Re: [Ila] Securing pull-based ID/LOC caches
Tom Herbert <tom@quantonium.net> Fri, 23 March 2018 11:46 UTC
Return-Path: <tom@quantonium.net>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3625912D779 for <ila@ietfa.amsl.com>; Fri, 23 Mar 2018 04:46:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=quantonium-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LKYVc4RCaVsh for <ila@ietfa.amsl.com>; Fri, 23 Mar 2018 04:46:29 -0700 (PDT)
Received: from mail-wr0-x243.google.com (mail-wr0-x243.google.com [IPv6:2a00:1450:400c:c0c::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51C7B12D7F3 for <ila@ietf.org>; Fri, 23 Mar 2018 04:46:29 -0700 (PDT)
Received: by mail-wr0-x243.google.com with SMTP id l49so2679289wrl.4 for <ila@ietf.org>; Fri, 23 Mar 2018 04:46:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quantonium-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=hYjK1HgQKU0QWJ/gqnDoHgPQfER8C+fJxcFaUyWj6DA=; b=q0fpsxtXdSNDWy2zZa9TrvBFbDGTDqGkNTtBgJTQm3RqTZX2vPtObAPV1T6GRPVMv2 onYaOlHb91DRkq2THNvR3oNcgxpbnV7hNZqTNAgDKVebQYBqoUIjD/pmACuYzF8f4l7J gKcL5dlB6cCoYllLkO/h1MiAE8aS223GLJ2n0oYV3SHHy0Jb7H65Z7Sp4umjMIzKnk9+ BAwB/pRzsXwgK2Z52FX3sJdkpTs/K7RspFhIi7acujYuuuIApzrTQFlTHSOeIRVE3i+D X5BTVFQugItFBWKNbT1J2HVsV10YxXxFg+LN7gWfuFxaY9A/BSHMnevCrhNvjj58iQ9h 4TdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=hYjK1HgQKU0QWJ/gqnDoHgPQfER8C+fJxcFaUyWj6DA=; b=Zp+m85GmO2kgPp3i+VNvccQbbXK6L9+hFw4ayy5lm4XAIBhDazopPCZlbli46vXXEd 98sJ/Vq6el2HKwf+ZtDoMEh2LCQMd3tNqHu5rHms4bm9j7THg35VLSp++dIO3VLyoTJ1 2gF0E5xMPoVGYPOEmUZYdEHt/iaaQ7pQI77vKOJ5MY0E/B4a8k5vbHgU9hoNl4AV7cxN Jmw+qQEjzx2XBpc1VHuZXyev56IWW8TEg2OIGCgK0Zrq0O1vtzlpmX/3SJP3Ln5Dq7wE CsuFaSzRndXFFw8EjYq5tDHxAnSbRXAesBGQYfz1n0W0Msv5DLEK248es5ucq+C7rv7T EBVQ==
X-Gm-Message-State: AElRT7EmoLdDAVxLPENtVrRuhHOB8AaErbZt7YfXrZzDS5z1Md8JfbC+ gMke9XiwvqhkXzN13WSNOT29cCu4SKYMS80Q8dVl1g==
X-Google-Smtp-Source: AG47ELuPxIu3JLX9ygGT7LMlOSBEjziPrjoy4bR1ffE08eLaNUh1X3UVyEIoV4Y7aGe7gFAFCagWPkv928zgP8G7bmA=
X-Received: by 10.223.160.78 with SMTP id l14mr20918122wrl.153.1521805587650; Fri, 23 Mar 2018 04:46:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.186.137 with HTTP; Fri, 23 Mar 2018 04:46:27 -0700 (PDT)
In-Reply-To: <CAGE_QeyRO-o2umJtCWyoAX7E9y8Fi34kTsfUsJ-G_a7ZGnCGrA@mail.gmail.com>
References: <CAGE_QeyRO-o2umJtCWyoAX7E9y8Fi34kTsfUsJ-G_a7ZGnCGrA@mail.gmail.com>
From: Tom Herbert <tom@quantonium.net>
Date: Fri, 23 Mar 2018 04:46:27 -0700
Message-ID: <CAPDqMerHA3F2_U8Bq+LzhXnQnrYx4yu-oS_esK8PEQEDyAFafA@mail.gmail.com>
To: Albert Cabellos <albert.cabellos@gmail.com>
Cc: "lisp@ietf.org list" <lisp@ietf.org>, ila@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/rRdZSgyDRKO9on5P8dg0iUV7FQU>
Subject: Re: [Ila] Securing pull-based ID/LOC caches
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 11:46:31 -0000
On Thu, Mar 22, 2018 at 9:13 AM, Albert Cabellos <albert.cabellos@gmail.com> wrote: > Hi all > > I am attaching a short paper describing a solution for control-plane > denial-of-service & overflowing attacks against pull-based ID/LOC caches. > The solution is based on implementing a per-source rate-limiter at the xTR > using an efficient Count-Min Sketch structure. > Hi Albert, Thank you for forwarding the paper. It is an interesting read! I have a few comments: >From the paper: "In LISP the mapping from the overlay namespaces can be done using two mechanisms." I believe a third mechanism is exists in secure redirects. This is akin to ICMP redirects where a network router informs a sender that there is a better path. This is sort of a hybrid of the pull and push models. >From the paper: "It is worth noting that this solution assumes that spoofing source addresses is not possible inside the LISP site". That is a big assumption and I'm not sure it will be generally true. Even if if spoofing is enabled, trying to identify bad guys by source address is still precarious. Consider that there could be complex downstream networks of LISP that are possibly behind NAT, delegated prefixes, VMs sharing common server IP address, etc. You might also want to consider the possibility of a distributed denial of service attack where the attacker uses many system to attack a cache where no individual systems sends a high enough rate of packets to trip the rate limiting threshold. I imagine the code for an attack on cache is pretty trivial-- little more than a simple loop sending UDP packets to random destinations. This could very easily be hidden in some downloaded app. >From the paper: "Attackers generate (randomly) between 2 and 3 orders of magnitude more control-plane messages than legitimate users. Specifically, attackers generate a uniform random number in the range of 1k-10k, legitimate users a range in 1-10 and the threshold T is set to 1k" The job of an attacker is blend in so that their traffic is indistinguishable from users. If they know they know what the thresholds are that raise suspicion then they'll adjust their attack to avoid hitting the thresholds! In this case, for instance, they could try a DDOS to avoid detection. Caches also have other attack vectors. For instance, if an attacker knows they hash algorithm and the cache scheme, they might be able to launch and attack to prevent service to specific destinations by targeting the hash buckets of the destination. This sort of attack comes up a lot in traffic steering which is why all those schemes requiring randomizing the hash key and occasionally rekeying. >From the paper: "The main design rationale behind the proposed solution is to detect and push-back attackers by rate-limiting them in aggregating points" Unless the identification of attackers is perfect (which again is what attackers are working to prevent), at some point legitimate users will get swept up in this and they will be subject to the same rate limiting. In that case, what is the effect on them? For instance, are they completely blocked sending packets for some period of time? How would this situation be resolved? Thanks, Tom > Albert > > _______________________________________________ > ila mailing list > ila@ietf.org > https://www.ietf.org/mailman/listinfo/ila >
- [Ila] Securing pull-based ID/LOC caches Albert Cabellos
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert
- Re: [Ila] Securing pull-based ID/LOC caches Dino Farinacci
- Re: [Ila] Securing pull-based ID/LOC caches Albert Cabellos
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert
- Re: [Ila] Securing pull-based ID/LOC caches Dino Farinacci
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert