IETF Logo Mail Archive

Re: [pcp] draft-ietf-pcp-proxy-01

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 17 January 2013 12:27 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1DCA21F88CB for <pcp@ietfa.amsl.com>; Thu, 17 Jan 2013 04:27:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yRCs1+pKe0XQ for <pcp@ietfa.amsl.com>; Thu, 17 Jan 2013 04:27:26 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id DD11021F88CA for <pcp@ietf.org>; Thu, 17 Jan 2013 04:27:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4643; q=dns/txt; s=iport; t=1358425646; x=1359635246; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=bBfmkcDrexRQx1Oti7lFPNe/J7xvI0Cf56wJFpHo+fs=; b=GNKtNzcrrjSGOa2FcX+CpaVjM5OgJz728BZ/4TV1DJMHbk3QPUEkbkId nvhmFZW24wYXIqCxsZpsja+qmR8fQlpyCkstkaYocxTM4xyQvEwqhIHkn UN7KY64okt7EXomzLqU7+iIa6e80hnZLEaqgevj1KyV0uiGoF39JviUbV g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAITt91CtJXG8/2dsb2JhbAA7CYN1ui4Wc4IeAQEBBAEBAWsXBAIBCBEBAwEBCwMaBycLFAMGCAIEARIIAYgQBwW5V4x1EoNQYQOILI58jy2CdYIk
X-IronPort-AV: E=Sophos;i="4.84,486,1355097600"; d="scan'208";a="163794587"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-3.cisco.com with ESMTP; 17 Jan 2013 12:27:25 +0000
Received: from xhc-aln-x03.cisco.com (xhc-aln-x03.cisco.com [173.36.12.77]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id r0HCRPvi018333 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 17 Jan 2013 12:27:25 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.229]) by xhc-aln-x03.cisco.com ([173.36.12.77]) with mapi id 14.02.0318.004; Thu, 17 Jan 2013 06:27:24 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] draft-ietf-pcp-proxy-01
Thread-Index: AQHN3uybfXVjAbB6bU6t4S6LHaLs+ZgizVgwgClNTICAAAN+wA==
Date: Thu, 17 Jan 2013 12:27:24 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A148E56D5@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A148C07A6@xmb-rcd-x10.cisco.com> <94C682931C08B048B7A8645303FDC9F36EA601E417@PUEXCB1B.nanterre.francetelecom.fr>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F36EA601E417@PUEXCB1B.nanterre.francetelecom.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [173.39.29.127]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pcp] draft-ietf-pcp-proxy-01
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2013 12:27:27 -0000

Hi Med,

Please see inline [Tiru]

> -----Original Message-----
> From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
> Sent: Wednesday, January 16, 2013 7:00 PM
> To: Tirumaleswar Reddy (tireddy); pcp@ietf.org
> Subject: RE: [pcp] draft-ietf-pcp-proxy-01
> 
> Hi Tiru,
> 
> Many thanks for the comments.
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> >-----Message d'origine-----
> >De : Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> >Envoyé : vendredi 21 décembre 2012 07:43
> >À : BOUCADAIR Mohamed OLNC/OLN; pcp@ietf.org
> >Objet : Re: [pcp] draft-ietf-pcp-proxy-01
> >
> >Hi Med,
> >
> >Comments
> >
> >[1] Section 3 PCP Server Discovery and Provisioning :
> >You may also want to add details that PCP Proxy would use
> >similar mechanism just like PCP client to discover the PCP server.
> 
> Med: I updated the text with an explicit ref to Section 8.1 of draft-ietf-pcp-
> base.
> 
> >
> >[2] Section 5 Control of the Firewall :
> >Firewall rules would be typically to block any unsolicited
> >traffic from outside to inside. For PCP request/response this
> >will not be a problem, but would have issues with unsolicited
> >ANNOUNCE. In this case PCP Authentication looks mandatory to
> >handle man-in-middle attacks trying to act as PCP Server.
> 
> Med: is that a problem even if the pcp server is known to the pcp proxy ?

The PCP server could be in a different administrative domain that may or may have IP source guard; attacker can spoof the well-known IP address of the PCP server and send ANNOUNCE. PCP authentication looks mandatory.

> 
> >
> >[3] Section 5 : Replace REMOTE_PEER_FILTER with FILTER option
> 
> Med: Fixed. Thanks.
> 
> >
> >[4] Section 8 MAP/PEER handling : you may also want to clarify
> >PCP proxy behavior when PCP client uses THIRD_PARTY option.
> 
> Med: I updated the text to explicitly require the PCP server follows the pcp
> server recommendations detailed in section 13.1 of draft-ietf-pcp-base.
> 
> >
> >[5] Section 10.1 Multiple PCP servers : There could be another
> >scenarios that PCP proxy would forward the PCP request to one
> >of the PCP servers depending on the fields set in PCP request
> >(for specific use cases please refer to
> >http://tools.ietf.org/html/draft-rpcw-pcp-pmipv6-serv-discovery
> >-00 ,
> >http://tools.ietf.org/html/draft-chen-pcp-mobile-deployment-02#
> >section-8)]
> >
> 
> Med: what change you want to see in that section? Thanks.

The PCP proxy based on various fields set in the PCP request, client identity will forward the PCP request to different PCP servers. For example in the case of PMIPv6 based on the UE subscription traffic offload rules will be installed on the MAG. MAG acting as PCP proxy can either handle the PCP request in the local access network itself or relay the PCP request to the PCP server in the home network. I guess similar mechanism would be needed in 3GPP network with SIPTO.

> 
> >[6] How is it ensured that only the PCP proxy can communicate
> >with the PCP server and not any other PCP client ?
> 
> Med: Should this be part of the PCP Proxy spec ?

This can be solved by simple techniques like ACL to block PCP client from communicating directly with the PCP server. You can mention it in security considerations.

--Tiru.

> 
> >
> >--Tiru.
> >
> >> -----Original Message-----
> >> From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of
> >> mohamed.boucadair@orange.com
> >> Sent: Friday, August 17, 2012 5:33 PM
> >> To: pcp@ietf.org
> >> Subject: [pcp] draft-ietf-pcp-proxy-01
> >>
> >> Dear all,
> >>
> >> A new version is now available online:
> >> http://tools.ietf.org/html/draft-ietf-pcp-proxy-01
> >>
> >> The main changes in -01 are as follows:
> >>
> >> * The reference architecture is updated: the PCP proxy is
> >not restricted to
> >> the CP router deployment case.
> >> * Add a new section to specify the behaviour when the PCP
> >Proxy is not
> >> co-located with a NAT function
> >> * Add a new section for mappings repair
> >> * More discussion for the multiple PCP Servers scenario
> >> * Text is cleanup
> >>
> >> A detailed diff is available here:
> >>
> >>  http://www.ietf.org/rfcdiff?url2=draft-ietf-pcp-proxy-01
> >>
> >> Please review this new version and provide input.
> >>
> >> Cheers,
> >> Med
> >> _______________________________________________
> >> pcp mailing list
> >> pcp@ietf.org
> >> https://www.ietf.org/mailman/listinfo/pcp
> >
> >

v2.23.0 | Report a Bug | By Email