Re: [lisp] Restarting last call on LISP threats

Dino Farinacci <farinacci@gmail.com> Tue, 27 May 2014 15:12 UTC

From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <3519A6AD5B18C44EB0291EC6C880A906012FD3@NYDC-EXCH01.vinci-consulting-corp.local>
Date: Tue, 27 May 2014 08:11:55 -0700
Message-Id: <2BC8321B-26CD-4A33-B999-64B8A44428DD@gmail.com>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com> <1a200c5f5de041fbaf88edd1a5c3159c@CO1PR05MB442.namprd05.prod.outlook.com> <CAKFn1SEAZyydpQ4cx77mthsUx1HZqMwsM6xNuL4LJjG=oL1mjw@mail.gmail.com> <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com> <F4799A7A-BAEF-458A-8C43-9DF16C9B7828@gmail.com> <e3be912f6afd4f0aa6c8414fede37c74@CO1PR05MB442.namprd05.prod.outlook.com> <2CF699DA-2BAA-4A76-BFF1-64625E001184@gmail.com> <09d3b0d276004c88b6de1a59cf863062@CO1PR05MB442.namprd05.prod.outlook.com> <3269BEE4-C3E5-4D76-A1C0-0B70B6928A12@gmail.com> <dd849ce0cca749c885c5b8a1e989f758@CO1PR05MB442.namprd05.prod.outlook.com> <538361DA.10808@joelhalpern.com>, <029e0f8bc7ba433ba4d3ee70b8431f9f@CO1PR05MB442.namprd05.prod.outlook.com> <3519A6AD5B18C44EB0291EC6C880A906012FD3@NYDC-EXCH01.vinci-consulting-corp.local>
To: Paul Vinciguerra <pvinci@VinciConsulting.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/KSj1cdakPnQMNh0cyCbUlgeeXKI
Cc: Roger Jorgensen <rogerj@gmail.com>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>

> I would defer to Dino and others on the list, but I do not believe that the ETR does a reverse lookup on every packet.  At least that is not the behavior we observe.  What we see happen is that the packet is decapsulated 

Right Paul. We did not document an ETR doing reverse lookups to solve this problem. When I mentioned it, I said it is something that COULD be done. It comes at a cost but wouldn't come at a per-packet cost, not even close. And as you said if the inner source is changing but the mapping system covers those addresses with a coarse prefix (that is returned from a lookup), then that reduces the number of RPF lookups, in addition to rate-limiting the number you do.

But I would suggest that implementations do what they are already doing. That is what you describe here:

> and sent to the destination.  If a valid destination host responds, then the ITR does a map-request for the reply packet.  There is not a 1:1 relationship between the number of packets and the number of map-requests.

The mapping system is no different in its load than the DNS system. We engineer and build that infrastructure the same way to protect it.

So how many more magnitudes of hosts are sending DNS queries than xTRs sending Map-Requests (and please normalize this to every site having at least 2 xTRs per site).

We are over-reacting a bit, but just saying that is not going to calm fears. With continued experimentation and deployment, we will prove it.

Dino

P.S. Don't eat that burger today, it will kill you just like the cigarette you may smoke today.  ;-)
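As an added illustration (not code from this thread, nor from any LISP implementation), the simulation below models the ETR-side check discussed above: a reverse lookup of the decapsulated packet's inner source against the mapping system, with the cost kept far below per-packet by caching the coarse EID prefix the mapping system returns and by rate-limiting how many Map-Requests the ETR will issue in a window. The mapping table, prefix sizes, RLOC addresses, the `map_request` helper, the lookup budget and the packet trace are all constructed assumptions.

```python
"""Simulation of an ETR verifying the inner source of decapsulated packets
against the mapping system (RPF-style), made cheap by caching the coarse
EID prefix returned from a lookup and by rate-limiting lookups.

Added illustration for this page; not LISP implementation code. The
mapping table, prefix sizes, RLOC addresses and packet trace are constructed.
"""
import ipaddress
from collections import deque

# Constructed stand-in for the mapping system: EID prefix -> RLOCs of the
# xTRs allowed to source that prefix (two xTRs per site).
MAPPING_SYSTEM = {
    ipaddress.ip_network("10.1.0.0/16"): {"203.0.113.1", "203.0.113.2"},   # site A
    ipaddress.ip_network("10.2.0.0/16"): {"198.51.100.1", "198.51.100.2"}, # site B
}


def map_request(eid):
    """Hypothetical Map-Request: return (covering prefix, RLOC set) or (None, None)."""
    addr = ipaddress.ip_address(eid)
    for prefix, rlocs in MAPPING_SYSTEM.items():
        if addr in prefix:
            return prefix, rlocs
    return None, None


class ETR:
    """ETR that checks inner source EIDs using a prefix cache and a lookup budget."""

    def __init__(self, max_lookups, window):
        self.cache = {}            # covering prefix -> RLOC set
        self.lookups = 0           # Map-Requests actually sent
        self.max_lookups = max_lookups
        self.window = window       # seconds
        self.recent = deque()      # send times of lookups inside the window

    def _budget_ok(self, now):
        # Drop lookup timestamps that have aged out of the window.
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        return len(self.recent) < self.max_lookups

    def check(self, now, outer_src, inner_src):
        """Classify one decapsulated packet: ok, spoofed, unmapped or unverified."""
        addr = ipaddress.ip_address(inner_src)
        # Cache hit: one coarse prefix answers for every host it covers.
        for prefix, rlocs in self.cache.items():
            if addr in prefix:
                return "ok" if outer_src in rlocs else "spoofed"
        # Cache miss: only spend a Map-Request if the rate limit allows it.
        if not self._budget_ok(now):
            return "unverified"    # forwarded without a lookup; worth counting
        self.recent.append(now)
        self.lookups += 1
        prefix, rlocs = map_request(inner_src)
        if prefix is None:
            return "unmapped"      # no mapping covers the claimed inner source
        self.cache[prefix] = rlocs
        return "ok" if outer_src in rlocs else "spoofed"


def run_trace(etr, packets):
    """Feed (time, outer_src_rloc, inner_src_eid) tuples; return verdict counts."""
    counts = {"ok": 0, "spoofed": 0, "unmapped": 0, "unverified": 0}
    for now, outer, inner in packets:
        counts[etr.check(now, outer, inner)] += 1
    counts["lookups"] = etr.lookups
    counts["packets"] = len(packets)
    return counts


def site_a_trace():
    """Constructed trace: 200 packets from site A's first xTR with 200 different
    inner source hosts, then 3 packets whose inner source claims site A but
    which arrive from an RLOC the mapping system does not list for it."""
    legit = [(i * 0.001, "203.0.113.1", "10.1.0.%d" % i) for i in range(200)]
    forged = [(0.5, "192.0.2.99", "10.1.5.5")] * 3
    return legit + forged


if __name__ == "__main__":
    # 203 packets, but only one Map-Request: the /16 answers for the rest.
    print(run_trace(ETR(max_lookups=5, window=1.0), site_a_trace()))
```

The point of the trace is the ratio in the output: one lookup covers all 203 packets because the returned /16 caches the answer for every host it contains, and the three packets from the unlisted RLOC are still caught from the cache without any further lookup. The `unverified` verdict is where an operator would hang a counter or log line, since a burst of cache misses that exhausts the budget is exactly the condition the rate limit exists to contain.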