[lisp] draft-ietf-lisp-threats
"Joel M. Halpern" <jmh@joelhalpern.com> Mon, 06 May 2013 15:45 UTC
Return-Path: <jmh@joelhalpern.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0889B21F92B7 for <lisp@ietfa.amsl.com>; Mon, 6 May 2013 08:45:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.367
X-Spam-Level:
X-Spam-Status: No, score=-102.367 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VVopxh30YQpV for <lisp@ietfa.amsl.com>; Mon, 6 May 2013 08:45:46 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) by ietfa.amsl.com (Postfix) with ESMTP id 4567921F92BC for <lisp@ietf.org>; Mon, 6 May 2013 08:45:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 31FAA1D09B6 for <lisp@ietf.org>; Mon, 6 May 2013 08:45:46 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [10.72.211.58] (unknown [193.1.64.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id B02141D0839 for <lisp@ietf.org>; Mon, 6 May 2013 08:45:45 -0700 (PDT)
Message-ID: <5187D023.8010406@joelhalpern.com>
Date: Mon, 06 May 2013 11:45:39 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: "lisp@ietf.org" <lisp@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [lisp] draft-ietf-lisp-threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2013 15:45:53 -0000
My apologies for not getting to this issue soone. The approach being taken in this version of the document seems to me to be ineffective. As a simple example, section 5.2 says that EID-to-RLOC cache Threats are Severity level 2, meaning that it can be dealt with by turning off certain features in pubic deployments. But it is then followed by a LISP of threats, and a set of points to features in section 6 and 6.3. As a result I can not tell what features would need to be turned off to address the threat of section 5.2. I am very concerned by declaring that folks should turn off echo-nonce. Echo-none was added, for use in public deployments, fo good reasons. Changing the recommendations in this regard is fairly major. This leads to a general issue about Severity Level 2. Across the document, different features are recommended to be turned off. As a reader, it is very easily to lose track of the collective effect. If we are going to stick with this approach, I think we need to pull up the list of problematic features to the front of the document. We need to clearly state that based on the analysis below, features X, Y, and Z are not recommended for public deployments of LISP. And then the WG has to decide whether that is a recommendation we can support. (Yes, I think we would be well-served putting this in the front of the document, rather than in the security considerations section.) In the description of section 5.4.4 of Instance ID bits, I do not understand how an ACL could help. I can not see folks configuring firewalls for the set of EIDs permitted within the VPN. Such a configuration would counter the very ease of deployment associated with using LISP for VPNs. Outer have a similar problem, and would need to be able to act on the instance ID, which current ACLs can not do. Section 7 seems to call for Proxy-ITR deployers to deploy data plane access control at "the border of the network, that is the edge of the scope of the Proxy_ITR's announcement of the EID-Prefix." But in many Proxy-ITR deployments, that edge is not under the control of the Proxy-ITR deployer. Proxy-ETR static configuration seems to be difficult to integrate with the dynamics of LISP (section 7, Proxy-ETR. The text in section 10 (Security Considerations) regers to "the increasing deployment of spoofing prevention techniques such as [rfc3704] or [SAVI]..." I have not seen any evidence of such increasing deployment, and plenty of evidence (such as the recent spoofed DNS reflection attack) that it is not increasing. ---- As a minor suggestion, when there are existing configuration mechanisms that can address the threat, it would be helpful to point to the specific document and section where that is described. For example, section 5.3 could point to RFC 6830 section 10 (security considerations). The introduction of section 6 should not end with a Severity level as each subsection has its ow Severity level indication. Claiming that "correct deployment of anti-spoofing" means that a treat is Severity level 1 is technically accurate, but probably misleading and likely to raise problems. (Section 6.1 for example). (Rate limiting reduces the scope of the attack, but does not prevent it.) Yours, Joel
- [lisp] draft-ietf-lisp-threats Joel M. Halpern
- Re: [lisp] draft-ietf-lisp-threats Jeff Wheeler
- Re: [lisp] draft-ietf-lisp-threats Joel M. Halpern
- Re: [lisp] draft-ietf-lisp-threats Ronald Bonica
- Re: [lisp] draft-ietf-lisp-threats Noel Chiappa
- Re: [lisp] draft-ietf-lisp-threats Terry Manderson
- Re: [lisp] draft-ietf-lisp-threats Damien Saucez