IETF Logo Mail Archive

Re: [pcp] Implementation Analysis: strong preference for PCP-specific approach

Sam Hartman <hartmans@painless-security.com> Mon, 17 September 2012 15:06 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3594221F86F9 for <pcp@ietfa.amsl.com>; Mon, 17 Sep 2012 08:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.68
X-Spam-Level: ****
X-Spam-Status: No, score=4.68 tagged_above=-999 required=5 tests=[AWL=-0.208, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, J_CHICKENPOX_23=0.6, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BBjJKsV5O5BP for <pcp@ietfa.amsl.com>; Mon, 17 Sep 2012 08:06:35 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id A5B3421F86F7 for <pcp@ietf.org>; Mon, 17 Sep 2012 08:06:35 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 039D42003E; Mon, 17 Sep 2012 11:06:26 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id C7E004149; Mon, 17 Sep 2012 11:06:09 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alper Yegin <alper.yegin@yegin.org>
References: <tslipbdzzwy.fsf@mit.edu> <74FC8E41-02D8-4BFC-A15F-035FA328DDC1@yegin.org>
Date: Mon, 17 Sep 2012 11:06:09 -0400
In-Reply-To: <74FC8E41-02D8-4BFC-A15F-035FA328DDC1@yegin.org> (Alper Yegin's message of "Mon, 17 Sep 2012 12:24:32 +0300")
Message-ID: <tsltxuwvgda.fsf_-_@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: pcp@ietf.org
Subject: Re: [pcp] Implementation Analysis: strong preference for PCP-specific approach
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2012 15:06:36 -0000

>>>>> "Alper" == Alper Yegin <alper.yegin@yegin.org> writes:
    >> Parts of the demultiplexing approach look simpler. You could run
    >> a PAA and PAC as separate processes. If the PCP server received
    >> an authentication request it could forward it to the PAA over a
    >> local socket. You'd need to make a slight change so that the
    >> return address could be preserved. In this mode, the PCP server
    >> would not need to change its state machine to wait for
    >> authentication.  Except then it gets complicated, because you
    >> need coordination between PCP and the PAC/PAA.  You need to
    >> design an implementation-specific protocol to:
    >> 
    >> * Trigger authentications on the PAC when PCP wants to talk to a
    >> server
    >> 

>Yes, we'd need to add a new trigger (PCP trigger).


    >> * update the PCP client on authentication state including session
    >> ID,key ID, and negotiated algorithms
    >> 
    >> * Provide error feedback from the PAC to PCP server so the user
    >> gets a consistent error reporting experience
    >> 

>We do not send error codes in PANA. Not sure which error reporting you are referring to.

Margaret has gone into this detail somewhat.
The issue is that  you want a consistent experience  for the client.
So, you need to do things like map PANA failures because the server
doesn't support PANA into authentication not supported PCP errors.
You need to log PANA and PCP errors in the same place.
You need to provide consistent tools for looking at them.
These are implementation not protocol issues.



    >> * Update the PCP server on new authentication sessions at the PAA
    >> including IDs, keys and algorithm identifiers
    >> 
    >> If you do all that work you're going to end up with a fork of
    >> OpenPANA, not just get a library you can use and potentially
    >> refresh for new products/product releases.  Security analysis
    >> will be different especially for things like denial of service.

    Alper> Can you expand on this "DoS"?


Sure.
So, even in the demultiplexing case, we're coupling the state machines
together.
As an example we're creating a new PCP client state that is basically
waiting for PANA.
We need to do the security analysis for that.

One of the simpler issues is a question like can an malicious server
cause a PCP client to block indefinitely by swapping back and forth
between PCP and PANA.

--Sam

v2.23.0 | Report a Bug | By Email