Re: [pcp] GET and GETNEXT OpCodes
<xiaohong.deng@orange-ftgroup.com> Fri, 11 March 2011 10:14 UTC
Return-Path: <xiaohong.deng@orange-ftgroup.com>
X-Original-To: pcp@core3.amsl.com
Delivered-To: pcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 017E63A6822 for <pcp@core3.amsl.com>; Fri, 11 Mar 2011 02:14:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.606
X-Spam-Level:
X-Spam-Status: No, score=-1.606 tagged_above=-999 required=5 tests=[AWL=0.643, BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6dM9YBz6BF7o for <pcp@core3.amsl.com>; Fri, 11 Mar 2011 02:14:28 -0800 (PST)
Received: from r-mail1.rd.francetelecom.com (r-mail1.rd.francetelecom.com [217.108.152.41]) by core3.amsl.com (Postfix) with ESMTP id CE44E3A6817 for <pcp@ietf.org>; Fri, 11 Mar 2011 02:14:27 -0800 (PST)
Received: from r-mail1.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 2E0086D8008; Fri, 11 Mar 2011 11:16:18 +0100 (CET)
Received: from ftrdsmtp1.rd.francetelecom.fr (unknown [10.192.128.46]) by r-mail1.rd.francetelecom.com (Postfix) with ESMTP id 223AD6C8002; Fri, 11 Mar 2011 11:16:18 +0100 (CET)
Received: from ch-mailsrv.rd.francetelecom.fr ([10.193.250.27]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Fri, 11 Mar 2011 11:15:45 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 11 Mar 2011 18:15:41 +0800
Message-ID: <0962B0BEF842A24191AD9BE41A8DD2FC015EBCB1@ch-mailsrv.rd.francetelecom.fr>
In-Reply-To: <256d01cbdf4d$d4103960$7c30ac20$@com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RE:[pcp] GET and GETNEXT OpCodes
Thread-Index: AcvfMNcTuTa7eAMhSLeGY3u0r3iFWwAGmonQACIzuUA=
References: Your message of Thu, 10 Mar 2011 11:55:34 +0800. <0962B0BEF842A24191AD9BE41A8DD2FC015EB84F@ch-mailsrv.rd.francetelecom.fr> <201103101438.p2AEcPva047524@givry.fdupont.fr> <256d01cbdf4d$d4103960$7c30ac20$@com>
From: xiaohong.deng@orange-ftgroup.com
To: dwing@cisco.com, Francis.Dupont@fdupont.fr
X-OriginalArrivalTime: 11 Mar 2011 10:15:45.0545 (UTC) FILETIME=[48F84790:01CBDFD5]
Cc: pcp@ietf.org
Subject: Re: [pcp] GET and GETNEXT OpCodes
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2011 10:14:29 -0000
|Oh! That must be the security problem you refer us back to, |but have not re-explained to us. | |So, the scenario is: | | 1. PCP client does a MAP | 2. PCP server (or the CGN) crashes and loses state | 3. PCP client is, of course, unaware of that state loss until | much later (whatever its refresh interval is) | 4. In that interval, another PCP client (or implicit dynamic | mapping) could grab that port. | |The same problem exists without PCP, of course, with an |implicit mapping (e.g., created with a TCP SYN). And the |resolution is described in Section 6, "Cold Standby Mode" |of draft-xu-behave-stateful-nat-standby-06: that the CGN |needs to use a different public IPv4 address pool |when it crashes and loses state. IMO, that advice |belongs in BEHAVE's CGN Requirements document, as it does not |solely affect PCP. Simon Perreault, CC'd, is the editor of |the CGN Requirements document. | | |In the PCP document, adding something along the lines of seems |a reasonable addition for the Epoch section: | | In the time between a PCP server loses state and the PCP client | notices the lower-than-expected Epoch value, it is possible that the | PCP client's mapping will be acquired by another host (via an | explicit dynamic mapping or implicit dynamic mapping). This means | incoming traffic will be sent to a different host. A mechanism to | immediately inform the PCP client of state loss would reduce this | interval, but would not eliminate this threat. The PCP client can | reduce this interval by using a relatively short lifetime; however, xiaohong: that could help, but how long would be the perfect lifetime that niether too long for healing nor too short to limit the amount of PCP chatter? | increases the amount of PCP chatter. Connection authentication | BR, Xiaohong opensource A+P: http://opensourceaplusp.weebly.com/
- [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes xiaohong.deng
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Dan Wing
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont
- Re: [pcp] GET and GETNEXT OpCodes Francis Dupont