IETF Logo Mail Archive

Re: [Ila] Securing pull-based ID/LOC caches

Albert Cabellos <albert.cabellos@gmail.com> Fri, 23 March 2018 14:06 UTC

Return-Path: <albert.cabellos@gmail.com>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA8DD126CBF; Fri, 23 Mar 2018 07:06:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XKVJ_PQOeM6U; Fri, 23 Mar 2018 07:06:15 -0700 (PDT)
Received: from mail-yb0-x22f.google.com (mail-yb0-x22f.google.com [IPv6:2607:f8b0:4002:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F4C01200F1; Fri, 23 Mar 2018 07:06:15 -0700 (PDT)
Received: by mail-yb0-x22f.google.com with SMTP id e3-v6so4129064ybk.1; Fri, 23 Mar 2018 07:06:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4yoDSQes8gUivEwIObT/vMRemvlffMdNqmyJFeHnI8U=; b=NWbKQnCGopl/sHaH298Yj/iOvKF3QCfwM1hTBfGYArgkIyY9uJEwK/OFuHWKpmWROJ EU+cSXt3MTXh5Jp86LmN4AJeKhXGsEg5jaeZ2TaQOqktG+bDy9eH9nlhkSlPw3f37GA4 yxpV7fBn8MHgmy2EDHRnvFVGWsxPU4jrC4ZjNrd0e5oHPjoz7WqdEknBtUk2CKtDjB7m TrijDUOXTVOo6CSXLN0+ux3LbHi9XVCKDcmmWhDhnP8l0FYw6or9VrmaixOF+cTwpni/ +0Mo9AIH2NiKMMarZz/wJ7ffaDnDWcCKdNQGLwoiXCdq+FhSn8BQEsVu6xLcBjNRGimg Tz/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4yoDSQes8gUivEwIObT/vMRemvlffMdNqmyJFeHnI8U=; b=s4sG38y2Hn7xMn4rYt9tQaMikqH8Nc6yVa54OfeuutiP5Q1/OFyNFpdyeWXgpIXN+B xIo6DY4U7u2ZXFSRPC8ZSGGdYi0ygv3nAgMGfpbya5mKuQYe4Cu1r9C45VPiGhzohaHb sLFSNfq1rst+n9HjJoEPhtGuaDrJ9O7VT6PIIbHfSSdncKvWwDRaxdGEA9UAY3eURF6T 4hG4Imqc1XopaSGz7phFc7nGx+cncdrWgo1X/Wdjn6JVMl1YxC+0Dj3f5xQ7cDt4YhM6 SLA9MFVT5UtzK+n/1Z7UV4/A9ri7I220IjZz22SofjGP642PFfQiPZMdrOObUdsp5T0e 59kA==
X-Gm-Message-State: AElRT7HDUsfoTS1ec3Zd1MzzY7cCnm4cOmRgLRuV2AbvijMvTeBTlZzm tOe8h1pyn164v0MGrQ0aZu4G9wvAl5RkyzzZBV9k1meQ
X-Google-Smtp-Source: AG47ELsVFIePDYubhFoe+hEjBQQGrqYJIgz4PpSZw/NjPmGe1Ho53fSYoROdZTN0vR1be9qDd6JcSqz9UvuTmUn08IE=
X-Received: by 2002:a25:b192:: with SMTP id h18-v6mr17071460ybj.170.1521813973947; Fri, 23 Mar 2018 07:06:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:3356:0:0:0:0:0 with HTTP; Fri, 23 Mar 2018 07:06:13 -0700 (PDT)
In-Reply-To: <CAPDqMerHA3F2_U8Bq+LzhXnQnrYx4yu-oS_esK8PEQEDyAFafA@mail.gmail.com>
References: <CAGE_QeyRO-o2umJtCWyoAX7E9y8Fi34kTsfUsJ-G_a7ZGnCGrA@mail.gmail.com> <CAPDqMerHA3F2_U8Bq+LzhXnQnrYx4yu-oS_esK8PEQEDyAFafA@mail.gmail.com>
From: Albert Cabellos <albert.cabellos@gmail.com>
Date: Fri, 23 Mar 2018 15:06:13 +0100
Message-ID: <CAGE_QexxzoTQnNdvonT+393pz+LPqorXMBENj6eDGS0yumsLvw@mail.gmail.com>
To: Tom Herbert <tom@quantonium.net>
Cc: "lisp@ietf.org list" <lisp@ietf.org>, ila@ietf.org
Content-Type: multipart/alternative; boundary="00000000000054dcc6056814ed0b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/u1M1B5J8Zj8rFWt2c0oOnHInHrw>
Subject: Re: [Ila] Securing pull-based ID/LOC caches
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 14:06:18 -0000

Hi Tom

Thank you very much for your feedback, please see inline:

On Fri, Mar 23, 2018 at 12:46 PM, Tom Herbert <tom@quantonium.net> wrote:

> On Thu, Mar 22, 2018 at 9:13 AM, Albert Cabellos
> <albert.cabellos@gmail.com> wrote:
> > Hi all
> >
> > I am attaching a short paper describing a solution for control-plane
> > denial-of-service & overflowing attacks against pull-based ID/LOC caches.
> > The solution is based on implementing a per-source rate-limiter at the
> xTR
> > using an efficient Count-Min Sketch structure.
> >
> Hi Albert,
>
> Thank you for forwarding the paper. It is an interesting read!
>
> I have a few comments:
>
> From the paper: "In LISP the mapping from the overlay namespaces can
> be done using two mechanisms."
>
> I believe a third mechanism is exists in secure redirects. This is
> akin to ICMP redirects where a network router informs a sender that
> there is a better path. This is sort of a hybrid of the pull and push
> models.
>

Agreed, as we point in the short paper alternative LISP deployment models
are possible [draft-rodrigueznatal-ila-lisp-00] if the assumptions
described in the paper do not hold.

>From the paper: "It is worth noting that this solution assumes that
> spoofing source addresses is not possible inside the LISP site". That
> is a big assumption and I'm not sure it will be generally true.
>
>
We consider it a reasonable assumption, particularly for data-center and 5G
scenarios.


> Even if if spoofing is enabled, trying to identify bad guys by source
> address is still precarious. Consider that there could be complex
> downstream networks of LISP that are possibly behind NAT, delegated
> prefixes, VMs sharing common server IP address, etc.
>
>
The paper focuses on source IP addresses but it can be trivially adapted to
identify users using any information in the packet headers or from the
network infrastructure.

You might also want to consider the possibility of a distributed
> denial of service attack where the attacker uses many system to attack
> a cache where no individual systems sends a high enough rate of
> packets to trip the rate limiting threshold. I imagine the code for an
> attack on cache is pretty trivial-- little more than a simple loop
> sending UDP packets to random destinations. This could very easily be
> hidden in some downloaded app.
>

The threshold determines what is and what is not an attacker, if they are
below T then this means that they are not overflowing the control-plane
channel. In other words, T is related to the maximum throughput of this
channel.

>
> From the paper: "Attackers generate (randomly) between 2 and 3 orders
> of magnitude more control-plane messages than legitimate users.
> Specifically, attackers generate a uniform random number in the range
> of 1k-10k, legitimate users a range in 1-10 and the threshold T is set
> to 1k"
>
> The job of an attacker is blend in so that their traffic is
> indistinguishable from users. If they know they know what the
> thresholds are that raise suspicion then they'll adjust their attack
> to avoid hitting the thresholds! In this case, for instance, they
> could try a DDOS to avoid detection.
>
>
In my view this is orthogonal. You pick T (the threshold) so that it
determines the maximum throughput of your control-plane channel. If they
are below T then you have enough resources to accommodate all control-plane
messages.

Caches also have other attack vectors. For instance, if an attacker
> knows they hash algorithm and the cache scheme, they might be able to
> launch and attack to prevent service to specific destinations by
> targeting the hash buckets of the destination. This sort of attack
> comes up a lot in traffic steering which is why all those schemes
> requiring randomizing the hash key and occasionally rekeying.
>

Yes, but LFU-A or ARC mechanisms require attackers to generate as much
traffic to unpopular destinations as the popular destinations are
receiving. If this happens in your network this roughly means that you have
more traffic from attackers than from legitimate users. Then what is the
'legitimate traffic'? Either you fix your network or you serve what your
users want.

We have seen over and over that traffic is a long-tail distribution, some
destinations are very popular while many other destinations are not
popular. The same applies to the pages accessed by a computer program, etc.
This is the underlying reason why caches are so prevalent in computer
science. With long-tail distributions they are very efficient in terms of
resource consumption.

>From the paper: "The main design rationale behind the proposed
> solution is to detect and push-back attackers by rate-limiting them in
> aggregating points"
>
> Unless the identification of attackers is perfect (which again is what
> attackers are working to prevent), at some point legitimate users will
> get swept up in this and they will be subject to the same rate
> limiting. In that case, what is the effect on them? For instance, are
> they completely blocked sending packets for some period of time? How
> would this situation be resolved?
>

If anti-spoofing mechanisms are not in place then the solution proposed in
the paper does not work.

The rate-limiter allows you to send T messages per period of time p. After
p seconds you can send T additional control-plane messages. The
rate-limiter is T/p control-plane messages per second.

Thanks!

Albert

>
> Thanks,
> Tom
>
> > Albert
> >
> > _______________________________________________
> > ila mailing list
> > ila@ietf.org
> > https://www.ietf.org/mailman/listinfo/ila
> >
>

v2.23.0 | Report a Bug | By Email