[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]
Versions: 01 02 03 04
PCP Working Group T. Reddy
Internet-Draft P. Patil
Intended status: Standards Track D. Wing
Expires: October 24, 2013 R. Penno
Cisco
April 22, 2013
PCP Authentication Requirements
draft-reddy-pcp-auth-req-02
Abstract
In an attempt to reach consensus on a PCP authentication mechanism,
this document describes requirements for PCP authentication. It is
hoped this can serve as the basis for a comparison of PCP
authentication mechanisms.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 24, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
Reddy, et al. Expires October 24, 2013 [Page 1]
Internet-Draft PCP Auth Requirements April 2013
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Third Party Authorization . . . . . . . . . . . . . . . . . . 5
5. Other recommendations . . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
8.1. Normative References . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . 6
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 7
A.1. Change from -01 to -02 . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
This document derives requirements for PCP Authentication from PCP
deployment scenarios and scope described in PCP-base
[I-D.ietf-pcp-base] and other PCP drafts. The document focuses on
requirements and does not make a suggestion on the authentication
mechanism to be used to satisfy requirements.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Requirements
REQ-1: PCP client and server MUST provide client authentication.
The client could be a host running a PCP client or middle box
(e.g., NAT) running a PCP Proxy.
* The identity details of the client could be used by the PCP
server to grant access to certain PCP opcodes or PCP options.
Reddy, et al. Expires October 24, 2013 [Page 2]
Internet-Draft PCP Auth Requirements April 2013
For example GUESTS would not be permitted to use MAP opcode,
ADMINISTRATOR is only permitted to use THIRD_PARTY option.
* The identity details of the client could be used for auditing.
PCP Authentication MUST also generate message authentication key
for integrity protection of PCP request and response.
REQ-2: PCP Servers MUST be able to indicate that a request will not
be processed without authentication.
REQ-3: If the original PCP request/response was authenticated,
a. A client MUST be able to verify the integrity and origin of a
subsequent response from the server.
b. A server MUST be able to send subsequent authenticated
unsolicited responses.
c. If a server wants to send an unsolicited message, but the
previous security association has expired
1. The server can continue to use the same SA to protect
messages pertaining to that mapping, even if the SA is
technically expired.
- Such server notifications will not change state in the
PCP client.
- The notification could be a trigger for the client to
re-authenticate. For example, if the server indicates
that external IP address/port has changed, the PCP
client can then re-authenticate with the server to
confirm if the external IP address/port for the mapping
has indeed changed.
2. The server can optionally trigger re-authentication with
the client.
d. If a PCP response does not include integrity related to a
current security association, then those messages MUST NOT be
trusted without soliciting an integrity protected version.
REQ-4: It is important that PCP not leak privacy information between
the PCP client and PCP server,
a. The authentication mechanism MUST be able to keep credentials
hidden from eavesdroppers on path between client and server.
Reddy, et al. Expires October 24, 2013 [Page 3]
Internet-Draft PCP Auth Requirements April 2013
b. Confidentiality of the PCP messages is OPTIONAL for PCP
request and response of opcodes MAP, PEER, ANNOUNCE and
options THIRD_PARTY, PREFER_FAILURE and FILTER explained in
PCP-base [I-D.ietf-pcp-base]. Other PCP drafts MUST evaluate
if confidentiality is OPTIONAL or not for new PCP opcodes and
options introduced.
c. PCP authentication SHOULD be immune to passive dictionary
attacks.
d. PCP Authentication MUST ensure that an attacker snooping PCP
messages cannot guess the SA.
REQ-5: To ease troubleshooting and ensure fate sharing, PCP
authentication and PCP messages MUST be multiplexed over the same
port.
REQ-6: PCP authentication MUST accommodate authentication between
administrative domains. For example, a PCP client may wish to
communicate directly to an ISP's PCP server, even though the in-
home CPE router does not support PCP. In this scenario the PCP
client needs to directly authenticate with the ISP's PCP server.
REQ-7: PCP client and server MUST be able mutually authenticate,
especially when the PCP server is located in a different
administrative domain from the PCP client. Credentials to gain
access to the network could be different from the credentials used
to authenticate with the PCP server.
REQ-8: For the scenarios described in REQ-6, PCP authentication
mechanism MUST be functional across address and port translation,
including NAPT64 and NAPT44.
REQ-9: A PCP proxy, that modifies PCP request/response before
forwarding messages,
+------------+ |
| PCP Client |-----+ |
+--(Host 1)--+ | +-----------+ | +----------+
+---| | | | |
| PCP Proxy |-------|PCP Server|
+---| | | | |
+------------+ | +-----------+ | +----------+
| PCP Client |-----+ |
+--(Host 2)--+ possible boundary
<- Home side | ISP side ->
Reddy, et al. Expires October 24, 2013 [Page 4]
Internet-Draft PCP Auth Requirements April 2013
a. MUST validate message integrity of PCP messages from the PCP
server and client respectively.
b. MUST ensure message integrity after updating the PCP message
for cases described in sections 6 and 7 of
[I-D.ietf-pcp-proxy].
REQ-10: It is RECOMMENDED that PCP authentication support a
mechanism where only one PCP client on the host authenticates with
the PCP server and other PCP clients be able to reuse the
previously negotiated key for integrity protection. For example,
multiple applications on the host like BitTorrent [BitTorrent],
WebRTC[I-D.ietf-rtcweb-overview]/SIP [RFC3261] using PCP.
Multiple authentication exchanges increase load on the PCP server
and chatter on the network. For example, if 'N' messages are to
be exchanged for PCP authentication and 'M' independent
applications implement their own PCP client, a total of N*M
messages have to be exchanged and 'M' number of SAs maintained for
each host.
REQ-11: All else equal, it is RECOMMENDED to choose a widely
deployed authentication technique with known security properties
rather than inventing a new authentication mechanism.
REQ-12: Changes in PCP to accommodate authentication SHOULD be
minimal so that updates and additions to the authentication
mechanism have no bearing on modifying PCP.
4. Third Party Authorization
In addition to two party authentication that has been discussed in
this draft, a mechanism for third party authorization must also be
supported. This is required in cases where a third party authorizes
the use of a resource on a PCP server for a desired PCP client. For
example, a PCP request to a PCP capable firewall authorized by a SIP
proxy rather than by virtue of the end user making the PCP request.
The PCP server is to permit a PCP MAP request if a user is making a
SIP call with the Enterprise SIP server, otherwise do not allow MAP
request from that particular user. In this scenario the first party
is the user, second party is the PCP server (which is also the
firewall) and the third party is the SIP Server, where the user is
authorized to use MAP request only when making a call using the
trusted SIP Server.
5. Other recommendations
o It is recommended that there be support for a means to provide
integrity protection without user authentication. For example,
Reddy, et al. Expires October 24, 2013 [Page 5]
Internet-Draft PCP Auth Requirements April 2013
upon receiving a challenge with a certain REALM, if the PCP client
does not have credentials for that REALM, the client will attempt
to use a default username and password. Default credentials are
expected to be configured on infrastructure where PCP
authentication is not necessary, but such guest users are given
some (minimal) authorization to use PCP. This addresses the
problem when the client is visiting foreign networks like a hotel,
hot spot etc where it may gain access to the network but does not
know the credentials to authenticate to the ISP's PCP server when
the in-home CPE router does not support PCP and the PCP client
needs to directly authenticate with the ISP's PCP server.
6. IANA Considerations
This document does not require any action from IANA.
7. Security Considerations
This document does not define an architecture nor a protocol; as such
it does not raise any security concerns.
8. References
8.1. Normative References
[I-D.ietf-pcp-base]
Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)", draft-ietf-pcp-
base-29 (work in progress), November 2012.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
8.2. Informative References
[BitTorrent]
, "Cohen, B., "The BitTorrent Protocol Specification
Version 11031", February 2008.", September 2012.
[I-D.ietf-pcp-proxy]
Boucadair, M., Penno, R., and D. Wing, "Port Control
Protocol (PCP) Proxy Function", draft-ietf-pcp-proxy-02
(work in progress), February 2013.
[I-D.ietf-rtcweb-overview]
Alvestrand, H., "Overview: Real Time Protocols for Brower-
based Applications", draft-ietf-rtcweb-overview-06 (work
in progress), February 2013.
Reddy, et al. Expires October 24, 2013 [Page 6]
Internet-Draft PCP Auth Requirements April 2013
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
Appendix A. Change History
A.1. Change from -01 to -02
o Requirements reorganized based on commonality
o New requirement 3(c(2)) added.
Authors' Addresses
Tirumaleswar Reddy
Cisco Systems, Inc.
Cessna Business Park, Varthur Hobli
Sarjapur Marathalli Outer Ring Road
Bangalore, Karnataka 560103
India
Email: tireddy@cisco.com
Prashanth Patil
Cisco Systems, Inc.
Bangalore
India
Email: praspati@cisco.com
Dan Wing
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
Email: dwing@cisco.com
Reddy, et al. Expires October 24, 2013 [Page 7]
Internet-Draft PCP Auth Requirements April 2013
Reinaldo Penno
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
Email: repenno@cisco.com
Reddy, et al. Expires October 24, 2013 [Page 8]
Html markup produced by rfcmarkup 1.129d, available from
https://tools.ietf.org/tools/rfcmarkup/