Re: [lisp] I-D Action: draft-ietf-lisp-sec-18.txt

"Fabio Maino (fmaino)" <fmaino@cisco.com> Sun, 02 June 2019 14:32 UTC

From: "Fabio Maino (fmaino)" <fmaino@cisco.com>
To: "lisp@ietf.org" <lisp@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Eric Rescorla <ekr@rtfm.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
Date: Sun, 02 Jun 2019 14:32:34 +0000
Message-ID: <22748ED9-7895-4D9A-83AE-A19ED3D050ED@cisco.com>
References: <155948483247.21507.9045651849337465202@ietfa.amsl.com>
In-Reply-To: <155948483247.21507.9045651849337465202@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/G0Te1JXELKLVqkUQ_a6M-S5Fkcs>

This rev of the lisp-sec draft includes the following main changes:
1. a mechanism that allows an ITR to securely downgrade to non-LISP-SEC Map-Requests, if it wishes to do so. This is done as discussed in the list and in Prague with Ben.
2. the use of a per-message key (derived from the pre-shared secret) to protect transport of the One-Time-Key from ITR->Map-Resolver and from Map-Server->ETR. This is consistent with the changes that are being introduced in 6833bis, and with what was discussed with Ben in Prague.
3. Comments posted by Med on 1/28 are addressed. You can check my notes on the attached Word document, which describe how each comment has been disposed.


The attached diff will guide you through the changes, but the main protocol changes are:
- Introduction of the ETR-Can't-Sign E bit in the ECM Authentication Data. This is used as described in section 5.7 to allow secure downgrade to non-LISP-SEC (if the ITR chooses to do so)
- Splitting the "OTK Encryption ID" 16-bit field in the ECM Authentication Data into two 8-bit fields (this is consistent with what is done in 6833bis for various LISP protocol messages):
	- Key ID, that identifies the pre-shared secret
	- OTK Wrapping ID, that identifies the KDF used to derive the per-message OTK encryption key AND the OTK Wrapping algorithm
- Description of how to derive the per-message OTK encryption key from the pre-shared secret (this is coherent with what we did in 6833bis to derive the per-message Map-Register authentication key). Terminology will be consistent with the next rev of 6833bis


Thanks especially to Ben for the suggested improvements, and to Med for the very detailed review.

Fabio


On 6/2/19, 7:15 AM, "lisp on behalf of internet-drafts@ietf.org" <lisp-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:

    
    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Locator/ID Separation Protocol WG of the IETF.
    
            Title           : LISP-Security (LISP-SEC)
            Authors         : Fabio Maino
                              Vina Ermagan
                              Albert Cabellos
                              Damien Saucez
    	Filename        : draft-ietf-lisp-sec-18.txt
    	Pages           : 27
    	Date            : 2019-06-02
    
    Abstract:
       This memo specifies LISP-SEC, a set of security mechanisms that
       provides origin authentication, integrity and anti-replay protection
       to LISP's EID-to-RLOC mapping data conveyed via mapping lookup
       process.  LISP-SEC also enables verification of authorization on EID-
       prefix claims in Map-Reply messages.
    
    
    
    The IETF datatracker status page for this draft is:
    https://datatracker.ietf.org/doc/draft-ietf-lisp-sec/
    
    There are also htmlized versions available at:
    https://tools.ietf.org/html/draft-ietf-lisp-sec-18
    https://datatracker.ietf.org/doc/html/draft-ietf-lisp-sec-18
    
    A diff from the previous version is available at:
    https://www.ietf.org/rfcdiff?url2=draft-ietf-lisp-sec-18
    
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.
    
    Internet-Drafts are also available by anonymous FTP at:
    ftp://ftp.ietf.org/internet-drafts/
    
    _______________________________________________
    lisp mailing list
    lisp@ietf.org
    https://www.ietf.org/mailman/listinfo/lisp