Re: [lisp] Constructing Map-Replies with overlapping prefixes
Eric Rescorla <ekr@rtfm.com> Thu, 07 February 2019 04:36 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F371E131092 for <lisp@ietfa.amsl.com>; Wed, 6 Feb 2019 20:36:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.04
X-Spam-Level:
X-Spam-Status: No, score=-2.04 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R4knIg6QEghf for <lisp@ietfa.amsl.com>; Wed, 6 Feb 2019 20:36:35 -0800 (PST)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFEED131091 for <lisp@ietf.org>; Wed, 6 Feb 2019 20:36:32 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id j15so7138095lfh.5 for <lisp@ietf.org>; Wed, 06 Feb 2019 20:36:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AnijnoarWlGFgmjGJJEauWTwGLxNBEbdL0xcgyhiJfs=; b=XueBvI5VsIxlVQ5wu60F7AIGapPhApymRA2oRZFbts5KPy3foK5JtauAtk60mnoEkb eVWV0bOKrWDwxFrARUW9O1eMXxtTTIAu5SwPp4zct0/XbBD4ZNPfHRvFL1f6OlMfbU8P Jd3ogI6HSmHY8D5722QtlSYxY2wXIkItNyo5qpeebfzIblDBSXNfgDfjve3JGIImxWRx i5XanaiiaHfNsr5rwpdfyB2iqa3UR2Snhu25+zVcbH3AbvT9Rl+v4hxmV4c1NoH/N8q4 om8Fv22ip/fVjU+qEWtUEFM8YdguZ0gYdEqyiYG4Mbd2tO7znP/X/2OsTx/ZgT+ScWRs Ym5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AnijnoarWlGFgmjGJJEauWTwGLxNBEbdL0xcgyhiJfs=; b=CnRH+ZKLkhcD5xGH/w/A6wD1s/A3zmq4hmpcoDP+QQsJmvswDE0ZuUjOfOZMxgtn44 qt+gzsGG0AcWJrLVFcaigrfz0hrbqC9Ks1zaYPtb1dKIO5JzXmZLyfDCWKGAvvcWMfaw a2wtMb6qNRPW6T5t7StbtS4i0QyMg8oJbGhVx/8fRq9XtA6ER4nC6/qIxjCo5GwyzgAd 6e+4/SQyhr15AFtB4I0a+P41vAoHbB9aCXo9xlR1CcC3dhaAWeUb39fchj6+OF9aBUab TNRHJLpbx+nR5UeDHeX70H3A72WeLGC3zFs/dk8VqdRAa1n1xUHHv77dZrlPM5etGJnz jMCg==
X-Gm-Message-State: AHQUAubMSohmMQ1YOzyPXBTlciYNn4KP2eueCc2ABfLz7Wzjryp/OQYP Y2ncnHuUXUzczi0qW/1ojTY6HYQ4py+U37qwIjLHow==
X-Google-Smtp-Source: AHgI3IYFJgjy5jFhvse4hc14B8yAI5yUjuXXHi14oCyIbI5Bjd2DcSgez0hXzCO+0Ctfkm8Xhxpbxt3mNCSTUsYi+H0=
X-Received: by 2002:a19:1d87:: with SMTP id d129mr7869558lfd.106.1549514191048; Wed, 06 Feb 2019 20:36:31 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBOW=Vam7jxe14gFvu2+8BkQGkJH4eocxhF17ngcYv37rA@mail.gmail.com> <CABcZeBMreZt8uz0xEp9TpT0nt28hHpnmXjkeALCGytPz9ugqoA@mail.gmail.com> <61A6EEE3-F667-4B0D-B8AF-62982ED769BF@gmail.com>
In-Reply-To: <61A6EEE3-F667-4B0D-B8AF-62982ED769BF@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 06 Feb 2019 20:35:51 -0800
Message-ID: <CABcZeBPJJF9ZFwp6iEakndnrbeB_NVSOm+R11m-Z9iTwo0CkUg@mail.gmail.com>
To: Dino Farinacci <farinacci@gmail.com>
Cc: IESG <iesg@ietf.org>, draft-ietf-lisp-rfc6833bis@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000eeabc70581466275"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/2THExXu4D-XxQy_RC68epQFnmlE>
Subject: Re: [lisp] Constructing Map-Replies with overlapping prefixes
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 04:36:38 -0000
On Wed, Feb 6, 2019 at 7:08 PM Dino Farinacci <farinacci@gmail.com> wrote: > Another question: What does the Map Server do if it gets a request for a > shorter prefix than it has an EID for. E.g., I have a > > Returns an empty RLOC-set with action “native-forward” with an EID-prefix > that is equal to the EID-prefix in the Map-Request. > > mapping for 10/8 (and nothing else) but I get a request for 10/4. The text > in S 5.5 suggests that I return an empty locator set. Is that correct? > Yep. > Thanks. This brings me to the security question I have. As I understand it, Map-Requests are not integrity protected (except for the protected OTK if LISP-SEC is used). So consider the following situation. Let's assume that the MS has a prefix table consisting of: 10.1/16 -> ETR1 10.2/16 -> ETR2 The ITR wants to send to 10.1.0.1, so it naturally send a Map-Request for that address, but the attacker tampers with it. ITR Attacker Map Server Map-Request [10.1.0.1/32] -> Map-Request [10/8] -> <- Map-Reply [10/8, RLOC-Set=()] <- Map-Reply [10/8, RLOC-Set=()] Assuming I have understood correctly, this will cause the ITR to think that there is no available mapping for anything in 10/8. Even if there is LISP-SEC, because the Map-Request isn't integrity protected, though the Map-Reply is, the integrity protection doesn't cover the requested prefix, so that doesn't help. Is there something in the protocol that I am missing that prevents this? Thanks, -Ekr Dino > > > On Wed, Feb 6, 2019 at 6:11 PM Eric Rescorla <ekr@rtfm.com> wrote: > >> I'm trying to piece together the algorithm in 6833-bis S 5.5 >> for Map-Replies. The text says: >> >> A Map-Reply returns an EID-Prefix with a mask-length that is less >> than or equal to the EID being requested. >> >> So, consider the case where an MS has two mappings: >> >> 10/8 -> ETR1 >> 11/8 -> ETR2 >> >> If the Map-Request is for 10.0.0.1, then I would return >> >> 10/8 -> ETR1 >> >> Now consider what happens when I have three mappings: >> >> 10/16 -> ETR1 >> 10.0.2/24 -> ETR3 // New >> 11/16 -> ETR2 >> >> Now we turn to the remainder of this section: >> >> When an EID moves out of a LISP site [I-D.ietf-lisp-eid-mobility], >> the database mapping system may have overlapping EID-prefixes. Or >> when a LISP site is configured with multiple sets of ETRs that >> support different EID-prefix mask-lengths, the database mapping >> system may have overlapping EID-prefixes. When overlapping EID- >> prefixes exist, a Map-Request with an EID that best matches any EID- >> Prefix MUST be returned in a single Map-Reply message. For instance, >> if an ETR had database mapping entries for EID-Prefixes: >> >> I'm having trouble parsing this, but what I get out of the example >> is that the Map-Response is supposed to contain the EID-prefix that >> best matches the request, plus whatever exceptions would be required >> to create a correct routing table. So, that would mean in the case >> where the Map-Request contains 10.0.0.1, the MS would have to reply >> with: >> >> 10/16 -> ETR1 >> 10.0.2/24 -> ETR3 // New >> >> The first of these is necessary to provide correct routing information >> for the requested prefix and the second to avoid providing incorrect >> routing information for 10.0.2.1. >> >> Do I have this correct? It seems like the alternative is that the MS >> or ETR synthesize a new, more specific prefix. Is that what's intended >> instead? The example in S 5.5 suggests otehrwise, but perhaps I am >> misunderstanding. >> >> Thanks, >> -Ekr >> >> >> >> >> >> >> >> >> >> >> >>
- [lisp] Constructing Map-Replies with overlapping … Eric Rescorla
- Re: [lisp] Constructing Map-Replies with overlapp… Eric Rescorla
- Re: [lisp] Constructing Map-Replies with overlapp… Dino Farinacci
- Re: [lisp] Constructing Map-Replies with overlapp… Dino Farinacci
- Re: [lisp] Constructing Map-Replies with overlapp… Eric Rescorla
- Re: [lisp] Constructing Map-Replies with overlapp… Eric Rescorla