Re: [lisp] Virtual meeting

"Alberto Rodriguez Natal (natal)" <natal@cisco.com> Wed, 01 April 2020 21:17 UTC

Return-Path: <natal@cisco.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A67FE3A08DD for <lisp@ietfa.amsl.com>; Wed, 1 Apr 2020 14:17:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.596
X-Spam-Level:
X-Spam-Status: No, score=-9.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=UKx1T0AM; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Uilg8Cex
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5lcsm15MGK9 for <lisp@ietfa.amsl.com>; Wed, 1 Apr 2020 14:17:49 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 059E93A09C8 for <lisp@ietf.org>; Wed, 1 Apr 2020 14:17:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=284888; q=dns/txt; s=iport; t=1585775868; x=1586985468; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=cxRWAL706tHQ8mCvj2UImPCp2ve55+3svFKtNfizWUU=; b=UKx1T0AMttoaEu9bwKi/8BvUuQ4tfgpK+jIMdNs+Vqd7wkIW3RCIH/Np VM+dr4NXdUcIqTH1DYvmewwv7axVnaU0SUg3tQ9b6591cEAZCTx/LdcdO /G99bLP+9rwgiSvG3l92RqPGZvTOxbCi85bhDoH+5+AhAH4696grIIeXW w=;
X-Files: image001.png, image002.png : 112547, 86790
IronPort-PHdr: 9a23:KSA4rhUnhme404AxJBAJIk5N5gXV8LGuZFwc94YnhrRSc6+q45XlOgnF6O5wiEPSANWJ8OpK3uzRta2oGXcN55qMqjgjSNRNTFdE7KdehAk8GIiAAEz/IuTtank8FdhLUHdu/mqwNg5eH8OtL1A=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CkBADxA4Ve/40NJK2FS4FpBJMGpmIcAwUEjQY6wyaQDA
X-IronPort-AV: E=Sophos;i="5.72,333,1580774400"; d="png'150?scan'150,208,217,150";a="733547125"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 01 Apr 2020 21:17:48 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id 031LHmcm008265 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 1 Apr 2020 21:17:48 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 1 Apr 2020 16:17:48 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 1 Apr 2020 17:17:46 -0400
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 1 Apr 2020 16:17:46 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gPGWVNu3PsU2OBi0tTHHTR3hMuzRnX+vhHrjV7P1cmtNzpvbECGieKLkIcFj2pxDjWS/zShUfTRsVCBJqleW+DcosSvLKdh4jkxVCANcSl1g1U+Md2UIiYZZGzFPcZUQOJtmst95TykwRVdluzdPqqISylDLXyKYKry5bWh2prd/iTzdwR2RpW9jnuDHTmSxG7/+lPHPB6qexTzfq3LhXZRgSQAB+5EGsDSZUs6+avnVlHQXHS/tAi0plhnFYDvPo+l3ayLz6YFjLY1QASMuMZE7X4fBv4uvSXUFZ7fLiVUBFF5tBJ+27cqWqE5oEaHKXIfRTxnaAm9SM5Sr45rwyA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iIAHaWNVLiyEZ4xL8LKDNaOG/DDv6gB/LiZ3UY/Dgpc=; b=m2VGF2nDNM9kkqGqp7l81fG4a8102XHgI1oVEalzS9yYFeFVPnx38u8p8Y43cKYQ2Zs+u/Yf1tBJejHJn1qR3pUkjA2+X3Nj3iBV1n5x+v2fvrFw60sPxaYescpoFKOFOyYIfvMBoAdHCkt5JJ6b+ciYqXUPVFUZCGMb3EOJCUaclrYUkMrGimwHTnGz3pK2VfoVCFR5tXsI0VDWl+Lq1LWDgLbSX8v3axPEP0BbCWqy6dWBqOBmjRDf9VGZWiOD7kxJzSL7JrScwnP+RBfnKvAMhET5S4foNZ/J/EnPvVU6sVQ4+3u2lrQOjQyWGl2icHibyauitGciPYfvc5oQkw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iIAHaWNVLiyEZ4xL8LKDNaOG/DDv6gB/LiZ3UY/Dgpc=; b=Uilg8Cexs/UKzosCMGEfQyRJOFsn7RLjcHYhKs7F6Ks0TDaaVnOV7JJ87DaLTRKs0YOkwEhmb+K2CuCrWOTnwcVFMj2dcm1A+aaXj4X1v7Zf1cL1LG8PuUPhJvcDIuXo8wAWJZxGSJuW/SjxCj7iNh2GQ9BwWkmay2TCxeLZu1c=
Received: from BY5PR11MB4273.namprd11.prod.outlook.com (2603:10b6:a03:1c9::32) by BY5PR11MB4070.namprd11.prod.outlook.com (2603:10b6:a03:181::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.19; Wed, 1 Apr 2020 21:17:45 +0000
Received: from BY5PR11MB4273.namprd11.prod.outlook.com ([fe80::4861:82b8:5aed:692d]) by BY5PR11MB4273.namprd11.prod.outlook.com ([fe80::4861:82b8:5aed:692d%7]) with mapi id 15.20.2878.014; Wed, 1 Apr 2020 21:17:45 +0000
From: "Alberto Rodriguez Natal (natal)" <natal@cisco.com>
To: Dino Farinacci <farinacci@gmail.com>, Joel Halpern Direct <jmh.direct@joelhalpern.com>, "Fabio Maino (fmaino)" <fmaino@cisco.com>
CC: "lisp@ietf.org" <lisp@ietf.org>
Thread-Topic: [lisp] Virtual meeting
Thread-Index: AQHV9yUe+1HiOdBvP0m8TlCT0OA6SahCXZOAgAABdICAAAH9AIAABLCAgAi0SYCAAHfdAIABvNyAgBV4doCAAE9jgIAAHEeAgABGtgCAAAjVgIAAAJwAgAAAlgCAAAa1AIAAATWAgAABzwCAAOUHgA==
Date: Wed, 01 Apr 2020 21:17:45 +0000
Message-ID: <00B217D7-BDD1-4030-B4CE-7EDD5C1B9E69@cisco.com>
References: <bf751274-3d10-4675-40ff-0876b968ec58@joelhalpern.com> <EB8728FF-8299-4915-81C0-7A414E1A1735@gmail.com> <b2bf2e7c-9535-e6b2-51ff-dc922c875fb7@joelhalpern.com> <F0929D9F-2726-48AF-90E0-9242A5898F4C@gmail.com> <e995cd58-3504-c7b4-a970-f55550e3829b@joelhalpern.com> <0310FDA2-6AE2-472B-82A7-D38039F64DDB@cisco.com> <293fbb16-75c4-bb79-e183-eaf781b696e3@joelhalpern.com> <613F569E-6FCF-4363-A60A-CB14C6459FE2@cisco.com> <8e654897-26f6-e4c2-db74-e5a15155e04b@joelhalpern.com> <D4231D6A-A0EC-484D-BE3A-C3E31476178B@gmail.com> <e87119cf-443e-753a-1c87-0c2ae197a61a@joelhalpern.com> <9C98131B-A82E-43DE-B1F4-417018EF2C10@gmail.com> <245a8fc4-c937-887d-bf30-6070fb6a7dc6@joelhalpern.com> <1A349ADD-92F6-4945-B688-A1F1552F2136@gmail.com> <b43577df-0c51-beba-372e-5cdbb9d68f18@joelhalpern.com> <17C04FAE-6CD7-43F7-8B6F-525BD4D5AA11@gmail.com> <131b7796-c819-90c7-c7d5-3d4e86e5ec98@joelhalpern.com> <222E7375-84DD-4DEF-B349-29459F5548DE@gmail.com>
In-Reply-To: <222E7375-84DD-4DEF-B349-29459F5548DE@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.35.20030802
authentication-results: spf=none (sender IP is ) smtp.mailfrom=natal@cisco.com;
x-originating-ip: [24.4.6.237]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 50c9f099-c59e-4d36-82f5-08d7d6821f36
x-ms-traffictypediagnostic: BY5PR11MB4070:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BY5PR11MB40709BEA41D6AC49BCF2B98EB6C90@BY5PR11MB4070.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5516;
x-forefront-prvs: 03607C04F0
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4273.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(376002)(39860400002)(396003)(346002)(366004)(136003)(8676002)(5660300002)(71200400001)(26005)(2616005)(2906002)(36756003)(53546011)(186003)(6506007)(33656002)(66576008)(81156014)(6486002)(64756008)(81166006)(66556008)(76116006)(86362001)(110136005)(478600001)(4326008)(8936002)(6512007)(66946007)(66476007)(6636002)(316002)(99936003)(66446008); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EgpbQ1iiq7cRx1mFOT2wYY7pt8o0H14lD8g22PYFtsp1XTE3TZ9v1lLVZ7d9te8P55+ylxssV4PJGt02zZpCZ7Hb5hVk9HXsripjhvz2KiSTbf0iRKky9lqZH91DCNINNV3VS623iIw+ZjhXT3URgrX2v8nZa5dfd9AkqaVUs1xKOHWVtYpRs4BmF5B5Ash1qfaH1L2DoagNMdwu2zi5nFRqClMKnelLMT6f7P42C9adWwrbYDU7HoP4hI2MB8s4XU7P2/NhsMLtj6TBBm6I8aW22i5sp/v0BHaWQ//mHZWNprAMb/JwKbqDR7aQitEVX1R3gxu+V0oPe1zUIz9mibA7a7DwdtP4D+d3khBKVkckMbKXIRqv86TzOFiFQKJqgWRrn69YlUGdZq49BKkugzih9Y59tkHmHU4lDwrOxSG2pXbjBQ0RQup4sg5rT+vA
x-ms-exchange-antispam-messagedata: +KYyO9UktecEhd2H5Mr8CJ+vcP3gHOgJtOXK8I21ea6Ug69r1SAxDo+ob8zKpc/m79l8aRv5mgT3PSJFYtH6eWP2809MJ29ZJLh77U//6xNKOrmqzb7KrnL7eo9XY1kW+A6HaxeomH1tvKgxcSIlIw==
Content-Type: multipart/related; boundary="_005_00B217D7BDD14030B4CE7EDD5C1B9E69ciscocom_"; type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 50c9f099-c59e-4d36-82f5-08d7d6821f36
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2020 21:17:45.2254 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: iRsMemsMSfyrCWJNUYlXI3FpQxu5mnS0cWZUmx+JAmLQYAO6QjnIT2g3icvnQ4Od
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR11MB4070
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.15, xch-aln-005.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/Ntq11RZaY3tDJPtBMh9erhFAUME>
Subject: Re: [lisp] Virtual meeting
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 21:17:52 -0000

Joel, Dino,

I like it. This is actually something that Fabio and I discussed some time ago as a possible option but we never really closed on it.

@Fabio: What do you think?

Alberto

From: lisp <lisp-bounces@ietf.org> on behalf of Dino Farinacci <farinacci@gmail.com>
Date: Tuesday, March 31, 2020 at 5:38 PM
To: Joel Halpern Direct <jmh.direct@joelhalpern.com>
Cc: "lisp@ietf.org" <lisp@ietf.org>
Subject: Re: [lisp] Virtual meeting

Yes, you did. Great. Let’s get some opinions from the list and from the LISP-SEC experts. Fabio would have to comment on how flexible the Map-Reply Authentication Data field is to add the pubsub key-material.

Map-Request:

[inline image image001.png: Map-Request]

Map-Reply:

[inline image image002.png: Map-Reply]

Dino


On Mar 31, 2020, at 5:31 PM, Joel Halpern Direct <jmh.direct@joelhalpern.com> wrote:

Yep, that fills in the details nicely.  I started from "we should be able to bootstrap the security through lisp-sec".

Yours,
Joel

On 3/31/2020 8:27 PM, Dino Farinacci wrote:

Sorry, yes, it is the MS, not the MR, who provides the information to construct the key, since it is the MS who is generating the notifies. Sorry I still cross them up.

Oh good. That is more clear now. So if you are saying this:

(1) Use LISP-sec as defined today.
(2) Have the MS wrap some new key material with the MS-OTK and pass it to the ETR.
(3) The ETR replies as it does today but we have new protected key material in the Map-Reply.
(4) The MS stores the new key-material.
(5) The ITR generates the new key-material because it can unwrap the MS-OTK that is derived from the ITR-OTK.
(6) Any subsequent unsolicited Map-Notify messages from the MS (for an RLOC-change) are signed with the new key-material. Which the ITR can verify since it has the new key-material from step (5).

That is a shared-key created with the pair of OTKs. I think that can work. Fabio needs to verify.

I know you didn’t say all these details but I’m progressing your point, for discussion.

Dino
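The six-step bootstrap sketched above, simulated end to end as an added example that is not part of the thread and not LISP-SEC code: an ITR-OTK is generated by the ITR, the MS derives MS-OTK from it (as LISP-SEC does, via a KDF), wraps fresh pub/sub key material under MS-OTK, the wrapped blob travels back in the Map-Reply, the ITR unwraps it with its own derivation of MS-OTK, and a later unsolicited Map-Notify is authenticated with the shared key. Everything concrete here is an assumption: the HMAC-SHA256 KDF and its labels, the encrypt-then-MAC wrapping construction, 32-byte keys, and the ad hoc byte layouts of the messages. None of it reflects RFC 9303 wire formats or the KDF/wrapping IDs LISP-SEC actually negotiates.

```python
"""Toy model of the LISP-SEC based pub/sub key bootstrap discussed on the list.

Constructed example. Key sizes, KDF labels, the wrapping construction and the
message layouts are assumptions, not LISP-SEC (RFC 9303) formats.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
KEY_LEN = 32  # assumed; equals the SHA-256 digest length used as keystream below
NONCE_LEN = 16
TAG_LEN = 32


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-based derivation (assumed; LISP-SEC selects its KDF by identifier)."""
    return hmac.new(key, label, HASH).digest()


def derive_ms_otk(itr_otk: bytes) -> bytes:
    """MS-OTK is a function of ITR-OTK, so the MS and the ITR can both compute it (step 5)."""
    return kdf(itr_otk, b"MS-OTK")


def wrap(kek: bytes, secret: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC wrapping of `secret` under `kek` (illustrative construction)."""
    if len(secret) != KEY_LEN:
        raise ValueError("this toy wrapper only handles KEY_LEN-byte secrets")
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = kdf(kek, b"enc" + nonce)
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct + aad, HASH).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(kek, b"mac" + nonce + ct + aad, HASH).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped key material failed authentication")
    stream = kdf(kek, b"enc" + nonce)
    return bytes(a ^ b for a, b in zip(ct, stream))


def sign_notify(pubsub_key: bytes, payload: bytes) -> bytes:
    return hmac.new(pubsub_key, payload, HASH).digest()


def verify_notify(pubsub_key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, sign_notify(pubsub_key, payload))


class MapServer:
    def __init__(self) -> None:
        self.pubsub_keys: dict[bytes, bytes] = {}  # step (4): stored per EID-prefix

    def handle_map_request(self, eid: bytes, itr_otk: bytes) -> bytes:
        # Steps (1)-(2): derive MS-OTK as LISP-SEC does, wrap fresh key material with it.
        ms_otk = derive_ms_otk(itr_otk)
        key = secrets.token_bytes(KEY_LEN)
        self.pubsub_keys[eid] = key
        return wrap(ms_otk, key, eid)  # handed to the ETR for inclusion in the Map-Reply

    def rloc_change_notify(self, eid: bytes, new_rloc: bytes) -> tuple[bytes, bytes]:
        # Step (6): unsolicited Map-Notify authenticated with the stored key material.
        payload = eid + b"|" + new_rloc
        return payload, sign_notify(self.pubsub_keys[eid], payload)


class ITR:
    def __init__(self) -> None:
        self.itr_otk = secrets.token_bytes(KEY_LEN)
        self.pubsub_key: bytes | None = None

    def process_map_reply(self, eid: bytes, wrapped: bytes) -> None:
        # Step (5): only a holder of ITR-OTK can derive MS-OTK and unwrap.
        self.pubsub_key = unwrap(derive_ms_otk(self.itr_otk), wrapped, eid)

    def accept_notify(self, payload: bytes, tag: bytes) -> bool:
        return self.pubsub_key is not None and verify_notify(self.pubsub_key, payload, tag)


def unwrap_fails_without_itr_otk(wrapped: bytes, eid: bytes) -> bool:
    """A party holding an unrelated OTK must not recover the key material."""
    try:
        unwrap(derive_ms_otk(secrets.token_bytes(KEY_LEN)), wrapped, eid)
    except ValueError:
        return True
    return False


def run_exchange(eid: bytes = b"2001:db8::/32") -> dict[str, bool]:
    ms, itr = MapServer(), ITR()
    wrapped = ms.handle_map_request(eid, itr.itr_otk)  # Map-Request carries ITR-OTK
    itr.process_map_reply(eid, wrapped)  # step (3): Map-Reply carries the wrapped material
    payload, tag = ms.rloc_change_notify(eid, b"192.0.2.10")  # constructed sample RLOC
    forged = payload.replace(b"192.0.2.10", b"192.0.2.99")
    return {
        "keys_match": itr.pubsub_key == ms.pubsub_keys[eid],
        "genuine_notify_accepted": itr.accept_notify(payload, tag),
        "tampered_notify_rejected": not itr.accept_notify(forged, tag),
        "wrong_otk_cannot_unwrap": unwrap_fails_without_itr_otk(wrapped, eid),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The model makes two properties of the proposal visible: the pub/sub key never crosses the wire in the clear, because the ITR-OTK that gates its unwrapping was established by LISP-SEC, and a Map-Notify whose RLOC has been altered in transit fails verification at the ITR. Whether the Authentication Data field of the Map-Reply can actually carry such a blob is the question Fabio is asked to answer above; this code assumes it can.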