IETF Logo Mail Archive

Re: [lisp] Warren Kumari's Discuss on draft-ietf-lisp-rfc6830bis-26: (with DISCUSS and COMMENT)

Dino Farinacci <farinacci@gmail.com> Wed, 06 February 2019 22:07 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00723130EF1; Wed, 6 Feb 2019 14:07:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.598
X-Spam-Level:
X-Spam-Status: No, score=-0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwbjhHb6RaoZ; Wed, 6 Feb 2019 14:07:22 -0800 (PST)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F6C1130F40; Wed, 6 Feb 2019 14:07:22 -0800 (PST)
Received: by mail-ot1-x32f.google.com with SMTP id u16so14794425otk.8; Wed, 06 Feb 2019 14:07:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=eY4GNo9zP3aIcBxtb1vhVgVk1EN6AoItg4k+01zbPWs=; b=qvftO8AIuygzuY9qzm+AhoLsuEqcc1k3fVq+tKcBPOliihcvw5pYU7KD4Vzf12z7bo Oh+M01zTW6sCJveM4A86NsyF8PFtVaM7AFOVhOcFrt48YBigTVVqr0ASuYYyQAcbPqE4 CTLp13aKSg9qAckZYAYg0MFtrmnESbB3uUVsLJBAqITXK69K5FrN5KgWBAIecdjG94X2 fwrb0wk1zpLqJIZr5M9BFg8VTR6aUJuPCh5boCNLr0H1DwdJhElcOBVPY3y9+r1snw1u Y/QWydojJxff86aG4SOO+f8S56VSxBb+UobUtp4OARuAOCO8KlweCAfCOiaxklLzX8fD fvoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=eY4GNo9zP3aIcBxtb1vhVgVk1EN6AoItg4k+01zbPWs=; b=YgAZWwg7W2zb4YKuQwyxRW5086T6Pvu3E5IW83lyk22fedDka+Xka2VGdtWOTtQPjN /n4fxasAKO2IavNxCAp4KquXfG1PFrHJhlBKdj8dIlKpDBVr+Gn8OYaATg0K9DRUS8ET kZe/SZzKpaEcdx5hlOOgr3a1HsJJEheP1H9N+tTQmFHcpMzSs4PEIglQwAbTAJO/ltzu iEmeHi0SvJWjvczLyhnImfksMEgjul2piRA5COtnb1BQRHR8MOJfWZwdtoL4j5I4snv5 g/hduGBUm5748sq9dACsGxPv1MNV6U9qW84S0ixd3I0ujkXgsxGdggX/xmGn3xaTRMbo WRQg==
X-Gm-Message-State: AHQUAuYrWG4RJWQ11mR4vq9CTSmSBuvbKSCPyp5brTOFx6dhSLhl+KO5 sRx2TJZHDuglBDwLIU9PGOQtMFeX
X-Google-Smtp-Source: AHgI3IZvMfqI7CbGg09cxVA7FdWzNr+SojNVYRIy90+qjoHv5XU5g22TCwXnf46tuBiRL1zpEEqzEA==
X-Received: by 2002:aca:5193:: with SMTP id f141mr93347oib.114.1549490841368; Wed, 06 Feb 2019 14:07:21 -0800 (PST)
Received: from dino-macbook.attlocal.net (adsl-108-94-1-57.dsl.pltn13.sbcglobal.net. [108.94.1.57]) by smtp.gmail.com with ESMTPSA id v20sm9601182otp.10.2019.02.06.14.07.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Feb 2019 14:07:19 -0800 (PST)
From: Dino Farinacci <farinacci@gmail.com>
Message-Id: <80010161-70A1-4B59-ADEA-2C5588CFF3F6@gmail.com>
Content-Type: multipart/mixed; boundary="Apple-Mail=_9A64C7D3-A0AC-4D20-B973-F8E9FC083567"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 06 Feb 2019 14:07:04 -0800
In-Reply-To: <CAHw9_iKiEiELVVWeJQcHr6-pnXJ5_h+Wv6miU8hF-G2v7tfREA@mail.gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-lisp-rfc6830bis@ietf.org, Luigi Iannone <ggx@gigix.net>, lisp-chairs@ietf.org, lisp@ietf.org
To: Warren Kumari <warren@kumari.net>
References: <154941971479.32132.7227582520612116720.idtracker@ietfa.amsl.com> <E8FC2F26-A7F3-454C-ABBB-C3B47536EB58@gmail.com> <CAHw9_iLvNo7gdnyXcdKLyqA+iuvnLmMkX9ZHretgfy6Tn9-Lwg@mail.gmail.com> <0D72CB4B-2016-4978-97C9-E943AFD19D31@gmail.com> <CAHw9_iKiEiELVVWeJQcHr6-pnXJ5_h+Wv6miU8hF-G2v7tfREA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/eYL6rapt5XQIUEED8TYgmBvBs-I>
Subject: Re: [lisp] Warren Kumari's Discuss on draft-ietf-lisp-rfc6830bis-26: (with DISCUSS and COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2019 22:07:27 -0000

> L is an architectural constant. If there tends to be tunnels between the ITR and ETR, then you choose L to be 1400. Or you run MTU discovery between the ITR and ETR to determine the effective MTU.
> > 
> > That doesn't sound like an "architectural constant" - it sounds like a configurable value.
> > As an example: 
> > "Both OSPF and IS-IS make a clear distinction between architectural constants and configurable parameters. Architectural constants are parameters which were fixed by the specification and cannot be changed by the network manager". 
> > (from "OSPF and IS-IS: From Link State Routing Principles to Technologies").
> > See also https://tools.ietf.org/html/rfc2328#appendix-B , https://tools.ietf.org/html/rfc3719, etc. 
> 
> Was the changed text sufficient?
> 
> Which changed text? It wasn't (as far as I could see) in the diff which you attacked earlier. 
> Also, in the diff there is still the "example" typo: "For exmple of such attacks”

I was referring to the MTU text. We combined two discussion points at the same time. I was referring to the the size of the packet that the ITR needs to encapsulate and that L includes the size of the encapsulation headers.

Fixed the typo.

> > > deprecated. I start a timer, and second or two less than the TTL later I start
> > > spoofing packets again, knowing that site X will soon expire the cache entry
> > > and will once again be willing to accept mine again. A: I get some Site X to
> > > Site Y traffic for a few seconds every TTL seconds, and B: the loss of this
> > > traffic is a signal that TTL seconds again it will need to be refreshed.
> > 
> > It was a Google employee in the early days that wanted this feature (circa 2007). ;-) It was so return packets from a server side didn’t have to do the mapping system lookup. It is off by default and only used in trusted enviornments where you can control how the ITR and ETR behave.
> > 
> > You say that "it is off by default" -- but I don't see that in this document (nor, at a quick glance, in RFC 7832 - "Locator/ID Separation Protocol (LISP) Threat Analysis”).
> 
> It has been implemented in products as off by default.
> 
> ... and someone reading this document is supposed to know that how? The purpose of publishing documents like this is to allow for interoperable implementations - expecting implementers to have to examine other implementations to learn how not to shoot themselves in the foot doesn't help anyone. 

Tell me why this text does not satisfy your concern?


It’s at the end of section 9.

> > > valid nonce the ITR is requesting to be echoed within a small window of time. 
> > > The goal is to convince the ITR that the ETR’s RLOC is  reachable even when it
> > > may not be reachable."  attack listed in the document in that a: it doesn't
> > > require any guessing, and b: makes an ETR appear down, not up.
> > 
> > You can’t overfill any cache. An xTR just remembers the last nonce that came with the E-bit set and when it returns packets it uses that nonce.
> > 
> > Um, I don't think this is right (or I've misunderstood) - you don't store "the last nonce that came with the E-bit set" (one number), you have to store "the last nonce that came with the E-bit set for every ITR which is sending them”.
> 
> Right. The context was from a single encapsulator.
> 
> > These have to be stored somewhere, and this is a limited size space (N slots). If I send you N+1 spoofed packets you will have to evict something from this space -- what am I missing?
> 
> They are stored in the map-cache since you encap to that ITR (which is now an ETR). So its a 24-bit number you use in an RLOC data structure in your implemenation. I have implemented this way twice (in 2 different implementations).
> 
> Ok, this seems seems like a good optimization (but does require that the RLOC storage needs to be larger ) - why not suggest this in the document? It would only take a sentence or two, and would make future implementations more likely / resilient. 

Because we have decided that many things like this be left for implementor creativity and experimentation.

> 
> > Yes, many implementations default to not setting advertising they are echo-nonce capable in Map-Replies. So RLOC-probing tends to be used for RLOC reachability. Plus we added features into RLOC-probing that makes it more useful now (lisp-crypto key exchange for one).
> > 
> > 
> > Pointer?
> 
> The LISP WG can provide pointes. Damien and Luigi did extensive research on this.
> 
> 
> Again, something like "many implementations default to not advertising that they are echo-nonce capable in Map-Replies and so RLOC-probing tends to be used for RLOC reachability." would help - there is no harm in trying to make things easier for your readers / future implementors.

I have added your text. See new diff enclosed.

Dino

v2.23.0 | Report a Bug | By Email