IETF Logo Mail Archive

Re: [lisp] WGLC draft-ietf-lisp-threats-08

Damien Saucez <damien.saucez@gmail.com> Thu, 05 December 2013 23:05 UTC

Return-Path: <damien.saucez@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9B6F1AE1CD for <lisp@ietfa.amsl.com>; Thu, 5 Dec 2013 15:05:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_52=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Znm4bCeYRboT for <lisp@ietfa.amsl.com>; Thu, 5 Dec 2013 15:05:34 -0800 (PST)
Received: from mail-we0-x22f.google.com (mail-we0-x22f.google.com [IPv6:2a00:1450:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 7A6351AE17E for <lisp@ietf.org>; Thu, 5 Dec 2013 15:05:34 -0800 (PST)
Received: by mail-we0-f175.google.com with SMTP id t60so1573062wes.34 for <lisp@ietf.org>; Thu, 05 Dec 2013 15:05:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=jdDSScfRHqK2wkfKfGcjZHkTbqPgOCej3ZA6BZxJJWA=; b=Ho4O545QK4Z40JXjevkQdDfuizWVTTYPVbM+rW2xpKmKGW8WAQAocOV8VCByvAQsRv hxTbpHbSOqKrlNNG5+G8XBctQHKGu06I74HQDR85CnIHoVG7gnHhYUAXkY+bkJqGy6nV Y12mYyOlxotSRJZXDaJQOyCwRmZfxUMTgs4lGqFrnaTl0OIEfJRuHnxgu5P5OoZ8Bg4V WmBYWRXEnLX27W1tCsun2ov53jE/o9ZZ7VC8WEDBIZWpnobVKaFFsagY8KLR4Q9ILk2B a7KvkrYQ1NtqMhJU1pbnxXBrp4bps/7c4IzKqU9KfEb/wDb5KfW3bzlCqdg61eFCf7CV 7HGA==
X-Received: by 10.180.13.142 with SMTP id h14mr146847wic.3.1386284730505; Thu, 05 Dec 2013 15:05:30 -0800 (PST)
Received: from [192.168.1.73] (LVelizy-156-46-22-251.w80-11.abo.wanadoo.fr. [80.11.231.251]) by mx.google.com with ESMTPSA id je17sm594527wic.4.2013.12.05.15.05.28 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Dec 2013 15:05:29 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_96A63A67-368D-4A0B-A0FC-03639D03F07A"
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Damien Saucez <damien.saucez@gmail.com>
In-Reply-To: <52A05BC6.9080008@ac.upc.edu>
Date: Fri, 06 Dec 2013 00:05:25 +0100
Message-Id: <D4B39C6B-F143-4C5D-AB9A-F180AAB1872E@gmail.com>
References: <CEC226FA.1EAA8%terry.manderson@icann.org> <529F9088.8060504@ac.upc.edu> <91805CE8-01CC-4F6D-945F-D98D23A3F179@gmail.com> <52A05BC6.9080008@ac.upc.edu>
To: Albert Cabellos <acabello@ac.upc.edu>
X-Mailer: Apple Mail (2.1822)
Cc: LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] WGLC draft-ietf-lisp-threats-08
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 23:05:36 -0000

On 05 Dec 2013, at 11:56, Albert Cabellos <acabello@ac.upc.edu> wrote:

> Hi,
> 
> On 04/12/2013 22:40, Damien Saucez wrote:
> 
> [snip]
>>> * Section 4.3.2.2->RFC6830 already recommends rate-limiting Map-Requests,
>>> hence there is a limit on the amplification attack.
>>> 
>> 
>> I think the analysis is complementary to the recommendation.  In
>> RFC6830, no reason is given about why rate limit, here it shows why
>> this is recommended.
>> 
> I agree, but the text seems to suggest that the amplification attack scales linearly and it is bounded to the maximum bandwidth (in control messages per second) of the attacker, this is not true. The attack is bounded by the rate-limit set at the xTR.
> 
>>> 
>>> * Section 4.3.2.3->I´m having a hard time understanding this attack,
>>> even under attack, the ETR will reply with the "real nonce", at least
>>> once. Probably I´m missing something.
>>> 
>>> 
>> 
>> sure but if an attacker floods with random nonce, then when the node
>> will answer with the real nonce, it will already have been changed to
>> another one sent by the attacker.
>> 
> 
> Right, thanks. What about recommending that each nonce should be used at least once? So that a nonce can´t be overwritten if it has not been used.
> 

Isn't that the definition of a nonce? I don't see how it helps.

Imagine

- Legit sends Nonce1 
- Bad guy sends Nonce2 with spoof address of Legit
- Nonce1 arrives, but it is too late, it has been overridden by Nonce2
already so the return with Nonce1is just ignored.

>>> * Section 4.4.1-> In some cases the SMR-invoked Map-Request is sent
>>> through the mapping system (not directly to the source RLOC), in this
>>> case the attack is still effective and involves the Mapping System, the
>>> Map-Server and the xTR (if operating in non-proxy mode).
>>> 
>> 
>> I am not sure I understand your question here.
>> 
> 
> I´m referring to this paragraph:
> 
> "  The Map-Request message may also contain the SMR bit.  Upon reception
>    of a Map-Request message with the SMR bit, an ETR must return to the
>    source of the Map-Request message a Map-Request message to retrieve
>    the corresponding mapping.  This raises similar problems as the RLOC
>    record P bit discussed above except that as the Map-Request messages
>    are smaller than Map-Reply messages, the risk of amplification
>    attacks is reduced. "
> 
> In some cases the SMR-invoked Map-Request is sent through the Mapping System (RFC6830):
> 
> "      If the source Locator is the only
>        Locator in the cached Locator-Set, the remote ITR SHOULD send a
>        Map-Request to the database mapping system just in case the
>        single Locator has changed and may no longer be reachable to
>        accept the Map-Request."
> So my point is that the attack is similar (true) but in some cases the amplification attack is through the Mapping System. Again the attack is bounded by the rate-limit set the xTR. In my view this should be also stated.

ok, we could say so

Damien Saucez

> 
> Regards
> 
> Albert
>> 
>>> Editorial, please consider them suggestions, at the end it is a matter
>>> of taste of the writer/reader.
>> 
>> ok, will take them into account according to other reviews.
>> 
>>> > 1.  Introduction
>>> >
>>> >    The Locator/ID Separation Protocol (LISP) is defined in [RFC6830].
>>> 
>>> specified instead of defined?
>>> 
>>> >    The present document assesses the security level and identifies
>>> >    security threats in the LISP specification if LISP is deployed in the
>>> >    Internet (i.e., a public non-trustable environment).  As a result of
>>> >    the performed analysis, the document discusses the severity of the
>>> >    threats and proposes recommendations to reach the same level of
>>> >    security in LISP than in Internet today (e.g., without LISP).
>>> 
>>> "(i.e., without LISP)" (not e.g.,) I understand that the authors are not
>>> referring to an example.
>>> 
>>> >    This document does not consider all the possible uses of LISP as
>>> >    discussed in [RFC6830].  The document focuses on LISP unicast,
>>> >    including as well LISP Interworking [RFC6832], LISP-MS [RFC6833], and
>>> >    LISP Map-Versioning [RFC6834].  The reading of these documents is a
>>> >    prerequisite for understanding the present document.
>>> 
>>> Several deployment scenarios are discussed in
>>> draft-ietf-lisp-deployment, please consider citing it and discussing if
>>> the use-cases described in the deployment draft are covered by this
>>> analysis.
>>> 
>>> >    SA  is an off-path attacker that is able to send spoofed packets,
>>> >        i.e., packets with a different source IP address than its
>>> >        assigned IP address.  SA stands for Spoofing Attacker.
>>> 
>>> SA attackers need access to the RLOC space, it might make sense to state
>>> this here.
>>> 
>>> > 4.3.1.2.  Threats concerning Interworking
>>> >
>>> >    [RFC6832] defines Proxy-ITR And Proxy-ETR network elements to allow
>>> 
>>> Edit "and" instead of "And"
>>> 
>>> On 02/12/2013 3:02, Terry Manderson wrote:
>>>> I would just like to highlight that the end of this LC draws near.
>>>> 
>>>> Without review, this document cannot move forward.
>>>> 
>>>> Cheers
>>>> Terry
>>>> 
>>>> On 20/11/13 9:23 AM, "Terry Manderson" <terry.manderson@icann.org> wrote:
>>>> 
>>>>> All,
>>>>> 
>>>>> As requested in Vancouver, the authors of draft-ietf-lisp-threats-08 have
>>>>> requested a work group last call.
>>>>> 
>>>>> Here starts a 14 day last call for this document, the last call will end
>>>>> on
>>>>> Wednesday 4th December 2013.
>>>>> 
>>>>> You will find its text here:
>>>>> http://tools.ietf.org/html/draft-ietf-lisp-threats-08
>>>>> 
>>>>> Please review this WG item and provide any last comments.
>>>>> 
>>>>> Cheers
>>>>> Terry
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> lisp mailing list
>>>>> lisp@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/lisp
>>> 
>>> _______________________________________________
>>> lisp mailing list
>>> lisp@ietf.org
>>> https://www.ietf.org/mailman/listinfo/lisp
>> 
>

v2.39.1 | Report a Bug | By Email | System Status