Re: [lisp] Restarting last call on LISP threats

Ronald Bonica <> Wed, 21 May 2014 15:40 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 90C411A03DD for <>; Wed, 21 May 2014 08:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.601
X-Spam-Status: No, score=-102.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZU5PVgULz63n for <>; Wed, 21 May 2014 08:40:45 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 028D61A0135 for <>; Wed, 21 May 2014 08:40:44 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.944.11; Wed, 21 May 2014 15:40:42 +0000
Received: from ([]) by ([]) with mapi id 15.00.0944.000; Wed, 21 May 2014 15:40:42 +0000
From: Ronald Bonica <>
To: Dino Farinacci <>
Thread-Topic: [lisp] Restarting last call on LISP threats
Thread-Index: AQHPa58LSm48HWl6Wky1MR3KNHiENZs9MyiAgAD04oCAAJ/u8IAAAtXQgADypICAAlhbEIABfmkAgAefyVA=
Date: Wed, 21 May 2014 15:40:41 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-forefront-prvs: 0218A015FA
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(428001)(189002)(199002)(51704005)(87936001)(85852003)(101416001)(2656002)(99396002)(74662001)(74502001)(76576001)(83072002)(21056001)(31966008)(50986999)(99286001)(33646001)(81342001)(74316001)(86362001)(66066001)(54356999)(4396001)(80022001)(76176999)(1411001)(76482001)(81542001)(79102001)(64706001)(77982001)(20776003)(92566001)(46102001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:CO1PR05MB444;; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is );
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Roger Jorgensen <>, "" <>
Subject: Re: [lisp] Restarting last call on LISP threats
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 May 2014 15:40:47 -0000


I don't understand your response. So, I will ask the question another way.

Imagine a scenario in which a victim XTR and an attacker are attached to the global Internet. The attacker is neither an XTR nor contained by a LISP site.

The attacker sends a flow of crafted packets to the victim XTR. Each packet is a well-formed LISP data packet. It contains:

- an outer IP header (LOC->LOC)
- a UDP header
- a LISP Header
- an IP header (EID->EID)
- payload

Each packet contains control plane information that is new to the victim XTR. For example, the victim XTR has no mapping information regarding either the source LOC or source EID prefix. Rather than gleaning this mapping information from the crafted packet, the victim XTR sends a verifying MAP-REQUEST to the mapping system.

Assume that the attack flow is large (N packets per second). Assume also that the XTRs rate limit for MAP-REQUEST messages is less than N packets per second. Has the attack not effectively DoS'd the victim XTR?

To make this attack work, every packet in the attack flow may need to have a unique, spoofed, source LOC.


> > The attacker can launch a DoS attack against an XTRs control plan by
> sending a barrage of crafted packets to the victim XTR. Each crafted packet
> cause the victim XTR to send a verifying MAP-REQUEST to the mapping
> system.  The attack stream may be so large that it causes the victim XTR to
> exceed the rate limit for MAP-REQUEST messages.
> You can trust sources less if they ARE NOT in the mapping database. That is, if
> you are a LISP site, you have more tools be verify trust.
> Dino