[pcp] pcp-base-27: Mapping Nonce change
"Dan Wing" <dwing@cisco.com> Thu, 20 September 2012 18:35 UTC
Based on IESG feedback and coordinating these changes with draft-ietf-behave-lsn-requirements, an updated version of pcp-base has been posted. The proposed change to Mapping Nonce was announced on August 17, "strengthening PCP with Mapping Nonce", http://www.ietf.org/mail-archive/web/pcp/current/msg02229.html.

The significant changes are:

1. Once a MAP or PEER opcode is processed by the PCP server, subsequent changes to that mapping have to use the same Mapping Nonce. This closes the attack that led to REQ-9-A in draft-ietf-behave-lsn-requirements-09.

   However, this change has a side-effect of disabling two previous MAP features: (a) the ability of a PCP client to delete (clear) PCP mappings created by a previous PCP client using the same IP address, and (b) the ability for a PCP client to delete all of the mappings it created by sending one MAP message.

   To accommodate the loss of (a), pcp-base-27 recommends that when a host joins a network, the network device that allowed the device to join the network should flush PCP-created mappings and non-PCP-created mappings (e.g., DHCP, 802.1x, PPPoE). Towards that end, Stuart has written draft-cheshire-pcp-expire, and there are many other ways to clear PCP and implicit mapping state in NATs and firewalls when a device joins a network.

   (b) was just an optimization; the PCP client can delete MAP-created mappings by issuing separate requests, similar to how it issued separate MAP requests to create the mappings.

2. Clarified that PEER can reduce a mapping lifetime to the same lifetime as active, bi-directional traffic. This allows PEER to extend the lifetime of a mapping, then later, using the same Mapping Nonce, PEER can rescind (revert) that lifetime extension so the mapping is treated as if PEER was never used.

Another significant change, unrelated to Mapping Nonce, is that Mapping Update is now required. This means the PCP server now MUST inform the PCP client of any changes to a mapping; earlier versions of the specification said this was merely a SHOULD. This change makes PCP a more reliable protocol.

There are a lot of other minor changes from IESG feedback and from other reviewers. See the changelog in Section B.1, or the side-by-side diffs.

URL: http://www.ietf.org/internet-drafts/draft-ietf-pcp-base-27.txt
Status: http://datatracker.ietf.org/doc/draft-ietf-pcp-base
Htmlized: http://tools.ietf.org/html/draft-ietf-pcp-base-27
Diff: http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-base-27 -d
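The Mapping Nonce rule from change 1 and the network-join flush that replaces feature (a), modelled as an added example (not code from the draft or from the sender): a toy PCP server keyed on (internal address, protocol, internal port) that refuses any MAP refresh or delete whose nonce differs from the one that created the mapping. The NOT_AUTHORIZED result code for the mismatch case, the 96-bit nonce size and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass

SUCCESS = "SUCCESS"
NOT_AUTHORIZED = "NOT_AUTHORIZED"  # assumed result code for a nonce mismatch


@dataclass
class Mapping:
    nonce: bytes   # Mapping Nonce supplied by the request that created the mapping
    lifetime: int  # requested lifetime in seconds (0 in a request means delete)


class PcpServer:
    """Toy PCP server: mappings keyed by (internal IP, protocol, internal port)."""

    def __init__(self):
        self.table = {}

    def map_request(self, internal_ip, proto, port, nonce, lifetime):
        key = (internal_ip, proto, port)
        existing = self.table.get(key)
        if existing is not None and existing.nonce != nonce:
            # pcp-base-27: later changes to a mapping must carry the same nonce,
            # so a second client on the same IP cannot alter or delete it.
            return NOT_AUTHORIZED
        if lifetime == 0:
            self.table.pop(key, None)  # delete; same-nonce check already passed
            return SUCCESS
        self.table[key] = Mapping(nonce, lifetime)  # create or refresh
        return SUCCESS

    def flush_host(self, internal_ip):
        """Network-join flush recommended by pcp-base-27: drop every mapping
        the joining host's address holds, whatever nonce created it."""
        doomed = [k for k in self.table if k[0] == internal_ip]
        for k in doomed:
            del self.table[k]
        return len(doomed)


def demo():
    """Constructed scenario: client A creates and renews, client B (same IP,
    different nonce) tries to delete, then the access device flushes the host."""
    srv = PcpServer()
    nonce_a = bytes(range(12))  # constructed 96-bit nonces (assumed size)
    nonce_b = bytes(12)
    r_create = srv.map_request("192.0.2.10", 6, 8080, nonce_a, 3600)
    r_renew = srv.map_request("192.0.2.10", 6, 8080, nonce_a, 7200)
    r_steal = srv.map_request("192.0.2.10", 6, 8080, nonce_b, 0)
    flushed = srv.flush_host("192.0.2.10")
    return r_create, r_renew, r_steal, flushed, len(srv.table)
```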