IETF Logo Mail Archive

[pcp] strengthening PCP with Mapping Nonce

"Dan Wing" <dwing@cisco.com> Sat, 18 August 2012 00:51 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B725621E809C for <pcp@ietfa.amsl.com>; Fri, 17 Aug 2012 17:51:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.488
X-Spam-Level:
X-Spam-Status: No, score=-110.488 tagged_above=-999 required=5 tests=[AWL=0.111, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mr0801ZeAqim for <pcp@ietfa.amsl.com>; Fri, 17 Aug 2012 17:51:27 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 8EA5421E808D for <pcp@ietf.org>; Fri, 17 Aug 2012 17:51:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=5164; q=dns/txt; s=iport; t=1345251082; x=1346460682; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=TcrzGwYVgpa8449NXBOtq7PqrsxPUEEGs/Pcz2o/M5o=; b=Fp3Whw6dbLoKJ/HIvhU2qq3gDfvRoTmg3ktk7+whfSg/L0M0PyFaBait oKJ1I9ZAsGOsGFULHUEBohucJqYiriyz6Nb6YDqt8Kn8GyPYamV/fQFyG LEAhT+24+nLL06J6ss8TQM5cJxd+VscHBpbJA21Tste5sDqgpBNs5vBuc k=;
X-IronPort-AV: E=Sophos;i="4.77,789,1336348800"; d="scan'208";a="55412195"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-2.cisco.com with ESMTP; 18 Aug 2012 00:51:22 +0000
Received: from dwingWS ([10.21.75.132]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q7I0pMIE007431; Sat, 18 Aug 2012 00:51:22 GMT
From: Dan Wing <dwing@cisco.com>
To: pcp@ietf.org
Date: Fri, 17 Aug 2012 17:51:22 -0700
Message-ID: <028301cd7cdb$966780a0$c33681e0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac1825YgdqnKbKRsQbGswo9PpQX9dg==
Content-Language: en-us
Cc: 'Stuart Cheshire' <cheshire@apple.com>
Subject: [pcp] strengthening PCP with Mapping Nonce
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Aug 2012 00:51:29 -0000

We incorporated changes to draft-ietf-behave-pcp-base from IESG review.

After reading the PCP restrictions in REQ-9-A through E in
draft-ietf-behave-lsn-requirements-09 (copied below for reference), we had a
productive phone call this week between Stuart Cheshire, Simon Perreault,
Sam Hartman, and myself.  During that discussion, we found a way to
strengthen security of PCP against a specific attack and hopefully soften
some of the restrictions in both draft-ietf-behave-lsn-requirements (REQ-9-A
through E) and draft-ietf-pcp-base for the PCP Basic Threat Model, when PCP
is not using authentication.

To achieve this, we need to improve how draft-ietf-pcp-base handles Mapping
Nonce values.  Currently, draft-ietf-pcp-base is pretty silent on how and
when the PCP client chooses its Mapping Nonce value, and says this about
server processing, which sort of implies the PCP client is free to change
the Mapping Nonce value whenever it likes,
http://tools.ietf.org/html/draft-ietf-pcp-base-26#section-11.3,

   The PCP server only needs to remember one Mapping Nonce value for
   each mapping (that is, the most recent Mapping Nonce value overwrites
   the previous Mapping Nonce value).

We would replace the above text with something like:

   If the Internal port, Protocol, and Internal Address match an
   existing explicit dynamic mapping, but the Mapping Nonce does not
   match, the request MUST be rejected with a NOT_AUTHORIZED error with
   the Lifetime of the error indicating duration of that existing
   mapping.  The PCP server only needs to remember one Mapping Nonce
   value for each explicit dynamic mapping.

with this change (and corresponding text for the PCP client's generation of
a Mapping Nonce, and corresponding text for PEER), we avoid the attack
described in detail below.


Attack:  The attack is a traffic-stealing attack.  The diagram below may
help with the textual description.  The attack scenario is where there is a
CGN running PCP and a home NAT not running PCP, and two hosts on separate
networks behind the same home NAT.  The hosts are on separate networks.  One
host is running a server (the victim) on the wired network, the other host
is the attacker on the guest Wi-Fi network.  The host running the server has
a mapping created in the NAT, which was created with UPnP IGD or created
manually, and has a PCP-created mapping in the CGN.  The attacker uses UPnP
IGD, NAT-PMP, STUN (RFC5389), or STUNT
(http://nutss.gforge.cis.cornell.edu/stunt.php) to create a mapping in the
home NAT and learn the home NAT's "WAN" address.  The attacker formulates a
PCP MAP request with the NAT's WAN address in the PCP Client IP Address
field, Lifetime=0, and sends that to the CGN, deleting the CGN's existing
mapping that goes to the victim machine.  That attack packet is sent without
address spoofing.  120 seconds later (per REQ-8 of
draft-ietf-behave-lsn-requirements-09), the attacker sends a new PCP MAP
request to try to acquire the (old) mapping of the victim host.  In this
way, the attacker steals incoming traffic intended to go to the victim host.


Diagram:

                  +-------------+    +----------+
  attacker -------+             |    |          |
  (guest network) |             |    |          |
                  |   home NAT  +----+    CGN   +----{Internet}
  victim ---------+(without PCP)|    |(with PCP)|
  (wired network) |             |    |          |
                  +-------------+    +----------+


Please provide us feedback.  I expect to publish -27 soon with these
changes, but we are doing some text coordination before publishing -27.

-d

-----

   REQ-9:  A CGN MUST implement a protocol giving subscribers explicit
           control over NAT mappings.  That protocol SHOULD be the Port
           Control Protocol [I-D.ietf-pcp-base], in which case the PCP
           server MUST obey the following constraints on its behavior:

           A.  It MUST NOT permit the lifetime of a mapping to be
               reduced beyond its current life or be set to zero
               (deleted).

           B.  It MUST NOT permit a NAT mapping to be created with a
               lifetime less than the lifetime used for implicit
               mappings.

           C.  It MUST NOT support the THIRD_PARTY option except for
               requests received from "trusted" sources where it is
               impractical for those sources to be spoofed.

           D.  The MAP opcode MAY be permitted if the recommendation of
               endpoint independent filtering behavior described in
               REQ-7 is adopted; the map opcode MUST NOT be permitted in
               other circumstances.  These constraints MAY be relaxed if
               a security mechanism consistent with PCP's Advanced
               Threat Model (see Section 17.2 of [I-D.ietf-pcp-base]) is
               used; this is expected to be rare for CGN deployments.

           E.  Mappings created by PCP MUST follow the same deallocation
               behavior (REQ-8) as implicitly mapped traffic.

v2.23.0 | Report a Bug | By Email