[lisp] A Stab At Opportunistic Encryption for LISP

Edward Lopez <elopez@fortinet.com> Mon, 03 March 2014 18:14 UTC

Return-Path: <elopez@fortinet.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id B4F2A1A0122 for <lisp@ietfa.amsl.com>; Mon, 3 Mar 2014 10:14:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.737
X-Spam-Status: No, score=-4.737 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id mW_3Wcuri9oI for <lisp@ietfa.amsl.com>; Mon, 3 Mar 2014 10:13:55 -0800 (PST)
Received: from smtp.fortinet.com (smtp.fortinet.com []) by ietfa.amsl.com (Postfix) with ESMTP id 03AD11A003B for <lisp@ietf.org>; Mon, 3 Mar 2014 10:13:13 -0800 (PST)
From: Edward Lopez <elopez@fortinet.com>
To: "lisp@ietf.org list" <lisp@ietf.org>
Thread-Topic: A Stab At Opportunistic Encryption for LISP
Thread-Index: AQHPNww8b2z7LAwvt0OI7waAfMayqQ==
Date: Mon, 3 Mar 2014 18:13:10 +0000
Message-ID: <6BC34AAF-E8D8-4D94-BF86-67BA834564CC@fortinet.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
Content-Type: multipart/mixed; boundary="_005_6BC34AAFE8D84D94BF8667BA834564CCfortinetcom_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/W7Vzua32Q9OHKFDg2QPgfLwfOzM
Subject: [lisp] A Stab At Opportunistic Encryption for LISP
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 18:14:04 -0000

First off, I apologize to all for my absence on the mailing list, particularly Dino.  My company is relatively new to IETF WG participation, and there were some backend discussions I had to have back at corporate to ensure that I was both in compliance with the IETF Note Well, as well as my company’s internal IP processes.  This has been resolved, and I will be resuming active participation on the list.

At the time, I was working with Dino on crypto solutions for LISP.  Enclosed in my draft regarding opportunistic encryption for LISP.  While there are significant similarities with regard to the goals of one exchange of key material, non-reliance on PKI, nor storing keys on the mapping system, I proposed the use of IPSec ESP in transport mode for the actual encryption of packets between xTRs, as opposed to developing support for encryption within the LISP protocol itself.  I feel this has significant advantages toward ease of deployment and hardware acceleration, as well as support for multiple available encryption/hash algorithms.

The use of the security type (11) LCAF is very similar, except I propose that the Key Algorithm field be used to support encryption/hash algorithm sets, rather than individual algorithms.  In this way, we can use Key Count values to signify ITF preferences.

Another significant different is that this draft makes use of the R-bit to signal when Keys should be revoked, and can be used locally by xTRs to signal expiry conditions such as lifetime, peer detection failure, etc.


Ed Lopez

***  Please note that this message and any attachments may contain confidential 
and proprietary material and information and are intended only for the use of 
the intended recipient(s). If you are not the intended recipient, you are hereby 
notified that any review, use, disclosure, dissemination, distribution or copying 
of this message and any attachments is strictly prohibited. If you have received 
this email in error, please immediately notify the sender and destroy this e-mail 
and any attachments and all copies, whether electronic or printed.
Please also note that any views, opinions, conclusions or commitments expressed 
in this message are those of the individual sender and do not necessarily reflect 
the views of Fortinet, Inc., its affiliates, and emails are not binding on 
Fortinet and only a writing manually signed by Fortinet's General Counsel can be 
a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***