IETF Logo Mail Archive

Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 18 July 2013 15:50 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEF7811E8176 for <pcp@ietfa.amsl.com>; Thu, 18 Jul 2013 08:50:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pK7vQ4zEz0Uf for <pcp@ietfa.amsl.com>; Thu, 18 Jul 2013 08:49:57 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id D960411E8171 for <pcp@ietf.org>; Thu, 18 Jul 2013 08:49:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=56523; q=dns/txt; s=iport; t=1374162597; x=1375372197; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=BOnwPpszwPAw6KYciVitdteH8r83ZMM5Eul69Br83lU=; b=PUZKHznWks3WfGV0wHaXi57QKwGZ5PyzfSlGJqcuqPizpZP/5vD3AZh6 b8iRVrp/KsuKsapkRrCX3H5ZayMPtsWgysnB3GbwXC+H438SwjV/5FjDI kgw/g0LYHNo1O/S0Uo4r6SctIHph9fnTTQcI9/PrJazIqtZy4gveRrcLy A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AsYFAOcM6FGtJV2c/2dsb2JhbABRCYJCRDVQuAiIPIERFnSCJAEBAQEDAQEBJAZBCwwEAgEIEQQBAQsWAQYHJwsUCQgCBA4FCBOHdQy2HI5UgQotBAYBBoMIbgOBTZc5kCSDEoFqJBw
X-IronPort-AV: E=Sophos; i="4.89,694,1367971200"; d="scan'208,217"; a="233501413"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-9.cisco.com with ESMTP; 18 Jul 2013 15:49:56 +0000
Received: from xhc-rcd-x07.cisco.com (xhc-rcd-x07.cisco.com [173.37.183.81]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id r6IFntf2032121 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 18 Jul 2013 15:49:55 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.56]) by xhc-rcd-x07.cisco.com ([173.37.183.81]) with mapi id 14.02.0318.004; Thu, 18 Jul 2013 10:49:55 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Alper Yegin <alper.yegin@yegin.org>
Thread-Topic: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)
Thread-Index: AQHOgryVRJrEKluwhkGxicRNVT19rJlpENsAgAAZ5wCAABmpgIAAsyPggABySYCAAFaSgIAAB2MA///KVbA=
Date: Thu, 18 Jul 2013 15:49:54 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A14B9C898@xmb-rcd-x10.cisco.com>
References: <B235506D63D65E43B2E40FD27715372E1CE32669@xmb-rcd-x07.cisco.com> <3F203C46-59BE-4F5B-A4D5-B6DDADB107E7@yegin.org> <913383AAA69FF945B8F946018B75898A14B9C327@xmb-rcd-x10.cisco.com> <3F1B99E5-B6A0-4149-A58E-0A80838874C1@yegin.org> <913383AAA69FF945B8F946018B75898A14B9C776@xmb-rcd-x10.cisco.com> <DD78AF33-5B11-4DAF-8368-DA815AD9C120@yegin.org>
In-Reply-To: <DD78AF33-5B11-4DAF-8368-DA815AD9C120@yegin.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.48.187]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A14B9C898xmbrcdx10ciscoc_"
MIME-Version: 1.0
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2013 15:50:02 -0000

Hi Alper,

Please see inline [TR]

From: Alper Yegin [mailto:alper.yegin@yegin.org]
Sent: Thursday, July 18, 2013 7:13 PM
To: Tirumaleswar Reddy (tireddy)
Cc: pcp@ietf.org
Subject: Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)

Hi Tiru,

I'd expect the PCP proxy to be as transparent and as light-weight as possible.

[TR] Yes, PCP proxy is transparent. But it is acting as PCP server to the client; client does not have to know that the PCP proxy it is communicating with is acting as PCP proxy to upstream PCP server. Further PCP Proxy is stateful it will create NAT mapping etc. In all the PCP proxy scenarios mentioned in the http://tools.ietf.org/id/draft-ietf-pcp-proxy-03.txt PCP proxy will update the PCP message from the PCP client before forwarding to the PCP server; so if the PCP proxy authenticates with the PCP server it must have a separate SA so that it can update the Authenticate Data with the new MAC.

Therefore, I'd normally expect the policy-based decision be made and executed on the PCP server.

[TR] In my previous mails we discussed why it is not a problem with Home/Enterprise Networks which would have a PCP Proxy. If you could explain the "Public Wifi Hotspot" use case with more details, it will help us understand the scenario better.

--Tiru.

Besides, PCP server is the real end-point consuming requests of the PCP client. Therefore it is simpler to let the PCP server apply the policy on its own responses.

Btw, can the PCP proxy and the PCP server belong to two separate ISPs?
If so, would the PCP server be satisfied if it receives the "user's authenticated ID", or would it require to authenticate the user itself?

Alper




On Jul 18, 2013, at 4:16 PM, Tirumaleswar Reddy (tireddy) wrote:


Hi Alper,

Please see inline [TR]

From: Alper Yegin [mailto:alper.yegin@yegin.org]
Sent: Thursday, July 18, 2013 1:37 PM
To: Tirumaleswar Reddy (tireddy)
Cc: pcp@ietf.org<mailto:pcp@ietf.org>
Subject: Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)

Tiru,

I'm talking about "public WiFi hotspot". Like in coffee shops.
The PCP proxy and the PCP server are either owned by the same ISP, or two separate business entities.
The users who attach to the hotspot are all distinct subscribers with distinct service plans. This is different than how all members of my house appears to the ISP, or all employees appears to the enterprise network administration.
So, the PCP service provided to each user may differ. Maybe not all users are allowed to control some certain ports.  For PCP server to be able to act based on the Id of the users, it needs to know who they are as the requests are proxies by the PCP proxy.

[TR]

If the PCP Proxy and PCP server belong to the same ISP, why can't the PCP Proxy itself enforce the subscriber-based policy ?
I do not understand why PCP Proxy cannot enforce identity-based policies for PCP, if you could explain or point to more details how the topology looks like ?, How PCP Auth works in this use with PCP proxy works in this use case ? it will help.

Thanks and Regards,
--Tiru.

Alper






On Jul 18, 2013, at 9:37 AM, Tirumaleswar Reddy (tireddy) wrote:




From: Alper Yegin [mailto:alper.yegin@yegin.org]
Sent: Wednesday, July 17, 2013 8:07 PM
To: Prashanth Patil (praspati)
Cc: Tirumaleswar Reddy (tireddy); pcp@ietf.org<mailto:pcp@ietf.org>
Subject: Re: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)

For the home gateway case, yes I'd think so.
Could we not apply PCP proxy case to public WiFi hotspots? There in that case the terminals attaching to the AP are distinct subscribers.

I did not get the use case, though there are distinct subscribers attached to the WLC (MAG), wouldn't WLC act as PCP Proxy and communicate with the PCP Server in ISP to which it's a single subscriber.

This looks just like Enterprise deployment where there are multiple users (similar to distinct subscribers attached to AP) communicating with the PCP server in the Enterprise Network, the PCP server in the campus would act as PCP proxy communicating with the ISP (PCP Server) to which it's a single subscriber.

--Tiru.

Alper



On Jul 17, 2013, at 4:04 PM, Prashanth Patil (praspati) wrote:




Hi Alper,
In the example below, wont the ISP consider all users behind the home router as a single subscriber and not differentiate among individual users? Essentially, the PCP Server would treat the proxy (i.e the home router) as a single subscriber.

-Prashanth

On 17/07/13 5:02 PM, "Alper Yegin" <alper.yegin@yegin.org<mailto:alper.yegin@yegin.org>> wrote:

If the PCP server wants to provide some sort of differentiated service to the subscribers (e.g., different mapping lifetime), then it needs to know the authenticated ID of the subscriber.

Alper


On Jul 17, 2013, at 10:09 AM, Tirumaleswar Reddy (tireddy) wrote:




Please see inline [TR]

From: Alper Yegin [mailto:alper.yegin@yegin.org]
Sent: Wednesday, July 17, 2013 12:24 PM
To: Prashanth Patil (praspati)
Cc: pcp@ietf.org<mailto:pcp@ietf.org>; Tirumaleswar Reddy (tireddy)
Subject: [pcp] Proxy security (was Re: CONSENSUS CALL on PCP security)

Hi Prashanth,






I'm not sure if enough thought went into the PCP Proxy security. As much as I'd love to be DONE! with this discussion, I also want to make sure people feel comfortable having thought all aspects around the proxy use. For (very important) example, what kind of security associations are needed for securing the proxy use: An SA btw client and server, an SA btw client and proxy, an SA btw proxy and server -- which combinations of these are needed?

We've included this in the updated version of auth req:

REQ-9: A PCP proxy that modifies PCP messages SHOULD have the
ability to independently authenticate with the PCP client and PCP
server. The presence of a PCP proxy hence requires two separately
authenticates SAs. As a consequence, the PCP proxy:

A. MUST be able to validate message integrity of PCP messages
from the PCP server and client respectively.

B. MUST be able to ensure message integrity after updating the
PCP message for cases described in sections 6 of ietf-pcp-proxy.

The PCP proxy MUST also permit authentication on only one side of
the proxy. For example, a customer premises host may not
authenticate with the PCP proxy but the PCP proxy may authenticate
with the PCP server.



So:

- We have two types of SAs. One between the client and the proxy, another between the proxy and the server.
- None of them are mandatory to use.

For each one that needs to be used, we need to perform authentication between the end-points.
(e.g., between client and proxy).

So, in a way, we are dealing with security in two independent parts; client to proxy, and proxy to server.
They are totally segregated from security perspective.


Right?

Hmm, one thing: The server may need to know the authenticated ID of the client. Since it's not part of the client authentication, it won't know that value readily. So, we may need to define an option to carry that piece of information from the proxy to the server.

[TR]

Why would the PCP server need to know the authentication ID of the client. For example Home network;   Alice (PCP client) -> Home Router (PCP Proxy) -> ISP (PCP Server)
Why would PCP Server in ISP care about the authentication ID of Alice ?

--Tiru.

Alper








-Prashanth

Then we need to talk about how we dynamically create those using any one of these solutions.

Alper





On Jul 16, 2013, at 7:50 PM, Dave Thaler wrote:

-----Original Message-----
From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
Sent: Monday, July 15, 2013 10:51 PM
To: Dave Thaler; pcp@ietf.org<mailto:pcp@ietf.org>
Subject: RE: [pcp] CONSENSUS CALL on PCP security
Hi Dave,
In the poll when you refer to PANA, please clarify the draft you are referring
to http://tools.ietf.org/html/draft-ohba-pcp-pana-04 or
http://tools.ietf.org/html/draft-ohba-pcp-pana-encap-01 ?
--Tiru.
The question is intentionally agnostic as this is about a general approach,
not which specific implementation.  If it helps, you can interpret the
answer as "which of the two you think is better".
If the consensus is PANA rather than direct EAP-in-PCP, then we could
ask as a follow-up question which of the two we should go with. If
you'd like to include your answer to that now though, feel free to
include that in your response to the call.
-Dave
_______________________________________________
pcp mailing list
pcp@ietf.org<mailto:pcp@ietf.org>
https://www.ietf.org/mailman/listinfo/pcp

_______________________________________________
pcp mailing list
pcp@ietf.org<mailto:pcp@ietf.org>
https://www.ietf.org/mailman/listinfo/pcp

v2.23.0 | Report a Bug | By Email