Re: [lisp] John Scudder's Discuss on draft-ietf-lisp-sec-26: (with DISCUSS)

John Scudder <jgs@juniper.net> Wed, 15 June 2022 13:56 UTC

From: John Scudder <jgs@juniper.net>
To: Luigi Iannone <ggx@gigix.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-lisp-sec@ietf.org" <draft-ietf-lisp-sec@ietf.org>, "lisp-chairs@ietf.org" <lisp-chairs@ietf.org>, "lisp@ietf.org" <lisp@ietf.org>
Date: Wed, 15 Jun 2022 13:56:38 +0000
Message-ID: <D2D80E5E-0512-49B8-BD6E-5ED023F95437@juniper.net>
References: <165525946025.9886.1713011288499892827@ietfa.amsl.com> <94A5FB19-1DD3-4122-B96D-8CD020136D67@gigix.net>
In-Reply-To: <94A5FB19-1DD3-4122-B96D-8CD020136D67@gigix.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/E5_LlfcSJvYq4eG3fsJEhhTteO4>

Hi Luigi,

Thanks for your reply.

> On Jun 15, 2022, at 5:29 AM, Luigi Iannone <ggx@gigix.net> wrote:
> 
> Hi John,
> 
> AFAICT the reason is very simple: LISP-SEC has been designed to secure existing LISP control plane messages, not to add new messages.
> So it is able to protect the Map-Request and Map-Reply messages flowing around but it never generates any LISP-SEC specific message.

Point taken, but see below.

> The action you are suggesting at the end of your discuss needs a new message, which is not in line with the design decision taken for this draft.

I guess I didn’t express myself clearly. For example, in the case of disagreement on KDF ID, since the ITR is going to throw away the Map-Reply anyway, it appears as though the Map-Server could return a Map-Reply containing LISP-SEC ECM Authentication Data whose EID-AD Length is 4 and simply proposing a new KDF ID. That would reuse existing messages without doing throwaway work, wouldn’t it?

Thanks,

—John
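The KDF ID negotiation John sketches above, as an added Python model that is not part of this thread or of the LISP-SEC specification: the EID-AD layout (a 16-bit EID-AD Length followed by a 16-bit KDF ID), the KDF ID values, the Map-Server's "lowest supported ID" preference and the one-retry bound on the ITR side are all assumptions made for the illustration.

```python
import struct
from typing import Optional, Set, Tuple

# Constructed KDF ID values for the model; not the registry's assignments.
KDF_A = 1
KDF_B = 2


def encode_eid_ad_proposal(kdf_id: int) -> bytes:
    """Minimal EID-AD as proposed: EID-AD Length = 4, i.e. only the length
    and KDF ID fields, carrying the KDF ID the Map-Server would accept.
    Assumed layout: 16-bit EID-AD Length, 16-bit KDF ID, network order."""
    return struct.pack("!HH", 4, kdf_id)


def decode_eid_ad_header(ad: bytes) -> Tuple[int, int]:
    """Return (EID-AD Length, KDF ID) and reject inconsistent lengths so a
    truncated or oversized EID-AD is not processed further."""
    if len(ad) < 4:
        raise ValueError("EID-AD shorter than its fixed header")
    length, kdf_id = struct.unpack("!HH", ad[:4])
    if length < 4 or length > len(ad):
        raise ValueError("inconsistent EID-AD Length")
    return length, kdf_id


def map_server_reply(requested_kdf: int, supported: Set[int]) -> bytes:
    """Map-Server side. A supported KDF ID gets a full EID-AD (constructed
    12-byte stand-in for the real record); an unsupported one gets the
    4-byte proposal instead of a Map-Reply the ITR would discard anyway."""
    if requested_kdf in supported:
        return struct.pack("!HH", 12, requested_kdf) + b"\x00" * 8
    preferred = min(supported)  # assumed preference policy
    return encode_eid_ad_proposal(preferred)


def itr_negotiate(itr_supported: Set[int], ms_supported: Set[int],
                  first_choice: int) -> Optional[int]:
    """ITR side: request first_choice and follow a proposal at most once, so
    peers with disjoint KDF sets cannot loop. Returns the agreed KDF ID."""
    requested = first_choice
    for _ in range(2):
        length, kdf = decode_eid_ad_header(map_server_reply(requested, ms_supported))
        if length > 4:
            return kdf  # full EID-AD: the Map-Server used our KDF ID
        if kdf in itr_supported and kdf != requested:
            requested = kdf  # proposal we can honour: retry once
            continue
        return None  # proposal we cannot use: give up, no further round trips
    return None
```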