 06 October 2012 06:56 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F28E121F8669 for <pcp@ietfa.amsl.com>; Fri, 5 Oct 2012 23:56:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.51
X-Spam-Level:
X-Spam-Status: No, score=-102.51 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ckS3WxO1CC3w for <pcp@ietfa.amsl.com>; Fri, 5 Oct 2012 23:56:50 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA1A21F85E7 for <pcp@ietf.org>; Fri, 5 Oct 2012 23:56:50 -0700 (PDT)
Received: from [192.168.2.5] (88.247.135.202.static.ttnet.com.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MYhC6-1Sxmz749cw-00Vqc7; Sat, 06 Oct 2012 02:56:46 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <tslsj9sy82s.fsf@mit.edu>
Date: Sat, 06 Oct 2012 09:56:24 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <661F3891-C8CE-498E-ACAA-1BBAE9DE4480@yegin.org>
References: <506E4E07.3000807@toshiba.co.jp> <034101cda301$4972d690$dc5883b0$@com> <506EF948.40303@toshiba.co.jp> <9B57C850BB53634CACEC56EF4853FF653B8101A7@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <E13227DD-3096-4D38-B9EF-93342335B7F2@yegin.org> <tslsj9sy82s.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1278)
X-Provags-ID: V02:K0:vqsDCLDlx/1IVwnIl0x+pLIs6K9uC6UKY5rgPzcyDRF iI7pHZRGNY6DeGMgm+2tqvXER5c/Wh12Pjzc9Ijv2migcc8BDI RVgyWdbW/JWHMq99XUiL0J0X69BFw6HFWkKAabWUdPRA2aIq/k VX0K8wluDIcADA+F9lWJQ72Oh1i2trovxSMROqN/9Z6Ay1lXMc JTJPdpgug3/j9FYMjyPqlYRv9QjiYNazh78LkNhO27q9Qj5mMc 9l1EUetxxuhyZGCB2sbmlRd9u2d8HzQtBAcIm3LtlVmPOg1yHi MEKi1Ek5oUv6MWoxiQ7t50fL8L1Y3YYBnS4BkUNkUpwAyA6kXZ 4P50yoPkkzmv8lMS5NZjxRM5/msZpqr1ZNLb1of6hK4Ox2xf2V qcG+jwhI38Ztg==
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] Capability discovery
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Oct 2012 06:56:51 -0000

> 
>    Alper> Let's look at the whole space and see where the issue arises.
> 
>    Alper> 1. PANA tunneling No problem.
> Agreed. If by tunneling you mean encapsulation.
> 
>    Alper> 2. PANA port-sharing (side-by-side)
> 
>    Alper> 2.1. DHCP-based PCP server discovery Not a problem, we can
>    Alper> easily define auth_requirement as an attribute of the PCP
>    Alper> server.
> 
> I don't think this is a reasonable thing to do.
> It requires the DHCP servenr to be aware of capability changes in the
> PANA server.
> I think DHCP is good for discovering the identities of services, but not
> for capability discovery.
> 

That's so not true. 
DHCP is defined and used for not only delivering "identities" but also a whole bunch of configuration parameters.
Just browse any few DHCP RFCs, you'll see immediately.


>    Alper> 2.2.d. Client supports auth, server does not support auth.
>    Alper> Earlier example to cause an issue was when the client starts
>    Alper> with auth, and the server does not understand what was going
>    Alper> on (server would think the client is talking version PCP
>    Alper> 128).
> 
>    Alper> But, we can easily require "clients that do not know the
>    Alper> server's capability and policy" to start with "no auth" and
>    Alper> see what happens.  Either the PCP goes thru, which is fine;
>    Alper> or the client receives a PCP auth error in which case it
>    Alper> learns to go back and try with auth.
> 
> This does not work for clients who have a security requirement of
> requiring authentication even if the server does not require this.
> If the client wants integrity protection of the response, this is
> important.
> 
> For example the client can have confidence that its mapping is created
> and that the response is not spoofed.
> For nat traversal, this is not a big deal.
> For firewall policy changes this can be a huge deal.


In this case you are already using DHCP for PCP server discovery (because firewall does not have to be on the first hop).
And with the PCP server attribute we provide in DHCP option, issue would be addressed.

(And if we were not using DHCP, then PANA client would timeout and indicate auth failure to the PCP client. Not as fast as figuring out the problem using DHCP, but still an acceptable result when dealing with misconfigured networks such as in this example)

Alper

v2.23.0 | Report a Bug | By Email