Re: [lisp] Stephen Farrell's No Objection on draft-ietf-lisp-threats-14: (with COMMENT)

Luigi Iannone <> Wed, 20 January 2016 11:51 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6B5F51B3AA9 for <>; Wed, 20 Jan 2016 03:51:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HELO_EQ_FR=0.35, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EOUKn52vDV8J for <>; Wed, 20 Jan 2016 03:51:20 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E597E1B3AA8 for <>; Wed, 20 Jan 2016 03:51:16 -0800 (PST)
Received: by with SMTP id r129so127761259wmr.0 for <>; Wed, 20 Jan 2016 03:51:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+qiOFhZR4jlCLuBeAREAPpPQ2xrw4kBNflTYbXXQpf8=; b=BtxOGyzANxi0nh0tYk/1aq+jR16VVL2OSsajqokiTgtBf2XplzlYmdqYdSHSRXujjO 4xe2Rc6Sm440/95h0vvNeQ7Z9E+JtoKSQy7J9rxXGiUSStqwC5tRsVbmAaS2AmBTqtYj lTSCPPc1+QSKkCrGR4BJWKujsdCbdBuzZvCS+1wsi7ZFZ7Z/+MQaIvbbWOfPaYphPLPU MeQW/ncRJgr0hb+1Ua5WAZTSkwxEuVn3aQNnJwVyS5eu8CikfLeVS81G8T51kMMUoKxF /oPfwCJ0zZ9bYJk27gdE/a3unZdgP4+7tdlI0TZVulL95fvGxfQFT0Urn2/7QLWZ7Nqw uQ/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=+qiOFhZR4jlCLuBeAREAPpPQ2xrw4kBNflTYbXXQpf8=; b=C15TR/zu8laz/8N5RVk3Yl3JT/jTPa9max3HWlCDgqtNNqaDfL3/yU42XHGzmhX21N r4FL0HSpv82GqA+/zXjDjnEUV1Ck7JfGPHO27yh//wwWo9uIaH00BvX705LE2T+Yz7iS ggLA7HsHVuY9po0zBKuS/vv2g19dY+Le3I9awWNQ1u0nWmBhAn9Iz4jyaURPGyr08i5l jsR+K7yUdfT/jDlgH1Xfph/WlxpT3sL4MPzbRyWyYEVwexH6sAQvExrUSHJbmNshHbfk DJlTLpylzSDkAPTZHKOdoT0SFyCArcWWguvvG+3X5P8TQXBlulbcW1sym63cNFvsWZEg dMgA==
X-Gm-Message-State: AG10YOScEuROv3GT/6QNXsC7PsYBu/++YKL1Iiw5t4ANWx4WGI3YOV13y6gKTTXaXef/Ew==
X-Received: by with SMTP id l189mr3706001wmf.89.1453290675414; Wed, 20 Jan 2016 03:51:15 -0800 (PST)
Received: from ( []) by with ESMTPSA id o7sm32807102wjf.45.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Jan 2016 03:51:13 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Luigi Iannone <>
In-Reply-To: <>
Date: Wed, 20 Jan 2016 12:51:17 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Stephen Farrell <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc:,, The IESG <>,
Subject: Re: [lisp] Stephen Farrell's No Objection on draft-ietf-lisp-threats-14: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jan 2016 11:51:22 -0000

Thanks for the comments Stephen.

Crypto was not meant to be normative… We will move in its right place: informative.

further comments inline.

thanks ciao


> On 19 Jan 2016, at 15:56, Stephen Farrell <> wrote:
> On 19/01/16 14:50, Joel M. Halpern wrote:
>> Stephen, than you for the comments.
>> With regard to the question of discussing lisp-crypto, the biggest
>> concern has been creating a normative dependence on future work. 
> Then make it informative I guess. I don't see any problem, and do
> see benefits, in text along the lines of "privacy is an issue since
> LISP concentrates traffic making passive monitoring of plaintext
> arguably somewhat easier, people are working on [list-crypto] as
> a way to deal with that." In any case, you shouldn't take anything
> I've said as me wanting a normative reference to lisp-crypto, I
> didn't mean to suggest that.
> As that's how you've handled lisp-sec it shouldn't pose any
> process issues I'd hope.
> That said, I'm not a DISCUSS on this, so am non-blocking.
> Cheers,
> S.
>> The
>> charter item was to discuss threats against LISP as documented already.
>> I would like to see the crypto work covered, but it seems incorrect to
>> the charter and likely to cause a further significant delay in an
>> overdue document.
>> Yours,
>> Joel
>> On 1/19/16 7:07 AM, Stephen Farrell wrote:
>>> Stephen Farrell has entered the following ballot position for
>>> draft-ietf-lisp-threats-14: No Objection
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>> Please refer to
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> The document, along with other ballot positions, can be found here:
>>> ----------------------------------------------------------------------
>>> ----------------------------------------------------------------------
>>> Thanks for doing this document. I think it's a useful part
>>> of the LISP documentation set.
>>> general: I think you underestimate the purely passive
>>> threats - my point on 2.2 below was almost a DISCUSS but
>>> given the WG have already adopted draft-ietf-lisp-crypto I
>>> figured there's no need to try block this. I would really
>>> encourage you to consider the threats that are mitigated by
>>> that specification here, even if those threats weren't
>>> initially considered as being that relevant to LISP (when
>>> the work on LISP began I mean). If that had been done
>>> already in this draft, I'd have been a YES ballot, if that
>>> makes any difference;-)
>>> - intro: I think you should add a few caveats here to say
>>> that you're not covering threats due to specific
>>> implementations and also that the text here captures only
>>> those LISP-specific threats we know about today and that
>>> more *will* be discovered as deployment continues.

Good point what about change the sentences:

	This document does not consider all the possible uses of LISP as
   	discussed in [RFC6830] and [RFC7215]. The document focuses on LISP
   	unicast, including as well LISP Interworking [RFC6832], LISP Map-
   	Server [RFC6833]), and LISP Map-Versioning [RFC6834]. 

in the following manner:

	This document does not consider all the possible uses of LISP as
   	discussed in [RFC6830] and [RFC7215] and does not cover 
	threats due to specific implementations. The document focuses 
	on known LISP-specific threats related to LISP unicast, 
	including as well LISP Interworking [RFC6832], LISP Map-
  	 Server [RFC6833]), and LISP Map-Versioning [RFC6834]. 
	Additional threats may be discovered in the future while 
	deployment continues.

>>> - intro: you don't write about DNS here, but if some LISP
>>> configuration settings use DNS names then via DNS with no
>>> DNSSEC an attacker can decide to be on-path sometimes,
>>> off-path other times. That (or similar) might be a nice way
>>> to illustrate the scope here, while also alerting the
>>> implementer to other threats that might affect their
>>> implementations.

At this stage there are no LISP configuration settings related to DNS.
Hence, IMHO, there is no need to add anything.

>>> - 2.1 I think it'd be valuable to say that the 2.1.x
>>> sections are really just for the sake of exposition - we
>>> cannot assume that all attackers fall into any neat
>>> category. You do note this (more or less) in 2.1.5 but I
>>> think that'd be better done in 2.1. The reason to suggest
>>> this change is that being open to attackers not conforming
>>> to our descriptions is important.

The idea of 2.1.5 was to provide an example. This can be done only after 
the different modes are explained. 
Instead of moving text from 2.1.5 to 2.1 I would modify  2.1 in the following manner:

	Attackers can be classified according to the following four modes of
   	operation, i.e., the temporal and spacial diversity of the attacker.
	These modes are not mutually exclusive and can be used by 
	attackers in any combination.

>>> - 2.2 - which section here covers purely passive monitoring?
>>> All the 2.2.x seem to only cover active attacks. (I'd also
>>> suggest moving the 2.2.10 text to 2.2 similarly to the
>>> suggestion above for 2.1.)

Good point. Similarly to 2.1 I would add the following sentence to 2.2:

	These categories are not mutually exclusive and can be used by 
	attackers in any combination.
Also I would add a new subsection numbered 2.10 and renumber the old 2.10 as 2.11.
The content of the new subsection would be:

	2.2.10 Passive Monitoring Attacks
	An attacker can use pervasive monitoring, which is a technical attack [RFC7258],
	targeting information about LISP traffic that may or not be used to mount other 
	type of attacks.    

>>> - 3.8 - you probably need to note somewhere (not sure where)
>>> that a bad PRNG would improve the attacker's chances in
>>> various ways. I think a calculation of the probability of a
>>> nonce collision (for both a good and not-good PRNG) could be
>>> a useful addition.

Not sure that the collision probability would be really helpful here, but you have a point about PRNG.
I suggest we change this text:

 	If an ETR does not accept Map-Reply
   	messages with an invalid nonce, the risk of an off-path attack is
   	limited given the size of the nonce (64 bits).


	Given the size of the nonce (64 bits), if best current practice is used [RFC4086] 
	and If an ETR does not accept Map-Reply messages with an invalid nonce, 
	the risk of an off-path attack is limited.

>>> - 3.8, 3rd para: I would argue that this threat is a "core"
>>> point to be made, as it's arguably the main LISP-specific
>>> threat and ought be emphasised more, e.g. via a mention and
>>> pointer in the introduction, or otherwise.

Not sure I understand. 
You talking about the paragraph about the attacker is a valid ETR?
Why this problem is more important than others?  
Several attacks can cause lot of damage, why this should better highlighted?

>>> - section 4 is pretty weak to be honest. I think you could
>>> at least recognise that LISP, as with any mechanism that
>>> concentrates traffic (between xTRs) means that passively
>>> monitoring plaintext is easier than before and that there is
>>> therefore value in encrypting the traffic between xTRs as is
>>> proposed in draft-ietf-lisp-crypto

I think this is covered by the last sentence of the section. 
If an attacker knows detailed information gathered from the mappings
it can use it for a lot of things, not only passive monitoring as you suggest. 

>>> - (nit) section 5 has a really odd sentence " The usage will
>>> be designed and defined specific for the needs of the
>>> specification." I've no idea what that means TBH.

Thanks … it read really bad ;-)
It is actually referred to the sentence preceding this one,
but it’s original meaning is redundant with the sentence 
that is right after (The exact technique still has to be designed and
defined. ), hence, it can be simply dropped.

Let us know if the suggested changes would answer your comments.