IETF Logo Mail Archive

Re: [lisp] Secdir early review of draft-ietf-lisp-nexagon-04

Sharon Barkai <sharon.barkai@getnexar.com> Sat, 17 October 2020 11:24 UTC

Return-Path: <sharon.barkai@getnexar.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 860163A0A64 for <lisp@ietfa.amsl.com>; Sat, 17 Oct 2020 04:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=getnexar.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcKrTS1heBIe for <lisp@ietfa.amsl.com>; Sat, 17 Oct 2020 04:24:20 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D22883A0A63 for <lisp@ietf.org>; Sat, 17 Oct 2020 04:24:19 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id d3so8101826wma.4 for <lisp@ietf.org>; Sat, 17 Oct 2020 04:24:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=getnexar.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=eS/jt/0pm5RLIkbJyLpq75y+7+TISWcl9bKx9dyKKMQ=; b=hOzutXf6CFWtVLVflhoQ0dB1OUK0Ar1JrNZJQCXezro7+t1vp11z5Y3InEHS91euh+ J4107eEcjZQ96qH90NE6PnE3XG00ACuwP3IqPRRsSyVjZtPn3jKmEoxSzKDCoXfBwb9S OVXw4BKpHSbeBA/DZfqZhk2LyP17S3imgz0Yg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=eS/jt/0pm5RLIkbJyLpq75y+7+TISWcl9bKx9dyKKMQ=; b=lhzDlZdzctNi9zRIwpaBAOwdojMZ26hxHrzQlWlJ6lB1fPgAR/t42wwvUXHXnFfHlM Pd03+9XRpPHiyhQKnEBGUfgEdbFcqkhd4hEeG/Jh0hO6walpr8MwQgwm2WGlgMQEYou+ t1B45yTvq+38Pw1nzbNbuc5/F/jbzYffDoE2twrkY6N2EfbJHvGGZR0VMZZEWMhsQMKT dfuftY4TwuUgOdcheUmSyh7ZGL+TrvXCdqf04XjHw1xM8+ZO+/+X3t4oqci4zpTJcyTF KLVOuQD5DBtDDNpM41V6HOgxObRQVRSR/JvAgSVrvCv0uE7+UUYVHCqCfQ8vgbkb+pTY Ev8g==
X-Gm-Message-State: AOAM532wLcjU9r9eVJF+EBNU0lW2wvoMopAVEaTgmlA9EPMKktPKLW7T FGNv69dxQmA4QKY60puuClAWuw==
X-Google-Smtp-Source: ABdhPJwxB3ZPETNiiWc87/W7lsk4dd72Mq+/ZrKhV9fJAvcBOy3zinnIGp9oeu9RvCbQLkhxjMT+jQ==
X-Received: by 2002:a1c:b646:: with SMTP id g67mr7886310wmf.87.1602933858247; Sat, 17 Oct 2020 04:24:18 -0700 (PDT)
Received: from ?IPv6:2a02:14c:27c:b400:f5b5:cd6:d37a:6dc6? ([2a02:14c:27c:b400:f5b5:cd6:d37a:6dc6]) by smtp.gmail.com with ESMTPSA id l26sm7104303wmi.41.2020.10.17.04.24.16 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 17 Oct 2020 04:24:17 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_29C71931-FADC-4FA9-99C5-EDDF228E357A"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Sharon Barkai <sharon.barkai@getnexar.com>
In-Reply-To: <160218848061.12936.5873889616190686198@ietfa.amsl.com>
Date: Sat, 17 Oct 2020 14:24:15 +0300
Cc: secdir@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>, draft-ietf-lisp-nexagon.all@ietf.org
Message-Id: <AE593613-97AD-43F3-A968-695B8F97DFC4@getnexar.com>
References: <160218848061.12936.5873889616190686198@ietfa.amsl.com>
To: Tero Kivinen <kivinen@iki.fi>, David Mandelberg <david@mandelberg.org>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/elPgZ3z61sZrv2NW-BuVSFRTnPs>
Subject: Re: [lisp] Secdir early review of draft-ietf-lisp-nexagon-04
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2020 11:24:23 -0000

Dear David, thank you again for putting the effort to review the draft.
Published bellow are clarifications to concerns raised.


In summary of main risk mitigations for the lisp-nexagon interface we can say:

  (1) tapping: all communications are through dynamic tunnels therefor may be
  encrypted using IP-Sec or other supported point to point underlay standards
*this are not static, but retunneling routers (RTRs) do all aggregations

  (2) spoofing: it is very hard to guess a MobilityClientEID valid for a short
  period of time. Clients and H3Services EIDs are whitelisted in EdgeRTRs

  (3) impersonating: efforts to use MobilityClients and H3Services RLOCs should
  be caught by the underlying service provider edge and access networks
** we rely on underlay anti-spoofing for RLOCs and provide anti-spoofing for EIDs

  (4) credibility: the interface crowd-sources geo-state and does not assume to
  trust single detections. Credit history can be traced and reflect credentials

  (5) privacy: Only EdgeRTRs are aware of both clients' RLOC and geo-location,
  only AAA is aware of client IDs credentials and credit but not geo-location
***enterprises can bring their own RTRs and if trusted are provisioned to the LISP network
**** AAA is provisioned administratively including credentials and trust



https://datatracker.ietf.org/doc/html/draft-ietf-lisp-nexagon-05 <https://datatracker.ietf.org/doc/html/draft-ietf-lisp-nexagon-05>


Please let us know as soon as you can if you think the concerns are addressed.
All the best,
Sharon



> On Oct 8, 2020, at 23:21, Tero Kivinen via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: David Mandelberg
> Review result: Not Ready
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> The summary of the review is Not ready.
> 
> If I understand correctly, 64-bit Client EIDs serve as both 
> identification and authentication for a client. How many clients will an 
> EdgeRTR know about at a single time? How many EIDs can an attacker guess 
> per second? If an attacker can guess 1024 EIDs per second, and there are 
> 2^32 valid EIDs, I think that would mean it would take about 24 days on 
> average to guess a (non-specific) EID. Are my numbers off? Is that 
> acceptable?
> 
> How does the Client XTR verify the authenticity of the data coming from 
> Server XTRs? Is it relying on infrastructure security in the LISP and 
> server networks, and the obscurity of its own Client EID? E.g., if a 
> non-participant in the LISP network can get the Client EID and RLOC 
> (e.g., by sniffing packets), could they spoof an unsolicited multicast 
> packet to the client?
> 
> If the above is possible, I think this part of the Security 
> Considerations section should be fleshed out more, and possibly made 
> mandatory: "The traffic on the MobilityClient<>EdgeRTR interface is 
> tunneled  and its UDP content may be encrypted"
> 
> The Security Considerations section says "The H3ServiceEIDs themselves 
> decrypt and parse actual H3-R15 annotations" but as far as I can tell, 
> that's the first mention of any mandatory encryption of H3-R15 
> information. How does that encryption work?
> 
> I assume it wouldn't be that hard for an attacker to get legitimate 
> access to a Mobility Client (e.g., by buying a car). What would stop 
> them from sending the type of "fake-news" updates the Security 
> Considerations section talks about?
> 
> 
> 
> 
> _______________________________________________
> lisp mailing list
> lisp@ietf.org
> https://www.ietf.org/mailman/listinfo/lisp

v2.23.0 | Report a Bug | By Email