Re: [lisp] Restarting last call on LISP threats

Dino Farinacci <> Tue, 27 May 2014 23:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 625F11A0704 for <>; Tue, 27 May 2014 16:18:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id avXE7eVi0xBO for <>; Tue, 27 May 2014 16:18:45 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c05::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 10AD61A02AF for <>; Tue, 27 May 2014 16:18:45 -0700 (PDT)
Received: by with SMTP id c1so1778394igq.7 for <>; Tue, 27 May 2014 16:18:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=XAfNGbR6ARhrSm1cxmkhvlx10ikaL3yIAQL9GJPacxE=; b=1Gcm2RWJ8bZgW1xbw9EUmTbNgbBtcqNmypDp4JLtOliHKaTxng+Qkv9KzgPzvkrsoA Y/wzUJ5GzG2iBF9FQlNo2n1c9lr3qZKx5crNDtaP98yGPnjpGz+IH4xwptz4XZlIcB1D rC67ulqSsDW7dz5fiL6yqPafwCKIDPKblvei5bett4f5EZg1uPnArxV0zdFMRRewgYpY acdDZ8ctorpwPhV+FDZxS5omzP2UwRKdKoqiD9/zrTGpNDTgKfHH+AhlGjdvSd7Krle1 3SejoW02ASBi5I8QBVvwvwN3GRDayChg3oRpEbUIIPFCema+xx9w97lwrKNFbPymj75q WCzQ==
X-Received: by with SMTP id o6mr38030123igh.43.1401232721552; Tue, 27 May 2014 16:18:41 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id ng17sm8347989igb.13.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 27 May 2014 16:18:40 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Dino Farinacci <>
In-Reply-To: <>
Date: Tue, 27 May 2014 16:18:37 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>, <> <3519A6AD5B18C44EB0291EC6C880A906012FD3@NYDC-EXCH01.vinci-consulting-corp.local> <>
To: Ronald Bonica <>
X-Mailer: Apple Mail (2.1874)
Cc: Roger Jorgensen <>, LISP mailing list list <>
Subject: Re: [lisp] Restarting last call on LISP threats
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 May 2014 23:18:46 -0000

> Hi Paul,
> The attack scenario that I envision is slightly different from the on that you describe below:
> - LISP is widely deployed. Tens of thousands of XTRs are deployed world-wide. The mapping system data base contains hundreds of thousands of EID prefixes.
> - The attack stream is large
> - Each packet in the attack stream has a unique source LOC
> - All packets in the attack stream have the same destination LOC. This LOC represents the XTR under attack.
> - Each packet in the attack stream has a destination EID that will cause it to reach a valid destination (i.e., a destination that will respond). However, all packets in the attack stream don't have the same destination. The attack stream is spread out across multiple valid EID destinations to make it less detectable.
> - Each packet in the attack stream has a carefully chosen source EID. It is chosen to maximize the ratio of attack packets to map-requests.
> One attack stream attacks an XTR. Multiple simultaneous attacks against multiple XTRs can DoS the mapping system, itself.
> A PxTR probably won't generate this attack stream. However, an attack tool might.

Ignoring the unique source RLOC (which makes no difference in this attack because we are not doing a RPF check on the ETR), it is the same as if a PITR was encapsulating from the same set of source-EIDs to the same set of destination-EIDs you describe above.

That was his point.

So some clarifications:

(1) What does unique source LOC mean? I assume you mean each packet as a different source RLOC and that the address is not duplicated from multiple sites (i.e. is it not a private address like, or do you meawn something else?

(2) And what is carefully chosen mean? You might mean a scan of differnet source EIDs in each packet so the xTR that returns packets will get more map-cache misses?