[lisp] Comments on draft-saucez-lisp-security-00
Sam Hartman <hartmans-ietf@mit.edu> Fri, 09 October 2009 21:03 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: lisp@core3.amsl.com
Delivered-To: lisp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C2EA628C1BD for <lisp@core3.amsl.com>; Fri, 9 Oct 2009 14:03:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.42
X-Spam-Level:
X-Spam-Status: No, score=-2.42 tagged_above=-999 required=5 tests=[AWL=-0.155, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2qN0Yak36m2M for <lisp@core3.amsl.com>; Fri, 9 Oct 2009 14:03:28 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id CAD4C28C1AE for <lisp@ietf.org>; Fri, 9 Oct 2009 14:03:27 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id F255E202F2; Fri, 9 Oct 2009 17:05:12 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id C6837445B; Fri, 9 Oct 2009 17:04:57 -0400 (EDT)
To: Luigi Iannone <luigi@net.t-labs.tu-berlin.de>
References: <tsl4oqwh7th.fsf@mit.edu> <4AB9B6BE.6070006@cisco.com> <tsl63ba54h9.fsf@mit.edu> <C20E3AB2-46B9-4544-8AB0-68C2908804BB@net.t-labs.tu-berlin.de>
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Fri, 09 Oct 2009 17:04:57 -0400
Message-ID: <tsl4oq8s2h2.fsf@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be>, lisp@ietf.org
Subject: [lisp] Comments on draft-saucez-lisp-security-00
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2009 21:03:28 -0000
Hi. I agree with the goals of the approach you're taking as something we should do. I think that my effort and yours can proceed in parallel adapting information from each other. They may merge some day, although I think right now that the taxonomy I'm taking is somewhat different and I don't think it would make sense to merge at this point. One thing I think it would be valuable to adopt is to set out some high level goals for LISP security; perhaps you could use something similar to mine, or describe your own. My high level goals follow: * LISP will not make Internet security worse * LISP will not create an architecture in which ongoing IETF-wide security goals such as the SIDR working group or BCP 84 are made more difficult. The big question is what does it mean to make the Internet security worse and what is the current security model of the Internet. In answering these sorts of questions, Then, I recommend referencing your requirements back to these goals. Section 4.1 When you talk about security of the data stream, what security services are you talking about? Confidentiality? Integrity? Peer entity authentication? Where do these requirements come from for LISP as a routing scalability solution? Why would you propose IPsec inside the tunnel to secure LISP rather than IPsec outside the tunnel? Section 4.2 discusses packet spoofing. How is the work in SAVI applicable? I cannot figure out how to apply what I know of SAVI to LISP? Section 4.3 proposes that the nonce is similar to the L2TP cookie. How is that true? The L2TP cooking is a cookie established between two peers to prevent off-path attacks. If a packet is included in an L2TP tunnel with an improper cookie, that packet is discarded. In what circumstances is a 24-bit nonce long enough to provide protection? In what circumstances can an ETR discard a packet based on a nonce? Section 4.4.1: Another important attack is DOS attacks based on rloc entries. Take a look at the mip6 route optimization security analysis. One attack is to set up a very high bandwidth flow to EIDs you own. Then update your mapping redirecting some or all of that traffic off to some unsuspecting person. This is the attack that motivates the requirement that someone with an RLOC prove that they actually want to accept traffic before you redirect to them. Section 4.6.2: How will ignoring the loc reach bits if nonce/versioning did not change help? Wouldn't an attacker change the nonce/version? Section 4.6.3: How do you deal with missing packets/version numbers changing rapidly enough that one ETR doesn't see a packet of a particular version? Section 4.6.4: How can filtering spoofed EIDs on the ITR remove cache poisoning? How do you actually filter out spoofed EIDs/identify them? Section 4.6.6: How do PITRs effectively filter? What does requiring a source EID be in the mapping cache on the *ETR* accomplish? Section 5.2: I think that there are some significant deployment considerations that generate requirements. For example I think we need a level of security similar to what we get on the Internet today if two clients of the mapping system do not share trust anchors for public-key operations. I think it is reasonable to assume that an ITR and its map resolver share trust, an ETR and a map server share trust. However I think we want to do at least as well as the internet does today without requiring more trust.
- [lisp] Call for interest in working on security Sam Hartman
- Re: [lisp] Call for interest in working on securi… Eliot Lear
- Re: [lisp] Call for interest in working on securi… Sam Hartman
- Re: [lisp] Call for interest in working on securi… Luigi Iannone
- Re: [lisp] Call for interest in working on securi… Eliot Lear
- Re: [lisp] Call for interest in working on securi… Luigi Iannone
- Re: [lisp] Call for interest in working on securi… Eliot Lear
- Re: [lisp] Call for interest in working on securi… Sam Hartman
- [lisp] Comments on draft-saucez-lisp-security-00 Sam Hartman