Re: [lisp] Restarting last call on LISP threats

Ross Callon <rcallon@juniper.net> Tue, 13 May 2014 16:31 UTC

Return-Path: <rcallon@juniper.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3930B1A011B for <lisp@ietfa.amsl.com>; Tue, 13 May 2014 09:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level:
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1KOdeY4yb44W for <lisp@ietfa.amsl.com>; Tue, 13 May 2014 09:31:37 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0095.outbound.protection.outlook.com [65.55.169.95]) by ietfa.amsl.com (Postfix) with ESMTP id D3AFC1A0117 for <lisp@ietf.org>; Tue, 13 May 2014 09:31:36 -0700 (PDT)
Received: from CO2PR05MB636.namprd05.prod.outlook.com (10.141.199.24) by CO2PR05MB634.namprd05.prod.outlook.com (10.141.199.17) with Microsoft SMTP Server (TLS) id 15.0.944.11; Tue, 13 May 2014 16:31:22 +0000
Received: from CO2PR05MB636.namprd05.prod.outlook.com ([10.141.199.24]) by CO2PR05MB636.namprd05.prod.outlook.com ([10.141.199.24]) with mapi id 15.00.0929.001; Tue, 13 May 2014 16:31:21 +0000
From: Ross Callon <rcallon@juniper.net>
To: =?utf-8?B?Um9nZXIgSsO4cmdlbnNlbg==?= <rogerj@gmail.com>
Thread-Topic: [lisp] Restarting last call on LISP threats
Thread-Index: AQHPa58M9eFhkxJvMEaw1MEc+Ryfdps9FMJAgAETSICAAIz2sA==
Date: Tue, 13 May 2014 16:31:20 +0000
Message-ID: <e03a83d7e45345dfbbe5f08f54cb47fa@CO2PR05MB636.namprd05.prod.outlook.com>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com>
In-Reply-To: <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [66.129.241.17]
x-forefront-prvs: 0210479ED8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(189002)(199002)(51704005)(13464003)(24454002)(377454003)(87936001)(15975445006)(99396002)(46102001)(15202345003)(2656002)(20776003)(19580405001)(99286001)(21056001)(83322001)(19580395003)(101416001)(80022001)(86362001)(66066001)(77096999)(16601075003)(85852003)(54356999)(33646001)(4396001)(76482001)(81342001)(79102001)(81542001)(83072002)(74502001)(1411001)(77982001)(76176999)(74316001)(50986999)(74662001)(76576001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:CO2PR05MB634; H:CO2PR05MB636.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: juniper.net does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rcallon@juniper.net;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/N9Bba4eXuBEhf5OMkZULEy3AokE
Cc: "lisp@ietf.org" <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 16:31:39 -0000

I don't think that the two drafts that you reference solve the problem that I am concerned about (they address and may solve other problems, of course). 

For example, looking at draft-ietf-lisp-sec-06, it says:

   This memo specifies LISP-SEC, a set of security mechanisms that
   provides origin authentication, integrity and anti-replay protection
   to LISP's EID-to-RLOC mapping data conveyed via mapping lookup
   process.  LISP-SEC also enables verification of authorization on EID-
   prefix claims in Map-Reply messages.

Thus if we assume that draft-ietf-lisp-sec-06 works, then what we hear back from the mapping system should be correct (or should be equally reliable to what we hear back from the DNS system today, and we do today rely on DNS when we are contacting our bank or brokerage service to conduct financial transactions). 

What I am concerned about is that *before* we hear back from the mapping system, we are believing what we have gleaned, and this may cause us to be talking to the wrong system. We might be conducting key negotiation with the wrong system just as easily as we could be exchanging banking or brokerage information with the wrong system. 

Ross  

-----Original Message-----
From: Roger Jørgensen [mailto:rogerj@gmail.com] 
Sent: Tuesday, May 13, 2014 3:48 AM
To: Ross Callon
Cc: lisp@ietf.org
Subject: Re: [lisp] Restarting last call on LISP threats

Hi Ross,

See inline,


On Mon, May 12, 2014 at 7:11 PM, Ross Callon <rcallon@juniper.net> wrote:
> Thanks Joel;
>
> I think that draft-ietf-lisp-threats-09.txt is a start towards a threats document, but that it has serious omissions and needs more work before being progressed. Here are some specific comments:
>
>
> Section 2 (On-path Attackers), first paragraph:
>
>    On-path attackers are attackers that are able to capture and modify
>    all the packets exchanged between an Ingress Tunnel Router (ITR) and
>    an Egress Tunnel Router (ETR).  To cope with such an attacker,
>    cryptographic techniques such as those used by IPSec ([RFC4301]) are
>    required.  As with IP, LISP relies on higher layer cryptography to
>    secure packet payloads from on path attacks, so this document does
>    not consider on-path attackers.
>
> To me an on-path attacker is one which is on the data path. Such an attacker might attack the contents of the data packet. In this case the paragraph seems mostly correct to me: You encrypt the contents if you don't want someone on the path to the destination to look at the contents. However, as is discussed later in the document, LISP allows systems which are not in the normal physical path, through a gleaning attack, to inject themselves into the data path. This could be applied to allow attacker's systems to inject themselves into the path of the key management protocol. This implies that a legitimate user could get keys supplied by an attacker, just as easily as it could get keys supplied by a legitimate Internet site. If you are proposing that end to end encryption is the solution to on path attackers then you need to understand the implications of LISP on the operation of the protocol needed for key management to support end to end encryption.



There exist two draft that are relevant to what you address.

You have https://datatracker.ietf.org/doc/draft-farinacci-lisp-crypto/
where the payload of a LISP encapsulated packet are encrypted. None of
the keys for encrypting/decrypting are stored in the mapping system
but is calculated by the xTR's involved.
Then you have https://datatracker.ietf.org/doc/draft-ietf-lisp-sec/
that attempts to secure the xTR to xTR relationship.



-- 

Roger Jorgensen           | ROJO9-RIPE
rogerj@gmail.com          | - IPv6 is The Key!
http://www.jorgensen.no   | roger@jorgensen.no