Re: [lisp] Restarting last call on LISP threats

Sharon <sbarkai@gmail.com> Mon, 26 May 2014 16:06 UTC

Return-Path: <sbarkai@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36FE71A019B for <lisp@ietfa.amsl.com>; Mon, 26 May 2014 09:06:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fy9KKBb29Qv9 for <lisp@ietfa.amsl.com>; Mon, 26 May 2014 09:06:27 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E49B21A01A5 for <lisp@ietf.org>; Mon, 26 May 2014 09:06:26 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id i57so6623529yha.27 for <lisp@ietf.org>; Mon, 26 May 2014 09:06:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=eDqAZJieCZ+CXwgHLWgeqhU19ZjiaNspnTwfN+IFgi4=; b=Zm1kFbx+Q5U6N2oYM/2tuP5qj7kwevaCDhg7cdWU+KrFHQ/uvYHzhcoLB3GYEaQ1nQ 0Ft60Iq1UPb7LOD9H/Xl5Xiw5ZaezMcMj0YHoI6Q5WwyC/nrQe6Nd6vtfSLKlLwZGnJS F1P1t4kulCU1nw7zIcioqO6a1sBOguP/HG9oZjgzw6lLvm34q3r57aEIHBBGoGB2RGF8 raGp5Sj6lX7eG3DKBgWZklajAa70UPzldBz5FiBzSHrMq0bYypBmpTpXF/FhHYmu5bOt d2JNZmnNtOmjYz62mvWIRHfSJy48uedZxv4S1FXyuko87t8HWe4gQ9QlLqnVM+kOp2Af 6k0w==
X-Received: by 10.236.129.43 with SMTP id g31mr36266111yhi.86.1401120383828; Mon, 26 May 2014 09:06:23 -0700 (PDT)
Received: from [192.168.1.102] (108-214-96-27.lightspeed.sntcca.sbcglobal.net. [108.214.96.27]) by mx.google.com with ESMTPSA id 37sm8084063yhu.26.2014.05.26.09.06.22 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 26 May 2014 09:06:23 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Sharon <sbarkai@gmail.com>
X-Mailer: iPhone Mail (11D201)
In-Reply-To: <538361DA.10808@joelhalpern.com>
Date: Mon, 26 May 2014 09:06:21 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <BDAC9F7C-1205-4A59-A252-2B20998E187B@gmail.com>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com> <1a200c5f5de041fbaf88edd1a5c3159c@CO1PR05MB442.namprd05.prod.outlook.com> <CAKFn1SEAZyydpQ4cx77mthsUx1HZqMwsM6xNuL4LJjG=oL1mjw@mail.gmail.com> <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com> <F4799A7A-BAEF-458A-8C43-9DF16C9B7828@gmail.com> <e3be912f6afd4f0aa6c8414fede37c74@CO1PR05MB442.namprd05.prod.outlook.com> <2CF699DA-2BAA-4A76-BFF1-64625E001184@gmail.com> <09d3b0d276004c88b6de1a59cf863062@CO1PR05MB442.namprd05.prod.outlook.com> <3269BEE4-C3E5-4D76-A1C0-0B70B6928A12@gmail.com> <dd849ce0cca749c885c5b8a1e989f758@CO1PR05MB442.namprd05.prod.outlook.com> <538361DA.10808@joelhalpern.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/TdsY8DkP6mf_fLp2I2pZiMlaDm0
Cc: Roger Jorgensen <rogerj@gmail.com>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 May 2014 16:06:29 -0000

Joel, thanks for clearing.
It was hard to follow.

If the challenge is for a distributed mapping system to keep track and protect itself from a "sick" xTR, sick because of a bug or an attack..
Then perhaps we could maintain mapping lookup per sec counters per xTR in the mapping. It adds some overhead to the mapping, but doesn't slow down forwarding. Can be aggregated by map servers for efficiency.

--szb

On May 26, 2014, at 8:46 AM, "Joel M. Halpern" <jmh@joelhalpern.com> wrote:

Top posting to make sure I am understanding:

You asssert that any xTR is subject to a DoS attack.  And that such a DoS attack can render the mapping system unusable.

It targeting an ITR, this would need to be from within ths cope the ITR serves.  I believe that is discussed.

If I have connected the dots correctly, the attack you are contemplating is sending a large stream of packets with different inner source addresses to an ETR.  This would prompt the ETR to check with the mapping system about each and every address.

If I have understood this properly, while there are several very effective mitigations, that does not change the basic message that this is an attack, and as such ought to be described in the threats document.  There are clealry a number of variations on this attack.  For example, using the same outer source address makes mitigation easier, while using different outer source addresses either requires a bot-net or a large unchecked BCP38 hole (and those can be used for MANY attacks on many systems.)  Both presumably should be described.

Have I captured your request accurately?

Yours,
Joel

> On 5/26/14, 1:06 AM, Ronald Bonica wrote:
> *From:*Damien Saucez [mailto:damien.saucez@gmail.com]
> *Sent:* Friday, May 23, 2014 9:07 AM
> *To:* Ronald Bonica
> *Cc:* Dino Farinacci; Roger Jorgensen; LISP mailing list list
> *Subject:* Re: [lisp] Restarting last call on LISP threats
> 
> Hello Ronald,
> 
> On 22 May 2014, at 22:57, Ronald Bonica <rbonica@juniper.net
> <mailto:rbonica@juniper.net>> wrote:
> 
> 
> 
>    Dino,
> 
>    Today's Internet is not as fragile as you think. This mail traversed
>    many routers between my house and yours. If those routers are
>    well-managed, there is nothing that I can do from my house that will
>    cause any of those routers to consume control plane resources.
>    Therefore, there is nothing that I can do from my house that will
>    cause a DoS attack against those routers' control planes.
> 
> We tend to disagree with that, for example you have ICMP today...
> 
> */[RPB] Because ICMP is susceptible to DoS attacks, it wouldn’t make a
> very good routing protocol. That’s why we don’t use it for routing. By
> contrast, LISP map-request messages are susceptible to DoS attacks and
> they do carry routing information./*
> 
> 
> 
>    In LISP, separation between the forwarding and control plane is
>    lost. As a matter of course, forwarding plane activity causes
>    control plane activity. Since forwarding plane bandwidth exceeds
>    control plane bandwidth, DoS attacks against the control plane are
>    possible.
> 
>    In order to be complete, the threats document must describe the DoS
>    threat. It should also describe mitigations, if any exist.
> 
> DoS is already explained and the definition given:
> 
> " A Denial of Service (DoS) attack aims at disrupting a specific
> 
>    targeted service either by exhausting the resources of the victim up
> 
>    to the point that it is not able to provide a reliable service to
> 
>    legit traffic and/or systems or by exploiting vulnerabilities to make
> 
>    the targeted service unable to operate properly.
> 
> "
> 
> is covering the case you mention.
> 
> */[RPB] /*
> 
> */You might want to add the following details to section 5.2:/*
> 
> *//*
> 
> -A DoS attack can be launched by anybody who can send a packet to the
> XTR’s LOC
> 
> -DoS attacks can render an XTR inoperable
> 
> -DDoS attacks can render the mapping system inoperable.
> 
> This is what differentiates LISP from today’s routing system.
> 
>                                       Ron
> 
> Damien Saucez
> 
> 
> 
>                                                                                                   Ron
> 
> 
> 
>        -----Original Message-----
>        From: Dino Farinacci [mailto:farinacci@gmail.com]
>        Sent: Wednesday, May 21, 2014 6:58 PM
>        To: Ronald Bonica
>        Cc: Roger Jorgensen; lisp@ietf.org <mailto:lisp@ietf.org>
>        Subject: Re: [lisp] Restarting last call on LISP threats
> 
> 
>            The attacker sends a flow of crafted packets to the victim
>            XTR. Each packet
> 
>        is a well-formed LISP data packet. It contains:
> 
> 
>            - an outer IP header (LOC->LOC)
>            - a UDP header
>            - a LISP Header
>            - an IP header (EID->EID)
>            - payload
> 
> 
>        Just like a regular packet I can send to your home router today.
>        So yes okay.
>        So let's continue. See comments below.
> 
> 
>            Each packet contains control plane information that is new
>            to the victim
> 
> 
>        Be more specific about what control information are in these
>        encapsulated
>        packets.
> 
> 
>            XTR. For example, the victim XTR has no mapping information
>            regarding
> 
>        either the source LOC or source EID prefix. Rather than gleaning
>        this mapping
>        information from the crafted packet, the victim XTR sends a
>        verifying MAP-
>        REQUEST to the mapping system.
> 
> 
>            Assume that the attack flow is large (N packets per second).
>            Assume also
> 
>        that the XTRs rate limit for MAP-REQUEST messages is less than N
>        packets
>        per second. Has the attack not effectively DoS'd the victim XTR?
> 
>        It caches the rate the rate the packets are coming in and
>        eventually stops
>        sending Map-Requests completely.
> 
>        It cannot stop the incoming rate of packets today just like a
>        roque BGP
>        attacker can send millions of packets per second to a peer
>        regardless if it
>        does or does not have the peer authentication key.
> 
> 
>            To make this attack work, every packet in the attack flow
>            may need to have
> 
>        a unique, spoofed, source LOC.
> 
>        An implementation can detect that after rate limiting 1000s of
>        such requests
>        are happening that it just stops operation.
> 
>        What if I sent a Juniper 20 million routes today?
> 
>        The Internet is very fragile and LISP IS NOT making it worse.
>        And in some
>        cases it is making it better with integrated techniques.
> 
>        Dino
> 
> 
>    _______________________________________________
>    lisp mailing list
>    lisp@ietf.org <mailto:lisp@ietf.org>
>    https://www.ietf.org/mailman/listinfo/lisp
> 
> 
> 
> _______________________________________________
> lisp mailing list
> lisp@ietf.org
> https://www.ietf.org/mailman/listinfo/lisp
> 

_______________________________________________
lisp mailing list
lisp@ietf.org
https://www.ietf.org/mailman/listinfo/lisp