Re: [pcp] I-D Action: draft-ietf-pcp-authentication-05.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 11 September 2014 14:40 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "pcp@ietf.org" <pcp@ietf.org>
Date: Thu, 11 Sep 2014 14:40:20 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A28327BC4@xmb-rcd-x10.cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/buiMFKjW1wGcCx0G0x1LZiDv_TU
Subject: Re: [pcp] I-D Action: draft-ietf-pcp-authentication-05.txt

Offline, Dan and I were discussing the following problem with PCP authentication:

If there is an active attacker on-path between the PCP client and PCP server, then it can strip off the stronger HMAC algorithms and thus force the client to pick the weakest one amongst the set of algorithms offered by the PCP server. One possible way of solving the problem is that the client, after successful authentication, sends the list of algorithms it received from the PCP server with an authentication tag (integrity protection) back to the server, just like it's done in the TLS Finished message http://tools.ietf.org/html/rfc5246#section-7.4.9.

This way the server can validate whether an active attacker has modified the list of algorithms it had sent.
Let us know if you think this attack should be addressed or not in the draft.

-Tiru
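The check proposed above, as an added illustration (not code from the draft or from the poster): the server keeps the algorithm list it offered, the client echoes the list it actually saw under an HMAC tag once authentication has produced a session key, and the server recomputes the tag over its own copy. The session key, the algorithm names and the comma-separated list encoding are constructed assumptions, not the draft's wire format.

```python
import hashlib
import hmac

# Assumed name-to-digest mapping; the draft's real identifiers may differ.
HMAC_ALGS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA1": hashlib.sha1}


def encode_list(algs):
    """Constructed canonical encoding of an algorithm list for tagging."""
    return ",".join(algs).encode()


def client_choose(offered):
    """Client takes the first algorithm it supports in the server's order.
    If an on-path attacker stripped the stronger entries, this is the weak one."""
    for alg in offered:
        if alg in HMAC_ALGS:
            return alg
    raise ValueError("no common HMAC algorithm")


def client_finished(session_key, offered, chosen):
    """Finished-style message: the list the client received plus a tag over it,
    keyed with the post-authentication session key (assumed derived from EAP)."""
    payload = encode_list(offered)
    tag = hmac.new(session_key, payload, HMAC_ALGS[chosen]).digest()
    return chosen, payload, tag


def server_verify(session_key, sent_list, chosen, echoed_payload, tag):
    """Server recomputes the tag over the list it actually sent.  A stripped or
    reordered list changes the tagged bytes, so the tags no longer match."""
    if chosen not in sent_list or chosen not in HMAC_ALGS:
        return False
    expected = hmac.new(session_key, encode_list(sent_list),
                        HMAC_ALGS[chosen]).digest()
    return (hmac.compare_digest(expected, tag)
            and echoed_payload == encode_list(sent_list))


def simulate(attacker_strips_strong):
    """Run the exchange; return True if the server accepts the Finished message."""
    session_key = b"constructed-session-key"          # assumed EAP-derived secret
    sent = ["HMAC-SHA256", "HMAC-SHA1"]               # server's real offer
    seen = ["HMAC-SHA1"] if attacker_strips_strong else list(sent)
    chosen = client_choose(seen)
    chosen, payload, tag = client_finished(session_key, seen, chosen)
    return server_verify(session_key, sent, chosen, payload, tag)
```

With no tampering the server accepts; with the stronger entry stripped the client's tag covers a different list than the server's and verification fails, which is the detection the proposal relies on.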

> -----Original Message-----
> From: pcp [mailto:pcp-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
> Sent: Saturday, August 23, 2014 2:21 PM
> To: i-d-announce@ietf.org
> Cc: pcp@ietf.org
> Subject: [pcp] I-D Action: draft-ietf-pcp-authentication-05.txt
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Port Control Protocol Working Group of the IETF.
> 
>         Title           : Port Control Protocol (PCP) Authentication Mechanism
>         Authors         : Margaret Wasserman
>                           Sam Hartman
>                           Dacheng Zhang
>         Filename        : draft-ietf-pcp-authentication-05.txt
>         Pages           : 26
>         Date            : 2014-08-23
> 
> Abstract:
>    An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to
>    flexibly manage the IP address and port mapping information on
>    Network Address Translators (NATs) or firewalls, to facilitate
>    communications with remote hosts.  However, the un-controlled
>    generation or deletion of IP address mappings on such network devices
>    may cause security risks and should be avoided.  In some cases the
>    client may need to prove that it is authorized to modify, create or
>    delete PCP mappings.  This document proposes an in-band
>    authentication mechanism for PCP that can be used in those cases.
>    The Extensible Authentication Protocol (EAP) is used to perform
>    authentication between PCP devices.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-pcp-authentication/
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-pcp-authentication-05
> 
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-authentication-05
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 