Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & Unknown Options
<mohamed.boucadair@orange.com> Thu, 30 May 2013 14:57 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CC2921F8E3C for <pcp@ietfa.amsl.com>; Thu, 30 May 2013 07:57:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.953
X-Spam-Level:
X-Spam-Status: No, score=-1.953 tagged_above=-999 required=5 tests=[AWL=-0.020, BAYES_00=-2.599, HELO_EQ_FR=0.35, SARE_MILLIONSOF=0.315, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7vw13qtXnWwf for <pcp@ietfa.amsl.com>; Thu, 30 May 2013 07:57:38 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias92.francetelecom.com [193.251.215.92]) by ietfa.amsl.com (Postfix) with ESMTP id E1FFB21F907E for <pcp@ietf.org>; Thu, 30 May 2013 07:57:37 -0700 (PDT)
Received: from omfedm05.si.francetelecom.fr (unknown [xx.xx.xx.1]) by omfedm13.si.francetelecom.fr (ESMTP service) with ESMTP id 90A23325677; Thu, 30 May 2013 16:57:36 +0200 (CEST)
Received: from PUEXCH51.nanterre.francetelecom.fr (unknown [10.101.44.31]) by omfedm05.si.francetelecom.fr (ESMTP service) with ESMTP id 7629135C05A; Thu, 30 May 2013 16:57:36 +0200 (CEST)
Received: from PUEXCB1B.nanterre.francetelecom.fr ([10.101.44.12]) by PUEXCH51.nanterre.francetelecom.fr ([10.101.44.31]) with mapi; Thu, 30 May 2013 16:57:36 +0200
From: mohamed.boucadair@orange.com
To: Dan Wing <dwing@cisco.com>
Date: Thu, 30 May 2013 16:57:34 +0200
Thread-Topic: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & Unknown Options
Thread-Index: Ac5dQ2LIR6pVFOxlS7ipsHh+qIRjSwAAWzCw
Message-ID: <94C682931C08B048B7A8645303FDC9F36ED3A084C5@PUEXCB1B.nanterre.francetelecom.fr>
References: <94C682931C08B048B7A8645303FDC9F36EB735607B@PUEXCB1B.nanterre.francetelecom.fr> <94C682931C08B048B7A8645303FDC9F36ECFB4A912@PUEXCB1B.nanterre.francetelecom.fr> <1455AEDA-6707-4496-8D19-5367CBCB543D@cisco.com> <94C682931C08B048B7A8645303FDC9F36ED3A0819B@PUEXCB1B.nanterre.francetelecom.fr> <1852EA08-8846-4052-B751-5EFCBCB4C2F4@cisco.com>
In-Reply-To: <1852EA08-8846-4052-B751-5EFCBCB4C2F4@cisco.com>
Accept-Language: fr-FR
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.5.30.143018
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & Unknown Options
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 14:57:43 -0000
Re-, Please see inline. Cheers, Med >-----Message d'origine----- >De : Dan Wing [mailto:dwing@cisco.com] >Envoyé : jeudi 30 mai 2013 16:39 >À : BOUCADAIR Mohamed OLNC/OLN >Cc : pcp@ietf.org >Objet : Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & Unknown Options > > >On May 29, 2013, at 11:36 PM, mohamed.boucadair@orange.com wrote: > >> Hi Dan, >> >> >> >>> -----Message d'origine----- >>> De : Dan Wing [mailto:dwing@cisco.com] >>> Envoyé : mercredi 29 mai 2013 19:39 >>> À : BOUCADAIR Mohamed OLNC/OLN >>> Cc : pcp@ietf.org >>> Objet : Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & Unknown Options >>> >>> >>> On May 22, 2013, at 2:26 AM, mohamed.boucadair@orange.com wrote: >>> >>>> Re-, >>>> >>>> Many thanks for all of you who provided a feedback for this point. As a >>> conclusion of this discussion, below a proposed change: >>>> >>>> OLD: >>>> >>>> 7. PCP Proxy Co-located with a NAT Function >>>> >>>> When the PCP Proxy is co-located with a NAT function, it MUST update >>>> the content of received requests with the mapped port number and the >>>> address belonging to the external interface of the PCP Proxy (i.e., >>>> after the NAT operation) and not as initially positioned by the PCP >>>> Client. For the reverse path, PCP responses MUST be updated by the >>>> PCP Proxy to replace the internal port number to what has been >>>> initially positioned by the PCP Client. For this purpose the PCP >>>> Proxy MUST have an access to the local NAT state maintained locally. >>>> Because PCP messages with an unknown OpCode or Option can carry a >>>> hidden internal address or internal port which will not be >>>> translated: >>>> >>>> o a PCP Proxy co-located with a NAT SHOULD reject by an >>>> UNSUPP_OPCODE error response a received request with an unknown >>>> OpCode; >>>> >>>> o a PCP Proxy co-located with a NAT SHOULD reject by an >>>> UNSUPP_OPTION error response a received request with a mandatory- >>>> to-process unknown Option; >>>> >>>> o a PCP Proxy co-located with a NAT MAY remove any optional-to- >>>> process unknown Options from received requests before forwarding >>>> them. >>>> >>>> Rejecting unknown Options and OpCodes has the drawback of preventing >>>> a PCP Client to make use of new capabilities offered by the PCP >>>> Server but not supported by the PCP Proxy even if no IP address >>>> and/or port is included in the Option/OpCode. >>>> >>>> NEW: >>>> >>>> 7. PCP Proxy Co-located with a NAT Function >>>> >>>> When the PCP Proxy is co-located with a NAT function, it MUST update >>>> the content of received requests with the mapped port number and the >>>> address belonging to the external interface of the PCP Proxy (i.e., >>>> after the NAT operation) and not as initially conveyed by the PCP >>>> Client. For the reverse path, PCP responses MUST be updated by the >>>> PCP Proxy to replace the internal port number to what has been >>>> initially positioned by the PCP Client. For this purpose the PCP >>>> Proxy MUST have an access to the local NAT state maintained locally. >>>> >>>> By default, the PCP Proxy MUST relay unknown OpCodes and mandatory- >>>> to-process unknown Options. Rejecting unknown Options and OpCodes >>>> has the drawback of preventing a PCP Client to make use of new >>>> capabilities offered by the PCP Server but not supported by the PCP >>>> Proxy even if no IP address and/or port is included in the Option/ >>>> OpCode. >>>> >>>> Because PCP messages with an unknown OpCode or mandatory-to-process >>>> unknown Options can carry a hidden internal address or internal port >>>> which will not be translated, A PCP Proxy MUST be configurable to >>>> disable relaying unknown OpCodes and mandatory-to-process unknown >>>> Options. >>> >>> The text needs to be clearer on the suggested default, >> >> [Med] The default and justification are stated in the previous paragraph. > >I have thought about this some more, and I am concerned not with the >wording, but that the industry will not be able to update the configuration >of the millions of deployed PCP proxies to block a new opcode or a new >mandatory-to-process option that really does need processing within the PCP >proxy. [Med] This is a configuration parameter which is available at the proxy. The user can change the config or it can be positioned using any device management protocol TR-69 by the provider (think about managed CPE case). For the remaining cases, this is more problematic. Additionally, PCP proxy developers will be worried about new >opcodes which necessitate updating state in the PCP proxy, and will be >reluctant to follow this part of the (eventual) RFC. > > >How about a different approach: a proxy, when forwarding a PCP request, >indicates whenever it does not support an opcode or does not support a >mandatory-to-process option that it is proxying. This indication would be >using a new option we would define in the pcp-proxy document, lets call it >FORWARDED-WITHOUT-COMPREHENSION. The final PCP server (which is not >proxying) already has to understand any new opcode and any new mandatory- >to-process option (or it will generate an error). The PCP server, which is >processing the new opcode or the new mandatory-to-process option must know >the semantics of that new option (the poor PCP proxy does not), and if the >semantics need PCP proxy involvement, it returns a new error we define, >lets call that error NEEDS_PROXY_COMPREHENSION. This technique has the >advantage that PCP proxies don't need to be updated to block new opcodes or >block new mandatory-to-process options. [Med] This would work too, but I'm sure there will be a demand to have a configuration feature which will allow to reveal unsupported opcodes using FORWARDED-WITHOUT-COMPREHENSION. I'm not sure this alternative is better or worse compared to the one depicted in the proposed text. > >-d > > >> >> >> and why the default >>> is suggested. Otherwise we will have proxies implemented that return an >>> error for unknown opcodes, especially because there are several >sentences >>> explaining what MUST be done when returning an error. >>> >>> >>> I am still uncomfortable with how this will work in practice. We need >to >>> think about a new opcode which has embedded ip address and port >(somewhat >>> like MAP or PEER) and how that could be successfully deployed with a PCP >>> proxy compliant with this document. >>> >>> -d >>> >>> >>>> If the PCP Proxy is configured to disable relaying unknown >>>> OpCodes and mandatory-to-process unknown Options, the PCP Proxy MUST >>>> behave as follows: >>>> >>>> o a PCP Proxy co-located with a NAT MUST reject by an UNSUPP_OPCODE >>>> error response a received request with an unknown OpCode. >>>> >>>> o a PCP Proxy co-located with a NAT MUST reject by an UNSUPP_OPTION >>>> error response a received request with a mandatory-to-process >>>> unknown Option. >>>> >>>> >>>> If there is no objection, this change will be include in the next >version >>> of the spec. >>>> >>>> Cheers, >>>> Med >>>> >>>>> -----Message d'origine----- >>>>> De : pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] De la part de >>>>> mohamed.boucadair@orange.com >>>>> Envoyé : mardi 12 mars 2013 11:44 >>>>> À : pcp@ietf.org >>>>> Objet : [pcp] draft-ietf-pcp-proxy: Unknown OpCode & Unknown Options >>>>> >>>>> Dear all, >>>>> >>>>> http://tools.ietf.org/html/draft-ietf-pcp-proxy-02 says: >>>>> >>>>> ================ >>>>> Because PCP messages with an unknown OpCode or Option can carry a >>>>> hidden internal address or internal port which will not be >>>>> translated: >>>>> >>>>> o a PCP Proxy co-located with a NAT SHOULD reject by an >>>>> UNSUPP_OPCODE error response a received request with an unknown >>>>> OpCode; >>>>> >>>>> o a PCP Proxy co-located with a NAT SHOULD reject by an >>>>> UNSUPP_OPTION error response a received request with a mandatory- >>>>> to-process unknown Option; >>>>> >>>>> o a PCP Proxy co-located with a NAT MAY remove any optional-to- >>>>> process unknown Options from received requests before forwarding >>>>> them. >>>>> >>>>> Rejecting unknown Options and OpCodes has the drawback of preventing >>>>> a PCP Client to make use of new capabilities offered by the PCP >>>>> Server but not supported by the PCP Proxy even if no IP address >>>>> and/or port is included in the Option/OpCode. >>>>> ================ >>>>> >>>>> The reasoning above assumes Options which convey an IP address (and/or >>> port >>>>> numbers) are naturally defined as mandatory-to-process option. >>>>> >>>>> Reinaldo suggests the following modifications to the behavior >currently >>>>> defined in the I-D: >>>>> >>>>> (1) A PCP Proxy inserts a "this message was proxied" when sending back >>> to >>>>> the client. Therefore if PCP client detects that the mappings are not >>>>> working as it should, it has a hint as to why. >>>>> >>>>> (2) The client conveys that some options in this message carry IP >>> addresses >>>>> and need proxy processing (some IP addresses might not need any Proxy >>>>> processing).It does not need to say which options, a bit is fine. >>> Therefore >>>>> a Proxy that could not process those options can send back a >meaningful >>>>> error such as "message can not be proxied because contains options >with >>> IP >>>>> address and I do not know how" >>>>> >>>>> Any thoughts? >>>>> >>>>> Thanks. >>>>> Cheers, >>>>> Med >>>>> _______________________________________________ >>>>> pcp mailing list >>>>> pcp@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/pcp >>>> _______________________________________________ >>>> pcp mailing list >>>> pcp@ietf.org >>>> https://www.ietf.org/mailman/listinfo/pcp >>
- [pcp] draft-ietf-pcp-proxy: Unknown OpCode & Unkn… mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Dan Wing
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Tirumaleswar Reddy (tireddy)
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Reinaldo Penno (repenno)
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Tirumaleswar Reddy (tireddy)
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Tirumaleswar Reddy (tireddy)
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Tirumaleswar Reddy (tireddy)
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Tirumaleswar Reddy (tireddy)
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Dan Wing
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Dan Wing
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy: Unknown OpCode & … Tirumaleswar Reddy (tireddy)