Re: [lisp] Restarting last call on LISP threats

[Ross Callon <rcallon@juniper.net>]

I don't think that the two drafts that you reference solve the problem that I am concerned about (they address and may solve other problems, of course). 

For example, looking at draft-ietf-lisp-sec-06, it says:

   This memo specifies LISP-SEC, a set of security mechanisms that
   provides origin authentication, integrity and anti-replay protection
   to LISP's EID-to-RLOC mapping data conveyed via mapping lookup
   process.  LISP-SEC also enables verification of authorization on EID-
   prefix claims in Map-Reply messages.

Thus if we assume that draft-ietf-lisp-sec-06 works, then what we hear back from the mapping system should be correct (or should be equally reliable to what we hear back from the DNS system today, and we do today rely on DNS when we are contacting our bank or brokerage service to conduct financial transactions). 

What I am concerned about is that *before* we hear back from the mapping system, we are believing what we have gleaned, and this may cause us to be talking to the wrong system. We might be conducting key negotiation with the wrong system just as easily as we could be exchanging banking or brokerage information with the wrong system. 

Ross  

-----Original Message-----
From: Roger Jørgensen [mailto:rogerj@gmail.com] 
Sent: Tuesday, May 13, 2014 3:48 AM
To: Ross Callon
Cc: lisp@ietf.org
Subject: Re: [lisp] Restarting last call on LISP threats

Hi Ross,

See inline,


On Mon, May 12, 2014 at 7:11 PM, Ross Callon <rcallon@juniper.net> wrote:
> Thanks Joel;
>
> I think that draft-ietf-lisp-threats-09.txt is a start towards a threats document, but that it has serious omissions and needs more work before being progressed. Here are some specific comments:
>
>
> Section 2 (On-path Attackers), first paragraph:
>
>    On-path attackers are attackers that are able to capture and modify
>    all the packets exchanged between an Ingress Tunnel Router (ITR) and
>    an Egress Tunnel Router (ETR).  To cope with such an attacker,
>    cryptographic techniques such as those used by IPSec ([RFC4301]) are
>    required.  As with IP, LISP relies on higher layer cryptography to
>    secure packet payloads from on path attacks, so this document does
>    not consider on-path attackers.
>
> To me an on-path attacker is one which is on the data path. Such an attacker might attack the contents of the data packet. In this case the paragraph seems mostly correct to me: You encrypt the contents if you don't want someone on the path to the destination to look at the contents. However, as is discussed later in the document, LISP allows systems which are not in the normal physical path, through a gleaning attack, to inject themselves into the data path. This could be applied to allow attacker's systems to inject themselves into the path of the key management protocol. This implies that a legitimate user could get keys supplied by an attacker, just as easily as it could get keys supplied by a legitimate Internet site. If you are proposing that end to end encryption is the solution to on path attackers then you need to understand the implications of LISP on the operation of the protocol needed for key management to support end to end encryption.



There exist two draft that are relevant to what you address.

You have https://datatracker.ietf.org/doc/draft-farinacci-lisp-crypto/
where the payload of a LISP encapsulated packet are encrypted. None of
the keys for encrypting/decrypting are stored in the mapping system
but is calculated by the xTR's involved.
Then you have https://datatracker.ietf.org/doc/draft-ietf-lisp-sec/
that attempts to secure the xTR to xTR relationship.



-- 

Roger Jorgensen           | ROJO9-RIPE
rogerj@gmail.com          | - IPv6 is The Key!
http://www.jorgensen.no   | roger@jorgensen.no