Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-third-party-id-option-04: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 27 January 2016 01:43 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F10901B2F4C; Tue, 26 Jan 2016 17:43:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zfr0JBK53ajP; Tue, 26 Jan 2016 17:43:20 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0D5B1B2F38; Tue, 26 Jan 2016 17:43:19 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id D57D1BE35; Wed, 27 Jan 2016 01:43:17 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F2NsR5fQFz2v; Wed, 27 Jan 2016 01:43:16 +0000 (GMT)
Received: from [10.87.48.91] (unknown [86.46.16.108]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9B980BE33; Wed, 27 Jan 2016 01:43:14 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1453858995; bh=7OtMK+BDGQJWKJ/NLrOBdnUZVIR2ahWw30L3d5FK5HI=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=l25nx6byctPViRcvowPR8UdI1kEC1A6xdHojz+Ts9TnjOf//AWPqHX2YIwEemQKM2 l6KDDfl0F2NgIIeyVZFMFPCplIdKK52igU0SLPnnzD6FZxx8r+hL3PLgxH9zUg0FeR xri3afWhRlkZ6G1469sf5l3tdtkYE3DXOOtR2d3E=
To: Rolf Winter <Rolf.Winter@neclab.eu>, The IESG <iesg@ietf.org>
References: <20151119005841.24419.23001.idtracker@ietfa.amsl.com> <791AD3077F94194BB2BDD13565B6295DA9D00E13@PALLENE.office.hd>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56A820B1.4000700@cs.tcd.ie>
Date: Wed, 27 Jan 2016 01:43:13 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <791AD3077F94194BB2BDD13565B6295DA9D00E13@PALLENE.office.hd>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pcp/uscWzUtCtUkKkUYg15KI9OraHjA>
Cc: "pcp@ietf.org" <pcp@ietf.org>, "draft-ietf-pcp-third-party-id-option@ietf.org" <draft-ietf-pcp-third-party-id-option@ietf.org>, "pcp-chairs@ietf.org" <pcp-chairs@ietf.org>
Subject: Re: [pcp] Stephen Farrell's Discuss on draft-ietf-pcp-third-party-id-option-04: (with DISCUSS and COMMENT)
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 01:43:23 -0000

Hiya,

On 24/01/16 12:20, Rolf Winter wrote:
> Hi Stephen,
> 
> please see inline:
> 
> NEC Europe Ltd | Registered Office: Athene, Odyssey Business Park,
> West End  Road, London, HA4 6QE, GB | Registered in England 2832014
> 
>> Stephen Farrell has entered the following ballot position for 
>> draft-ietf-pcp-third-party-id-option-04: Discuss
>> 
>> When responding, please keep the subject line intact and reply to
>> all email addresses included in the To and CC lines. (Feel free to
>> cut this introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss- 
>> criteria.html for more information about IESG DISCUSS and COMMENT
>> positions.
>> 
>> 
>> The document, along with other ballot positions, can be found
>> here: 
>> https://datatracker.ietf.org/doc/draft-ietf-pcp-third-party-id-option/
>>
>>
>>
>>
>> 
----------------------------------------------------------------------
>> DISCUSS: 
>> ----------------------------------------------------------------------
>>
>>
>>
>> 
(1) The THIRD_PARTY stuff in PCP was always a bit concerning from a
>> security point of view. RFC 6887 says that you MUST NOT implement
>> or use that except in some specific environments. At the time we
>> would have liked to say that you MUST use PCP authentication when
>> using that but RFC 7652 wasn't done until some time later. My
>> DISCUSS question though is: why can't you distinguish based on a
>> Key ID used with PCP authentication?
> 
> Because you'll need a tunnel technology specific ID. 

Yet the current draft says that the value used is just
agreed out of band between pcp client and server with
no typing. Seems the same to me.

> The
> PCP-controlled device needs to know to which tunnel this requested
> mapping (IP in the third party option) belongs.
> 
> We added some text to the document which hopefully makes this
> clearer:
> 
> The THIRD_PARTY option carries a value of an internal IP address of
> a NAT map entry.  The THIRD_PARTY_ID carries a value of an internal 
> realm of a NAT map entry.
> 
> Upon receiving a valid request with a legal THIRD_PARTY_ID option 
> identifier, the message is processed as specified in [RFC6887], 
> except that the identifier contained in the THIRD_PARTY_ID is used
> in addition when accessing a mapping table.  Instead of just using
> the value contained in the THIRD_PARTY option when accessing the
> internal Internet address of a mapping table, now the combination of
> the two values contained in the THIRD_PARTY option and in the
> THIRD_PARTY_ID option is used to access the combination of internal
> Internet address and internal realm of a NAT map entry.
> 

Yes, that's clear but doesn't answer the question about 7652.

> 
>> Wouldn't that help with the privacy concerns (one can manage Key
>> IDs well if one wants) and also with the secrity concerns, and I
>> would guess it should solve the tunnel issues that this is intended
>> to address as well? (There may be good reasons why that doesn't
>> work of course, but I'd like to understand them.)
> 
> I am not sure how that would solve the overall problem. Say someone
> uses L2TPv3 or GRE (or any other protocol really) as the tunneling
> protocol, then you're bound to use IDs from those protocols. They are
> not linked to the PCP sessions (indeed the scenario in the draft
> shows that PCP messages are not even delivered over the tunnel).

That's a fair point actually. Ok, I agree that PCP authentication
isn't designed for these use cases. (It could I guess be made to
work but yeah, that'd I agree be a pretty odd implementation.)

I'll clear this point.

> 
> Regarding authentication, we added text to the security
> considerations section and used normative language to mandate
> authenticated access to the PCP client function.
>

Yet with no reference to 7652? Pity.

> 
>> 
>> (2) Section 7: The "must be fully trusted" phrase is not a good one
>> to use - iirc that was a compromise figured out to allow PCP to
>> proceed ahead of the PCP auth spec.  And of course, it's really a
>> nonsense. I think you should properly characterise the issues or
>> else delete the unfortunate phrase.
> 
> We added text to the security considerations section (incl. normative
> language).
> 
>> I also think you should not encourage the use of this for carrying
>> location or profile information.  What "Means" exist that could be
>> used to really protect this? And why do you want to "protect
>> unauthorized access"? that's oddly phrased at best. All in all I
>> think you need better text for section 7, and I'm happy to try
>> help find that.
> 
> We now restrict the usage of the option as defined in this document
> to the exact use case as described. In particular, the document now
> clearly states:
> 
> However, the use of the THIRD_PARTY_ID option as specified in this
> document is restricted to scenarios where the option is needed for
> the purpose of uniquely identifying an internal host in addition to
> the information found in the THIRD_PARTY option.

Well, the current text has a bunch of SHOULD statements saying to
be good and not send this stuff out of the operator network. I
don't get why those aren't MUST NOT statements. Why is that?

Couldn't you just simplify and say that this option MUST NOT be
sent outside an operator network?

S

> 
>> 
>> 
>> ----------------------------------------------------------------------
>>
>> 
COMMENT:
>> ----------------------------------------------------------------------
>>
>>
>>
>> 
I share the concerns relating to possible use of long term identifiers
>> here and thus support the DISCUSSes from Alissa and Joel.
> 
> We have text that discusses this now in the security considerations
> section.
> 
> Best,
> 
> Rolf
> 
> 
>> 
>> 
>> _______________________________________________ pcp mailing list 
>> pcp@ietf.org https://www.ietf.org/mailman/listinfo/pcp
>