Re: [lisp] Ben Campbell's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)
Luigi Iannone <ggx@gigix.net> Thu, 22 October 2015 09:08 UTC
Return-Path: <ggx@gigix.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F17E1B2F66 for <lisp@ietfa.amsl.com>; Thu, 22 Oct 2015 02:08:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9_yTwz0iREgX for <lisp@ietfa.amsl.com>; Thu, 22 Oct 2015 02:08:41 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9A221B2F24 for <lisp@ietf.org>; Thu, 22 Oct 2015 02:08:40 -0700 (PDT)
Received: by wikq8 with SMTP id q8so21707915wik.1 for <lisp@ietf.org>; Thu, 22 Oct 2015 02:08:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gigix_net.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ljrdH1Wqo0Pw2n3sVUwQNQZBcQeF5XR4FX95Zz2wv1Y=; b=NMyHHXHvuDj9UttKp4ojqfc72hEmmbJHPeUOEDaDYuv2binPO9C8bdvShMX9FwC7+L QkSJ+uE39gyIdSiFJLk0zdRw+6chcl2texc3ccAA4dStcS6h5mLxK/qkjpGeb6U9C9lj M+bMUFs4bLcZqHFqKgpJDtaoUdzYb7A1D35+1Gr52rK86lMiu/zFv5OOF0XL36Ja2sYE /bivQQCZEoPunUK/DJRFptrjd92Ze6IKifoWkzfO0EUB+cB2r5S9yQeVO+uDdDVkGD2a dgShV7DHfLvOPbEcMfUSLNXyaqUZqJyHQ+4K1nEaNFy/YqDWAct+OE81lpse9h7TNntN 0W3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=ljrdH1Wqo0Pw2n3sVUwQNQZBcQeF5XR4FX95Zz2wv1Y=; b=fFT3hC6/m7NsJt3rWbSky8mVCv3xw0fM7oQjFIvsEjU3cjwlDk+yXT5MExfckdibwC IwWGqJGmfe/cIQVBi8qqDfQruyWbtXp2bNQAhoZM4wIlT6Vr4+TAoGYIPhXr1RYugtTa PCbLTnT0DfpCfu3UfsQzkvzMxhgRyuBhdFXYGTgwn0IeMKepv4fSqGL4+JQEvkQaRKgz GBFDRA6a0WARIPxcs6nYAWl7/mdZGUn9UDSeKxNvZnaFK5LuqaEpf/F8yyqnPhMgEbZF x7N+wOWXiAqSChQI2Y084Fe3aILIFNyf2b6bIkjQFuwbB/mLOxzrC7r3n6EcnCh76iKL 6ZHw==
X-Gm-Message-State: ALoCoQlh9aIr91I09I154xeViKEn1xgUxTm10saDz7eR7UgbJEd0b4EPBojjsZxIoMzW0yufNhE0
X-Received: by 10.180.206.230 with SMTP id lr6mr16856461wic.69.1445504919340; Thu, 22 Oct 2015 02:08:39 -0700 (PDT)
Received: from ?IPv6:2001:660:330f:a4:69d0:ed82:4a4d:120e? ([2001:660:330f:a4:69d0:ed82:4a4d:120e]) by smtp.gmail.com with ESMTPSA id ht5sm10759086wib.10.2015.10.22.02.08.38 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 22 Oct 2015 02:08:38 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Luigi Iannone <ggx@gigix.net>
In-Reply-To: <20151021021458.7620.61602.idtracker@ietfa.amsl.com>
Date: Thu, 22 Oct 2015 11:08:37 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <2DAE09CA-B090-404C-89D6-D1EB4DA85426@gigix.net>
References: <20151021021458.7620.61602.idtracker@ietfa.amsl.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/PkPDbyGBqOyEXMWRABBgih2xh5M>
Cc: lisp-chairs@ietf.org, lisp@ietf.org, draft-ietf-lisp-impact.all@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-lisp-impact@ietf.org
Subject: Re: [lisp] Ben Campbell's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 09:08:42 -0000
Hi Ben, > On 21 Oct 2015, at 04:14, Ben Campbell <ben@nostrum.com> wrote: > [snip] > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > It seems odd to me that an "impacts" paper would leave security impacts > out of scope. Even with the detailed security considerations in > draft-ietf-lisp-threats, it seems like there might be some higher-level > observations to make, along the lines of the rest of the draft. > Yes you are right. We proposed an updated security section in the reply to Hillarie, who did the secdir review. The proposed text is: A thorough security and threats analysis of the LISP protocol is carried out in details in [I-D.ietf-lisp-threats]. Like for other Internet technologies, also for LISP most of threats can be mitigated using Best Current Practice, meaning with careful deployment an configuration (e.g., filter) and also by activating only features that are really necessary in the deployment and verifying all the information obtained from third parties. Unless gleaning features (actually deprecated in RFC 6830 [RFC6830]) are used, the LISP data-plane shows the same level of security as other IP-over-IP technologies. From a security perspective, the control-plane remains the critical part of the LISP architecture. To mitigate the threats on the mapping system, authentication should be used for all control plane messages. The current specification ([RFC6833], [I-D.ietf-lisp-sec]) defines security mechanisms which can reduce threats in open network environments. The LISP specification defines a generic authentication data field for control plane messages [RFC6830] which could be used for a general authentication mechanisms for the LISP control-plane while staying backward compatible. > Along those lines, if you want to refer to draft-ietf-lisp-threats for > security considerations, it needs to be a normative reference. > > Absolutely. We will move the document as normative reference. thanks Luigi
- Re: [lisp] Ben Campbell's No Objection on draft-i… Luigi Iannone
- [lisp] Ben Campbell's No Objection on draft-ietf-… Ben Campbell
- Re: [lisp] Ben Campbell's No Objection on draft-i… Ben Campbell