IETF Logo Mail Archive

Re: [lisp] draft-ietf-lisp-threats

Damien Saucez <damien.saucez@gmail.com> Tue, 23 July 2013 20:47 UTC

Return-Path: <damien.saucez@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27C0011E8100 for <lisp@ietfa.amsl.com>; Tue, 23 Jul 2013 13:47:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xTG-iJG8kK6V for <lisp@ietfa.amsl.com>; Tue, 23 Jul 2013 13:47:09 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) by ietfa.amsl.com (Postfix) with ESMTP id AC93911E8136 for <lisp@ietf.org>; Tue, 23 Jul 2013 13:47:08 -0700 (PDT)
Received: by mail-wi0-f174.google.com with SMTP id hi5so36483wib.7 for <lisp@ietf.org>; Tue, 23 Jul 2013 13:47:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=zlRi5IlC+ZjSz19rQxvLtbEldAb/uq1GMA3XN+Qq9vU=; b=n8tDjDtQtOaTWbbCcdZWQWg0N6You6QtdeJDhGOvelNO5fauEZxoY0X9p1lI2fteJ/ eLXOkofHknHoUwEVIbnIvrQLLov3+KFP0lg/TLEXp0stVAyXIGqOtQxXq8ClJ3qs8BiK zAezX36USG8+qlIZ9yYOkt2nH3lN4fzsyf2+Z55GUgl9EpC4zHLMZW4tOLR5TQnZmzZP EhqqSw86L8Ron/+WsUTvj+fFBG0yM4+Wpvr/8ThhVTFDh6IKyHav6IYPTdIINh8e26pb +Fk6NxfRwLUKOX+Odz3dZM6fd9xkCeO2uGwBuJpT8M6XO44i8kwAM8DjpmUrQT2MpJKC mWFg==
X-Received: by 10.180.189.37 with SMTP id gf5mr392423wic.9.1374612427631; Tue, 23 Jul 2013 13:47:07 -0700 (PDT)
Received: from [192.168.1.221] (LVelizy-156-46-22-251.w80-11.abo.wanadoo.fr. [80.11.231.251]) by mx.google.com with ESMTPSA id s19sm882692wik.11.2013.07.23.13.47.06 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 23 Jul 2013 13:47:06 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Damien Saucez <damien.saucez@gmail.com>
In-Reply-To: <5187D023.8010406@joelhalpern.com>
Date: Tue, 23 Jul 2013 22:47:06 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <FFCC37D3-479C-4001-AE69-2BC3311B091D@gmail.com>
References: <5187D023.8010406@joelhalpern.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
X-Mailer: Apple Mail (2.1508)
Cc: "lisp@ietf.org" <lisp@ietf.org>
Subject: Re: [lisp] draft-ietf-lisp-threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2013 20:47:10 -0000

Dear Joel,

Please first apologies four our silence.

We are indeed very late with this draft. We have discussed with the authors about
the way of fixing the problems. However, we think that we need to discussed f2f
with people to propose a new draft version that corresponds to the best consensus
between needs of people. For example, we believe that assessing the security level
risk is important, however, putting a "rank" as we made is touchy as from one to
another, the feeling of danger can be very different. We thus think of remove this
"absolute" ranking and replace by some sentences that are more neutral. For
that, we still need to find a way to cover with precision the problems and their
solutions. Also, we want to add to the draft the example provided during the
discussion by mails.

We hope to have valuable changes in the document at the term of this IETF
and propose a new version to the WG in the following of the meeting. So,
we are not dead or silent, just that we want to be sure to provide the best
possible document as the topic is very serious.

Respectfully yours,

The authors,


On 06 May 2013, at 17:45, Joel M. Halpern <jmh@joelhalpern.com> wrote:

> My apologies for not getting to this issue soone.
> 
> The approach being taken in this version of the document seems to me to be ineffective.  As a simple example, section 5.2 says that EID-to-RLOC cache Threats are Severity level 2, meaning that it can be dealt with by turning off certain features in pubic deployments.
> But it is then followed by a LISP of threats, and a set of points to features in section 6 and 6.3.  As a result I can not tell what features would need to be turned off to address the threat of section 5.2.
> 
> I am very concerned by declaring that folks should turn off echo-nonce.  Echo-none was added, for use in public deployments, fo good reasons. Changing the recommendations in this regard is fairly major.
> 
> This leads to a general issue about Severity Level 2.  Across the document, different features are recommended to be turned off.  As a reader, it is very easily to lose track of the collective effect.  If we are going to stick with this approach, I think we need to pull up the list of problematic features to the front of the document.  We need to clearly state that based on the analysis below, features X, Y, and Z are not recommended for public deployments of LISP.
> And then the WG has to decide whether that is a recommendation we can support.
> (Yes, I think we would be well-served putting this in the front of the document, rather than in the security considerations section.)
> 
> In the description of section 5.4.4 of Instance ID bits, I do not understand how an ACL could help.  I can not see folks configuring firewalls for the set of EIDs permitted within the VPN.  Such a configuration would counter the very ease of deployment associated with using LISP for VPNs.  Outer have a similar problem, and would need to be able to act on the instance ID, which current ACLs can not do.
> 
> Section 7 seems to call for Proxy-ITR deployers to deploy data plane access control at "the border of the network, that is the edge of the scope of the Proxy_ITR's announcement of the EID-Prefix."  But in many Proxy-ITR deployments, that edge is not under the control of the Proxy-ITR deployer.
> 
> Proxy-ETR static configuration seems to be difficult to integrate with the dynamics of LISP (section 7, Proxy-ETR.
> 
> The text in section 10 (Security Considerations) regers to "the increasing deployment of spoofing prevention techniques such as [rfc3704] or [SAVI]..."  I have not seen any evidence of such increasing deployment, and plenty of evidence (such as the recent spoofed DNS reflection attack) that it is not increasing.
> 
> ----
> 
> As a minor suggestion, when there are existing configuration mechanisms that can address the threat, it would be helpful to point to the specific document and section where that is described.  For example, section 5.3 could point to RFC 6830 section 10 (security considerations).
> 
> The introduction of section 6 should not end with a Severity level as each subsection has its ow Severity level indication.
> 
> Claiming that "correct deployment of anti-spoofing" means that a treat is Severity level 1 is technically accurate, but probably misleading and likely to raise problems.  (Section 6.1 for example).  (Rate limiting reduces the scope of the attack, but does not prevent it.)
> 
> Yours,
> Joel
> _______________________________________________
> lisp mailing list
> lisp@ietf.org
> https://www.ietf.org/mailman/listinfo/lisp

v2.23.0 | Report a Bug | By Email