Re: [lisp] [Ila] LISP for ILA

Dino Farinacci <> Fri, 16 March 2018 18:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3A05E129515; Fri, 16 Mar 2018 11:41:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2rC8FP-7aaFf; Fri, 16 Mar 2018 11:41:43 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c00::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF46A12D7ED; Fri, 16 Mar 2018 11:41:43 -0700 (PDT)
Received: by with SMTP id h11so4484540pfn.4; Fri, 16 Mar 2018 11:41:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=AaZm0r9E/WeUt9DQV7wlYQDCP5W8tDDQ7ae/UsYn/rA=; b=Rulxce4hmy5aep/RpnpEwfwAlhOyfRp/LmdAI6k+9SclslUTsuCjVdqHf2Vt+3tUDA nWDdNuxVlLuZNvoNknD8fMNwkAGFygG86HfoUegNcrUu1PxsvvCf4bzJ5v81twuGZKko T8TG5Cup2P2qd2CsIm2KDEs7qW9GgxzqDoQav6LdbECopPPyQbmLKWOoxyhnNRb/Wwld Xh62ZqxeIPsLe9+CuamSAArS1sAmbNtuiUiJ69GgPDbs/AZqWiQKbkUYL5dIwHOOrHWk tw0pD6Nf5/sYOyAwMQcfUGDN3Epu69dw00Yaq01DWpYPyl523rApXBvqBF69Xl0QGgZI HXag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=AaZm0r9E/WeUt9DQV7wlYQDCP5W8tDDQ7ae/UsYn/rA=; b=ctt2HXi9htqHIsKPee4l4Kt5XhfxcFTYpbwE769d2uqdsCH48ZJcr2ha5H6noExdKm wwJeJcV3IAVmteHJPNByv2ARydTqrkHBnEgoQKBKpdnokefFZN7JDzb+97Kj2aTVc6yt RQ0k5e5GW5nPa0BT+RUhClH3AsAWW56P7WHY9sAIhyP6BPwly1gjdYcshKS0RxFl3rf5 f5gpJvuZOLPzLaPMAvmrotq1Fs+vWlG8J4cf1AK0XlvEzvXUx2C8cqGuT6D4+xCqlwFn L4MZQRx2AZZW61adI33z+SCqGOjpjI16BCOgKLigKUsw9bkm8Z4L0M9XLLci4b+dJZOs qm5A==
X-Gm-Message-State: AElRT7HwXsbhBhWyD7/UWAuZw5FNRCg5+bhHuwfRRETw5n1w63pvUyHH DkuysAG40CUV3NXi9i4qKIY=
X-Google-Smtp-Source: AG47ELu9y6QeFJ24OuTjyLfaZFdx5j85pKcNt4Ma/M8kfG4rc+FMVFqfMjCcTtUIJfNkpNcO6KNF8A==
X-Received: by with SMTP id k1mr2265357pgr.61.1521225703297; Fri, 16 Mar 2018 11:41:43 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id 189sm16732996pfu.129.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Mar 2018 11:41:42 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Dino Farinacci <>
In-Reply-To: <>
Date: Fri, 16 Mar 2018 11:41:41 -0700
Cc: Florin Coras <>, "Alberto Rodriguez Natal (natal)" <>, "" <>, "" <>, David Meyer <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
To: Tom Herbert <>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <>
Subject: Re: [lisp] [Ila] LISP for ILA
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 16 Mar 2018 18:41:45 -0000

> Detecting that something is under DOS attack is not problem. It’s

I do think it is a problem. Because you can’t tell sometimes if it is a high-rate due to high demand from good actors. From the mapping system’s perspective, you don’t know the traffic patterns so you don’t know that if a source-EID wants to talk to 100 EIDs if that is a good actor or a bad actor. If that source-EID is my phone, then it may be suspect, but if it’s a Google server talking to 100 phones, that is pretty normal.

> pretty obvious when a device is getting flooded which a bunch of
> spoofed SYNs for example. The problem is trying to find that one SYN
> packet in a thousand that is not part of the attack and is actually

Right, at cisco, we called that “the needle in the haystack problem”. And it comes up when we talk about topics of “punt path” in routers and DoS attacks.

> legitimate. Again this is not easy because the attacker is purposely
> trying to prevent this determination. AFAIK this is a generally

Yep, that’s right.

> unsolved problem and probably impossible to fully solve. So if the

Agree. We should look at the honey-pot solutions that DNS has used. But its a different animal though than packet attacks.

> reaction to the attack is to stop all requests and that one legitimate
> flow is blocked from making progress, then it would seen the DOS
> attack is successful.

That isn’t what would happen with the frequency-hopping idea. If the map-resolver is aggressive in dropping and it drops the needles, those ITRs have a back-up or parallel plan to get their requests resolved from other map-resolvers in the mapping system. Be them part of an anycast group or not.