Re: [lisp] Stephen Farrell's No Objection on draft-ietf-lisp-threats-14: (with COMMENT)

Stephen Farrell <> Tue, 19 January 2016 14:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 05F3C1B2FF5; Tue, 19 Jan 2016 06:56:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5LvDNGjZEzcY; Tue, 19 Jan 2016 06:56:54 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F27C91B2FF2; Tue, 19 Jan 2016 06:56:53 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9D993BEA0; Tue, 19 Jan 2016 14:56:52 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wwWSUTm7mGEK; Tue, 19 Jan 2016 14:56:51 +0000 (GMT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 3556CBE73; Tue, 19 Jan 2016 14:56:50 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1453215410; bh=jSNaVCeyEmJ68AMZ1/vbF5Z7NFfK627xRHDKFxT9uzY=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=bcWxgeCaq5ACT7khBzgg7mWzFAUIQEh3pNZ+l7MwiGxqGgX0sWMNiZIyZz7uig5yZ XuUZGCHzFnkia5M5IW6PTXMGSJaPDLRj9qxJYdMgwUKnG6XgSHd/4PvooW5Bqqua16 PxPYaW+T6/iYx79IaPqHRrZbhnVwXtiCpjKeafSM=
To: "Joel M. Halpern" <>, The IESG <>
References: <> <>
From: Stephen Farrell <>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <>
Date: Tue, 19 Jan 2016 14:56:49 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [lisp] Stephen Farrell's No Objection on draft-ietf-lisp-threats-14: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Jan 2016 14:56:56 -0000

On 19/01/16 14:50, Joel M. Halpern wrote:
> Stephen, than you for the comments.
> With regard to the question of discussing lisp-crypto, the biggest
> concern has been creating a normative dependence on future work. 

Then make it informative I guess. I don't see any problem, and do
see benefits, in text along the lines of "privacy is an issue since
LISP concentrates traffic making passive monitoring of plaintext
arguably somewhat easier, people are working on [list-crypto] as
a way to deal with that." In any case, you shouldn't take anything
I've said as me wanting a normative reference to lisp-crypto, I
didn't mean to suggest that.

As that's how you've handled lisp-sec it shouldn't pose any
process issues I'd hope.

That said, I'm not a DISCUSS on this, so am non-blocking.


> The
> charter item was to discuss threats against LISP as documented already.
> I would like to see the crypto work covered, but it seems incorrect to
> the charter and likely to cause a further significant delay in an
> overdue document.
> Yours,
> Joel
> On 1/19/16 7:07 AM, Stephen Farrell wrote:
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-lisp-threats-14: No Objection
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> Please refer to
>> for more information about IESG DISCUSS and COMMENT positions.
>> The document, along with other ballot positions, can be found here:
>> ----------------------------------------------------------------------
>> ----------------------------------------------------------------------
>> Thanks for doing this document. I think it's a useful part
>> of the LISP documentation set.
>> general: I think you underestimate the purely passive
>> threats - my point on 2.2 below was almost a DISCUSS but
>> given the WG have already adopted draft-ietf-lisp-crypto I
>> figured there's no need to try block this. I would really
>> encourage you to consider the threats that are mitigated by
>> that specification here, even if those threats weren't
>> initially considered as being that relevant to LISP (when
>> the work on LISP began I mean). If that had been done
>> already in this draft, I'd have been a YES ballot, if that
>> makes any difference;-)
>> - intro: I think you should add a few caveats here to say
>> that you're not covering threats due to specific
>> implementations and also that the text here captures only
>> those LISP-specific threats we know about today and that
>> more *will* be discovered as deployment continues.
>> - intro: you don't write about DNS here, but if some LISP
>> configuration settings use DNS names then via DNS with no
>> DNSSEC an attacker can decide to be on-path sometimes,
>> off-path other times. That (or similar) might be a nice way
>> to illustrate the scope here, while also alerting the
>> implementer to other threats that might affect their
>> implementations.
>> - 2.1 I think it'd be valuable to say that the 2.1.x
>> sections are really just for the sake of exposition - we
>> cannot assume that all attackers fall into any neat
>> category. You do note this (more or less) in 2.1.5 but I
>> think that'd be better done in 2.1. The reason to suggest
>> this change is that being open to attackers not conforming
>> to our descriptions is important.
>> - 2.2 - which section here covers purely passive monitoring?
>> All the 2.2.x seem to only cover active attacks. (I'd also
>> suggest moving the 2.2.10 text to 2.2 similarly to the
>> suggestion above for 2.1.)
>> - 3.8 - you probably need to note somewhere (not sure where)
>> that a bad PRNG would improve the attacker's chances in
>> various ways. I think a calculation of the probability of a
>> nonce collision (for both a good and not-good PRNG) could be
>> a useful addition.
>> - 3.8, 3rd para: I would argue that this threat is a "core"
>> point to be made, as it's arguably the main LISP-specific
>> threat and ought be emphasised more, e.g. via a mention and
>> pointer in the introduction, or otherwise.
>> - section 4 is pretty weak to be honest. I think you could
>> at least recognise that LISP, as with any mechanism that
>> concentrates traffic (between xTRs) means that passively
>> monitoring plaintext is easier than before and that there is
>> therefore value in encrypting the traffic between xTRs as is
>> proposed in draft-ietf-lisp-crypto
>> - (nit) section 5 has a really odd sentence " The usage will
>> be designed and defined specific for the needs of the
>> specification." I've no idea what that means TBH.