IETF Logo Mail Archive

Re: [pcp] strengthening PCP with Mapping Nonce

Sam Hartman <hartmans@painless-security.com> Mon, 27 August 2012 02:15 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E30F21F8533 for <pcp@ietfa.amsl.com>; Sun, 26 Aug 2012 19:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.288
X-Spam-Level: ****
X-Spam-Status: No, score=4.288 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id doa2pw6wJHxA for <pcp@ietfa.amsl.com>; Sun, 26 Aug 2012 19:15:01 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id 6C6C721F84E2 for <pcp@ietf.org>; Sun, 26 Aug 2012 19:15:00 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (gain1-180.nortex.net [63.160.158.180]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 5F36B21255; Sun, 26 Aug 2012 22:14:55 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 9AE264350; Sun, 26 Aug 2012 22:14:55 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: "Zhangzongjian (Thomas)" <zhangzhongjian@huawei.com>
References: <028301cd7cdb$966780a0$c33681e0$@com> <0B2F754289D27B449F7F1B95456B77544EDC4FFE@szxeml524-mbs.china.huawei.com> <002301cd807d$e8d9fd40$ba8df7c0$@com> <0B2F754289D27B449F7F1B95456B77544EDC5131@szxeml524-mbs.china.huawei.com> <042601cd814f$421c41c0$c654c540$@com> <0B2F754289D27B449F7F1B95456B77544EDC53B3@szxeml524-mbs.china.huawei.com> <07c901cd8214$39a4c970$acee5c50$@com> <0B2F754289D27B449F7F1B95456B77544EDC558E@szxeml524-mbs.china.huawei.com>
Date: Sun, 26 Aug 2012 22:14:55 -0400
In-Reply-To: <0B2F754289D27B449F7F1B95456B77544EDC558E@szxeml524-mbs.china.huawei.com> (Zhangzongjian's message of "Sat, 25 Aug 2012 02:22:04 +0000")
Message-ID: <tslvcg5hyhs.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: 'Stuart Cheshire' <cheshire@apple.com>, "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] strengthening PCP with Mapping Nonce
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2012 02:15:02 -0000

Hi.
Margaret Wasserman and I got together for about 1.5 hours to look at the
security implications of this proposal.
I've been pondering it since that meeting.

I believe that this proposal does improve the PCP protocol.
In  particular once we have a widely implemented security mechanism, a
proposal like this could help give deployers a better set of options
under the advanced threat model.
That is, people who do need a security mechanism could turn it
on. More people would find PCP met their security needs with  the nonce
mapping change than without it even if those people did not turn on a
security mechanism.

However, Margaret and I found that this change did not remove several of
the attacks that most concern us  when a security mechanism is not used.
So, I'm strongly against the idea of relaxing the restrictions in
section 17.1 of the  base specification even if this proposal is
adopted.

>From a process standpoint, I think several people in the security
community (myself included) supported the draft because of the
compromise we reached in the simple threat model. I think we'd need to
open up the document to fairly wide review if we changed those
restrictions to seek a new security balance. I think that would add
significant delay. I'd rather see us publish the base spec with as few
changes as possible and move on with the authentication work.  In that
document or a future document we can update security restrictions if we
gain consensus to do so.

Beyond the process issues, I continue to support the technical direction
of the simple thread model.

The most serious attacks are present when there are multiple layers of
NAT involved and the outer-most NAT has a PCP server.  PCP or some other
NAT control protocol really assists the attacker in that situation.  At
least with PCP we've thought through the security implications and we've
given recommendations.  Other NAT control protocols are worse than PCP
in their security impact on the Internet.
(I don't consider this justification for weakening the simple threat
model: when we standardize things in the IETF, we often find we're
considering security implications that pre-standardization efforts
didn't consider. That's part of our value add)

Even creating a very long-lived mapping in the PCP NAT can assist an
attacker. If there is  a longer-lived outer mapping, it can assist an
attacker behind the inner NAT in capturing traffic when the inner
mapping (but not outer mapping) expires.
These attacks are somewhat complex to analyze because you have to assume
things about application behavior.
That's one of the reasons we want a very conservative stance prior to
having a mandatory to implement security mechanism.

Being able to create a mapping can also be valuable in capturing
traffic.

A and B are behind the same two nats, N1 and N2. N1, the inner NAT does
not  support PCP; N2, the outer NAT does.

A is about to contact C.  Note that from the prospective of N2, B and A
have the same source address. So, B can create mappings on A's behalf if
it can guess the port A will use.  There are a number of cases where
this is probable, especially if you consider that B can create multiple
mappings.


So, B creates a mapping that A will happen to use. B is an attacker; it
can easily deal with PCP through an inner NAT. A, even if it does
support PCP probably will not choose to use it through N1.

Later as A's session is in progress, B deletes its mapping and attempts
to create a new mapping that will reuse the same external port on N2.

Obviously several factors affect this: N2's port allocation strategy,
the application characteristics, etc etc.  It's easy to decide that the
attack is too difficult in practice.  Unfortunately, people tend to find
ways to exploit resource allocation strategies, mount timing attacks,
etc in order to mount such attacks.  Once the attack has been scripted
in a convenient tool and argument that the attack is difficult to mount
holds little weight.

Yes, there are doubtless environments where being concerned with these
attacks is not necessary.  I strongly support moving as fast as we can
to a point where we have a security mechanism and we can give customers
the choice to either use the security mechanism or turn off restrictions
required by the simple threat model.  I do not support relaxing the
simple threat model to get there.  I do not support delaying the PCP
base spec significantly at this point in the process.

v2.23.0 | Report a Bug | By Email