Re: [Ila] Securing pull-based ID/LOC caches
Tom Herbert <tom@quantonium.net> Sat, 24 March 2018 11:56 UTC
Return-Path: <tom@quantonium.net>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF1591205D3 for <ila@ietfa.amsl.com>; Sat, 24 Mar 2018 04:56:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=quantonium-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNPlIQAcDQUR for <ila@ietfa.amsl.com>; Sat, 24 Mar 2018 04:56:48 -0700 (PDT)
Received: from mail-wr0-x22e.google.com (mail-wr0-x22e.google.com [IPv6:2a00:1450:400c:c0c::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69C11201F2 for <ila@ietf.org>; Sat, 24 Mar 2018 04:56:47 -0700 (PDT)
Received: by mail-wr0-x22e.google.com with SMTP id l49so5389196wrl.4 for <ila@ietf.org>; Sat, 24 Mar 2018 04:56:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quantonium-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xHU5TZ8Tlbt/7DTXBMOgQlyp1uTmePnCjX2a7TQAsIE=; b=mvC+G7hSs750V40z4edHe7MUvCN4XeasemTsulNhMTmtCQRf3PkDZOg/SVTrO1xM5V 2kEW3N95StigX/hQr2DbgQo/HeP3cpeVAPH8bILLDDQa7hPjIqKIEmuvHNr/S4aqeFd8 QSeSqSOk3oC6AICMtlCiq6ivDvUnzULx5gcDd+7Ie6NCbQAU9QQx7FXtMWxAVyyR72Mk /wINzQb4JRU3BX9rrS+4zsYn428clwdkrbDl+v6mfr3cfKIKO+ZL4jUt0QjjKBfJrkGa TrfatU5qq/ghZ7F4s7jIppkhbytOPyClun73KDYlqUADQe9iI7isKX3xyemhoHJSReNF krqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xHU5TZ8Tlbt/7DTXBMOgQlyp1uTmePnCjX2a7TQAsIE=; b=Hp1/XMkbqFRQjI+x37PCT2BUA3nrScXimtAZuRv82y/F/TykppSSVlLXMG8uRK9Fbt LNY5FkIJE2rXX7w8M9SNPqUYkzXhcxUoSsVdSCtXpQhkQ4KKXgRLF5GBFjrJKMeCUt8d Ius+3qNdxVQmXpEbPoN7ZFR9rQvnETz2dNEgD8qFb74GV/yitD0CaW/FPU2LWZzi92AS kTdr5O0+DExHX5wJkx3p7VgPoroZfK9QoHGJGrqL9DYN9NYCy/2Tba1y/ppWiQP66n2S KIV/1yGYdWm2NbNoc9d0GUiveAenCX1vlFT/jJjRaqd8SNKMiYwpxhZWW3avW4O9n3EV a0Lg==
X-Gm-Message-State: AElRT7HKpQX2Ytisvcp6S4zGw3rCz/zx3hruPtm88GWMYT6KDlT2vl4c 3m4Px4QTNXw2FvqSxryGcwXMSDp/1a1CCLHW1hqsnQ==
X-Google-Smtp-Source: AG47ELu4xOKgBmJBRLPcd80K7QrxvvgvGCo+7VYtQ4XYa6qmuHCX6kyPTGtEKxwHZtmfQB+uMk1xIigDJyEj4O9iv00=
X-Received: by 10.223.150.117 with SMTP id c50mr25894823wra.196.1521892606317; Sat, 24 Mar 2018 04:56:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAGE_QeyRO-o2umJtCWyoAX7E9y8Fi34kTsfUsJ-G_a7ZGnCGrA@mail.gmail.com> <CAPDqMerHA3F2_U8Bq+LzhXnQnrYx4yu-oS_esK8PEQEDyAFafA@mail.gmail.com> <38247BED-EFAA-4CF3-B554-910122DD1300@gmail.com>
In-Reply-To: <38247BED-EFAA-4CF3-B554-910122DD1300@gmail.com>
From: Tom Herbert <tom@quantonium.net>
Date: Sat, 24 Mar 2018 11:56:35 +0000
Message-ID: <CAPDqMeq4GgHgy3DxBvMgYvUqTtk9UHA_wjESED4q9pPp6F3mvA@mail.gmail.com>
To: Dino Farinacci <farinacci@gmail.com>
Cc: Albert Cabellos <albert.cabellos@gmail.com>, ila@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>
Content-Type: multipart/alternative; boundary="001a11468ffa2fab140568273cbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/sE6kOskYMH_SXw54qrutmuXaeC8>
Subject: Re: [Ila] Securing pull-based ID/LOC caches
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 11:56:51 -0000
On Fri, Mar 23, 2018, 1:01 PM Dino Farinacci <farinacci@gmail.com> wrote: > I believe we have to spec out how CMS could work in more detail and try > different fields of the IP header for input to different hash functions to > see if the needle (good actors) can get through the haystack (bad actors). > Dino, I'm not sure what else in IP header could help, attackers can spoof any field. If you are saying that users need to authenticate with the LISP sub-system that will have a lot of pushback. > But agree if bad actors are spoofing good actors there is no way to tell. > > Many of us have been thinking about how to use Proof of Work mechanisms so > if a bad actor had to do more work to send a packet it could slow down the > DoS attack. But just early thoughts. The other possibility is to accept the fact that we can't prevent DoS attacks on public networks, however we can limit the effects of the DoS attack so that it's not worth it to an attacker. The limit of interest is the worst case effect of the DoS attack. The worse case we are targeting for attacks on a mapping cache is that packets for good guys might take a suboptimal route. This should be much better than good users having packets dropped or blocked. Tom > > > > Dino > > > On Mar 23, 2018, at 11:46 AM, Tom Herbert <tom@quantonium.net> wrote: > > > > On Thu, Mar 22, 2018 at 9:13 AM, Albert Cabellos > > <albert.cabellos@gmail.com> wrote: > >> Hi all > >> > >> I am attaching a short paper describing a solution for control-plane > >> denial-of-service & overflowing attacks against pull-based ID/LOC > caches. > >> The solution is based on implementing a per-source rate-limiter at the > xTR > >> using an efficient Count-Min Sketch structure. > >> > > Hi Albert, > > > > Thank you for forwarding the paper. It is an interesting read! > > > > I have a few comments: > > > >> From the paper: "In LISP the mapping from the overlay namespaces can > > be done using two mechanisms." > > > > I believe a third mechanism is exists in secure redirects. This is > > akin to ICMP redirects where a network router informs a sender that > > there is a better path. This is sort of a hybrid of the pull and push > > models. > > > >> From the paper: "It is worth noting that this solution assumes that > > spoofing source addresses is not possible inside the LISP site". That > > is a big assumption and I'm not sure it will be generally true. > > > > Even if if spoofing is enabled, trying to identify bad guys by source > > address is still precarious. Consider that there could be complex > > downstream networks of LISP that are possibly behind NAT, delegated > > prefixes, VMs sharing common server IP address, etc. > > > > You might also want to consider the possibility of a distributed > > denial of service attack where the attacker uses many system to attack > > a cache where no individual systems sends a high enough rate of > > packets to trip the rate limiting threshold. I imagine the code for an > > attack on cache is pretty trivial-- little more than a simple loop > > sending UDP packets to random destinations. This could very easily be > > hidden in some downloaded app. > > > >> From the paper: "Attackers generate (randomly) between 2 and 3 orders > > of magnitude more control-plane messages than legitimate users. > > Specifically, attackers generate a uniform random number in the range > > of 1k-10k, legitimate users a range in 1-10 and the threshold T is set > > to 1k" > > > > The job of an attacker is blend in so that their traffic is > > indistinguishable from users. If they know they know what the > > thresholds are that raise suspicion then they'll adjust their attack > > to avoid hitting the thresholds! In this case, for instance, they > > could try a DDOS to avoid detection. > > > > Caches also have other attack vectors. For instance, if an attacker > > knows they hash algorithm and the cache scheme, they might be able to > > launch and attack to prevent service to specific destinations by > > targeting the hash buckets of the destination. This sort of attack > > comes up a lot in traffic steering which is why all those schemes > > requiring randomizing the hash key and occasionally rekeying. > > > >> From the paper: "The main design rationale behind the proposed > > solution is to detect and push-back attackers by rate-limiting them in > > aggregating points" > > > > Unless the identification of attackers is perfect (which again is what > > attackers are working to prevent), at some point legitimate users will > > get swept up in this and they will be subject to the same rate > > limiting. In that case, what is the effect on them? For instance, are > > they completely blocked sending packets for some period of time? How > > would this situation be resolved? > > > > Thanks, > > Tom > > > >> Albert > >> > >> _______________________________________________ > >> ila mailing list > >> ila@ietf.org > >> https://www.ietf.org/mailman/listinfo/ila > >> > > > > _______________________________________________ > > ila mailing list > > ila@ietf.org > > https://www.ietf.org/mailman/listinfo/ila >
- [Ila] Securing pull-based ID/LOC caches Albert Cabellos
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert
- Re: [Ila] Securing pull-based ID/LOC caches Dino Farinacci
- Re: [Ila] Securing pull-based ID/LOC caches Albert Cabellos
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert
- Re: [Ila] Securing pull-based ID/LOC caches Dino Farinacci
- Re: [Ila] Securing pull-based ID/LOC caches Tom Herbert