Message613

Author pcalhoun
Recipients
Date 2008-10-09.21:29:30
Content
>> Is there a conflict between the guidance given in NAT Considerations
>> Case 2 (Section 11, paragraph 2, last sentence) and the guidance in
>> section 12.2 "Session ID Security"?
>>
>> From section 11:
>>
>>    The CAPWAP Data Check state, which
>>    establishes the data plane connection and communicates the CAPWAP
>>    Data Channel Keepalive, includes the Session Identifier message
>>    element, which is used to bind the control and data plane.  Use of
>>    the Session Identifier message element enables the AC to match the
>>    control and data plane flows from multiple WTPs behind the same NAT
>>    system (multiple WTPs sharing the same IP address).
>>
>> From section 12:
>>
>>    For example, an AC MUST NOT associate decrypted DTLS
>>    control packets with a particular WTP session based solely on the
>>    Session ID in the packet header.  Instead, identification should be
>>    done based on which DTLS session decrypted the packet.  Otherwise one
>>    authenticated WTP could spoof another authenticated WTP by altering
>>    the Session ID in the encrypted CAPWAP header.
>
> I see. Well, both of these sections are covering different cases. The 
> first is to cover the correlation of the control and data plane - 
> which is why the Session Identifier exists. The second one is 
> different, which is to differentiate different control plane packets. 
> That said, it does make sense to ensure that we have some consistency 
> in the use of the Session ID field. The text would look like:
>
> <proposed text>
> 11.  NAT Considerations
> [...]
>    The CAPWAP Data
>    Check state, which establishes the data plane connection and
>    communicates the CAPWAP Data Channel Keepalive, includes the Session
>    Identifier message element, which is used to bind the control and
>    data plane.  Use of the Session Identifier message element enables
>    the AC to match the control and data plane flows from multiple WTPs
>    behind the same NAT system (multiple WTPs sharing the same IP
>    address).  CAPWAP implementations MUST also use DTLS session
>    information on any encrypted CAPWAP channel to validate the source of
>    both the control and data plane, as described in Section 12.2.
> </proposed text>
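The lookup rule being settled in the message above (correlate control and data plane by the Session Identifier, but identify the sender by the DTLS session that decrypted the packet and only cross-check the Session ID), as an added example that is not part of the tracker message, the CAPWAP specification or any CAPWAP implementation. The AccessController class, the WTP identities wtp-a and wtp-b, the DTLS handles, the NAT address and the 4-byte Session IDs (the real element is 16 bytes) are all constructed for illustration.

```python
"""AC-side model: the Session Identifier correlates control and data plane
(section 11); the sending WTP is identified by the DTLS session that
decrypted the packet, and the header Session ID is only cross-checked
(section 12.2). All identities, handles and addresses are constructed."""
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class SpoofAttempt(Exception):
    """Session ID in a packet does not belong to the DTLS peer that sent it."""


@dataclass(frozen=True)
class DTLSSession:
    """An established DTLS session. `peer` is the identity authenticated in
    the handshake (e.g. the WTP certificate subject); `handle` is an opaque
    per-connection key the AC uses for lookups."""
    handle: int
    peer: str


@dataclass
class WTPState:
    peer: str
    session_id: bytes            # CAPWAP Session Identifier allocated at Join
    control: DTLSSession         # control-channel DTLS session
    data_src: Optional[Tuple[str, int]] = None  # set by the Data Check keepalive


class AccessController:
    def __init__(self) -> None:
        self.by_dtls: Dict[int, WTPState] = {}          # authoritative identity
        self.by_session_id: Dict[bytes, WTPState] = {}  # control/data correlation only

    def join(self, control: DTLSSession) -> WTPState:
        """WTP finished DTLS on the control channel and joined: allocate a
        random Session Identifier and bind it to that DTLS session."""
        sid = os.urandom(4)  # shortened from the 16-byte element for the example
        st = WTPState(peer=control.peer, session_id=sid, control=control)
        self.by_dtls[control.handle] = st
        self.by_session_id[sid] = st
        return st

    def identify_insecure(self, session_id: bytes) -> WTPState:
        """What section 12.2 forbids: trust the Session ID in the header."""
        return self.by_session_id[session_id]

    def identify(self, decrypted_by: DTLSSession, session_id: bytes) -> WTPState:
        """Identify by the DTLS session that decrypted the control packet; a
        header Session ID belonging to another WTP is a spoof attempt."""
        st = self.by_dtls[decrypted_by.handle]
        if st.session_id != session_id:
            raise SpoofAttempt(f"{decrypted_by.peer} used another WTP's Session ID")
        return st

    def data_check(self, decrypted_by: Optional[DTLSSession], session_id: bytes,
                   src: Tuple[str, int]) -> WTPState:
        """Data Channel Keepalive. WTPs behind one NAT share `src`, so the
        Session Identifier is what correlates the data flow with its control
        session. If the data channel is DTLS-protected, the peer authenticated
        on it must be the peer bound to that Session ID (proposed text above)."""
        st = self.by_session_id.get(session_id)
        if st is None:
            raise KeyError("keepalive with unknown Session ID")
        if decrypted_by is not None and decrypted_by.peer != st.peer:
            raise SpoofAttempt(f"{decrypted_by.peer} used {st.peer}'s Session ID")
        st.data_src = src
        return st


def scenario() -> Dict[str, object]:
    """Two authenticated WTPs behind the same NAT; WTP A tries to pass as B."""
    ac = AccessController()
    a = ac.join(DTLSSession(handle=1, peer="wtp-a"))
    b = ac.join(DTLSSession(handle=2, peer="wtp-b"))
    nat_ip = "198.51.100.7"  # constructed NAT public address shared by both WTPs
    out: Dict[str, object] = {}

    # A rewrites the Session ID in its own (authenticated) control packet to B's.
    out["insecure"] = ac.identify_insecure(b.session_id).peer  # attributed to B
    try:
        ac.identify(a.control, b.session_id)
        out["secure"] = "accepted"
    except SpoofAttempt:
        out["secure"] = "rejected"
    out["honest"] = ac.identify(a.control, a.session_id).peer

    # Data Check keepalives from the same NAT address, told apart by Session ID.
    a_data = DTLSSession(handle=3, peer="wtp-a")
    b_data = DTLSSession(handle=4, peer="wtp-b")
    ac.data_check(a_data, a.session_id, (nat_ip, 40001))
    ac.data_check(b_data, b.session_id, (nat_ip, 40002))
    out["bound"] = (a.data_src is not None, b.data_src is not None)

    # A's data-channel DTLS session carrying B's Session Identifier.
    try:
        ac.data_check(a_data, b.session_id, (nat_ip, 40001))
        out["data_spoof"] = "accepted"
    except SpoofAttempt:
        out["data_spoof"] = "rejected"
    return out


if __name__ == "__main__":
    print(scenario())
```

The by_session_id map exists only to find the control session that a data-plane keepalive belongs to; once a channel is DTLS-protected, the authenticated peer of that channel is what decides who sent the packet, and a Session ID that disagrees with it is treated as a spoof rather than as a re-identification.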
History
Date                 User      Action  Args
2008-10-09 21:29:31  pcalhoun  link    issue221 messages
2008-10-09 21:29:31  pcalhoun  create