IETF Logo Mail Archive

Re: [Ideas] [lisp] FW: Technical plenary: Attacks against the architecture - implications for the Network Mapping System

"Joel M. Halpern" <jmh@joelhalpern.com> Sat, 29 October 2016 16:02 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: ideas@ietfa.amsl.com
Delivered-To: ideas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C62541295C5; Sat, 29 Oct 2016 09:02:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIVOySnB4gsS; Sat, 29 Oct 2016 09:02:42 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C69B6129536; Sat, 29 Oct 2016 09:02:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id AE3A624261A; Sat, 29 Oct 2016 09:02:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=1.tigertech; t=1477756962; bh=xuv/Z1tRrNCqH3or3+O3L+Tzou5w021N7XJEdRNXiRU=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=HBiOwE77BquAN9RoYDlXKnI8ryhMMyfJ1tVtWWgyAQ54ExXZzu9ki3BrJgT+VrQi7 BDWFYIsptcI10cO8Jfy+SaprQbtIWADjqI5vA4hmH/L7E0+oAHz0wbBG0rj/9TcvhE 3CobZvPOODCZp8hE+ynrtLswJ7Wl3LzN6jSf65fY=
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from Joels-MacBook-Pro.local (209-255-163-147.ip.mcleodusa.net [209.255.163.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id ECE92241298; Sat, 29 Oct 2016 09:02:41 -0700 (PDT)
To: Padma Pillay-Esnault <padma.ietf@gmail.com>
References: <EC7A99B9A59C1B4695037EEB5036666B012C63D0@dfweml501-mbb> <85dd645c-37ca-0839-a175-2fb05539fbf2@joelhalpern.com> <CAG-CQxr8gXiQi_D1PNN6HMk7NVc6P62kPsZicLdm1PgfL41prA@mail.gmail.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <9147701f-8395-7b2e-d370-111200ce2656@joelhalpern.com>
Date: Sat, 29 Oct 2016 12:03:13 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CAG-CQxr8gXiQi_D1PNN6HMk7NVc6P62kPsZicLdm1PgfL41prA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/xW9oxRY4XWOfRJ3zjzRlExTAmRQ>
Cc: "ideas@ietf.org" <ideas@ietf.org>, Padmadevi Pillay Esnault <padma@huawei.com>, "lisp@ietf.org" <lisp@ietf.org>
Subject: Re: [Ideas] [lisp] FW: Technical plenary: Attacks against the architecture - implications for the Network Mapping System
X-BeenThere: ideas@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <ideas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ideas>, <mailto:ideas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ideas/>
List-Post: <mailto:ideas@ietf.org>
List-Help: <mailto:ideas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ideas>, <mailto:ideas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Oct 2016 16:02:45 -0000

Remember that with LISP, the mapping system is somewhat insulated due to 
the fact that queries are only accepted from MR, not directly from 
anything claiming to be an ITR.  And it is normally expected that the 
association between mapping system internals and MR/MS is authenticated 
(otherwise there are lots of other issues.)

This does not provide complete protection, as there are many situations 
where the MR does not have  an authentication relationship with the 
querying ITR.  Having said that, it can be noted that in many cases 
there is such a relationship.  Such a relationship prevents a random 
outside attack.

Even when there is no such relationship, and even if the MR does not 
rate limit, an effective DoS attack would have to target multiple MR to 
cause significant difficulty.

Also, it seems to me that if all you want to do is break a single MR, 
then rate limiting is irrelevant.  In the absence of limits on who can 
query a specific MR, you can bombard it with more queries than it can 
handle and you will take it out of service.  So a rate limit helps the 
system while harming the MR capability only slightly.

Trying to infer whether an entity is allowed to undertake specific 
operations without authentication, using information such as the IP 
address, seems fraught with failure.  Trying to classify all entities 
into types (onotology?) seems unlikely to produce correct results, as 
classes are not cleanly defined.

As I said, I look forward to the technical presentation at the IETF 
meeting to see if they have any ideas that can help.  Yes, there is work 
to be done.  Putting authorization into the identity seems to be asking 
for trouble.

Yours,
Joel

On 10/29/16 11:40 AM, Padma Pillay-Esnault wrote:
> Hi Joel
>
> The security section has the following recommendations for overload issues
> 1. Rate limit the sending of messages to the mapping system.
> 2.To improve resiliency and reduce the overall number of
> messagesexchanged, LISP offers the possibility to leak information, such
> as reachabilty of locators, directly into data plane packets
> 3. Using trustable Map-Servers that strictly respect [RFC6833] and the
> lightweight authentication mechanism proposed byLISP-Sec
> [I-D.ietf-lisp-sec] reduces the risk of attacks
>
> Here are the potential problems I see with these
> 1. Rate limiting messages has the same result the DDOS attack was aiming at.
> 2. Leaking the information may have consequences for the privacy unless
> we are using ephemeral EIDs
> 3. We can trick the system to legitimately make a lot of updates. For
> example a large number of IDs distributed that keep on registering that
> they have changed locations frequently and an equally large number of
> devices trying to access them.
>
> There has been a lot of digital ink about IoT devices being vulnerable
> to be compromised and that the sheer number of devices (several
> billions) to be the easy target for bonnets.  Discussions about use of
> rfc2728 or how ISP could handle these attacks. It is a difficult problem
> to solve and in the end we are pushing the responsibility to other
> entities to do the right thing ...
>
> In section 5 of draft-padma-ideas-problem-statement, there is a section
> in the table which specifically discuss about the structure of IDs and
> whether we should used them for specific classes or as the Network
> Mapping system is proposing to attach metadata to ID.
>
> I am inclined to think if we can give ID some inherent class which can
> restrict what these devices can do. Why would a fridge ever try to
> access a bank account unless something is seriously wrong? In the case
> of IoT, it would have been possible to drop request from a camera or
> sensor requesting to map netflix or twitter.
>
> With IP addresses, it is difficult to differentiate who is what.
> Structured IDs allocations or metadata in the NMS may be an opportunity
> to simplify some of this operational complexity.
>
> Thoughts?
> Padma
>
>
>
> On Fri, Oct 28, 2016 at 8:15 PM, Joel M. Halpern <jmh@joelhalpern.com
> <mailto:jmh@joelhalpern.com>> wrote:
>
>     There are some preliminary thoughts on overload issues in the
>     security considerations of draft-ietf-lisp-introduction.
>
>     I will also be curious to see what the presentations at the
>     technical plenary in Seoul have to suggest on the issue, if anything.
>
>     There probably is more with considering.
>
>     Yours,
>     Joel
>
>
>     On 10/28/16 7:39 PM, Padmadevi Pillay Esnault wrote:
>
>         The recent Denial-of-service attacks is a scenario we should
>         have in mind when building robustness in the network mapping system.
>         In draft-padma-ideas-problem-statement-00.txt, there is a
>         section on mapping system security requirements that
>         specifically cover
>         this case.
>
>         One of the questions that comes to mind is whether the
>         robustness of such a mapping system should drop/throttle
>         responses when it is
>         Overloaded or should we expect it always to handle the load no
>         matter what?
>         While we do propose to rate-limit the messages in the problem
>         statement, isn't this playing into the hands of the attackers?
>
>         Requesting feedback from the list and ccing wg with expertise in
>         the area or interest in mapping system technology.
>
>         Thanks in advance
>         Padma
>
>         Below an excerpt from the draft
>         6.4.  Mapping System Security
>
>            The secure mapping system must have the following requirements:
>
>            1.  The components of the mapping system need to be robust
>         against
>                direct and indirect attacks.  If any component is
>         attacked, the
>                rest of the system should act with integrity and scale
>         and only
>                the information associated with the compromised component
>         is made
>                unavailable.
>
>            2.  The addition and removal of components of the mapping
>         system must
>                be performed in a secure matter so as to not violate the
>                integrity and operation of the system and service it
>         provides.
>
>            3.  The information returned by components of the mapping system
>                needs to be authenticated as to detect spoofing from
>                masqueraders.
>
>            4.  Information registered (by publishers) to the mapping
>         system must
>                be authenticated so the registering entity or the
>         information is
>                not spoofed.
>
>            5.  The mapping system must allow request access (for
>         subscribers) to
>                be open and public.  However, it is optional to provide
>                confidentiality and authentication of the requesters and the
>                information they are requesting.
>
>            6.  Any information provided by components of the mapping
>         system must
>                be cryptographically signed by the provider and verified
>         by the
>                consumer.
>
>            7.  Message rate-limiting and other heuristics must be part
>         of the
>                foundational support of the mapping system to protect the
>         system
>                from invalid overloaded conditions.
>
>            8.  The mapping system should support some form of provisioned
>                policy.  Either internal to the system or via mechanisms for
>                users of the system to describe policy rules.  Access control
>                should not use traditional granular-based access lists
>         since they
>                do not scale and are hard to manage.  By the use of token- or
>                key- based authentication methods as well as deploying
>         multiple
>                instances of the mapping system will allow acceptable policy
>                profiles.  Machine learning techniques could automate these
>                mechanisms.
>
>
>         -----Original Message-----
>         From: IETF-Announce [mailto:ietf-announce-bounces@ietf.org
>         <mailto:ietf-announce-bounces@ietf.org>] On Behalf Of IETF Chair
>         Sent: Friday, October 28, 2016 9:21 AM
>         To: IETF Announcement List
>         Cc: ietf@ietf.org <mailto:ietf@ietf.org>
>         Subject: Technical plenary: Attacks against the architecture
>
>         The technical plenary in Seoul will be about the recent
>         Denial-of-Service
>         attacks involving the use of compromised or misconfigured nodes or
>         “things”, and the architectural issues associated with the network
>         being vulnerable to these attacks.
>
>         See
>
>
>         https://www.ietf.org/blog/2016/10/attack-against-the-architecture/
>         <https://www.ietf.org/blog/2016/10/attack-against-the-architecture/>
>
>         and join us for the discussion on Wednesday 16:40-19:10,
>         November 16,
>         2016 either in person or remotely. You can register for the
>         meeting here:
>
>           https://www.ietf.org/meeting/97/index.html
>         <https://www.ietf.org/meeting/97/index.html>
>
>         Jari Arkko, IETF Chair
>
>         _______________________________________________
>         lisp mailing list
>         lisp@ietf.org <mailto:lisp@ietf.org>
>         https://www.ietf.org/mailman/listinfo/lisp
>         <https://www.ietf.org/mailman/listinfo/lisp>
>
>
>     _______________________________________________
>     Ideas mailing list
>     Ideas@ietf.org <mailto:Ideas@ietf.org>
>     https://www.ietf.org/mailman/listinfo/ideas
>     <https://www.ietf.org/mailman/listinfo/ideas>
>
>

v2.8.7 | Report a Bug | By Email