Re: [lisp] Restarting last call on LISP threats

Dino Farinacci <farinacci@gmail.com> Wed, 28 May 2014 01:12 UTC

From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <9091dab3083e460abb2080f1e9315aba@CO1PR05MB442.namprd05.prod.outlook.com>
Date: Tue, 27 May 2014 18:12:24 -0700
Message-Id: <4B057F83-72DF-44B8-A6D5-2DF6829C8948@gmail.com>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com> <1a200c5f5de041fbaf88edd1a5c3159c@CO1PR05MB442.namprd05.prod.outlook.com> <CAKFn1SEAZyydpQ4cx77mthsUx1HZqMwsM6xNuL4LJjG=oL1mjw@mail.gmail.com> <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com> <F4799A7A-BAEF-458A-8C43-9DF16C9B7828@gmail.com> <e3be912f6afd4f0aa6c8414fede37c74@CO1PR05MB442.namprd05.prod.outlook.com> <2CF699DA-2BAA-4A76-BFF1-64625E001184@gmail.com> <09d3b0d276004c88b6de1a59cf863062@CO1PR05MB442.namprd05.prod.outlook.com> <3269BEE4-C3E5-4D76-A1C0-0B70B6928A12@gmail.com> <dd849ce0cca749c885c5b8a1e989f758@CO1PR05MB442.namprd05.prod.outlook.com> <538361DA.10808@joelhalpern.com> <029e0f8bc7ba433ba4d3ee70b8431f9f@CO1PR05MB442.namprd05.prod.outlook.com> <3519A6AD5B18C44EB0291EC6C880A906012FD3@NYDC-EXCH01.vinci-consulting-corp.local> <936e209eb2fb49288f3a776aaa4b71cb@CO1PR05MB442.namprd05.prod.outlook.com> <7E76C55E-CCD0-4A52-A481-5BA9BF6A6689@gmail.com> <9091dab3083e460abb2080f1e9315aba@CO1PR05MB442.namprd05.prod.outlook.com>
To: Ronald Bonica <rbonica@juniper.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/bse790RnRgVV-7ZRt655ZYY_l7w
Cc: Roger Jorgensen <rogerj@gmail.com>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats


> On May 27, 2014, at 5:18 PM, Ronald Bonica <rbonica@juniper.net> wrote:
> 
> RPB] 
> Exactly. Source EIDs are chosen to maximize the ratio of attack packets to map-requests sent by the victim XTR.
> 
> This is what makes the attack stream so different from a stream that a PiTR is likely to send during normal operation.

It is not different for that reason. It is different because packets encapsulated by PITRs originate from non-LISP sources. Thereby the ITR at the LISP site will natively forward to those random places. And those native-forward map-cache entries are very coarse since the mapping system returns the least specific prefix that covers all non-LISP sites.

I believe Paul is still right IMO. 

Dino
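As an added illustration of the map-cache behaviour Dino describes (constructed example, not code from this thread or from any LISP implementation; the registered EID-prefixes and the reply stream are made up), here is a toy ITR map-cache that charges one Map-Request per cache miss, with the mapping system answering a non-LISP address with the least-specific prefix that overlaps no registered EID-prefix. Toggling `coarse_negative` shows how much those coarse negative entries damp the Map-Request rate for the very same stream of replies.

```python
import ipaddress

# Constructed sample: EID-prefixes registered by LISP sites (placeholders, not real sites).
REGISTERED_EIDS = [ipaddress.ip_network("10.1.0.0/16"),
                   ipaddress.ip_network("10.200.0.0/24")]

def negative_prefix(addr, registered):
    """Least-specific prefix that contains addr but overlaps no registered EID-prefix.
    This models the coarse negative mapping returned for a non-LISP address."""
    for plen in range(addr.max_prefixlen + 1):
        net = ipaddress.ip_network((addr, plen), strict=False)
        if not any(net.overlaps(r) for r in registered):
            return net
    return ipaddress.ip_network(str(addr))  # only reached if addr itself is registered

class MapCache:
    """Toy ITR map-cache: longest-prefix match; every miss costs one Map-Request."""
    def __init__(self, registered, coarse_negative=True):
        self.registered = list(registered)
        self.coarse_negative = coarse_negative
        self.entries = {}          # prefix -> "positive" | "negative"
        self.map_requests = 0

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        hits = [p for p in self.entries if dst in p]
        if hits:
            best = max(hits, key=lambda p: p.prefixlen)
            return best, self.entries[best]
        self.map_requests += 1                      # cache miss -> Map-Request sent
        for r in self.registered:
            if dst in r:
                self.entries[r] = "positive"        # LISP site: positive mapping
                return r, "positive"
        neg = (negative_prefix(dst, self.registered) if self.coarse_negative
               else ipaddress.ip_network(str(dst)))  # hypothetical host-granular negative entry
        self.entries[neg] = "negative"
        return neg, "negative"

def map_requests_for(destinations, coarse_negative=True):
    """Feed a stream of reply destinations through a fresh cache; return the Map-Request count."""
    cache = MapCache(REGISTERED_EIDS, coarse_negative)
    for d in destinations:
        cache.lookup(d)
    return cache.map_requests

# Constructed stream: 256 replies to distinct non-LISP hosts plus a few to LISP and non-LISP EIDs.
STREAM = [f"172.16.5.{i}" for i in range(256)] + ["10.1.2.3", "10.1.9.9", "10.5.1.1"]
```

With coarse negative entries the whole stream triggers three Map-Requests; with host-granular negative entries the same stream triggers one per distinct non-LISP destination, which is the ratio Ronald's scenario turns on.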