IETF Logo Mail Archive

[lisp] incremental transition to LISP-SEC (was Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-24: (with DISCUSS and COMMENT))

Benjamin Kaduk <kaduk@mit.edu> Sat, 09 February 2019 22:14 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9545C1293B1; Sat, 9 Feb 2019 14:14:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvJR2XJhX4ul; Sat, 9 Feb 2019 14:14:15 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-eopbgr770122.outbound.protection.outlook.com [40.107.77.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9FDB12426A; Sat, 9 Feb 2019 14:14:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6XLjExbULcE0DAhWqPW8GQuAnEk/W1LF9cQJxwKr8Kw=; b=pab3kTuNVkDhGU7Hu/g+yMahiq1flkMcybWVTa2+m2OsxgqtvZiBS6Kngl96idxICUI0bzYZCZbABEqY354m4AUJrKh1Ehg2McpWr1uVQHQMGSy4+sxhhaX0ftv6jDIvI2r1KNNHQabUBTBYSneR8qnJayLVpCzBABGLnqwJILs=
Received: from CY4PR01CA0005.prod.exchangelabs.com (2603:10b6:903:1f::15) by BN7PR01MB3748.prod.exchangelabs.com (2603:10b6:406:81::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1601.19; Sat, 9 Feb 2019 22:14:12 +0000
Received: from CO1NAM03FT050.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e48::208) by CY4PR01CA0005.outlook.office365.com (2603:10b6:903:1f::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1601.17 via Frontend Transport; Sat, 9 Feb 2019 22:14:12 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by CO1NAM03FT050.mail.protection.outlook.com (10.152.81.76) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.10 via Frontend Transport; Sat, 9 Feb 2019 22:14:11 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x19ME85i007883 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 9 Feb 2019 17:14:10 -0500
Date: Sat, 09 Feb 2019 16:14:07 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: The IESG <iesg@ietf.org>
CC: ggx@gigix.net, lisp-chairs@ietf.org, lisp@ietf.org, draft-ietf-lisp-rfc6833bis@ietf.org
Message-ID: <20190209221334.GA23225@kduck.mit.edu>
References: <154954743968.23471.9935733647283605722.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <154954743968.23471.9935733647283605722.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(396003)(39860400002)(136003)(346002)(376002)(2980300002)(199004)(189003)(305945005)(97756001)(246002)(786003)(186003)(54906003)(47776003)(46406003)(26005)(7696005)(316002)(6666004)(8936002)(88552002)(356004)(1076003)(2906002)(6916009)(8676002)(106002)(486006)(76176011)(55016002)(446003)(53416004)(956004)(26826003)(75432002)(23726003)(58126008)(336012)(16586007)(11346002)(14444005)(126002)(476003)(478600001)(104016004)(36906005)(86362001)(106466001)(50466002)(426003)(4326008)(33656002)(18370500001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN7PR01MB3748; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; A:1; MX:1;
X-Microsoft-Exchange-Diagnostics: 1; CO1NAM03FT050; 1:L1GQm/uTMxLVbEwTlkJHZVYJE1PG11gnYtiLHNt2nri1UmDIKLWCYeL0hScBzFLp2Pa+ri6mTEbCYlXIcEc+PWFk3Rf4jrttvWLIrJScAOMXZqYOGvwYaxu28OoN4dkBTVtSLXcXlIfeXt/gK/kx6uRZMyk49913JhrXSMwOPB4=
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 9b02ec41-a4bc-4e71-76b1-08d68edbebb8
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(4608076)(4709027)(2017052603328)(7153060); SRVR:BN7PR01MB3748;
X-Microsoft-Exchange-Diagnostics: 1; BN7PR01MB3748; 3:+rp9yZY4tvRrZUtuPFuYQekmJHb7BqKit5fD5UOAmeJ655wAGmtoABiSeziF4Zvsi/oTzZIEUZAY6tHddd4c99Pn0D78cJPy/+s2FRMbGRKLxrWCr59yJ0YKP0e4neIulx9oneEZwqwp1BDcta01nokt7WmzTe9t5ZDYi7sk0TkMEIh6rAIpSVy2+mo4XHtekwTMtiTAisCabVU52DxIlblNL8VLGkZZcI+Ihd24cPipMg60HiyyCDa27lJW7dlybKg+DVZ/yR1UKtCfO5jw4+YIY3BBIHkSfUOLKLjo4CYyymCHebCiuS8aVakV2E/ayFSPEvS+56hHqYlDTCOWmPVTGfdMOvr0LJn4YCRD5nRQfYjk1FRJXtSIqAME1gCP; 25:yzjgOIk4WlG/EkC63oFDsrtZbP8R8tyMP8VR35VGQOhNqCeT5SmR+47BLyouqjj7AayNiGeyZozgAqGy4SD1+P5sctMgkXlF+n1V7vw7yd+d3qJIkObXsVi8hNeMI24Vzye6YCED08WfgPdQqIPkyvytOO9dYI5LDZJ/9lAfgPzPLrTZgK4InBso/gY4UaM5WW8MkazNDLSIaILWi2vRDOlRXBK0vmlj9+P7jpT8+lgaF3qOQU1wfyXlA5Jm574kpbVls0LSDQlERfV+Ucl8ujYUj4lpiNh7f8rup4Ic24IAQ+hshZ7aR87/rDEzlX7P0Ohs2WbL3vycR9YA/MNnGw==
X-MS-TrafficTypeDiagnostic: BN7PR01MB3748:
X-Microsoft-Exchange-Diagnostics: 1; BN7PR01MB3748; 31:Vn37cOgGeahEb04L59HPpvdX0b/huH8Oo/ve3DtVDPZ41viL7zYtxqFnvlJxQKqXCyd8tI+JwXrOIJY7cpbry19GQ/sD1inY4LYmbkESPaLMufCfMAfDihbHPZiUQRAP7rpNc1X/nRm92l5IBOR50UmVs0UnHUjI5JJLzK9hezRPVVi/MQEiOXGCMRI+9lD73cwlBkL/rbXlZ6VrDKNlKvwSSVko83tTi9VbzPhF7xg=; 20:tTAotBUZ2vBCwNoVwgPR4kygpf6ZxCg67IsrcIh2E38s5fDAvWv0TryVRKFUH2tCb+hESi04idlhbNK11rpN3dASswA+b7IvPfwf141zkxHkgeDmyRHmfVAtMZbaQ/g57zOj1vsd0OV5IrlvDFDgTgjDkTzhG1OCByS3Bpe06tE9byr2lEZBd2AgxGoOJ8SdL7ZpuxVOLoJPxVP0RoB9JtPaWpkwMCd9RE1tc05NbzllzXwoWBvCGu0qW79Njb3UeOW/0qAwVrKDCcUaa4h8muT2R6CEXL5++707OkWojBN5t5/ogaMoY8sKIlCy7Zirnve22W40Ir70shQlnjl3My7JJiPzvIyS7opEv7E3Rn83+0MWLKU5SKTmBflByOOjNUx8C0ToXF+9Ai5+6Cvi9C4hM221soEd99tSyYVpbvt8kF+UUMguac90IhSii6x5WoyisrCc61t+uCrbmgvXUNuS/oat8KwjCIC87yd27jpiDMEaGrX1CQJwsbx32vPS5MnpKZ/89dtIz3oqZFF0kFh47k11oeKeOr+ix1kYGkge58aq0yjwhwBPONRGGzfQATIdImV+lhmyj+4D+QMzW2O2Y6MfyQeHlo9gJFPSHQ4=
X-Microsoft-Antispam-PRVS: <BN7PR01MB3748F9B65AC145AFFB6A24FCA06A0@BN7PR01MB3748.prod.exchangelabs.com>
X-Microsoft-Exchange-Diagnostics: 1; BN7PR01MB3748; 4:1RXuqYxsaZgdgK2+UcZhSnYKnrIMVhISWlfoQM62D68WmyYl2zfrALen2aezWIus6OUpz6hO3UqcwzUgSrFY1b3hZKDaXjv78RkDlrNIBDra8R6sNNuvIXpQNLYRUYlQE+PYLdnIlO1LzTVaU/bZcq7XLOlu091WibfNezeJ8M6Bf0z0OH24UFVwLP4aucaD1FdE9Hkwj2kJJmMV8cNTKMqa1TsjRLZcwxVJsxAd67fngTrkA0gfkKeWYOdydsGpdbrnPUd7M+CTA38dxinYYpPlKL69aXjj/lJarkLzWoh4NeKZIad1KBQukVIy4aa/
X-Forefront-PRVS: 09435FCA72
X-Microsoft-Exchange-Diagnostics: 1; BN7PR01MB3748; 23:5SJu0RjjA8Ca7E3vWPJ2LIq9ML3fjuKN/5iWbk1P3YxUi8zcV5c6zIdZsIwfTBfbcejGgFt+vLw0tEW0yOT5X4r1+4cT9BsccE0PWLYjzmZaFz115BjJ/eYlckv+kV6HosjVJT2QuW4ZoLDPg6j8F2Jw38bpnvQMbsZ8dpj+CK+OP7mL7j9Djpo5k95lMzP46era82tJlrSsZZ4SeHbJE+ctdJBDtvwAKchE+ub2OIpExTef4boYDLl8XfHfdgPV/XfaiDyARXSqQpznqtY1NUTQrM/2tX0b4rVyRbBnkhe0Y7FdJKYnyytc1uOn93LIiZHrzovfbsATyY4k5qw1FgIrbmXLhDCVh1KFxDyDWmYh65V/uQ5vD/FsUDpzzYtR63c9YEpOrxSMDsxgIdhEN2TfR075eqKU76Zn9enPIZ7skryFKFmXX4N+RTN3oY2oPwllk7Lyqc44wyjvigrhYvl5rktP/Bj/kIC9L6qaWuiuYJ+vX6hFJs0KsX+Vew1jzhJyOPcjjcsMuYPb9kLzw+PfenGkmDyJVx/h9zEN1XoaQNVlV7zsT4Y/ug6ODgbQmjH0dDt6gvJ8+dT1emCCvaMrAZ9E38O1ISTNAfQmZp/b04GlCXivetd+HgVe3sx+1teNGH2oq6gaduNm/SQnG+/aoM3vmz/DPgCxkx8RggOuV3W2WClNQTKaknt+1dizfa+C3fkV0y7tHwt7MnXqkDPl6l/T3XfKFihDO3nInggagZtBLvHsmiZShkVDmnDso7CGXTk6+rhhuNxowR/BZcetphHMrX/X02tQaLr0xxODS2u91yIto4bm5pOySJKDRZkP51rPS/KwDPv/WulCcT7dmgDCpKis6vsjF3D1N+DrOYGd8CVF4ntEwnP01YURQoTI/aY7F8nWgEhB7COTcJQxm8/fdAePDm59WdghnZjDgv1JW1ndvIzrcrqyUTuecLXANz9mus2BQvX5bK9l8VQzZSJNU+wN3okRo+kHCnvalli48cQo+M1Csxk5W2Ei2+QohpOxtM6xqURLJy/L8O28GgN0dBoal+mFIGWHblECZPfRehv88GUcmyGjtgnQk5nca7SdgWpKOBpzTN608OpdSJY1nCkmWLCXArKM4MzLz7l6PK4V0isSt6EzMcRdX5yLfwjbeZCAWtH9rYlleOvAiT97zqGLTonR61Tf3QI=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: S45S7Vic3z1xzuTsTASlOSZBI7YUsMUBWVABEvahxsabzQ6/Qx/pzYmP+9VoCk7X67XUGUIRms4DC87iadCHERks6G/usj6I36KA3HxNhnCkF+Vsr6tNs05NPO8q4xXfiFuCn8QWERU/X5Tp5kUYB+T6OWwtmZfwwMLLXj+SsTscl3Gx6wzA80xXLty5JFot2JfjHcxSzK9+DRJCzbg6/lKYazObyebX6kw+EVI0OQytwAPeq9NsGb2bxdjeinP3YpSKf01mjsG21PvMfzhYzQZSxR5nvS6OtMmovjVO3cJ4rakSXoLmG+uKMYCIFEsLPfAINqW2ioVFb0MQS/HVuh4XBO0e22uFPWpx472m2TSJPE4emLmywtxbDuF02gExaql+CeYucjIO9YaGTbfsVLRh0ObO+XFY9gWsHsSHhF4=
X-Microsoft-Exchange-Diagnostics: 1; BN7PR01MB3748; 6:XPRtOGSiNrSj5o2Eqlx6/74HH4zc3uuckRWNu7evcDa2NH1DbZjVrv4b8L/cWbbf6nguRJ63UL+z7pXY1g/FWZEjXo9AvoL8Z4VPx24kuHmMCG9sAgSoptKBQ3c4kdJ/1KRtbE9RK5d97mKIknxygOM/Gh4Pvbbd6hiC8m/JGAg207r5dao8SAp6QKEFIG47955/4h7MipIDdqSPApDt/h0Ap03GDbOr0qYm+W/xC6FvlxJ83+oix1beUG8GDCWlWtFX1oskSlVCTnMVJpHSlPuYU14tYrWfO0LplypR1IYJIPGUcUhOW9D5o+rPBe3nA711Z2G15iuFFU2139tF5uZj4m6jm5qcKqlWtUwov9lCpAkcRQRPMH/yc29A/yYOtIkGHOsFGgK/rKDpUDRfjlXt3DixJzNP0ELctFkwOjk09SbAK8lSdsYS7qMr03/JYEKMiSsKrSx7RmjTS268DA==; 5:/KwGhG6XP95E+umRH8eQbkeAfuOiZokUdviaZW3ILZAxbi6iJGkxvAwOxj1KN5qGVBJ0rRPAWfIjixpU855EHG80MgS4V2htvaxK2b7wK42eus8vq9lFevMxtf5N2/ORPrJ5EfIa03HSfYinir5FVwAX04l3sGwC1XdHIy1T2mLz/uXcMy39l47DohtNSPrRwQFhakZ6+RwBNvhgJZj2ZA==; 7:AzNMazVnVJjgoW83RGbtHaovmdb+oMELWCTYjGGclSeV/bhqgI+sWAcABQE0F7IdykWLAgV8oInxyzTYRHbfu3L6NPcX8GLjwbl1xRPgFGnRhOasbiG/e6nBukgdV2KwswuePZvR1/lQo6I85gzsPQ==
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Feb 2019 22:14:11.9067 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b02ec41-a4bc-4e71-76b1-08d68edbebb8
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR01MB3748
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/CfmO9FJ4G4u608eJCfbWeBMV0_A>
Subject: [lisp] incremental transition to LISP-SEC (was Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-24: (with DISCUSS and COMMENT))
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2019 22:14:18 -0000

Splitting off a sub-thread for one fairly narrow point that AFAICT needs
further discussion to clarify the path forward:

On Thu, Feb 07, 2019 at 05:50:39AM -0800, Benjamin Kaduk wrote:
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
[...]
> 
>    3.  LISP-SEC [I-D.ietf-lisp-sec] MUST be implemented.  Network
>        operartors should carefully weight how the LISP-SEC threat model
>        applies to their particular use case or deployment.  If they
>        decide to ignore a particular recommendation, they should make
>        sure the risk associated with the corresponding threats is well
>        understood.
> 
> I'm concerned enough about the risk of having a "ITR requests lisp-sec but
> ETR didn't use it" case that causes complete breakage, that I want to talk
> about this a bit more.  We currently in this document say that lisp-sec is
> mandatory to implement (which presumably covers at least ITRs, ETRs,
> Map-Resolvers, and Map-Servers).  LISP-SEC itself says that "and ETR that
> supports LISP-SEC MUST set the S bit in its Map-Register messages".  Is it
> possible that an ETR might "implement" but then not "support" LISP-SEC?  If
> so, then we should consider the possibility that we need an authenticated
> signal (from the mapping system to the ITR) that downgrading from lisp-sec
> is allowed.  There seem to be several possibilities for how one might
> construct such a signal; two that came to mind to me would be (1) to define a
> new ACT value for "repeat without lisp-sec" that could be returned as a
> negative Map-Response directly from the mapping system wherever the mapping
> system is able to discern that the ETR in question does not support
> lisp-sec (I don't actually know if this could happen at Map-Resolver or
> would need to be delayed until the final Map-Server) and (2) to have an
> optional Map-Request field that the ETR is required to copy unchanged to
> the Map-Reply; this could then include a message HMAC'd in the ITR-OTK that
> indicates lisp-sec non-support and binds to the nonce in the request.
> Whether these are workable ideas seems to depend on aspects of the mapping
> system to which I cannot speak.

In terms of some background assumptions I've been making (that of course
could be false, so I'm trying to make them explicit), I am assuming that
many or most current LISP deployments do not utilize LISP-SEC at runtime.
It's less clear to me how many deployments/implementations simply do not
have LISP-SEC capabilities at all, or how easy it is to get
software/firmware updates to the needed devices.  Regardless, if there
are existing RFC 6833 deployments that want to migrate to 6833bis when it
is finalized, we should consider what steps would be needed to safely
deploy LISP-SEC without disruption.  In particular, it seems a useful goal
to try to get the security benefit of LISP-SEC for those machines/sites
that have LISP-SEC capability without waiting for the entire administrative
domain's deployment to get updated software/firmware, which I assume is at
least a 5-year lead time in many sites.

Given that at this point my analyses are mostly treating the mapping system
as something of a closed "magic box" that takes Map-Requests as input and
emits them to the appropriate ETRs (or internal proxy function), I'm forced
to conclude that any incremental update to using LISP-SEC will inherently
require the entire mapping system to upgrade first, before any concrete
usage of LISP-SEC should be expected.  Hopefully that's less of a burden
than upgrading entire deployments, since the mapping system is a more
contained set of devices and does not need to handle data-plane levels of
traffic.

Once that's done, though, we still have the question of "which ETRs are
updated to be registering themselves as LISP-SEC-capable?".  For any given
ITR/ETR pair, if both are LISP-SEC capable, we want them to be using
LISP-SEC, while still allowing traffic if one or both are not LISP-SEC
capable.  If the ITR is not capable, this is easy, as the Map-Request will
never attempt to use LISP-SEC.  But if the ITR is capable and the ETR is
not, the ITR is going to either attempt to use LISP-SEC for all
Map-Requests or need some out-of-band knowledge of whether the target ETR
is capabable.  Now, the whole point of the mapping system is that the ITR
doesn't know what ETR it's going to talk to when it sends the Map-Request,
so this "out-of-band" setup seems pretty hard to fulfil.  My current best
thought (not expected to be perfect) in this scenario is that the ITR that
is LISP-SEC capable (and configured to use it, I suppose) will always try
to use LISP-SEC, but needs an authenticated signal from the mapping system
that the ETR it's being mapped to is not LISP-SEC-capable, and it should
try again without LISP-SEC.  This signal needs to be authenticated not just
for security reasons (though an insecure downgrade would render LISP-SEC
useless against an active attacker until the entire deployment disabled
non-LISP-SEC exchanges), but also for performance concerns.  As currently
specified, the Map-Server that gets a LISP-SEC Map-Request but is going to
forward it to an ETR that did not register as LISP-SEC capable is going to
repackage the Map-Request into a non-LISP-SEC Map-Request to send to the
ETR in question.  That ETR will produce a normal Map-Reply, that the ITR
will proceed to drop without processing, since it does not use LISP-SEC.
IIUC, that leaves the ITR in "wait to timeout" territory, which is a pretty
lousy situation to be in.

I know there are only a couple values left for ACT values, but it seems
that this may be a big enough issue to justify allocating one for "retry
with downgrade", so that the final Map-Server can send a negative Map-Reply
that does use LISP-SEC, and the ITR can have this authenticated signal that
the destination ETR is not LISP-SEC capable at the moment.  There are of
course other ways to generate an authenticated downgrade signal, but the
only other ones I've been able to come up with seem less architecturally
pleasing (and may not in fact work when the destination ETR is running
original RFC 6833 code).

I'm interested in hearing what other people think about this scenario and
proposed remediation.

-Benjamin

v2.23.0 | Report a Bug | By Email