IETF Logo Mail Archive

Re: [Ila] Securing pull-based ID/LOC caches

Dino Farinacci <farinacci@gmail.com> Fri, 23 March 2018 13:01 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E398412D948; Fri, 23 Mar 2018 06:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRUKwb1ktCjP; Fri, 23 Mar 2018 06:01:52 -0700 (PDT)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABA8B12D945; Fri, 23 Mar 2018 06:01:51 -0700 (PDT)
Received: by mail-wr0-x233.google.com with SMTP id l49so2910989wrl.4; Fri, 23 Mar 2018 06:01:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=RrfBkcPX8vi3MsG47dGr2JrCYA903RXWjr2TJAHp4vA=; b=C0CAkWTefMJJPYICt3TyU1l2rxhupCaT4+UCUVOJ1aGtyaH9F8WzbpK5SlmWSVkffv 6Y66jFue3kejfbfv1U+QubV3K80CwOoxZySvj40cFJqmvsmZdlK0w7GQQD7XiVYfL66c HSXrig6ehiMFyUMoYj9TYnaPo6OO18PYySl6KSnBpyRt5fdfvTLzPXeE0Rr+aLkOii/A x2khWz9KXtIa97jfhUv5I1d0EP19yV+aXvmWRmahvBxkNxBDI/IzJIDCLFig/pAh1YiE GI/JEhf0XYK23FtO6rsEkL556rdAYVRZVVgMMT0LW7uNY565Yqh2GyykyAwGzecjaCk9 M7yA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=RrfBkcPX8vi3MsG47dGr2JrCYA903RXWjr2TJAHp4vA=; b=NjpK2g0/1SzJ+LJyz7I18Ac5cvnNIsxlC4mzH3rUbtKO0vKwfSqqfsxVcYohchHKFG 6WcqRT6BZSDSdD9eDjEjCWUA+UEtddQxCmuAOvtSRPPw+4yBhXdsFRFBbJL4NYrVbPzF lfovHNWFqkd1OOaE7Jt179eYMZXgw6iTjeK8wPSK3yB65o8cq4CE0fp7FbKmk5d0a7P9 09ljaBVhBIuS1qg3JTzB7m/EiZ4/PWgP9tco44RIZMbKh12TDpg368BkF8x4OL0d8kR7 pGJ2ADUbnYQFIw2V6xUEqtHraq+hdUBinRYRN66MLATKFYWFgGfv6mAKYA9lZ4VH4SNM PJAQ==
X-Gm-Message-State: AElRT7HAWxTuCSFN3iZnC7FUQYstTDA2KOEKFaw5RpH9aBIK2fcwQjxv T2u278uGMUWaLaHUMKvPbcHyUH2a
X-Google-Smtp-Source: AG47ELt/g8vczGWzgbL3u1A5Lh9CvhQxNZiQMuYSHfy816aBf5UxzFvopCA6V7wQoMSotIQciYZFvA==
X-Received: by 10.223.188.19 with SMTP id s19mr11920444wrg.213.1521810109937; Fri, 23 Mar 2018 06:01:49 -0700 (PDT)
Received: from [10.108.129.100] (host86-179-108-173.range86-179.btcentralplus.com. [86.179.108.173]) by smtp.gmail.com with ESMTPSA id p68sm9573476wmg.7.2018.03.23.06.01.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Mar 2018 06:01:49 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Dino Farinacci <farinacci@gmail.com>
X-Mailer: iPhone Mail (15D100)
In-Reply-To: <CAPDqMerHA3F2_U8Bq+LzhXnQnrYx4yu-oS_esK8PEQEDyAFafA@mail.gmail.com>
Date: Fri, 23 Mar 2018 13:01:47 +0000
Cc: Albert Cabellos <albert.cabellos@gmail.com>, ila@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <38247BED-EFAA-4CF3-B554-910122DD1300@gmail.com>
References: <CAGE_QeyRO-o2umJtCWyoAX7E9y8Fi34kTsfUsJ-G_a7ZGnCGrA@mail.gmail.com> <CAPDqMerHA3F2_U8Bq+LzhXnQnrYx4yu-oS_esK8PEQEDyAFafA@mail.gmail.com>
To: Tom Herbert <tom@quantonium.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/TOxlYvS9Kf86bOO4c1A7s0VqGks>
Subject: Re: [Ila] Securing pull-based ID/LOC caches
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 13:01:54 -0000

I believe we have to spec out how CMS could work in more detail and try different fields of the IP header for input to  different hash functions to see if the needle (good actors) can get through the haystack (bad actors). 

But agree if bad actors are spoofing good actors there is no way to tell. 

Many of us have been thinking about how to use Proof of Work mechanisms so if a bad actor had to do more work to send a packet it could slow down the DoS attack. But just early thoughts. 

Dino

> On Mar 23, 2018, at 11:46 AM, Tom Herbert <tom@quantonium.net> wrote:
> 
> On Thu, Mar 22, 2018 at 9:13 AM, Albert Cabellos
> <albert.cabellos@gmail.com> wrote:
>> Hi all
>> 
>> I am attaching a short paper describing a solution for control-plane
>> denial-of-service & overflowing attacks against pull-based ID/LOC caches.
>> The solution is based on implementing a per-source rate-limiter at the xTR
>> using an efficient Count-Min Sketch structure.
>> 
> Hi Albert,
> 
> Thank you for forwarding the paper. It is an interesting read!
> 
> I have a few comments:
> 
>> From the paper: "In LISP the mapping from the overlay namespaces can
> be done using two mechanisms."
> 
> I believe a third mechanism is exists in secure redirects. This is
> akin to ICMP redirects where a network router informs a sender that
> there is a better path. This is sort of a hybrid of the pull and push
> models.
> 
>> From the paper: "It is worth noting that this solution assumes that
> spoofing source addresses is not possible inside the LISP site". That
> is a big assumption and I'm not sure it will be generally true.
> 
> Even if if spoofing is enabled, trying to identify bad guys by source
> address is still precarious. Consider that there could be complex
> downstream networks of LISP that are possibly behind NAT, delegated
> prefixes, VMs sharing common server IP address, etc.
> 
> You might also want to consider the possibility of a distributed
> denial of service attack where the attacker uses many system to attack
> a cache where no individual systems sends a high enough rate of
> packets to trip the rate limiting threshold. I imagine the code for an
> attack on cache is pretty trivial-- little more than a simple loop
> sending UDP packets to random destinations. This could very easily be
> hidden in some downloaded app.
> 
>> From the paper: "Attackers generate (randomly) between 2 and 3 orders
> of magnitude more control-plane messages than legitimate users.
> Specifically, attackers generate a uniform random number in the range
> of 1k-10k, legitimate users a range in 1-10 and the threshold T is set
> to 1k"
> 
> The job of an attacker is blend in so that their traffic is
> indistinguishable from users. If they know they know what the
> thresholds are that raise suspicion then they'll adjust their attack
> to avoid hitting the thresholds! In this case, for instance, they
> could try a DDOS to avoid detection.
> 
> Caches also have other attack vectors. For instance, if an attacker
> knows they hash algorithm and the cache scheme, they might be able to
> launch and attack to prevent service to specific destinations by
> targeting the hash buckets of the destination. This sort of attack
> comes up a lot in traffic steering which is why all those schemes
> requiring randomizing the hash key and occasionally rekeying.
> 
>> From the paper: "The main design rationale behind the proposed
> solution is to detect and push-back attackers by rate-limiting them in
> aggregating points"
> 
> Unless the identification of attackers is perfect (which again is what
> attackers are working to prevent), at some point legitimate users will
> get swept up in this and they will be subject to the same rate
> limiting. In that case, what is the effect on them? For instance, are
> they completely blocked sending packets for some period of time? How
> would this situation be resolved?
> 
> Thanks,
> Tom
> 
>> Albert
>> 
>> _______________________________________________
>> ila mailing list
>> ila@ietf.org
>> https://www.ietf.org/mailman/listinfo/ila
>> 
> 
> _______________________________________________
> ila mailing list
> ila@ietf.org
> https://www.ietf.org/mailman/listinfo/ila

v2.23.0 | Report a Bug | By Email