Re: [Ila] Securing pull-based ID/LOC caches
Dino Farinacci <farinacci@gmail.com> Sat, 24 March 2018 12:14 UTC
Return-Path: <farinacci@gmail.com>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D79231250B8; Sat, 24 Mar 2018 05:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SdgYOd7-O-BO; Sat, 24 Mar 2018 05:14:13 -0700 (PDT)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D8661201F2; Sat, 24 Mar 2018 05:14:13 -0700 (PDT)
Received: by mail-wr0-x233.google.com with SMTP id s18so14543001wrg.9; Sat, 24 Mar 2018 05:14:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hHpUUucDs3CUrAkLQNULKxjSJ/1LDPZeod+sR3ErHE0=; b=dfFNY4RqyJg5lqtH+hXLZs/5a2pezKaQAPOlqkNuXz+eou9n0mPVviLNjocOLlXapP fFpImgdZWxBIlXT0bbHDDIBaO0gpqnoIzNOePLCgcXI7rtvhfvsLrCzNuedV8EL/IjsL iNnk4ww/ijQQXsUArRlW9nAY52NwTCh7l4wP0j+osYcxmvEn3C7OltYOd4QVFEvMnZsm VXJJXatTa2JZNH812G4UKDPiDst6xleSnu0CyOjeATUkRZLm2xIGxAkoBM/kVI41XHiF nAh9S7Y3LbsaXsDa+HwyLrxeWRwAuLCuxsC0w2y6ceFJIKvgMxbsEehQpL0mAKdGS2Aj LDMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hHpUUucDs3CUrAkLQNULKxjSJ/1LDPZeod+sR3ErHE0=; b=Lr3U3r6NCcsNI7MKxsVdXiedLWzFJPLmlqb8jWY+qF2JjcLeEVVBaiH5X8EDxrtBNd NtRg07tD8frzVng/nGzk2fFmUBgjLAkU7xZo70GegP6CvaUYYjkkCWna1y5tcFEqK6Kw XNnUFbFBZP/p8PcD+FKQQ1ZzPVjETHozk7CN0BirgobST5TrWSlqiB6X6GTjl+LtXQzy nKSdccTKYis2vmOr1gkU2435u6KttUZTZK7Q7qb3J/n3CFeWcvmDuDunsLFf0yWNIHDv RgAiN4gEE5E9OwVdFhB3XXSpSUMMFFxhna6nGKA1QszRKh2t/SE+XJjkXn7A7HjOr2Bc qjWw==
X-Gm-Message-State: AElRT7Gqcol3FcP5brcQYW+MRsxkLboISs/FFgL5GdJIX0AF8/rVbWuw pKHjyqyd9HRndzSpW54aCmM=
X-Google-Smtp-Source: AG47ELt7/BzpiVFQ3rseirpwd8q6op7C6YCFlXsKievcSc/jGU3k87o8Wjh50hInYtCdvsZiTcqYMA==
X-Received: by 10.223.172.226 with SMTP id o89mr13566655wrc.264.1521893651605; Sat, 24 Mar 2018 05:14:11 -0700 (PDT)
Received: from [10.210.32.219] ([31.221.87.75]) by smtp.gmail.com with ESMTPSA id 142sm13026818wmq.47.2018.03.24.05.14.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 24 Mar 2018 05:14:10 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <CAPDqMeq4GgHgy3DxBvMgYvUqTtk9UHA_wjESED4q9pPp6F3mvA@mail.gmail.com>
Date: Sat, 24 Mar 2018 05:14:09 -0700
Cc: Albert Cabellos <albert.cabellos@gmail.com>, ila@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0A6801E9-A199-4034-9179-A300B7343552@gmail.com>
References: <CAGE_QeyRO-o2umJtCWyoAX7E9y8Fi34kTsfUsJ-G_a7ZGnCGrA@mail.gmail.com> <CAPDqMerHA3F2_U8Bq+LzhXnQnrYx4yu-oS_esK8PEQEDyAFafA@mail.gmail.com> <38247BED-EFAA-4CF3-B554-910122DD1300@gmail.com> <CAPDqMeq4GgHgy3DxBvMgYvUqTtk9UHA_wjESED4q9pPp6F3mvA@mail.gmail.com>
To: Tom Herbert <tom@quantonium.net>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/5dQ_XCi6WjZRnadQehInolZG85Y>
Subject: Re: [Ila] Securing pull-based ID/LOC caches
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 12:14:15 -0000
> On Fri, Mar 23, 2018, 1:01 PM Dino Farinacci <farinacci@gmail.com> wrote: > I believe we have to spec out how CMS could work in more detail and try different fields of the IP header for input to different hash functions to see if the needle (good actors) can get through the haystack (bad actors). > > Dino, > > I'm not sure what else in IP header could help, attackers can spoof any field. If you are saying that users Destination address and possibly QoS. That is, popular destinations or EF QoS could have more strict rate-limters. > need to authenticate with the LISP sub-system that will have a lot of pushback. I am not saying that. > The other possibility is to accept the fact that we can't prevent DoS attacks on public networks, however we can limit the effects of the DoS attack so that it's not worth it to an attacker. The limit of interest is Well if the mapping system doesn’t allow high-rate senders to get RLOCs, that helps a lot more than what we have today. Especially when xTRs/ILA-N nodes are close to the source. By the way, if you call your ILA-N nodes xTRs, you’d be compatible with LISP. That is, “T” in LISP means “Tunnel” and “T” in ILA means “Transformation”. So when we speak we can say that an xTR is on the edge of the overlay that can “tunnel” or “transform”. And this follows nicely with RTRs/ILA-R nodes (“Re-encapsulating Tunnel Routers and “Re-transforming Transforming Routers). > the worst case effect of the DoS attack. The worse case we are targeting for attacks on a mapping cache is that packets for good guys might take a suboptimal route. This should be much better than good users having packets dropped or blocked. Well I think you can do this once the map-cache entry is populated. That is if you see high-rate sources that are not legit, then one of the RLOCs in the RLOC-set could be a honey-pot or third-party that has sufficient bandwidth and capacity to drop packets. Where other sources that are within the rate-limiters can get their packets sent to good RLOCs. But then you have to absorb the low-rate bad actors. But if they are low-rate, one would argue you can classify them as good actors (i.e. they get the same service as low-rate good-actors). The other thing you can do is lower the QoS value for bad actors. With encapsulation you can retain the original QoS value in the inner header and the downgraded value in the outer header. Dino
- [Ila] Securing pull-based ID/LOC caches Albert Cabellos
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert
- Re: [Ila] Securing pull-based ID/LOC caches Dino Farinacci
- Re: [Ila] Securing pull-based ID/LOC caches Albert Cabellos
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert
- Re: [Ila] Securing pull-based ID/LOC caches Dino Farinacci
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert