Re: [lisp] I-D Action: draft-ietf-lisp-sec-18.txt
"Fabio Maino (fmaino)" <fmaino@cisco.com> Sun, 02 June 2019 14:32 UTC
From: "Fabio Maino (fmaino)" <fmaino@cisco.com>
To: "lisp@ietf.org" <lisp@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Eric Rescorla <ekr@rtfm.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
Date: Sun, 02 Jun 2019 14:32:34 +0000
Message-ID: <22748ED9-7895-4D9A-83AE-A19ED3D050ED@cisco.com>
References: <155948483247.21507.9045651849337465202@ietfa.amsl.com>
In-Reply-To: <155948483247.21507.9045651849337465202@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/G0Te1JXELKLVqkUQ_a6M-S5Fkcs>
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
This rev of the lisp-sec draft includes the following main changes:

1. a mechanism that allows an ITR to securely downgrade to non LISP-SEC Map-Requests, if it wishes to do so. This is done as discussed in the list and in Prague with Ben

2. the use of a per-message key (derived from the pre-shared secret) to protect transport of the One-Time-Key from ITR->Map-Resolver and from Map-Server->ETR. This is consistent with the changes that are being introduced in 6833bis, and with what was discussed with Ben in Prague

3. Comments posted by Med on 1/28 are addressed. You can check my notes on the attached word document that describe how each comment has been disposed

The attached diff will guide you through the changes, but the main protocol changes are:

- Introduction of the ETR-Can't-Sign E bit in the ECM Authentication Data. This is used as described in section 5.7 to allow secure downgrade to non LISP-SEC (if the ITR chooses to do so)

- Splitting the "OTK Encryption ID" 16-bit field in the ECM Authentication Data into two 8-bit fields (this is consistent with what was done in 6833bis for various LISP protocol messages):
  - Key ID, that identifies the pre-shared secret
  - OTK Wrapping ID, that identifies the KDF used to derive the per-message OTK encryption key AND the OTK Wrapping algorithm

- Description of how to derive the per-message OTK encryption key from the pre-shared secret (this is coherent with what we did in 6833bis to derive the per-message Map-Register authentication key). Terminology will be consistent with the next rev of 6833bis

Thanks especially to Ben for the suggested improvements, and to Med for the very detailed review.

Fabio

On 6/2/19, 7:15 AM, "lisp on behalf of internet-drafts@ietf.org" <lisp-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Locator/ID Separation Protocol WG of the IETF.
>
> Title           : LISP-Security (LISP-SEC)
> Authors         : Fabio Maino
>                   Vina Ermagan
>                   Albert Cabellos
>                   Damien Saucez
> Filename        : draft-ietf-lisp-sec-18.txt
> Pages           : 27
> Date            : 2019-06-02
>
> Abstract:
>    This memo specifies LISP-SEC, a set of security mechanisms that
>    provides origin authentication, integrity and anti-replay protection
>    to LISP's EID-to-RLOC mapping data conveyed via the mapping lookup
>    process. LISP-SEC also enables verification of authorization on
>    EID-prefix claims in Map-Reply messages.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lisp-sec/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lisp-sec-18
> https://datatracker.ietf.org/doc/html/draft-ietf-lisp-sec-18
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lisp-sec-18
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> lisp mailing list
> lisp@ietf.org
> https://www.ietf.org/mailman/listinfo/lisp
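The following Python is an added illustration, written for this archive page and not taken from the draft or from any LISP implementation, of the wrapping scheme the message describes: a pre-shared secret selected by an 8-bit Key ID, a per-message OTK wrapping key derived from it by the KDF named by an 8-bit OTK Wrapping ID, and an E bit that the ITR consults before accepting a downgrade. The byte layout of the ECM Authentication Data, the HMAC-SHA-256 derivation label, the XOR wrap, the flag position and the sample secrets and nonce are all assumptions made for the example; the draft's actual wire format, KDF and section 5.7 downgrade procedure are not reproduced here, and the ECM-level MAC that protects the whole message is left out.

```python
import hashlib
import hmac
import struct

# Constructed illustration of per-message OTK wrapping keyed by Key ID and
# OTK Wrapping ID. Layout, KDF label, XOR wrap and flag position are
# assumptions for this example, not the draft's wire format.

OTK_LEN = 16                 # 128-bit One-Time-Key (assumed size)
FLAG_ETR_CANT_SIGN = 0x80    # assumed position of the "E" bit in the flags byte

# Pre-shared secrets indexed by 8-bit Key ID (constructed sample values).
PSK_TABLE = {
    1: bytes(range(32)),
    2: bytes(range(32, 64)),
}

# Hypothetical OTK Wrapping ID registry: one entry naming KDF + wrap algorithm.
WRAP_HMAC_SHA256_XOR = 1


def derive_wrapping_key(psk: bytes, nonce: bytes, wrapping_id: int) -> bytes:
    """Per-message key = HMAC-SHA-256(psk, label || wrapping_id || nonce), truncated.

    The Map-Request nonce is what makes the key unique per message; reusing a
    nonce under the same PSK would reuse the wrapping key.
    """
    if wrapping_id != WRAP_HMAC_SHA256_XOR:
        raise ValueError(f"unsupported OTK Wrapping ID {wrapping_id}")
    msg = b"LISP-SEC OTK wrap" + bytes([wrapping_id]) + nonce  # label is assumed
    return hmac.new(psk, msg, hashlib.sha256).digest()[:OTK_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def build_ecm_auth_data(otk: bytes, nonce: bytes, key_id: int,
                        wrapping_id: int, etr_cant_sign: bool = False) -> bytes:
    """Sender side (ITR or Map-Server): emit flags, Key ID, Wrapping ID, wrapped OTK."""
    if len(otk) != OTK_LEN:
        raise ValueError("bad OTK length")
    wrapped = xor_bytes(otk, derive_wrapping_key(PSK_TABLE[key_id], nonce, wrapping_id))
    flags = FLAG_ETR_CANT_SIGN if etr_cant_sign else 0
    return struct.pack("!BBB", flags, key_id, wrapping_id) + wrapped


def parse_ecm_auth_data(data: bytes, nonce: bytes) -> dict:
    """Receiver side (Map-Resolver or ETR): pick the PSK by Key ID, re-derive, unwrap."""
    if len(data) < 3 + OTK_LEN:
        raise ValueError("truncated ECM Authentication Data")
    flags, key_id, wrapping_id = struct.unpack("!BBB", data[:3])
    psk = PSK_TABLE.get(key_id)
    if psk is None:
        raise KeyError(f"unknown Key ID {key_id}")  # reject; never fall back to a default key
    wrapped = data[3:3 + OTK_LEN]
    otk = xor_bytes(wrapped, derive_wrapping_key(psk, nonce, wrapping_id))
    return {"etr_cant_sign": bool(flags & FLAG_ETR_CANT_SIGN),
            "key_id": key_id, "wrapping_id": wrapping_id, "otk": otk}


def itr_accepts_unsigned_reply(auth: dict, downgrade_allowed: bool) -> bool:
    """Simplified ITR policy (not the draft's section 5.7 procedure): an unsigned
    Map-Reply is acceptable only when the E bit is set AND local policy allows
    the downgrade to non LISP-SEC."""
    return auth["etr_cant_sign"] and downgrade_allowed


if __name__ == "__main__":
    nonce = bytes.fromhex("0011223344556677")               # constructed nonce
    otk = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")  # constructed OTK
    wire = build_ecm_auth_data(otk, nonce, key_id=1, wrapping_id=WRAP_HMAC_SHA256_XOR)
    print("round trip ok:", parse_ecm_auth_data(wire, nonce)["otk"] == otk)
```

Two properties worth checking in any real implementation of this scheme are visible in the code: the receiver must refuse an unknown Key ID or Wrapping ID rather than guess, and the per-message key is only as fresh as the nonce, so a repeated nonce under one PSK reuses the wrapping key and, with an XOR-style wrap, exposes the XOR of two OTKs.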