Re: [pcp] strengthening PCP with Mapping Nonce
Sam Hartman <hartmans@painless-security.com> Mon, 27 August 2012 02:15 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E30F21F8533 for <pcp@ietfa.amsl.com>; Sun, 26 Aug 2012 19:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.288
X-Spam-Level: ****
X-Spam-Status: No, score=4.288 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id doa2pw6wJHxA for <pcp@ietfa.amsl.com>; Sun, 26 Aug 2012 19:15:01 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id 6C6C721F84E2 for <pcp@ietf.org>; Sun, 26 Aug 2012 19:15:00 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (gain1-180.nortex.net [63.160.158.180]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 5F36B21255; Sun, 26 Aug 2012 22:14:55 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 9AE264350; Sun, 26 Aug 2012 22:14:55 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: "Zhangzongjian (Thomas)" <zhangzhongjian@huawei.com>
References: <028301cd7cdb$966780a0$c33681e0$@com> <0B2F754289D27B449F7F1B95456B77544EDC4FFE@szxeml524-mbs.china.huawei.com> <002301cd807d$e8d9fd40$ba8df7c0$@com> <0B2F754289D27B449F7F1B95456B77544EDC5131@szxeml524-mbs.china.huawei.com> <042601cd814f$421c41c0$c654c540$@com> <0B2F754289D27B449F7F1B95456B77544EDC53B3@szxeml524-mbs.china.huawei.com> <07c901cd8214$39a4c970$acee5c50$@com> <0B2F754289D27B449F7F1B95456B77544EDC558E@szxeml524-mbs.china.huawei.com>
Date: Sun, 26 Aug 2012 22:14:55 -0400
In-Reply-To: <0B2F754289D27B449F7F1B95456B77544EDC558E@szxeml524-mbs.china.huawei.com> (Zhangzongjian's message of "Sat, 25 Aug 2012 02:22:04 +0000")
Message-ID: <tslvcg5hyhs.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: 'Stuart Cheshire' <cheshire@apple.com>, "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] strengthening PCP with Mapping Nonce
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2012 02:15:02 -0000
Hi. Margaret Wasserman and I got together for about 1.5 hours to look at the security implications of this proposal. I've been pondering it since that meeting. I believe that this proposal does improve the PCP protocol. In particular once we have a widely implemented security mechanism, a proposal like this could help give deployers a better set of options under the advanced threat model. That is, people who do need a security mechanism could turn it on. More people would find PCP met their security needs with the nonce mapping change than without it even if those people did not turn on a security mechanism. However, Margaret and I found that this change did not remove several of the attacks that most concern us when a security mechanism is not used. So, I'm strongly against the idea of relaxing the restrictions in section 17.1 of the base specification even if this proposal is adopted. >From a process standpoint, I think several people in the security community (myself included) supported the draft because of the compromise we reached in the simple threat model. I think we'd need to open up the document to fairly wide review if we changed those restrictions to seek a new security balance. I think that would add significant delay. I'd rather see us publish the base spec with as few changes as possible and move on with the authentication work. In that document or a future document we can update security restrictions if we gain consensus to do so. Beyond the process issues, I continue to support the technical direction of the simple thread model. The most serious attacks are present when there are multiple layers of NAT involved and the outer-most NAT has a PCP server. PCP or some other NAT control protocol really assists the attacker in that situation. At least with PCP we've thought through the security implications and we've given recommendations. Other NAT control protocols are worse than PCP in their security impact on the Internet. (I don't consider this justification for weakening the simple threat model: when we standardize things in the IETF, we often find we're considering security implications that pre-standardization efforts didn't consider. That's part of our value add) Even creating a very long-lived mapping in the PCP NAT can assist an attacker. If there is a longer-lived outer mapping, it can assist an attacker behind the inner NAT in capturing traffic when the inner mapping (but not outer mapping) expires. These attacks are somewhat complex to analyze because you have to assume things about application behavior. That's one of the reasons we want a very conservative stance prior to having a mandatory to implement security mechanism. Being able to create a mapping can also be valuable in capturing traffic. A and B are behind the same two nats, N1 and N2. N1, the inner NAT does not support PCP; N2, the outer NAT does. A is about to contact C. Note that from the prospective of N2, B and A have the same source address. So, B can create mappings on A's behalf if it can guess the port A will use. There are a number of cases where this is probable, especially if you consider that B can create multiple mappings. So, B creates a mapping that A will happen to use. B is an attacker; it can easily deal with PCP through an inner NAT. A, even if it does support PCP probably will not choose to use it through N1. Later as A's session is in progress, B deletes its mapping and attempts to create a new mapping that will reuse the same external port on N2. Obviously several factors affect this: N2's port allocation strategy, the application characteristics, etc etc. It's easy to decide that the attack is too difficult in practice. Unfortunately, people tend to find ways to exploit resource allocation strategies, mount timing attacks, etc in order to mount such attacks. Once the attack has been scripted in a convenient tool and argument that the attack is difficult to mount holds little weight. Yes, there are doubtless environments where being concerned with these attacks is not necessary. I strongly support moving as fast as we can to a point where we have a security mechanism and we can give customers the choice to either use the security mechanism or turn off restrictions required by the simple threat model. I do not support relaxing the simple threat model to get there. I do not support delaying the PCP base spec significantly at this point in the process.
- Re: [pcp] strengthening PCP with Mapping Nonce Dan Wing
- Re: [pcp] strengthening PCP with Mapping Nonce Zhangzongjian (Thomas)
- Re: [pcp] strengthening PCP with Mapping Nonce Dan Wing
- [pcp] strengthening PCP with Mapping Nonce Dan Wing
- Re: [pcp] strengthening PCP with Mapping Nonce Zhangzongjian (Thomas)
- Re: [pcp] strengthening PCP with Mapping Nonce Simon Perreault
- Re: [pcp] strengthening PCP with Mapping Nonce Zhangzongjian (Thomas)
- Re: [pcp] strengthening PCP with Mapping Nonce Dan Wing
- Re: [pcp] strengthening PCP with Mapping Nonce Zhangzongjian (Thomas)
- Re: [pcp] strengthening PCP with Mapping Nonce Sam Hartman
- Re: [pcp] strengthening PCP with Mapping Nonce Dan Wing
- Re: [pcp] strengthening PCP with Mapping Nonce Zhangzongjian (Thomas)
- Re: [pcp] strengthening PCP with Mapping Nonce Dan Wing
- Re: [pcp] strengthening PCP with Mapping Nonce Reinaldo Penno (repenno)