Re: [lisp] Restarting last call on LISP threats

Roger Jørgensen <rogerj@gmail.com> Sat, 17 May 2014 20:37 UTC

In-Reply-To: <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com> <1a200c5f5de041fbaf88edd1a5c3159c@CO1PR05MB442.namprd05.prod.outlook.com> <CAKFn1SEAZyydpQ4cx77mthsUx1HZqMwsM6xNuL4LJjG=oL1mjw@mail.gmail.com> <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com>
Date: Sat, 17 May 2014 22:36:54 +0200
Message-ID: <CAKFn1SEjco4rS9NaAFDGuozw_MvA=h46FU0d_VL9Gezf+7_b9w@mail.gmail.com>
From: Roger Jørgensen <rogerj@gmail.com>
To: Ronald Bonica <rbonica@juniper.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/VZNASPgKj674_A8JjAnpfCxEMjM
Cc: "lisp@ietf.org" <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats

On Thu, May 15, 2014 at 11:02 PM, Ronald Bonica <rbonica@juniper.net> wrote:
> Roger,
>
> Having considered this, it appears that the LISP data plane can operate in trusted or untrusted mode. In the trusted mode, when one XTR receives a data-plane packet from another, it can trust control plane information that it might glean from the packet's outer IP header and LISP header. Such trust is based on the assumption that:
>
> - the sending XTR is who it claims to be
> - the sending XTR is not intentionally offering bad mapping information to the receiving XTR
>
> In trusted mode, the receiving XTR can glean control information from the data plane. However, in untrusted mode, the receiving XTR must not do so. Alternatively, it must send a verifying MAP-REQUEST to the mapping system.
>
> So far, all of this is covered nicely between RFC 6830 and the LISP threats document. However, we have yet to explore the threats associated with unsecured mode operation, where gleaned information cannot be used.
>
> For example, assume that two XTRs and an attacker are connected to the global Internet. The attacker is neither an XTR nor contained by a LISP site. The attacker is capable of spoofing its source address.
>
> The attacker can launch a DoS attack against an XTR's control plane by sending a barrage of crafted packets to the victim XTR. Each crafted packet causes the victim XTR to send a verifying MAP-REQUEST to the mapping system. The attack stream may be so large that it causes the victim XTR to exceed the rate limit for MAP-REQUEST messages.

Lots of other people that know LISP way better than I do have responded already.

Do I understand you correctly that you think there is a hole in the
threat draft, or are you talking about another miss, that is, what will
happen if the mapping system fails to reply in time when encryption or
another form of verification of both ends (iTR and eTR) is used?

-- 

Roger Jorgensen           | ROJO9-RIPE
rogerj@gmail.com          | - IPv6 is The Key!
http://www.jorgensen.no   | roger@jorgensen.no
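To make the control-plane starvation Ron describes above concrete, here is an added simulation that is not code from this thread or from any LISP implementation. It assumes a fixed per-window quota of Map-Requests standing in for the xTR's rate limit, a constructed packet trace, and, as an illustrative mitigation that the thread itself does not propose, a separate quota for glean-triggered verifications so that a spoofed barrage cannot starve ordinary cache-miss resolution.

```python
import collections


class MapRequestQuota:
    """Per-window Map-Request budget; a stand-in for the xTR rate limit (assumption)."""

    def __init__(self, capacity):
        self.tokens = capacity

    def take(self):
        """Consume one Map-Request slot; False means the message is rate-limited away."""
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def build_trace(attack_packets=1000, legit_misses=10):
    """Constructed trace: crafted data-plane packets, each with a different spoofed
    source RLOC (so every one looks like fresh, unverified gleanable state), with a
    few legitimate cache-miss lookups interleaved."""
    trace = []
    for i in range(attack_packets):
        trace.append(("glean", "2001:db8::1", f"spoofed-rloc-{i}"))  # constructed
        if i % (attack_packets // legit_misses) == 0:
            trace.append(("miss", f"2001:db8:{i}::", None))  # legitimate lookup
    return trace


def simulate(trace, capacity, separate_budgets=False):
    """Replay the trace through an untrusted-mode xTR. 'glean' packets each trigger a
    verifying Map-Request; 'miss' packets are ordinary cache misses. Returns how many
    of each were sent versus starved by the rate limit."""
    shared = MapRequestQuota(capacity)
    glean_quota = MapRequestQuota(capacity) if separate_budgets else shared
    miss_quota = MapRequestQuota(capacity) if separate_budgets else shared
    stats = collections.Counter()
    for kind, _eid, _rloc in trace:
        quota = glean_quota if kind == "glean" else miss_quota
        stats[kind + ("_sent" if quota.take() else "_starved")] += 1
    return dict(stats)


if __name__ == "__main__":
    # With one shared quota the barrage leaves almost no room for legitimate lookups.
    print("shared quota:  ", simulate(build_trace(), 100))
    # With a separate glean quota the attack is still rate-limited, but misses survive.
    print("separate quota:", simulate(build_trace(), 100, separate_budgets=True))
```

The shared-quota run shows 9 of the 10 legitimate lookups starved, which is the failure mode Ron points at; the split quota bounds the attacker's spend without helping an attacker who can vary spoofed sources at will.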