Re: [lisp] Restarting last call on LISP threats

Dino Farinacci <farinacci@gmail.com> Tue, 27 May 2014 15:17 UTC

From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <5384AB4E.2010208@joelhalpern.com>
Date: Tue, 27 May 2014 08:17:14 -0700
Message-Id: <CBCA3DF0-2AAC-462F-89F1-8369B0E42EDE@gmail.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/XxM6C7nWi9dnRq6SRNpNlHBxKbo
Cc: Roger Jorgensen <rogerj@gmail.com>, LISP mailing list list <lisp@ietf.org>

> Can we please not get into a debate about how well BCP38 is or is not deployed, whether violations are remotely detectable, ... This is NOT the working group for that.

The point is that LISP makes spoofing no worse even though many think that it could because there are more addresses in the packet to manipulate. This aspect is on topic.

> For our purposes, given that source address forging is known to occur, we have to allow it in the threat analysis.

I agree.

Dino

> 
> Yours,
> Joel
> 
> On 5/27/14, 11:04 AM, Dino Farinacci wrote:
>> 
>>> Also, recall that large BCP38 holes exist in today's internet.
>> 
>> And I am going to repeat again, this is not a binary statement. That is, if a BCP38 hole exists in one part of the network, source spoofing can still be detected in other parts of the network.
>> 
>> Dino
>> 
>>
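As an added illustration (not part of this message or of any LISP implementation), the check below applies BCP38-style source validation to both headers of a LISP-encapsulated packet: the outer source RLOC against the prefixes assigned to the ingress link, and the inner source EID against the EID prefixes the encapsulating site may originate. The packet model, the prefixes and the sample packets are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class LispPacket:
    """Simplified view of a LISP-encapsulated packet (constructed model):
    the outer IP header carries RLOCs, the inner IP header carries EIDs."""
    outer_src: str  # source RLOC
    outer_dst: str  # destination RLOC
    inner_src: str  # source EID
    inner_dst: str  # destination EID


def bcp38_check(packet, ingress_rloc_prefixes, site_eid_prefixes):
    """Return a list of ingress-filter findings (empty list means clean).

    The outer source must fall inside the prefixes assigned to the link the
    packet arrived on (BCP38 applied to the RLOC space); the inner source
    must fall inside the EID space the encapsulating site is authorised to
    originate. Each header is checked independently, so a forged EID behind
    a legitimate RLOC is still reported.
    """
    findings = []
    outer = ipaddress.ip_address(packet.outer_src)
    inner = ipaddress.ip_address(packet.inner_src)
    if not any(outer in ipaddress.ip_network(p) for p in ingress_rloc_prefixes):
        findings.append(f"outer source RLOC {outer} not in ingress prefixes")
    if not any(inner in ipaddress.ip_network(p) for p in site_eid_prefixes):
        findings.append(f"inner source EID {inner} not in site EID prefixes")
    return findings


# Constructed sample values (documentation ranges, not real deployments).
INGRESS_RLOCS = ["203.0.113.0/24"]
SITE_EIDS = ["10.1.0.0/16"]

CLEAN = LispPacket("203.0.113.5", "203.0.113.200", "10.1.4.4", "10.2.0.1")
SPOOFED_EID = LispPacket("203.0.113.5", "203.0.113.200", "10.9.9.9", "10.2.0.1")
SPOOFED_RLOC = LispPacket("198.51.100.7", "203.0.113.200", "10.1.4.4", "10.2.0.1")


def run_samples():
    """Evaluate the three constructed packets; returns a dict of findings."""
    return {name: bcp38_check(p, INGRESS_RLOCS, SITE_EIDS)
            for name, p in (("clean", CLEAN), ("spoofed_eid", SPOOFED_EID),
                            ("spoofed_rloc", SPOOFED_RLOC))}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "ok")
```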