Re: [lisp] Eric Rescorla's Discuss on draft-ietf-lisp-rfc6830bis-20: (with DISCUSS and COMMENT)
Luigi Iannone <ggx@gigix.net> Mon, 15 October 2018 10:49 UTC
Return-Path: <ggx@gigix.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9EC4130E45 for <lisp@ietfa.amsl.com>; Mon, 15 Oct 2018 03:49:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gigix-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XrLdNsccELw for <lisp@ietfa.amsl.com>; Mon, 15 Oct 2018 03:49:07 -0700 (PDT)
Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69660130E3E for <lisp@ietf.org>; Mon, 15 Oct 2018 03:49:07 -0700 (PDT)
Received: by mail-wr1-x444.google.com with SMTP id y11-v6so20718597wrd.4 for <lisp@ietf.org>; Mon, 15 Oct 2018 03:49:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gigix-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=zXzS5CHKGQcRmeta0ZxLw9RCG/JD0tYriYNCjQfRIus=; b=az4LXR2VvPBNVutOyZob+17RNC+GiMp2ajb/IKL3ZKKmjlRBX3eYr1hfbgJnB4ygUE CkvnvR9F/wGjeGbktLgPp/3LyFTnMwYO3affmao+lxg2uUJMIRrY4HXLUguIQDI3v2hY N4+pksus8l5XulIFMUr971HmVkNIFxSgfljzNtqzhN0XlP37nEZfo4Pmkt6vyu3xRJAB b0A/Syz928GIlZr12ARYV/g+Pq66HgH6+WcFVdhcSpVCXLge9iFhMaPSbidXokkDQv9D AfjFGWDw4wdT7G9MscssY2/GDuLPjLG1NEV54s+zIzpe1HquN3Tp1nHgGU5WSk4Nqj3o Ofwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=zXzS5CHKGQcRmeta0ZxLw9RCG/JD0tYriYNCjQfRIus=; b=CU4xUpxripYX2Njm94PS9hE651TH59raJhkFlwMKd5ip0+9nca/uXobs5hJRy3/N/d WOApgU09CX0kHDQve2qXSX8vcpgu1bNuc5ly/cWD/gU4QmamuMtpLCLT+61ZzGb8nhIH CDt7ZNq7YIu3De67Aww1b27Nr5nyQx+LP9dtcJo9exwQW+kiVcE2j1DZeUwq+sRNNQdO yEnt2ua3qQ9ihgm25TVYzVTrkts/p7+bgRoer3lFxezR5UbhPOcObCo2JD1VyA+Ndf4n QRB5dEJbJk777jsMVG7fAlWEctYL+QEeXBTjQ5WiNSmffIuMZs6txZEEuRtO7wpleSjj n5qA==
X-Gm-Message-State: ABuFfogTzrM3xRXEh/bSEsaTuDDd7Kq6kPRkYifcjsmfxNProVDcZNfi dIVCDKSj8B1Ns0bQAMYDd0FnZw==
X-Google-Smtp-Source: ACcGV63UZhNmODCkk6o8Hqkia5lTUZAL2UZzQEkW3LN16sQFv/1ANWS2xpex/tOxMct/aYsKVKClow==
X-Received: by 2002:a5d:698b:: with SMTP id g11-v6mr14939138wru.159.1539600545761; Mon, 15 Oct 2018 03:49:05 -0700 (PDT)
Received: from ?IPv6:2001:660:330f:a4:a9ce:7790:e4b6:8331? ([2001:660:330f:a4:a9ce:7790:e4b6:8331]) by smtp.gmail.com with ESMTPSA id h64-v6sm7627317wmh.27.2018.10.15.03.49.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Oct 2018 03:49:03 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Luigi Iannone <ggx@gigix.net>
In-Reply-To: <74F9CFAD-6C2E-4BDB-A56B-0186789EE058@gmail.com>
Date: Mon, 15 Oct 2018 12:49:01 +0200
Cc: Eric Rescorla <ekr@rtfm.com>, Benjamin Kaduk <kaduk@mit.edu>, IESG <iesg@ietf.org>, draft-ietf-lisp-rfc6830bis@ietf.org, lisp-chairs@ietf.org, albert.cabellos@gmail.com, "BRUNGARD, DEBORAH A" <db3546@att.com>, fmaino@cisco.com, "lisp@ietf.org list" <lisp@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DDB8DF69-02B3-4168-A3B2-250421ED2584@gigix.net>
References: <153805068062.26427.10428634331947404660.idtracker@ietfa.amsl.com> <ACFD874F-113E-4AD4-9056-CD3CFA9BA477@gmail.com> <CABcZeBM4XotbW6BYbCzHq7SJW7NdVK+fJZom8J=AHwi+dkL5Wg@mail.gmail.com> <74F9CFAD-6C2E-4BDB-A56B-0186789EE058@gmail.com>
To: Dino Farinacci <farinacci@gmail.com>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/5DoGvJ0KBsQS_QpxI9qtPowZklo>
Subject: Re: [lisp] Eric Rescorla's Discuss on draft-ietf-lisp-rfc6830bis-20: (with DISCUSS and COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Oct 2018 10:49:10 -0000
Hi, > On 15 Oct 2018, at 04:20, Dino Farinacci <farinacci@gmail.com> wrote: > >>> Well this is true, but 6833bis discusses RLOC-reachability and there >>> is a RLOC-probe cache that will tell the ITR when it last heard from >>> the RLOC. >> >> Just to be clear, it's not "last heard from" that you need, but >> rather "last verifiably responded". > > Right agree. > >>>> S 16. >>>>> Map-Versioning is a Data-Plane mechanism used to signal a peering xTR >>>>> that a local EID-to-RLOC mapping has been updated, so that the >>>>> peering xTR uses LISP Control-Plane signaling message to retrieve a >>>>> fresh mapping. This can be used by an attacker to forge the map- >>>>> versioning field of a LISP encapsulated header and force an excessive >>>>> amount of signaling between xTRs that may overload them. >>>> >>>> Can't I also set a super-high version number, thus gagging updates? >>> >>> It doesn’t matter the value. All that matters is that it changed and you should do to the mapping system to get an updated RLOC-set. >> >> Hmm... S 5.1 of 6834-bis suggests that you can just discard it. This is true if we talk about the destination version number (S5.1 6834bis). If you receive a LISP packet carrying a map version number that is higher that what you registered in the map system then there is ana issue with the packet. Best option is to discard it. Different think is about source version number. If I receive a packet with a source Map-Version number higher (does not matter how much higher, just higher) than the version I have stored in my cache, then I need to check with the mapping system whether something has really changed, hence I send a Map-Request. This last action can generate the attack described above. Concerning the text it self, I think is OK. Or you guys see something missing or not clearly stated? Ciao L. > > Luigi - what do you think. Do we need rewording? > > Dino
- [lisp] Eric Rescorla's Discuss on draft-ietf-lisp… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Luigi Iannone
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Luigi Iannone
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci