[lisp] possible text for LISP threats

Ross Callon <rcallon@juniper.net> Fri, 13 June 2014 16:26 UTC

Return-Path: <rcallon@juniper.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 9C5581B2974 for <lisp@ietfa.amsl.com>; Fri, 13 Jun 2014 09:26:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id FhuwOiR9nBzr for <lisp@ietfa.amsl.com>; Fri, 13 Jun 2014 09:26:36 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0142.outbound.protection.outlook.com []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C72831A00D2 for <lisp@ietf.org>; Fri, 13 Jun 2014 09:26:35 -0700 (PDT)
Received: from CO2PR05MB636.namprd05.prod.outlook.com ( by CO2PR05MB633.namprd05.prod.outlook.com ( with Microsoft SMTP Server (TLS) id 15.0.954.9; Fri, 13 Jun 2014 16:26:32 +0000
Received: from CO2PR05MB636.namprd05.prod.outlook.com ([]) by CO2PR05MB636.namprd05.prod.outlook.com ([]) with mapi id 15.00.0954.000; Fri, 13 Jun 2014 16:26:32 +0000
From: Ross Callon <rcallon@juniper.net>
To: "damien.saucez@inria.fr" <damien.saucez@inria.fr>, "luigi.iannone@telecom-paristech.fr" <luigi.iannone@telecom-paristech.fr>, "olivier.bonaventure@uclouvain.be" <olivier.bonaventure@uclouvain.be>
Thread-Topic: possible text for LISP threats
Thread-Index: AQHPhyMnC8QSqTBqz0alNjaiEG8PF5tvOB5g
Date: Fri, 13 Jun 2014 16:26:31 +0000
Message-ID: <898c27d33fdd452499848408c9eac47f@CO2PR05MB636.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-microsoft-antispam: BL:0; ACTION:Default; RISK:Low; SCL:0; SPMLVL:NotSpam; PCL:0; RULEID:
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM; SFS:(979002)(6009001)(428001)(189002)(199002)(164054003)(4396001)(46102001)(20776003)(77096999)(92566001)(2201001)(85852003)(76576001)(33646001)(83072002)(2656002)(87936001)(74662001)(54356999)(66066001)(80022001)(50986999)(64706001)(86362001)(76482001)(31966008)(101416001)(74502001)(81342001)(99396002)(74316001)(83322001)(21056001)(99286001)(77982001)(81542001)(79102001)(105586001)(24736002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:; SCL:1; SRVR:CO2PR05MB633; H:CO2PR05MB636.namprd05.prod.outlook.com; FPR:; MLV:ovrnspm; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: juniper.net does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rcallon@juniper.net;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/70A8SEN3lUTTJ3_uIPS7RtFo-c8
Cc: LISP mailing list list <lisp@ietf.org>
Subject: [lisp] possible text for LISP threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jun 2014 16:26:38 -0000

We have had significant discussion of attacks against the control plane of routers, and some discussion of the relative capacity of the control plane versus data plane. I have been thinking that the LISP threats document should give examples of DoS attacks against the control plane of the xTR's. If this will help with progression of the document, some possible text is below. I am not sure if this is complete but it might be a start. 

It is not completely obvious where this text would best fit into the existing document, and my understanding is that some restructuring of the document is underway. Perhaps as new subsection(s) at the end of section 5.2 (Denial of Service) of the existing document might be appropriate. I have written the text below as two subsections 5.2.3 and 5.2.4 of section 5.2, but of course there are other ways that this could be incorporated into the threats document. 

Thanks, Ross

5.2.3 Control Plane versus Data Plane DOS attacks

In some cases, particularly very high speed routers, there may be a very large difference between the capacity of the data plane versus the control plane. For example, at the time this is written there are widely deployed routers which can handle a few terabits of data in the data plane. These routers might typically have gigabit Ethernet links to the control processor, but it is unlikely that they could handle Map-Requests coming in at line rate at a gigabit. Thus in some routers (particularly very high speed ones) the ratio between the speed of the control plane and the speed of the data plane may be significantly greater than 1,000.

This implies that DoS attacks against the control plane of routers may be more serious than DOS attacks which only target the data plane. LISP allows data plane traffic to impact the control plane. Examples are included in the following section. 

5.2.4 Examples of DoS attacks

Suppose that the attacker has a single system that he controls, and that his ISP does not check the source address of outgoing packets. Suppose gleaning is turned off (so that gleaning cannot be utilized in the attack): 

1. Attacker could send a lot of packets to one address behind a particular xTR, each packet with a different source EID. This causes the xTR to do a mapping lookup for each one. This causes two problems in the xTR: (i) control plane load (a simple data plane DOS has turned into a control plane DOS); (ii) potential exhaustion of the cache. Optionally the attacker could use the same source RLOC for each, but this could in theory lead to the attacked xTR noticing and putting in a packet filter for that source RLOC, so that varying the source RLOC may make this attack more difficult to counter. 

2. Attacker could send a lot of packets to many remote xTRs, one packet to each, all with the same source forged EID and source RLOC, with the source EID and source RLOC being that of the system that he really wants to attack. This causes each to do the same mapping lookup, which might overwhelm the mapping system serving the system under attack. 

3. Attacker could send a large number of map requests to many remote xTRs, all with the same forged source EID and source RLOC, again with the source EID and source RLOC being that of the system that he really wants to attack. This causes each to send a map response to the system under attack. This again would be intended to overwhelm the control plane and cache of the system under attack. 

Suppose that the attacker controls a moderate sized BOTNET, consisting of a few thousand captive systems. He might install enough software on his BOT's to send a packet that looks like a LISP packet. In this case each of the attacks discussed above can be multiplied by having a wider range of systems participating in the attack.