Re: [lisp] Mirja Kühlewind's No Objection on draft-ietf-lisp-ddt-08: (with COMMENT)

Anton Smirnov <asmirnov@cisco.com> Tue, 01 November 2016 19:05 UTC

To: Mirja Kuehlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>
References: <147756279870.18880.16779109803016660833.idtracker@ietfa.amsl.com>
From: Anton Smirnov <asmirnov@cisco.com>
Organization: Cisco Systems
Message-ID: <30d35695-5683-30f3-f2d3-28739a1bbf86@cisco.com>
Date: Tue, 01 Nov 2016 20:04:23 +0100
In-Reply-To: <147756279870.18880.16779109803016660833.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/AmzazSYTdFuzMwPf8-IebgBkd9Q>
Cc: lisp-chairs@ietf.org, draft-ietf-lisp-ddt@ietf.org, lisp@ietf.org
Subject: Re: [lisp] Mirja Kühlewind's No Objection on draft-ietf-lisp-ddt-08: (with COMMENT)

    Hello Mirja,

    thanks for your comment. Since LISP/DDT was conceived to be used on the public Internet, security concerns are very important and were taken very seriously. The authors believe that the trust delegation scheme specified in the document provides a very good mechanism to verify the authenticity of DDT messages.

    The system obviously remains potentially vulnerable to (D)DoS attacks overloading DDT nodes with non-authenticated requests.

    Most of the security concerns are inherited from LISP-SEC and are being discussed in the corresponding draft.

    The authors are planning to enhance the security section of the draft in the next revision, mostly to clarify the calculation and verification of signatures.

Anton

On Thursday 27 October 2016 12:06, Mirja Kuehlewind wrote:
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-lisp-ddt-08: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-lisp-ddt/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Would it be worth it to potentially think about/document potential
> attacks against this system? I didn't think myself about what such an
> attack could look like, but given that location and identity are potentially
> sensitive data it might be worth it...