Re: [lisp] Restarting last call on LISP threats

Ronald Bonica <rbonica@juniper.net> Tue, 03 June 2014 19:04 UTC

From: Ronald Bonica <rbonica@juniper.net>
To: Dino Farinacci <farinacci@gmail.com>
Date: Tue, 3 Jun 2014 19:04:31 +0000
Message-ID: <4a60f797eebc467aa4095ad56a3491e2@CO1PR05MB442.namprd05.prod.outlook.com>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com> <1a200c5f5de041fbaf88edd1a5c3159c@CO1PR05MB442.namprd05.prod.outlook.com> <CAKFn1SEAZyydpQ4cx77mthsUx1HZqMwsM6xNuL4LJjG=oL1mjw@mail.gmail.com> <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com> <F4799A7A-BAEF-458A-8C43-9DF16C9B7828@gmail.com> <e3be912f6afd4f0aa6c8414fede37c74@CO1PR05MB442.namprd05.prod.outlook.com> <2CF699DA-2BAA-4A76-BFF1-64625E001184@gmail.com> <09d3b0d276004c88b6de1a59cf863062@CO1PR05MB442.namprd05.prod.outlook.com> <3269BEE4-C3E5-4D76-A1C0-0B70B6928A12@gmail.com> <dd849ce0cca749c885c5b8a1e989f758@CO1PR05MB442.namprd05.prod.outlook.com> <538361DA.10808@joelhalpern.com> <029e0f8bc7ba433ba4d3ee70b8431f9f@CO1PR05MB442.namprd05.prod.outlook.com> <3519A6AD5B18C44EB0291EC6C880A906012FD3@NYDC-EXCH01.vinci-consulting-corp.local> <936e209eb2fb49288f3a776aaa4b71cb@CO1PR05MB442.namprd05.prod.outlook.com> <7E76C55E-CCD0-4A52-A481-5BA9BF6A6689@gmail.com> <9091dab3083e460abb2080f1e9315aba@CO1PR05MB442.namprd05.prod.outlook.com> <4B057F83-72DF-44B8-A6D5-2DF6829C8948@gmail.com>
In-Reply-To: <4B057F83-72DF-44B8-A6D5-2DF6829C8948@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/IsUKwIxj7opofNKnmzuQCrH0UDA
Cc: Roger Jorgensen <rogerj@gmail.com>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats

Dino,

I think both statements are true. That is:

1) The attack stream is crafted to maximize the ratio of attack packets to map-requests.
2) Traffic originating from a real PiTR probably won't maximize the ratio of attack packets to map-requests because "packets encapsulated by PITRs originate from non-LISP sources. Thereby the ITR at the LISP site will natively-forward to those random places. And those native-forward map-cache entries are very coarse since the mapping system returns the least specific prefix that covers all non-LISP sites."

In either case, if we are going to deploy LISP on the global Internet, we need to deal with the attack in the threats document.

                                      Ron


> -----Original Message-----
> From: Dino Farinacci [mailto:farinacci@gmail.com]
> Sent: Tuesday, May 27, 2014 9:12 PM
> To: Ronald Bonica
> Cc: Paul Vinciguerra; Joel M. Halpern; Damien Saucez; Roger Jorgensen; LISP
> mailing list list
> Subject: Re: [lisp] Restarting last call on LISP threats
> 
> 
> 
> > On May 27, 2014, at 5:18 PM, Ronald Bonica <rbonica@juniper.net> wrote:
> >
> > RPB]
> > Exactly. Source EIDs are chosen to maximize the ratio of attack packets to
> map-requests sent by the victim XTR.
> >
> > This is what makes the attack stream so different from a stream that a PiTR
> is likely to send during normal operation.
> 
> It is not different for that reason. It is different because packets
> encapsulated by PITRs originate from non-LISP sources. Thereby the ITR at
> the LISP site will natively-forward to those random places. And those native-
> forward map-cache entries are very coarse since the mapping system returns
> the least specific prefix that covers all non-LISP sites.
> 
> I believe Paul is still right IMO.
> 
> Dino
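
The two points above (an attack stream crafted so that nearly every packet forces a map-request at the victim xTR, versus PITR-originated traffic whose return path is natively forwarded through a single coarse map-cache entry) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any LISP implementation. It assumes a toy address plan (10.0.0.0/8 as LISP EID space carved into /24 sites, 192.0.0.0/8 as the coarse prefix the mapping system returns for non-LISP destinations), a toy mapping system, and a map-cache that does longest-prefix match and sends one Map-Request per miss; all of these are assumptions for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not from the thread):
LISP_EID_SPACE = ipaddress.ip_network("10.0.0.0/8")   # every /24 is a distinct LISP site
NON_LISP_COVER = ipaddress.ip_network("192.0.0.0/8")  # least-specific prefix over non-LISP space


def mapping_system(addr):
    """Toy mapping system (assumed behaviour).

    For an EID inside the LISP space return that site's /24 mapping.
    For any other address return the coarse covering prefix, mirroring the
    point that non-LISP destinations get a very coarse native-forward entry.
    """
    if addr in LISP_EID_SPACE:
        return ipaddress.ip_network(f"{addr}/24", strict=False)
    return NON_LISP_COVER


class MapCache:
    """Toy xTR map-cache: longest-prefix match, one Map-Request per miss."""

    def __init__(self):
        self.entries = []       # list of (network, action)
        self.map_requests = 0   # Map-Requests this xTR has sent

    def forward(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [net for net, _ in self.entries if addr in net]
        if hits:
            return max(hits, key=lambda net: net.prefixlen)  # longest match wins
        # Cache miss: query the mapping system and install what it returns.
        self.map_requests += 1
        net = mapping_system(addr)
        action = "encap" if net.subnet_of(LISP_EID_SPACE) else "native"
        self.entries.append((net, action))
        return net


def run(destinations):
    """Feed a stream of lookups to a fresh cache; return (packets, map_requests)."""
    cache = MapCache()
    for dst in destinations:
        cache.forward(dst)
    return len(destinations), cache.map_requests


def attack_stream(n):
    """n lookups, each for a different /24 LISP site: every packet misses
    the cache, so the xTR sends one Map-Request per packet (n <= 65536)."""
    return [f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.1" for i in range(n)]


def pitr_like_stream(n):
    """n lookups spread across non-LISP space: the first miss installs the
    coarse covering prefix and every later packet hits it natively."""
    return [f"192.{(i * 37) % 256}.{(i * 91) % 256}.{i % 256}" for i in range(n)]


if __name__ == "__main__":
    for name, stream in (("attack", attack_stream(1000)),
                         ("pitr-like", pitr_like_stream(1000))):
        packets, reqs = run(stream)
        print(f"{name:10s} packets={packets} map_requests={reqs} "
              f"map_requests_per_packet={reqs / packets:.3f}")
```

Whether one calls the figure "attack packets per map-request" or "map-requests per packet", the simulation shows the asymmetry the thread is arguing about: the crafted stream drives one Map-Request per packet, while a stream of replies to scattered non-LISP sources collapses onto a single coarse entry after the first miss.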