Re: [lisp] LISP-SEC review (finally)
Fabio Maino <fmaino@cisco.com> Wed, 26 October 2016 04:07 UTC
Return-Path: <fmaino@cisco.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEDA912945A; Tue, 25 Oct 2016 21:07:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.383
X-Spam-Level:
X-Spam-Status: No, score=-12.383 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=1.157, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_HTML_ATTACH=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QTHITw6VS94k; Tue, 25 Oct 2016 21:07:18 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3768412945C; Tue, 25 Oct 2016 21:07:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=499683; q=dns/txt; s=iport; t=1477454837; x=1478664437; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=wOf9dwpATZXDU9OZmDF385Ijh0Vna4Shadtjp4oPCDc=; b=GGSAuBxQLP3wVxiFEn/nwRoL6a/fOUGLGK1c1S115leaGJLNRBn9P7Ok 0pcNq9Sswf8QWQdh2smH+TCi7ikxIydUmSvUIRoGaUpL0zr16qajMKf9x 5MUDudZhsoKNNpmCRuOkkLwGC5Lf+oAVbY9vGwhwLw3fYU6Z/v4XwcGf+ U=;
X-Files: Diff_ draft-ietf-lisp-sec-11.txt - draft-ietf-lisp-sec-12a.txt.html, draft-ietf-lisp-sec-12a.txt : 170662, 49563
X-IronPort-AV: E=Sophos;i="5.31,548,1473120000"; d="txt'?html'217?scan'217,208,217";a="162002564"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Oct 2016 04:07:15 +0000
Received: from [10.24.90.43] ([10.24.90.43]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u9Q47AS1024523; Wed, 26 Oct 2016 04:07:10 GMT
To: Luigi Iannone <luigi.iannone@telecom-paristech.fr>
References: <FC4677DB-855C-4273-8B52-161039B900A8@telecom-paristech.fr> <8204baa6-8cbd-83b3-aa88-dc3ba16c5a33@cisco.com> <38FE74C1-A8F3-4A92-B575-CC5CF4E249D8@telecom-paristech.fr> <37a920e9-b1aa-33c1-6321-e24937bc6c8d@cisco.com>
From: Fabio Maino <fmaino@cisco.com>
Message-ID: <748f2c3d-16fd-03f3-988d-11a9c262a43a@cisco.com>
Date: Tue, 25 Oct 2016 21:07:10 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <37a920e9-b1aa-33c1-6321-e24937bc6c8d@cisco.com>
Content-Type: multipart/mixed; boundary="------------4FAFE1DA8AE8F9CD37E340F5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/JmzxEIG3tKxZ4ng2qaXvcHsqM7M>
Cc: lisp-chairs@ietf.org, Damien Saucez <damien.saucez@inria.fr>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] LISP-SEC review (finally)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2016 04:07:28 -0000
Ciao Luigi, here is the updated draft and the diff from -11. Thanks, Fabio On 10/25/16 5:14 PM, Fabio Maino wrote: > Hi Luigi, > below are more replies skipping the ones we agreed already. Looks like > we are converging... > > > wrt to 6830bis, I think we should not wait. I suspect the security > review of the document will take some time, so we can do some progress > in parallel to 6830bis. > > We will have to do a LISP-SECbis afterwards, but that should be simple. > > Please, see below. > > > > > On 10/24/16 3:02 AM, Luigi Iannone wrote: >> Hi Fabio, >> >> se my comment inline. >> (I do not consider the points we agree and everything related to the >> “SHOULD” clarification) >> >> Thanks for your work >> >> Ciao >> >> L. >> >> >>> On 22 Oct 2016, at 01:23, Fabio Maino <fmaino@cisco.com >>> <mailto:fmaino@cisco.com>> wrote: >>> >>> Ciao Luigi, >>> below I have replied to each comment. I'm working to the updated >>> text, that I will send as soon as it is ready. ideally we might be >>> able to publish a new version before draft deadline. >> >> Excellent. Thanks >> >>> >>> Just a note on the most recurring comment: SHOULD vs. MUST. >>> >>> The use of SHOULD across the document is according to RFC 2119: >>> >>> >>> SHOULD >>> >>> This word, or the adjective "RECOMMENDED", mean that there >>> may exist valid reasons in particular circumstances to ignore a >>> particular item, but the full implications must be understood and >>> carefully weighed before choosing a different course. >>> >>> >>> There are use cases where, carefully weighing the implications, some >>> of the security services of LISP-SEC can be turned-off. We want to >>> leave implementors the freedom to allow this flexibility. >>> >>> For example, in a DC deployment it may make sense to turn off OTK >>> decryption between XTR and MS/MR, as MiTM is very unlikely. >>> >>> Similarly, an ITR may decide to implement a loose policy on >>> accepting an AD authenticated with an algorithm different from the >>> preferred authentication algorithm expressed by the ITR. Using a >>> MUST would force support of a given authentication algorithm across >>> each and every MS and ETR, that might not be the case when >>> incrementally deploying LISP-SEC (or while upgrading routers). >>> >>> Using a MUST would prevent this flexibility, that we would like to >>> leave to the implementors. >>> >>> >>> >> >> This is fixed as for the suggestion of Joel. Thanks. >> >> >>> >>> >>> On 10/19/16 8:06 AM, Luigi Iannone wrote: >>>> Dear Authors of the LISP-SEC document, >>>> >>>> hereafter my review of the document. >>>> This was long overdue, sorry for being so late. >>>> >>>> I really like the solution and the majority of my comments are just >>>> clarification questions. >>>> Let me know if my comments are clear. >>>> >>>> ciao >>>> >>>> L. >>>> >>>> >>>> >>>>> 1. Introduction >>>>> >>>>> The Locator/ID Separation Protocol [RFC6830] defines a set of >>>>> functions for routers to exchange information used to map from non- >>>>> routable Endpoint Identifiers (EIDs) to routable Routing Locators >>>>> (RLOCs). >>>> I find the above sentence confusing. Wouldn’t be better to specify >>>> that we are talking about IP addresses? >>> >>> That's how LISP is described in RFC6830, section 1. If you start >>> using the term IP address then you need to qualify if you are >>> talking about Identity-IP or Locator-IP, so the sentence gets >>> complicated pretty quickly. >>> >> >> Not really. The very first sentence of the abstract of 6830 states: >> >> This document describes a network-layer-based protocol that enables >> separation of IP addresses into two new numbering spaces: Endpoint >> Identifiers (EIDs) and Routing Locators (RLOCs). >> >> >> So clearly speaks about IP address. >> Furthermore “routable" en “non routable” is true only in the >> inter-domain point of view, because EID are locally routable. >> Note that 6830 does not specify in the first sentence what is >> routable and what is not. > > ok, fixed with text from 6830. > > >> >> >>> I would leave this one unchanged. >>>> >>>>> If these EID-to-RLOC mappings, carried through Map-Reply >>>>> messages, are transmitted without integrity protection, an adversary >>>>> can manipulate them and hijack the communication, impersonate the >>>>> requested EID, or mount Denial of Service or Distributed Denial of >>>>> Service attacks. Also, if the Map-Reply message is transported >>>>> unauthenticated, an adversarial LISP entity can overclaim an EID- >>>>> prefix and maliciously redirect traffic directed to a large number of >>>>> hosts. A detailed description of "overclaiming" attack is provided >>>>> in [RFC7835]. >>>>> >>>>> This memo specifies LISP-SEC, a set of security mechanisms that >>>>> provides origin authentication, integrity and anti-replay protection >>>>> to LISP's EID-to-RLOC mapping data conveyed via mapping lookup >>>>> process. >>>> >>>> I would put s forward reference to section 3 stating that the >>>> reader will find details about the threat model. >>> >>> OK. We can replace the sentence >>> A detailed description of "overclaiming" attack is provided >>> in [RFC7835] >>> >>> with >>> >>> The LISP-SEC threat model, described in Section 3, is built on top of the LISP threat model defined in RFC7835, that includes a detailed description of "overclaiming" attack. >> OK >> >> >>> >>> >>>> >>>>> LISP-SEC also enables verification of authorization on EID- >>>>> prefix claims in Map-Reply messages, ensuring that the sender of a >>>>> Map-Reply that provides the location for a given EID-prefix is >>>>> entitled to do so according to the EID prefix registered in the >>>>> associated Map-Server. Map-Register security, including the right >>>>> for a LISP entity to register an EID-prefix or to claim presence at >>>>> an RLOC, is out of the scope of LISP-SEC. Additional security >>>>> considerations are described in Section 6. >>>>> >>>>> 2. Definition of Terms >>>>> >>>>> One-Time Key (OTK): An ephemeral randomly generated key that must >>>>> be used for a single Map-Request/Map-Reply exchange. >>>>> >>>>> >>>>> >>>>> ITR-OTK: The One-Time Key generated at the ITR. >>>>> >>>>> MS-OTK: The One-Time Key generated at the Map-Server. >>>> >>>> Why are you considering ITR-OTK and MS-OTK sub-terms? >>>> I would elevate them at full terms, hence avoiding spacing and >>>> indentation. >>> >>> Ok. >>> >>>> >>>>> Encapsulated Control Message (ECM): A LISP control message that is >>>>> prepended with an additional LISP header. ECM is used by ITRs to >>>>> send LISP control messages to a Map-Resolver, by Map-Resolvers to >>>>> forward LISP control messages to a Map-Server, and by Map- >>>>> Resolvers to forward LISP control messages to an ETR. >>>>> >>>> Why are you re-defining ECM? >>>> You do not specify other packets, e.g., Map-Reply, so why ECM? >>>> I would drop it. >>> >>> It is not defined in the Definitions section of 6830. One would need >>> to go through the body of 6830 to find it. >> >> I see your point. Just keep the text and add a ref to section 6.1.8 >> of 6830. This will clarify that is something coming from a specific >> section of that document. > > I have dropped the definition, expanded the acronym ECM and referred > to the specific section. > > In this way we don't have to wait for 6830bis, but we refer to the > proper definition. > >> >> >>> >>> I'll drop it, but we need to make sure that ECM gets into the >>> definition section of 6830bis. >>> >>> Albert: are you looking into that document? Can you take care of this? >>> >>> >>>> >>>> >>>>> Authentication Data (AD): Metadata that is included either in a >>>>> LISP ECM header or in a Map-Reply message to support >>>>> confidentiality, integrity protection, and verification of EID- >>>>> prefix authorization. >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 3] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> OTK-AD: The portion of ECM Authentication Data that contains a >>>>> One-Time Key. >>>>> >>>>> EID-AD: The portion of ECM and Map-Reply Authentication Data >>>>> used for verification of EID-prefix authorization. >>>>> >>>>> PKT-AD: The portion of Map-Reply Authentication Data used to >>>>> protect the integrity of the Map-Reply message. >>>> >>>> >>>> Why are you considering OTK-AD, EID-AD, and PKT-AD sub-terms? >>>> I would elevate them at full terms, hence avoiding spacing and >>>> indentation. >>>> >>> ok. >>> >>>> >>>>> For definitions of other terms, notably Map-Request, Map-Reply, >>>>> Ingress Tunnel Router (ITR), Egress Tunnel Router (ETR), Map-Server >>>>> (MS), and Map-Resolver (MR) please consult the LISP specification >>>>> [RFC6830]. >>>>> >>>>> 3. LISP-SEC Threat Model >>>>> >>>>> LISP-SEC addresses the control plane threats, described in [RFC7835], >>>>> that target EID-to-RLOC mappings, including manipulations of Map- >>>>> Request and Map-Reply messages, and malicious ETR EID prefix >>>>> overclaiming. LISP-SEC makes two main assumptions: (1) the LISP >>>>> mapping system is expected to deliver a Map-Request message to their >>>>> intended destination ETR as identified by the EID, and (2) no man-in- >>>>> the-middle (MITM) attack can be mounted within the LISP Mapping >>>>> System. Furthermore, while LISP-SEC enables detection of EID prefix >>>>> overclaiming attacks, it assumes that Map-Servers can verify the EID >>>>> prefix authorization at time of registration. >>>> LISP-SEC does not require OTK confidentiality in the mapping >>>> system. This should be discussed here. >>> we could add to the above >>> "and (2) no man-in- >>> the-middle (MITM) attack can be mounted within the LISP Mapping >>> System." >>> >>> How the Mapping System is protected from MiTM attacks depends from the particular Mapping System used, and is out of the scope of this memo. >>> >>> >> >> That’s fine for me. >> >> >>> >>>> >>>> >>>>> According to the threat model described in [RFC7835] LISP-SEC assumes >>>>> that any kind of attack, including MITM attacks, can be mounted in >>>>> the access network, outside of the boundaries of the LISP mapping >>>>> system. An on-path attacker, outside of the LISP mapping system can, >>>>> for example, hijack Map-Request and Map-Reply messages, spoofing the >>>>> identity of a LISP node. Another example of on-path attack, called >>>>> overclaiming attack, can be mounted by a malicious Egress Tunnel >>>>> Router (ETR), by overclaiming the EID-prefixes for which it is >>>>> authoritative. In this way the ETR can maliciously redirect traffic >>>>> directed to a large number of hosts. >>>>> >>>>> 4. Protocol Operations >>>>> >>>>> The goal of the security mechanisms defined in [RFC6830] is to >>>>> prevent unauthorized insertion of mapping data by providing origin >>>>> authentication and integrity protection for the Map-Registration, and >>>>> by using the nonce to detect unsolicited Map-Reply sent by off-path >>>>> attackers. >>>>> >>>>> LISP-SEC builds on top of the security mechanisms defined in >>>>> [RFC6830] to address the threats described in Section 3 by leveraging >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 4] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> the trust relationships existing among the LISP entities >>>>> participating to the exchange of the Map-Request/Map-Reply messages. >>>>> Those trust relationships are used to securely distribute a One-Time >>>>> Key (OTK) that provides origin authentication, integrity and anti- >>>>> replay protection to mapping data conveyed via the mapping lookup >>>>> process, and that effectively prevent overclaiming attacks. The >>>>> processing of security parameters during the Map-Request/Map-Reply >>>>> exchange is as follows: >>>>> >>>>> o The ITR-OTK is generated and stored at the ITR, and securely >>>>> transported to the Map-Server. >>>>> >>>>> o The Map-Server uses the ITR-OTK to compute an HMAC that protects >>>> You did not define HMAC acronym. Please define and add a reference. >>> >>> ok. >>> >>> >>>> >>>>> the integrity of the mapping data known to the Map-Server to >>>>> prevent overclaiming attacks. The Map-Server also derives a new >>>>> OTK, the MS-OTK, that is passed to the ETR, by applying a Key >>>>> Derivation Function (KDF) to the ITR-OTK. >>>>> >>>>> o The ETR uses the MS-OTK to compute an HMAC that protects the >>>>> integrity of the Map-Reply sent to the ITR. >>>>> >>>>> o Finally, the ITR uses the stored ITR-OTK to verify the integrity >>>>> of the mapping data provided by both the Map-Server and the ETR, >>>>> and to verify that no overclaiming attacks were mounted along the >>>>> path between the Map-Server and the ITR. >>>>> >>>>> Section 5 provides the detailed description of the LISP-SEC control >>>>> messages and their processing, while the rest of this section >>>>> describes the flow of protocol operations at each entity involved in >>>>> the Map-Request/Map-Reply exchange: >>>>> >>>>> o The ITR, upon needing to transmit a Map-Request message, generates >>>>> and stores an OTK (ITR-OTK). This ITR-OTK is included into the >>>>> Encapsulated Control Message (ECM) that contains the Map-Request >>>>> sent to the Map-Resolver. To provide confidentiality to the ITR- >>>>> OTK over the path between the ITR and its Map-Resolver, the ITR- >>>>> OTK SHOULD >>>> Why not using “MUST”??? >>>> Are you suggesting that a different way to provide confidentiality >>>> can be used (e.g. a different shared key)??? >>>> If yes, please state so. >>>> >>>> Or are you suggesting that no encryption at all is used? But this >>>> means not providing confidentiality… >>>> Can you clarify? >>>> >>>> (this very same comment will appear several time in this review) >>> >>> We don't want to make the use of pre-shared key *mandatory* to all >>> LISP deployments. There are deployments where the risk of MiTM >>> between the xTR and the MS/MR may not justify the cost of >>> provisioning a shared key (data centers, for example). >>> >>> >>>>> be encrypted using a preconfigured key shared between >>>>> the ITR and the Map-Resolver, similar to the key shared between >>>>> the ETR and the Map-Server in order to secure ETR registration >>>>> [RFC6833]. >>>>> >>>>> o The Map-Resolver decapsulates the ECM message, decrypts the ITR- >>>>> OTK, if needed, and forwards through the Mapping System the >>>>> received Map-Request and the ITR-OTK, as part of a new ECM >>>>> message. As described in Section 5.6, the LISP Mapping System >>>>> delivers the ECM to the appropriate Map-Server, as identified by >>>>> the EID destination address of the Map-Request. >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 5] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> o The Map-Server is configured with the location mappings and policy >>>>> information for the ETR responsible for the EID destination >>>>> address. Using this preconfigured information, the Map-Server, >>>>> after the decapsulation of the ECM message, finds the longest >>>>> match EID-prefix that covers the requested EID in the received >>>>> Map-Request. The Map-Server adds this EID-prefix, together with >>>>> an HMAC computed using the ITR-OTK, to a new Encapsulated Control >>>>> Message that contains the received Map-Request. >>>>> >>>>> o The Map-Server derives a new OTK, the MS-OTK, by applying a Key >>>>> Derivation Function (KDF) to the ITR-OTK. This MS-OTK is included >>>>> in the Encapsulated Control Message that the Map-Server uses to >>>>> forward the Map-Request to the ETR. To provide MS-OTK >>>>> confidentiality over the path between the Map-Server and the ETR, >>>>> the MS-OTK should >>>> This “should” should be a “SHOULD” (sorry for the cacophony…) >>> >>> Ok. >>>> >>>> Why not using “MUST”??? >>>> Are you suggesting that a different way to provide confidentiality >>>> can be used (e.g. a different shared key)??? >>>> If yes, please state so. >>>> >>>> Or are you suggesting that no encryption at all is used? But this >>>> means not providing confidentiality… >>>> Can you clarify? >>> >>> Same as above. >>> >>>> >>>>> be encrypted using the key shared between the >>>>> ETR and the Map-Server in order to secure ETR registration >>>>> [RFC6833]. >>>>> >>>>> o If the Map-Server is acting in proxy mode, as specified in >>>>> [RFC6830], the ETR is not involved in the generation of the Map- >>>>> Reply. In this case the Map-Server generates the Map-Reply on >>>>> behalf of the ETR as described below. >>>>> >>>>> o The ETR, upon receiving the ECM encapsulated Map-Request from the >>>>> Map-Server, decrypts the MS-OTK, if needed, and originates a >>>>> standard Map-Reply that contains the EID-to-RLOC mapping >>>>> information as specified in [RFC6830]. >>>>> >>>>> o The ETR computes an HMAC over this standard Map-Reply, keyed with >>>>> MS-OTK to protect the integrity of the whole Map-Reply. The ETR >>>>> also copies the EID-prefix authorization data that the Map-Server >>>>> included in the ECM encapsulated Map-Request into the Map-Reply >>>>> message. The ETR then sends this complete Map-Reply message to >>>>> the requesting ITR. >>>>> >>>>> o The ITR, upon receiving the Map-Reply, uses the locally stored >>>>> ITR-OTK to verify the integrity of the EID-prefix authorization >>>>> data included in the Map-Reply by the Map-Server. The ITR >>>>> computes the MS-OTK by applying the same KDF used by the Map- >>>>> Server, and verifies the integrity of the Map-Reply. If the >>>>> integrity checks fail, the Map-Reply MUST be discarded. Also, if >>>>> the EID-prefixes claimed by the ETR in the Map-Reply are not equal >>>>> or more specific than the EID-prefix authorization data inserted >>>>> by the Map-Server, the ITR MUST discard the Map-Reply. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 6] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> 5. LISP-SEC Control Messages Details >>>>> >>>>> LISP-SEC metadata associated with a Map-Request is transported within >>>>> the Encapsulated Control Message that contains the Map-Request. >>>>> >>>>> LISP-SEC metadata associated with the Map-Reply is transported within >>>>> the Map-Reply itself. >>>>> >>>>> 5.1. Encapsulated Control Message LISP-SEC Extensions >>>>> >>>>> LISP-SEC uses the ECM (Encapsulated Control Message) defined in >>>>> [RFC6830] with Type set to 8, and S bit set to 1 to indicate that the >>>>> LISP header includes Authentication Data (AD). The format of the >>>>> LISP-SEC ECM Authentication Data is defined in the following figure. >>>>> OTK-AD stands for One-Time Key Authentication Data and EID-AD stands >>>>> for EID Authentication Data. >>>>> >>>>> 0 1 2 3 >>>>> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>>> | AD Type |V| Reserved | Requested HMAC ID | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\ >>>>> | OTK Length | OTK Encryption ID | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>> | One-Time-Key Preamble ... | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ OTK-AD >>>>> | ... One-Time-Key Preamble | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>> ~ One-Time Key (128 bits) ~/ >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <---+ >>>>> | EID-AD Length | KDF ID | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>> | Record Count | Reserved | EID HMAC ID | EID-AD >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\ | >>>>> | Reserved | EID mask-len | EID-AFI | | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Rec | >>>>> ~ EID-prefix ... ~ | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/ | >>>>> ~ EID HMAC ~ | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <—+ >>>> I think that “rec” is mis-aligned and should be shifted one >>>> character upward. >>> >>> No. The row above is the portion of the header that specifies how >>> many records will follow. Rec shows one Rec item, in the array of >>> Records. It is consistent with 6830. >>> >>> >> >> OK >> >>> >>>> >>>>> LISP-SEC ECM Authentication Data >>>>> >>>>> AD Type: 1 (LISP-SEC Authentication Data) >>>> This is the first document starting to allocate values to the "AD >>>> Type” value. >>>> Why not asking IANA to create a registry?? >>>> (to be done in the IANA Considerations Section) >>> >>> >>> Ok. >>> >>>> >>>> >>>> >>>>> V: Key Version bit. This bit is toggled when the sender switches >>>>> to a new OTK wrapping key >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 7] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> Reserved: Set to 0 on transmission and ignored on receipt. >>>>> >>>>> Requested HMAC ID: The HMAC algorithm requested by the ITR. See >>>>> Section 5.4 for details. >>>>> >>>>> OTK Length: The length (in bytes) of the OTK Authentication Data >>>>> (OTK-AD), that contains the OTK Preamble and the OTK. >>>>> >>>>> OTK Encryption ID: The identifier of the key wrapping algorithm >>>>> used to encrypt the One-Time-Key. When a 128-bit OTK is sent >>>>> unencrypted by the Map-Resolver, the OTK Encryption ID is set to >>>>> NULL_KEY_WRAP_128. See Section 5.5 for more details. >>>>> >>>>> One-Time-Key Preamble: set to 0 if the OTK is not encrypted. When >>>>> the OTK is encrypted, this field may carry additional metadata >>>>> resulting from the key wrapping operation. When a 128-bit OTK is >>>>> sent unencrypted by Map-Resolver, the OTK Preamble is set to >>>>> 0x0000000000000000 (64 bits). See Section 5.5 for details. >>>>> >>>>> One-Time-Key: the OTK encrypted (or not) as specified by OTK >>>>> Encryption ID. See Section 5.5 for details. >>>>> >>>>> EID-AD Length: length (in bytes) of the EID Authentication Data >>>>> (EID-AD). The ITR MUST set EID-AD Length to 4 bytes, as it only >>>>> fills the KDF ID field, and all the remaining fields part of the >>>>> EID-AD are not present. An EID-AD MAY contain multiple EID- >>>>> records. Each EID-record is 4-byte long plus the length of the >>>>> AFI-encoded EID-prefix. >>>>> >>>>> KDF ID: Identifier of the Key Derivation Function used to derive >>>>> the MS-OTK. The ITR SHOULD use this field to indicate the >>>>> recommended KDF algorithm, according to local policy. >>>> I am not sure I understand the rationale of this “SHOULD”. If for >>>> any reason the ITR does not indicate the KDF ID what are the >>>> consequences? >>> >>> That should be a MAY, I believe, >>> >>> The ITR can specify "no preference" for KDF ID, using a value of 0. >> >> I think this is the unclear information: that the ITR can state “no >> preference” using value 0. >> Would be good if you can state it more clearly. > > I've added text to clarify this. > >> >> >>> >>> In the ITR processing section 5.4, we should add to >>> >>> The KDF ID field, specifies the suggested key derivation function to >>> be used by the Map-Server to derive the MS-OTK. >>> >>> a text like: "A KDF ID value of 0 (NONE), MAY be used to specify >>> that the ITR has no preferred KDF ID". >>> >>> >>> >>>> Is the MS free to choose the algorithm? This should be clarified. >>> This is specified in section 5.7. >>> >>> " >>> The Map-Server updates the OTK-AD by deriving a new OTK (MS-OTK) from >>> the ITR-OTK received with the Map-Request. MS-OTK is derived >>> applying the key derivation function specified in the KDF ID field. >>> If the algorithm specified in the KDF ID field is not supported, the >>> Map-Server uses a different algorithm to derive the key and updates >>> the KDF ID field accordingly. >>> " >>> >>> >> >> Since this paragraph does not use any 2119 language it actually mean >> that an MS can choose freely the algorithm to use. >> right? > > right. If the ITR does support that specific ID, the ITR may still > decide to use it. > >> >>> >>>> >>>>> The Map- >>>>> Server can overwrite the KDF ID if it does not support the KDF ID >>>>> recommended by the ITR. >>>> What happens if the MS will choose a KDF ID not supported by the ITR? >>>> Can you clarify how to solve this situation or explain why this >>>> will never happen? >>> >>> This is specified in 5.4, ITR processing. >>> >>> " >>> To verify the integrity of the PKT-AD, first the MS-OTK is derived >>> from the locally stored ITR-OTK using the algorithm specified in the >>> KDF ID field. This is because the PKT-AD is generated by the ETR >>> using the MS-OTK. If the KDF ID in the Map-Reply does not match the >>> KDF ID requested in the Map-Request, the ITR SHOULD discard the Map- >>> Reply and send, at the first opportunity it needs to, a new Map- >>> Request with a different KDF ID, according to ITR's local policy. >>> " >>> >>> >>> There are two typical use cases: >>> - strict KDF ID policy: ITR specifiy a KDF ID, and will discard >>> map-reply with different KDF IDs. If local policy allows, another >>> map-request will be sent with a different KDF ID >>> - loose KDF ID policy: ITR specify KDF ID = none, and will accept >>> map-reply with any KDF ID (if supported by ITR). If received KDF is >>> not supported the ITR shall drop the map-reply >>> >> >> The above text does not reflect the policies you are describing. That >> “SHOULD” should be a “MAY” and your policies spelled out. > I think we need to separate the recommendations for the two actions: > SHOULD drop and MAY resend. > > " > , the ITR SHOULD discard the Map- > Reply. At the first opportunity it needs to, the ITR MAY send a new Map- > Request with a different KDF ID, according to ITR's local policy. > > What do you think? > >> >> Also, what is the MS stubbornly insists in using an algorithm that >> the ITR does not support? > > The MS might not have alternatives, as it might only support one > algorithm. > > > >> >> >>> >>>> >>>>> See Section 5.4 for more details. >>>>> >>>>> Record Count: The number of records in this Map-Request message. >>>>> A record is comprised of the portion of the packet that is labeled >>>>> 'Rec' above and occurs the number of times equal to Record Count. >>>>> >>>>> Reserved: Set to 0 on transmission and ignored on receipt. >>>>> >>>>> EID HMAC ID: Identifier of the HMAC algorithm used to protect the >>>>> integrity of the EID-AD. This field is filled by Map-Server that >>>>> computed the EID-prefix HMAC. See Section 5.4 for more details. >>>>> >>>>> EID mask-len: Mask length for EID-prefix. >>>>> >>>>> EID-AFI: Address family of EID-prefix according to [RFC5226] >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 8] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> EID-prefix: The Map-Server uses this field to specify the EID- >>>>> prefix that the destination ETR is authoritative for, and is the >>>>> longest match for the requested EID. >>>>> >>>>> EID HMAC: HMAC of the EID-AD computed and inserted by Map-Server. >>>>> Before computing the HMAC operation the EID HMAC field MUST be set >>>>> to 0. The HMAC covers the entire EID-AD. >>>>> >>>>> 5.2. Map-Reply LISP-SEC Extensions >>>>> >>>>> LISP-SEC uses the Map-Reply defined in [RFC6830], with Type set to 2, >>>>> and S bit set to 1 to indicate that the Map-Reply message includes >>>>> Authentication Data (AD). The format of the LISP-SEC Map-Reply >>>>> Authentication Data is defined in the following figure. PKT-AD is >>>>> the Packet Authentication Data that covers the Map-Reply payload. >>>>> >>>>> 0 1 2 3 >>>>> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>>> | AD Type | Reserved | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <---+ >>>>> | EID-AD Length | KDF ID | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>> | Record Count | Reserved | EID HMAC ID | EID-AD >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\ | >>>>> | Reserved | EID mask-len | EID-AFI | | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Rec | >>>>> ~ EID-prefix ... ~ | | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/ | >>>>> ~ EID HMAC ~ | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ <---+ >>>>> | PKT-AD Length | PKT HMAC ID |\ >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | >>>>> ~ PKT HMAC ~ PKT-AD >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/ >>>>> >>>>> LISP-SEC Map-Reply Authentication Data >>>>> >>>>> AD Type: 1 (LISP-SEC Authentication Data) >>>> Shouldn’t this be a different value? This AD format is different >>>> from the one described in section 5.1! >>>> Another reason to ask IANA for a registry…. >>> >>> One is the LISP-SEC authentication data that applies to the ECM >>> message (when S-bit = 1), the other is the LISP-SEC authentication >>> data that applies to the Map-Reply (when S-bit = 1). >>> >>> Those are extensions of two different messages (ECM and map-reply), >>> and they are both identified by an AD Type (that happens to be set >>> to value 1 for both). >> >> This is not clear in the current text. > > Right. I have updated the text to clarify it. Together with the IANA > disposition it should be clear now. > > >> >>> >>> Yes, the AD type space is different so we will need two IANA >>> registries. >>> >>> >>> Question for the co-auhtors: should we change the name to 'ECM AD >>> Type' and 'Map-Reply AD Type’? >> >> IMHO you have to, otherwise there will be always confusion…. > > done. > >> >>> >>> >>> >>>> >>>> >>>>> EID-AD Length: length (in bytes) of the EID-AD. An EID-AD MAY >>>>> contain multiple EID-records. Each EID-record is 4-byte long plus >>>>> the length of the AFI-encoded EID-prefix. >>>>> >>>>> KDF ID: Identifier of the Key Derivation Function used to derive >>>>> MS-OTK. See Section 5.7 for more details. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 9] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> Record Count: The number of records in this Map-Reply message. A >>>>> record is comprised of the portion of the packet that is labeled >>>>> 'Rec' above and occurs the number of times equal to Record Count. >>>>> >>>>> Reserved: Set to 0 on transmission and ignored on receipt. >>>>> >>>>> EID HMAC ID: Identifier of the HMAC algorithm used to protect the >>>>> integrity of the EID-AD. See Section 5.7 for more details. >>>>> >>>>> EID mask-len: Mask length for EID-prefix. >>>>> >>>>> EID-AFI: Address family of EID-prefix according to [RFC5226]. >>>>> >>>>> EID-prefix: This field contains an EID-prefix that the destination >>>>> ETR is authoritative for, and is the longest match for the >>>>> requested EID. >>>>> >>>>> EID HMAC: HMAC of the EID-AD, as computed by the Map-Server. >>>>> Before computing the HMAC operation the EID HMAC field MUST be set >>>>> to 0. The HMAC covers the entire EID-AD. >>>>> >>>>> PKT-AD Length: length (in bytes) of the Packet Authentication Data >>>>> (PKT-AD). >>>>> >>>>> PKT HMAC ID: Identifier of the HMAC algorithm used to protect the >>>>> integrity of the Map-reply Location Data. >>>> “Location Data” is something nowhere defined. Can you clarify what >>>> do you mean? >>> >>> we can just remove 'Location Data’ >> >> OK. >> >>> >>> >>>> >>>> >>>>> PKT HMAC: HMAC of the whole Map-Reply packet, including the LISP- >>>>> SEC Authentication Data. The scope of the authentication goes >>>>> from the Map-Reply Type field to the PKT HMAC field included. >>>>> Before computing the HMAC operation the PKT HMAC field MUST be set >>>>> to 0. See Section 5.8 for more details. >>>>> >>>>> 5.3. Map-Register LISP-SEC Extentions >>>>> >>>>> The second bit after the Type field in a Map-Register message is >>>>> allocated as the S bit. >>>> I would better explain that this document is allocating a bit >>>> marked as reserved in 6830. >>> >>> Ok. We will need to reflect this in 6830bis as well. >> >> Sure >> >> >>> >>>> Furthermore, at the cost of being redundant, I would put the packet >>>> format highlighting the position of the bit so that there is no >>>> confusion whatsoever. >>> >>> We wanted to explicitly avoid to include the format of messages >>> when already defined in other documents, >> >> The S-bit is not defined in other documents. IMHO is important to >> have the visual aid of which exact bit your are talking about. >> > I've added text to clarify. I really prefer not to have the whole > picture, but just refer to it. > > Considering that 6830 will evolve into 6830bis, eventually (with the > next LISP-SEC) the reference will be updated in 6830bis. > > >>> so we point rather than copy. If we address this in 6830bis, the >>> problem will be solved. >> >> You mentioned 6830bis several time, let me ask: Would you like to >> reference that document? >> In this case we have to hold this back until we have at least a >> stable version of that document. >> Then the RFC editor will hold this document back until that one is >> RFC, because of missing reference. >> Or you keep it this way and later on you make a ST version. >> >> Either way is fine for me. > > I think we should move this draft forward, without waiting for > 6830bis. Considering that this is security I expect the review process > to last quite some time, so we can make progress without waiting for > 6830bis. Eventually even teh LISP-SEC RFC will be updated, and all > will be good. > >> >> >> >>> >>> >>>> >>>>> The S bit indicates to the Map-Server that >>>>> the registering ETR is LISP-SEC enabled. An ETR that supports LISP- >>>>> SEC MUST set the S bit in its Map-Register messages. >>>>> >>>>> 5.4. ITR Processing >>>>> >>>>> Upon creating a Map-Request, the ITR generates a random ITR-OTK that >>>>> is stored locally, together with the nonce generated as specified in >>>>> [RFC6830]. >>>>> >>>>> The Map-Request MUST be encapsulated in an ECM, with the S-bit set to >>>>> 1, to indicate the presence of Authentication Data. If the ITR and >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 10] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> the Map-Resolver are configured with a shared key, >>>> In section 4 you seem to suggest that this is not the only way to >>>> protect the OTK (see my comment). >>>> Here instead you suggest that a shared key is the only way. >>> >>> >>> Right. Here it says what to do IF there is a shared key, that is >>> consistent with the SHOULD above. >> >> OK. >> >>> >>> >>>>> the ITR-OTK >>>>> confidentiality SHOULD be protected by wrapping the ITR-OTK with the >>>>> algorithm specified by the OTK Encryption ID field. >>>> Not clear what this “SHOULD” refers to. >>>> IS the SHOULD related to the fact to encrypt the OTK? The ITR >>>> SHOULD encrypt. >>>> Or the choice of the algorithm? The ITR SHOULD use the algorithm >>>> specified by the OTK Encryption ID? >>>> The second case looks impossible since is the ITR is choosing the >>>> algorithm. May be the sentence can be rewritten. >>> >>> SHOULD refers to protecting the confidentiality of the ITR-OTK. >>> Maybe the 'by' should be replaced by 'with’? >> >> Just drop the “by”? >> >> >>> >>>> >>>> Similarly to previous comment: Why it is not a MUST? >>> Same as other SHOULD. >>> >>> >>> >>>>> See Section 5.5 >>>>> for further details on OTK encryption. >>>>> >>>>> The Requested HMAC ID field contains the suggested HMAC algorithm to >>>>> be used by the Map-Server and the ETR to protect the integrity of the >>>>> ECM Authentication data and of the Map-Reply. >>>>> >>>> What happens if the MS will choose a HMAC not supported by the ETR >>>> or the ITR? >>>> Can you clarify how to solve this situation or explain why this >>>> will never happen? >>> >>> This is described 5 paragraphs below: >>> >>> " >>> If the EID HMAC ID field does >>> not match the Requested HMAC ID the ITR SHOULD discard the Map-Reply >>> and send, at the first opportunity it needs to, a new Map-Request >>> with a different Requested HMAC ID field, according to ITR's local >>> policy. >>> " >>> >> >> What about the ETR? > > It's specified in 5.8, the ETR makes the same processing as the MS. > > "If the ETR does not support the Requested HMAC ID, it uses a > different algorithm and updates the PKT HMAC ID field accordingly. " > > Also the ETR doesn't process the AD computed by the MS, it just copies > into the Map-Reply. > > > >> >>> >>>> >>>>> The KDF ID field, specifies the suggested key derivation function to >>>>> be used by the Map-Server to derive the MS-OTK. >>>> >>>> What happens if the MS will choose a KDF ID not supported by the ITR? >>>> Can you clarify how to solve this situation or explain why this >>>> will never happen? >>> >>> This is described a few paragraphs below: >>> " >>> If the KDF ID in the Map-Reply does not match the >>> KDF ID requested in the Map-Request, the ITR SHOULD discard the Map- >>> Reply and send, at the first opportunity it needs to, a new Map- >>> Request with a different KDF ID, according to ITR's... >>> " >>> >> >> This does not guarantee that the MS will reply with something the ITR >> understands…. > > For some local ITR's policy it may not be guaranteed. It's a balance > between reachability and security that the ITR will have to choose. > > > > > > >> >> >> >>>> >>>>> The EID-AD length is set to 4 bytes, since the Authentication Data >>>>> does not contain EID-prefix Authentication Data, and the EID-AD >>>>> contains only the KDF ID field. >>>>> >>>>> In response to an encapsulated Map-Request that has the S-bit set, an >>>>> ITR MUST receive a Map-Reply with the S-bit set, that includes an >>>>> EID-AD and a PKT-AD. If the Map-Reply does not include both ADs, the >>>>> ITR MUST discard it. In response to an encapsulated Map-Request with >>>>> S-bit set to 0, the ITR expects a Map-Reply with S-bit set to 0, and >>>>> the ITR SHOULD discard the Map-Reply if the S-bit is set. >>>> Why a “SHOULD”? If the Map-Request has S-bit=0 it mean that there >>>> is no AD, hence no OTK, how can the ITR decrypt the reply????? >>>> It MUST discard….. >>> >>> If S-bit = 0 there's no Authentication Data. The Map-reply is in >>> clear, and can be read. >> >> I am not sure you understood my point. >> >> You send a Map-Request with S=0, hence unenbcrypted. How can you >> possible receive a Map-Reply with S=1? >> How is it encrypted if the ITR did not provide any OTK? > > Misconfiguration, bugs? I was just trying to enumerate the behaviors > of the ITR. There's probably something wrong, and the map-reply should > be discarded. Still the mapping is readable, so an ITR favoring > reachability may decide to use the mapping. > >> >> >> >> >>> >>> >>> Here again the SHOULD leaves open to ITR local policy that can be >>> strict (drop anything not authenticated) or loose (accept >>> unauthenticated map-reply). >>> >>> There are use cases where LISP-SEC is not deployed everywhere, where >>> the ITR might have to use loose policy. >>> >>> >>>> >>>> >>>>> Upon receiving a Map-Reply, the ITR must verify the integrity of both >>>>> the EID-AD and the PKT-AD, and MUST discard the Map-Reply if one of >>>>> the integrity checks fails. >>>>> >>>>> The integrity of the EID-AD is verified using the locally stored ITR- >>>>> OTK to re-compute the HMAC of the EID-AD using the algorithm >>>>> specified in the EID HMAC ID field. If the EID HMAC ID field does >>>>> not match the Requested HMAC ID the ITR SHOULD discard the Map-Reply >>>> Why is this a SHOULD? If it supports the HMAC Algorithm why not >>>> decrypt? Shouldn’t this be a “MAY”, according to internal policy? >>> >>> because this could be used by an attacker to force weaker HMACs >>> (e.g. MD5). >> >> OK >> >>> The SHOULD leaves open the door to not discarding, according to >>> local policy. >>> >>> >> >> OK. >> >> >>> >>> >>>>> and send, at the first opportunity it needs to, a new Map-Request >>>>> with a different Requested HMAC ID field, according to ITR's local >>>>> policy. The ITR MUST set the EID HMAC ID field to 0 before computing >>>>> the HMAC. >>>> Shouldn’t the MS do the same thing? Otherwise different values will >>>> be obtained. This is not specified in the MS functioning description. >>> >>> good catch. Actually it's a typo here, the EID HMAC field should be >>> set to 0 (that is consistent with section 5.7), not the EID HMAC ID >>> that should not be touched. >>> >> >> OK >>> >>> The ITR MUST set the EID HMAC ID field to 0 before computing >>> the HMAC. >>> >>> should change to >>> >>> The scope of the HMAC operation covers the >>> entire EID-AD, from the EID-AD Length field to the EID HMAC field, >>> which must be set to 0 before the computation. >>>>> To verify the integrity of the PKT-AD, first the MS-OTK is derived >>>>> from the locally stored ITR-OTK using the algorithm specified in the >>>>> KDF ID field. This is because the PKT-AD is generated by the ETR >>>>> using the MS-OTK. If the KDF ID in the Map-Reply does not match the >>>>> KDF ID requested in the Map-Request, the ITR SHOULD discard the Map- >>>>> Reply and send, at the first opportunity it needs to, a new Map- >>>>> Request with a different KDF ID, according to ITR's local policy. >>>>> The derived MS-OTK is then used to re-compute the HMAC of the PKT-AD >>>>> using the Algorithm specified in the PKT HMAC ID field. If the PKT >>>>> HMAC ID field does not match the Requested HMAC ID the ITR SHOULD >>>>> discard the Map-Reply and send, at the first opportunity it needs to, >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 11] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> a new Map-Request with a different Requested HMAC ID according to >>>>> ITR's local policy. >>>>> >>>>> Each individual Map-Reply EID-record is considered valid only if: (1) >>>>> both EID-AD and PKT-AD are valid, and (2) the intersection of the >>>>> EID-prefix in the Map-Reply EID-record with one of the EID-prefixes >>>>> contained in the EID-AD is not empty. After identifying the Map- >>>>> Reply record as valid, the ITR sets the EID-prefix in the Map-Reply >>>>> record to the value of the intersection set computed before, and adds >>>>> the Map-Reply EID-record to its EID-to-RLOC cache, as described in >>>>> [RFC6830]. An example of Map-Reply record validation is provided in >>>>> Section 5.4.1. >>>>> >>>>> The ITR SHOULD send SMR triggered Map-Requests over the mapping >>>>> system in order to receive a secure Map-Reply. >>>> I do not understand this “SHOULD”. This has consequences in the >>>> choice how to react to SMR. This is a local policy. >>>> _If_ the ITR wants to protect Map-Requests using LISP-SEC, than SMR >>>> triggered Map-Request MUST be sent through the mapping system. >> >>> so the _if_ is what makes that MUST a SHOULD... According to local >>> policy the ITR SHOULD send the SMR. >> >> I read the sentence in this way: >> >> In order to received a secure Map-Reply, the ITR MUST send SMR >> triggered Map-Requests over the mapping system. >> >> No? > > I see what you are saying. I'll rephrase as: > > If an ITR accepts piggybacked Map-Replies, it SHOULD also send a > Map-Request over the mapping system in order to verify the piggybacked > Map-Reply with a secure Map-Reply. > > > > >> >>>>> If an ITR accepts >>>>> piggybacked Map-Replies, it SHOULD also send a Map-Request over the >>>>> mapping system in order to securely verify the piggybacked Map-Reply. >>>> Same as above. >>>>> 5.4.1. Map-Reply Record Validation >>>>> >>>>> The payload of a Map-Reply may contain multiple EID-records. The >>>>> whole Map-Reply is signed by the ETR, with the PKT HMAC, to provide >>>>> integrity protection and origin authentication to the EID-prefix >>>>> records claimed by the ETR. The Authentication Data field of a Map- >>>>> Reply may contain multiple EID-records in the EID-AD. The EID-AD is >>>>> signed by the Map-Server, with the EID HMAC, to provide integrity >>>>> protection and origin authentication to the EID-prefix records >>>>> inserted by the Map-Server. >>>>> >>>>> Upon receiving a Map-Reply with the S-bit set, the ITR first checks >>>>> the validity of both the EID HMAC and of the PKT-AD HMAC. If either >>>>> one of the HMACs is not valid, a log message is issued and the Map- >>>>> Reply is not processed any further. >>>> I think “log message" is too much implementation specific. >>>> If there is a notification, and how this notification is done, is >>>> implementation specific IMHO. >>> Ok. 'a log message is issued' will change to 'a log action should be >>> taken'. The point is that there could be an attack behind it, and we >>> want to record the event >> >> OK >> >>>>> If both HMACs are valid, the ITR >>>>> proceeds with validating each individual EID-record claimed by the >>>>> ETR by computing the intersection of each one of the EID-prefix >>>>> contained in the payload of the Map-Reply with each one of the EID- >>>>> prefixes contained in the EID-AD. An EID-record is valid only if at >>>>> least one of the intersections is not the empty set. >>>>> >>>>> For instance, the Map-Reply payload contains 3 mapping record EID- >>>>> prefixes: >>>>> >>>>> 1.1.1.0/24 >>>>> >>>>> 1.1.2.0/24 >>>>> >>>>> 1.2.0.0/16 >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 12] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> The EID-AD contains two EID-prefixes: >>>>> >>>>> 1.1.2.0/24 >>>>> >>>>> 1.2.3.0/24 >>>>> >>>>> The EID-record with EID-prefix 1.1.1.0/24 is not processed since it >>>>> is not included in any of the EID-ADs signed by the Map-Server. A >>>>> log message is issued. >>>> I think “log message" is too much implementation specific. >>>> If there is a notification, and how this notification is done, is >>>> implementation specific IMHO. >>> ok. Same as above. >>>>> The EID-record with EID-prefix 1.1.2.0/24 is stored in the map-cache >>>>> because it matches the second EID-prefix contained in the EID-AD. >>>>> >>>>> The EID-record with EID-prefix 1.2.0.0/16 is not processed since it >>>>> is not included in any of the EID-ADs signed by the Map-Server. A >>>>> log message is issued. >>>> I think “log message" is too much implementation specific. >>>> If there is a notification, and how this notification is done, is >>>> implementation specific IMHO. >>> ok. Same as above >>>>> In this last example the ETR is trying to >>>>> over claim the EID-prefix 1.2.0.0/16, but the Map-Server authorized >>>>> only 1.2.3.0/24, hence the EID-record is discarded. >>>> Reading the example I am not sure I would follow this behaviour. >>>> Only 1 record out of 3 is valid so why should I actually trust the >>>> ETR instead of throwing everything away? >>>> Can you explain ??? >>> The other two records are validated by the MS, so there is no reason >>> to throw those away. >> >> Yes, but the ETR is still trying to cheat on the third one…. >> So the ETR may be compromised, why should I send traffic to him??? > > ITR has flagged the security exception with the log entry, and some > local ITR policy will decide what to do (including stop encapsulating > to the ETR, if that's what is specified by the policy). At the LISP > level LISP-SEC has done its job: verified mapping goes into the > map-cache, overclaimed mapping is dropped. > > >> >> >>>>> 5.4.2. PITR Processing >>>>> >>>>> The processing performed by a PITR is equivalent to the processing of >>>>> an ITR. However, if the PITR is directly connected to the ALT, >>>> This would be LISP+ALT. Pleas add a reference to 6836. >>> ok. >>>>> the >>>>> PITR performs the functions of both the ITR and the Map-Resolver >>>>> forwarding the Map-Request encapsulated in an ECM header that >>>>> includes the Authentication Data fields as described in Section 5.6. >>>>> >>>>> 5.5. Encrypting and Decrypting an OTK >>>>> >>>>> MS-OTK confidentiality is required in the path between the Map-Server >>>>> and the ETR, the MS-OTK SHOULD >>>> If confidentiality is required why there is not a MUST? >>> Same. >>>>> be encrypted using the preconfigured >>>>> key shared between the Map-Server and the ETR for the purpose of >>>>> securing ETR registration [RFC6833]. Similarly, if ITR-OTK >>>>> confidentiality is required in the path between the ITR and the Map- >>>>> Resolver, the ITR-OTK SHOULD >>>> Again, if confidentiality is required why there is not a MUST? >>> Same. >>>>> be encrypted with a key shared between >>>>> the ITR and the Map-Resolver. >>>>> >>>>> The OTK is encrypted using the algorithm specified in the OTK >>>>> Encryption ID field. When the AES Key Wrap algorithm is used to >>>>> encrypt a 128-bit OTK, according to [RFC3339], >>>> The correct RFC is 3394. >>> ok. >>>>> the AES Key Wrap >>>>> Initialization Value MUST be set to 0xA6A6A6A6A6A6A6A6 (64 bits). >>>>> The output of the AES Key Wrap operation is 192-bit long. The most >>>>> significant 64-bit are copied in the One-Time Key Preamble field, >>>>> while the 128 less significant bits are copied in the One-Time Key >>>>> field of the LISP-SEC Authentication Data. >>>>> >>>>> When decrypting an encrypted OTK the receiver MUST verify that the >>>>> Initialization Value resulting from the AES Key Wrap decryption >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 13] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> operation is equal to 0xA6A6A6A6A6A6A6A6. If this verification fails >>>>> the receiver MUST discard the entire message. >>>>> >>>>> When a 128-bit OTK is sent unencrypted the OTK Encryption ID is set >>>>> to NULL_KEY_WRAP_128, and the OTK Preamble is set to >>>>> 0x0000000000000000 (64 bits). >>>>> >>>>> 5.6. Map-Resolver Processing >>>>> >>>>> Upon receiving an encapsulated Map-Request with the S-bit set, the >>>>> Map-Resolver decapsulates the ECM message. The ITR-OTK, if >>>>> encrypted, is decrypted as specified in Section 5.5. >>>>> >>>>> The Map-Resolver, as specified in [RFC6833], originates a new ECM >>>>> header with the S-bit set, that contains the unencrypted ITR-OTK, as >>>>> specified in Section 5.5, and the other data derived from the ECM >>>>> Authentication Data of the received encapsulated Map-Request. >>>> Few points on this last paragraph: >>>> - You assume that there is no need of confidentiality inside the >>>> Mapping System? >>>> - Why not stating that encryption inside the mapping system is >>>> mapping system specify and out of scope of this document? >>> ok. as it was pointed out above. >>>> - Why are you assuming that all of the Mapping system will use ECM? >>>> Future Mapping system may use soemthos different. The important >>>> point is to ship the AD along. >>> good point, and I agree with your suggestion to fix this below. >>>>> The Map-Resolver then forwards >>>> to whom? >>> ok. add 'to the Map-Server' >>>>> the received Map-Request, encapsulated >>>>> in the new ECM header that includes the newly computed Authentication >>>>> Data fields. >>>> As for my comment of the previous paragraph I would be more generic >>>> stating that the MR will hand over the request to the mapping system. >>>> You can still provide the example of DDT using ECM. >>> right. >>>>> 5.7. Map-Server Processing >>>>> >>>>> Upon receiving an ECM encapsulated Map-Request with the S-bit set, >>>>> the Map-Server process the Map-Request according to the value of the >>>>> S-bit contained in the Map-Register sent by the ETR during >>>>> registration. >>>>> >>>>> If the S-bit contained in the Map-Register was clear the Map-Server >>>>> decapsulates the ECM and generates a new ECM encapsulated Map-Request >>>>> that does not contain an ECM Authentication Data, as specified in >>>>> [RFC6830]. The Map-Server does not perform any further LISP-SEC >>>>> processing. >>>> This equivalent to not using LISP-SEC. Please specify that the >>>> Map-Reply will be not protected. >>> ok. >>>>> If the S-bit contained in the Map-Register was set the Map-Server >>>>> decapsulates the ECM and generates a new ECM Authentication Data. >>>>> The Authentication Data includes the OTK-AD and the EID-AD, that >>>>> contains EID-prefix authorization information, that are ultimately >>>>> sent to the requesting ITR. >>>>> >>>>> The Map-Server updates the OTK-AD by deriving a new OTK (MS-OTK) from >>>>> the ITR-OTK received with the Map-Request. MS-OTK is derived >>>>> applying the key derivation function specified in the KDF ID field. >>>>> If the algorithm specified in the KDF ID field is not supported, the >>>>> Map-Server uses a different algorithm to derive the key and updates >>>>> the KDF ID field accordingly. >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 14] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> The Map-Server and the ETR MUST be configured with a shared key for >>>>> mapping registration according to [RFC6833]. If MS-OTK >>>>> confidentiality is required, then the MS-OTK SHOULD be encrypted, >>>> Again, if confidentiality is required why there is not a MUST? >>> same as above. >>>>> by >>>>> wrapping the MS-OTK with the algorithm specified by the OTK >>>>> Encryption ID field as specified in Section 5.5. >>>>> >>>>> The Map-Server includes in the EID-AD the longest match registered >>>>> EID-prefix for the destination EID, and an HMAC of this EID-prefix. >>>>> The HMAC is keyed with the ITR-OTK contained in the received ECM >>>>> Authentication Data, and the HMAC algorithm is chosen according to >>>>> the Requested HMAC ID field. If The Map-Server does not support this >>>>> algorithm, the Map-Server uses a different algorithm and specifies it >>>>> in the EID HMAC ID field. The scope of the HMAC operation covers the >>>>> entire EID-AD, from the EID-AD Length field to the EID HMAC field, >>>>> which must be set to 0 before the computation. >>>>> >>>>> The Map-Server then forwards the updated ECM encapsulated Map- >>>>> Request, that contains the OTK-AD, the EID-AD, and the received Map- >>>>> Request to an authoritative ETR as specified in [RFC6830]. >>>>> >>>>> 5.7.1. Map-Server Processing in Proxy mode >>>>> >>>>> If the Map-Server is in proxy mode, it generates a Map-Reply, as >>>>> specified in [RFC6830], with the S-bit set to 1. The Map-Reply >>>>> includes the Authentication Data that contains the EID-AD, computed >>>>> as specified in Section 5.7, as well as the PKT-AD computed as >>>>> specified in Section 5.8. >>>>> >>>>> 5.8. ETR Processing >>>>> >>>>> Upon receiving an ECM encapsulated Map-Request with the S-bit set, >>>>> the ETR decapsulates the ECM message. The OTK field, if encrypted, >>>>> is decrypted as specified in Section 5.5 to obtain the unencrypted >>>>> MS-OTK. >>>>> >>>>> The ETR then generates a Map-Reply as specified in [RFC6830] and >>>>> includes the Authentication Data that contains the EID-AD, as >>>>> received in the encapsulated Map-Request, as well as the PKT-AD. >>>>> >>>>> The EID-AD is copied from the Authentication Data of the received >>>>> encapsulated Map-Request. >>>>> >>>>> The PKT-AD contains the HMAC of the whole Map-Reply packet, keyed >>>>> with the MS-OTK and computed using the HMAC algorithm specified in >>>>> the Requested HMAC ID field of the received encapsulated Map-Request. >>>>> If the ETR does not support the Requested HMAC ID, it uses a >>>>> different algorithm and updates the PKT HMAC ID field accordingly. >>>>> The scope of the HMAC operation covers the entire PKT-AD, from the >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 15] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> Map-Reply Type field to the PKT HMAC field, which must be set to 0 >>>>> before the computation. >>>>> >>>>> Finally the ETR sends the Map-Reply to the requesting ITR as >>>>> specified in [RFC6830]. >>>>> >>>>> 6. Security Considerations >>>>> >>>>> 6.1. Mapping System Security >>>>> >>>>> The LISP-SEC threat model described in Section 3, assumes that the >>>>> LISP Mapping System is working properly and eventually delivers Map- >>>>> Request messages to a Map-Server that is authoritative for the >>>>> requested EID. >>>>> >>>> As for a previous comment, can you elaborate if OTK confidentiality >>>> is required in the mapping system and what are the consequences? >>> ok. >>>>> Map-Register security, including the right for a LISP entity to >>>>> register an EID-prefix or to claim presence at an RLOC, is out of the >>>>> scope of LISP-SEC. >>>>> >>>>> 6.2. Random Number Generation >>>>> >>>>> The ITR-OTK MUST be generated by a properly seeded pseudo-random (or >>>>> strong random) source. See [RFC4086] for advice on generating >>>>> security-sensitive random data >>>>> >>>>> 6.3. Map-Server and ETR Colocation >>>>> >>>>> If the Map-Server and the ETR are colocated, LISP-SEC does not >>>>> provide protection from overclaiming attacks mounted by the ETR. >>>>> However, in this particular case, since the ETR is within the trust >>>>> boundaries of the Map-Server, ETR's overclaiming attacks are not >>>>> included in the threat model. >>>>> >>>>> 7. IANA Considerations >>>> This section is not conform to RFC 5226. >>>> There right way to go is to ask IANA to create three new >>>> registries, for HMAC, Key Wrap, and Key Derivation functions. >>>> Define what is the allocation process (in light of the size of the >>>> field FCFS should not cause any problem IMHO) >>>> Then ask to populate the registries as already described. >>> Ok, so each one of the sections 7.x will say: IANA is requested to >>> create a new <registry-name> registry for use … >> >> There is slightly more text to add. > > right. I have added more. I'm almost ready to send a new rev. > >> >> >>>>> 7.1. HMAC functions >>>>> >>>>> The following HMAC ID values are defined by this memo for use as >>>>> Requested HMAC ID, EID HMAC ID, and PKT HMAC ID in the LISP-SEC >>>>> Authentication Data: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 16] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> Name Number Defined In >>>>> ------------------------------------------------- >>>>> NONE 0 >>>>> AUTH-HMAC-SHA-1-96 1 [RFC2104] >>>>> AUTH-HMAC-SHA-256-128 2 [RFC4634] >>>>> >>>>> values 2-65535 are reserved to IANA. >>>>> >>>>> HMAC Functions >>>>> >>>>> AUTH-HMAC-SHA-1-96 MUST be supported, AUTH-HMAC-SHA-256-128 should be >>>>> supported. >>>>> >>>>> 7.2. Key Wrap Functions >>>>> >>>>> The following OTK Encryption ID values are defined by this memo for >>>>> use as OTK key wrap algorithms ID in the LISP-SEC Authentication >>>>> Data: >>>>> >>>>> Name Number Defined In >>>>> ------------------------------------------------- >>>>> NULL-KEY-WRAP-128 1 >>>>> AES-KEY-WRAP-128 2 [RFC3394] >>>>> >>>>> values 0 and 3-65535 are reserved to IANA. >>>>> >>>>> Key Wrap Functions >>>>> >>>>> NULL-KEY-WRAP-128, and AES-KEY-WRAP-128 MUST be supported. >>>>> >>>>> NULL-KEY-WRAP-128 is used to carry an unencrypted 128-bit OTK, with a >>>>> 64-bit preamble set to 0x0000000000000000 (64 bits). >>>>> >>>>> 7.3. Key Derivation Functions >>>>> >>>>> The following KDF ID values are defined by this memo for use as KDF >>>>> ID in the LISP-SEC Authentication Data: >>>>> >>>>> Name Number Defined In >>>>> ------------------------------------------------- >>>>> NONE 0 >>>>> HKDF-SHA1-128 1 [RFC5869] >>>>> >>>>> values 2-65535 are reserved to IANA. >>>>> >>>>> Key Derivation Functions >>>>> >>>>> HKDF-SHA1-128 MUST be supported >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 17] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> 8. Acknowledgements >>>>> >>>>> The authors would like to acknowledge Pere Monclus, Dave Meyer, Dino >>>>> Farinacci, Brian Weis, David McGrew, Darrel Lewis and Landon Curt >>>>> Noll for their valuable suggestions provided during the preparation >>>>> of this document. >>>>> >>>>> 9. Normative References >>>> Please Check your reference, this is the output if the nits tool: >>>> Checking references for intended status: Experimental >>>> ---------------------------------------------------------------------------- >>>> == Missing Reference: 'RFC3339' is mentioned on line 602, but not >>>> defined >>>> == Missing Reference: 'RFC4634' is mentioned on line 752, but not >>>> defined >>>> ** Obsolete undefined reference: RFC 4634 (Obsoleted by RFC 6234) >>> ok. >>>>> [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- >>>>> Hashing for Message Authentication", RFC 2104, >>>>> DOI 10.17487/RFC2104, February 1997, >>>>> <http://www.rfc-editor.org/info/rfc2104>. >>>>> >>>>> [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate >>>>> Requirement Levels", BCP 14, RFC 2119, >>>>> DOI 10.17487/RFC2119, March 1997, >>>>> <http://www.rfc-editor.org/info/rfc2119>. >>>>> >>>>> [RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard >>>>> (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, >>>>> September 2002, <http://www.rfc-editor.org/info/rfc3394>. >>>>> >>>>> [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, >>>>> "Randomness Requirements for Security", BCP 106, RFC 4086, >>>>> DOI 10.17487/RFC4086, June 2005, >>>>> <http://www.rfc-editor.org/info/rfc4086>. >>>>> >>>>> [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an >>>>> IANA Considerations Section in RFCs", BCP 26, RFC 5226, >>>>> DOI 10.17487/RFC5226, May 2008, >>>>> <http://www.rfc-editor.org/info/rfc5226>. >>>>> >>>>> [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand >>>>> Key Derivation Function (HKDF)", RFC 5869, >>>>> DOI 10.17487/RFC5869, May 2010, >>>>> <http://www.rfc-editor.org/info/rfc5869>. >>>>> >>>>> [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The >>>>> Locator/ID Separation Protocol (LISP)", RFC 6830, >>>>> DOI 10.17487/RFC6830, January 2013, >>>>> <http://www.rfc-editor.org/info/rfc6830>. >>>>> >>>>> [RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation >>>>> Protocol (LISP) Map-Server Interface", RFC 6833, >>>>> DOI 10.17487/RFC6833, January 2013, >>>>> <http://www.rfc-editor.org/info/rfc6833>. >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 18] >>>>> >>>>> Internet-Draft LISP-SEC October 2016 >>>>> >>>>> >>>>> [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID >>>>> Separation Protocol (LISP) Threat Analysis", RFC 7835, >>>>> DOI 10.17487/RFC7835, April 2016, >>>>> <http://www.rfc-editor.org/info/rfc7835>. >>>>> >>>>> Authors' Addresses >>>>> >>>>> Fabio Maino >>>>> Cisco Systems >>>>> 170 Tasman Drive >>>>> San Jose, California 95134 >>>>> USA >>>>> >>>>> Email:fmaino@cisco.com <mailto:fmaino@cisco.com> >>>>> >>>>> >>>>> Vina Ermagan >>>>> Cisco Systems >>>>> 170 Tasman Drive >>>>> San Jose, California 95134 >>>>> USA >>>>> >>>>> Email:vermagan@cisco.com <mailto:vermagan@cisco.com> >>>>> >>>>> >>>>> Albert Cabellos >>>>> Technical University of Catalonia >>>>> c/ Jordi Girona s/n >>>>> Barcelona 08034 >>>>> Spain >>>>> >>>>> Email:acabello@ac.upc.edu <mailto:acabello@ac.upc.edu> >>>>> >>>>> >>>>> Damien Saucez >>>>> INRIA >>>>> 2004 route des Lucioles - BP 93 >>>>> Sophia Antipolis >>>>> France >>>>> >>>>> Email:damien.saucez@inria.fr <mailto:damien.saucez@inria.fr> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Maino, et al. Expires April 6, 2017 [Page 19] >>> >> >
- [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Joel M. Halpern
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Dino Farinacci
- Re: [lisp] LISP-SEC review (finally) Fabio Maino (fmaino)
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone
- Re: [lisp] LISP-SEC review (finally) Fabio Maino
- Re: [lisp] LISP-SEC review (finally) Luigi Iannone