Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp
Dan Wing <dwing@cisco.com> Thu, 25 July 2013 22:56 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD2DD21F8F07 for <pcp@ietfa.amsl.com>; Thu, 25 Jul 2013 15:56:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wb9zt-Tlb4LV for <pcp@ietfa.amsl.com>; Thu, 25 Jul 2013 15:56:27 -0700 (PDT)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id 76F3521F8426 for <pcp@ietf.org>; Thu, 25 Jul 2013 15:56:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4331; q=dns/txt; s=iport; t=1374792987; x=1376002587; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=L8Ny2i/5/g/7e1xs6O4a07BdB3JWzd81OcO43tgDDm0=; b=dZ+ESHUW6c3pQXLJCANbNQS7nnKAf+iwCBxGn/M8uv1Svsq+W9Q0y0ej fD9UyyD8l/wh37jg8zMXwjM68aomfcg5d5V/h9GldrEekup+U/GdFoWkN n5bqETl0KgZiI7v2ezu7oMjBWsFNsYbtX6CxRvdqz4Bf3Gi7HWwKIGlRf o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhEFANas8VGrRDoG/2dsb2JhbABagwY1vjSBFRZ0giQBAQEDAQEBAWsLBQsLPwcnHxEZiAoFDbh5BI9KMweDEm4DiSqONZFNgzQc
X-IronPort-AV: E=Sophos;i="4.89,746,1367971200"; d="scan'208";a="87230123"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by mtv-iport-4.cisco.com with ESMTP; 25 Jul 2013 22:56:18 +0000
Received: from sjc-vpn7-549.cisco.com (sjc-vpn7-549.cisco.com [10.21.146.37]) by mtv-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id r6PMuGjG007687; Thu, 25 Jul 2013 22:56:17 GMT
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F36EE4BA569B@PUEXCB1B.nanterre.francetelecom.fr>
Date: Thu, 25 Jul 2013 15:56:16 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <10106ED6-5FF5-4C03-8F2E-8AFCE2D0812A@cisco.com>
References: <09D9F37E-8339-412C-B703-4DBC9A96696A@cisco.com> <94C682931C08B048B7A8645303FDC9F36EE4BA569B@PUEXCB1B.nanterre.francetelecom.fr>
To: mohamed.boucadair@orange.com
X-Mailer: Apple Mail (2.1508)
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2013 22:56:32 -0000
On Jul 23, 2013, at 11:08 PM, mohamed.boucadair@orange.com wrote: > Hi Dan, > > The main reasons why we had that text are as follows: > > * The PCP Proxy won't need to inspect every incoming packet. The current approach makes it easy to redirect PCP responses to the PCP proxy because PCP responses will be explicitly sent to its external IP address. I agree it is different to send the packet to the PCP proxy's public address than what I described. However, ALG code in NATs and firewalls today are pretty capable of seeing the response traffic. Thus what I am suggesting is not new. > * In some scenarios, the address family of the internal IP address is not the same as the one available in the external interface of the PCP Proxy. A typical example is DS-Lite. As you know DS-Lite assumes plain IPv6 mode, internal PCP requests are received over IPv4 while external requests are sent over IPv6 without requiring in NAT. In such case, internal request cannot just be relayed to the next PCP server. Why can't IPv4 PCP requests be sent over IPv4 (over the DS-Lite IPv6 tunnel), just like a IPv4 TCP SYNs? I recall there was objection to that and a preference for sending the PCP requests over IPv6, but I am now worried the security implications of such a decision have not been fully considered. What of scenarios where IPv6/IPv4 tunneling is not involved -- why does draft-ietf-pcp-proxy require the proxy insert THIRD_PARTY for those, too? Just to make the proxy implementation less like an ALG (your first bullet)? What are the security implications of a deployment where some subscribers have a PCP proxy and it adds THIRD_PARTY (legitimately) versus other subscribers who don't have a PCP proxy and someone on that subscriber's network (e.g., coffee shop, hotel) is abusing THIRD_PARTY (maliciously). How would the service provider's PCP server differentiate between those two types of subscribers and know to allow one THIRD_PARTY but deny the other THIRD_PARTY? The problem I see with the PCP proxy inserting THIRD_PARTY is the upstream PCP server is now doing something different than it was without a PCP proxy on the path -- the upstream PCP server has to understand and allow THIRD_PARTY. Imagine a situation, all too common, where there are two NATs in a home ("look, a fancy blue LED, 802.1ac, and only $40. My Internet will go really fast") and each is doing PCP proxying -- now the second one has to do PCP proxying, which it will be surprised to see from what it thought was an end host. -d > > Cheers, > Med > >> -----Message d'origine----- >> De : pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] De la part de Dan >> Wing >> Envoyé : mercredi 24 juillet 2013 03:41 >> À : pcp@ietf.org >> Objet : [pcp] draft-ietf-pcp-proxy and draft-cheshire-recursive-pcp >> >> I am trying to understand the difference between draft-ietf-pcp-proxy and >> draft-cheshire-recursive-pcp. One of the significant differences seems to >> be if the proxy should function differently from an endpoint. draft-ietf- >> pcp-proxy has a proxy operating differently from an endpoint with the >> sentence starting with "Nevertheless" >> >> 6. No NAT is Co-located with the PCP Proxy >> >> When no NAT is co-located with the PCP Proxy, the port numbers >> included in received PCP messages (from the PCP server or PCP >> client(s)) are not altered by the PCP Proxy. Nevertheless, the PCP >> client IP Address MUST be changed to the address of the PCP Proxy and >> a THIRD_PARTY Option inserted to carry the IP address of the source >> PCP client. >> >> The text is under-specified (as the PCP proxy can have have several >> addresses, even if it is a firewall), but I don't know why the PCP proxy >> needs to add the THIRD_PARTY option. It could just send the packet as-is, >> with the original source IP address. The proxy will see the response just >> as it will see the TCP SYNACK response to a TCP SYN. >> >> WG thoughts? >> >> -d >> >> _______________________________________________ >> pcp mailing list >> pcp@ietf.org >> https://www.ietf.org/mailman/listinfo/pcp
- [pcp] draft-ietf-pcp-proxy and draft-cheshire-rec… Dan Wing
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… Dan Wing
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… mohamed.boucadair
- [pcp] DS-Lite "plain mode" (Was: Re: draft-ietf-p… Simon Perreault
- Re: [pcp] DS-Lite "plain mode" (Was: Re: draft-ie… mohamed.boucadair
- Re: [pcp] draft-ietf-pcp-proxy and draft-cheshire… Dan Wing