Re: [lisp] possible text for LISP threats

Ross Callon <rcallon@juniper.net> Fri, 13 June 2014 18:36 UTC

Return-Path: <rcallon@juniper.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16A461A05F5 for <lisp@ietfa.amsl.com>; Fri, 13 Jun 2014 11:36:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBLfN7W-jm52 for <lisp@ietfa.amsl.com>; Fri, 13 Jun 2014 11:36:18 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0239.outbound.protection.outlook.com [207.46.163.239]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A66A51B29C8 for <lisp@ietf.org>; Fri, 13 Jun 2014 11:36:18 -0700 (PDT)
Received: from CO2PR05MB636.namprd05.prod.outlook.com (10.141.199.24) by CO2PR05MB636.namprd05.prod.outlook.com (10.141.199.24) with Microsoft SMTP Server (TLS) id 15.0.954.9; Fri, 13 Jun 2014 18:36:17 +0000
Received: from CO2PR05MB636.namprd05.prod.outlook.com ([10.141.199.24]) by CO2PR05MB636.namprd05.prod.outlook.com ([10.141.199.24]) with mapi id 15.00.0954.000; Fri, 13 Jun 2014 18:36:17 +0000
From: Ross Callon <rcallon@juniper.net>
To: Dino Farinacci <farinacci@gmail.com>
Thread-Topic: [lisp] possible text for LISP threats
Thread-Index: AQHPhyMnC8QSqTBqz0alNjaiEG8PF5tvOB5ggAAatgCAAAJXEA==
Date: Fri, 13 Jun 2014 18:36:16 +0000
Message-ID: <68c3feb199e840908a8516ee7dc9f357@CO2PR05MB636.namprd05.prod.outlook.com>
References: <898c27d33fdd452499848408c9eac47f@CO2PR05MB636.namprd05.prod.outlook.com> <EF2B2675-0E43-4ECC-A1D4-2C5B18F875B0@gmail.com>
In-Reply-To: <EF2B2675-0E43-4ECC-A1D4-2C5B18F875B0@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [66.129.241.11]
x-microsoft-antispam: BL:0; ACTION:Default; RISK:Low; SCL:0; SPMLVL:NotSpam; PCL:0; RULEID:
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(428001)(164054003)(54094003)(199002)(51704005)(51444003)(189002)(33646001)(4396001)(46102001)(21056001)(2656002)(99396002)(80022001)(101416001)(92566001)(66066001)(99286001)(105586001)(83322001)(74502001)(76482001)(77982001)(50986999)(83072002)(85852003)(87936001)(74316001)(79102001)(31966008)(74662001)(76576001)(20776003)(1411001)(81342001)(81542001)(64706001)(77096999)(54356999)(76176999)(86362001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:CO2PR05MB636; H:CO2PR05MB636.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: juniper.net does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rcallon@juniper.net;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/g4ZMDFTn4oPDDlYEpTrDzjuPF00
Cc: Damien Saucez <damien.saucez@inria.fr>, Luigi Iannone <luigi.iannone@telecom-paristech.fr>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] possible text for LISP threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jun 2014 18:36:21 -0000

A few snippets (with the rest dropped, at least for this one email)...

> Ross you have to be much more precise in your language...

More precision and detail is a good idea.

> For the above text, you shoudl say "all ISPs on the path do not do a source check".

When you are looking at "big core ISP" connected to another "big core ISP", my understanding is that source checks are normally not done because it is too hard to know what source IP addresses a very large ISP might legitimately source (other than "all"). Yes, if a very small ISP (say, a single university network) is attacked to a larger ISP (say, a national service provider) then the source check might be done either at the entry from the host to the small ISP, or from the small ISP to the larger ISP. Both would need to be missing for my attack #1 to succeed, at least if the source RLOC's were forged. 

> You should state where the attacker is. In this case it is not at the LISP site where you refer to the xTR.

That was my intention, so yes it should be stated. I was specifically thinking of the "attacks from elsewhere in the worldwide open Internet" case, which probably should be stated. 

> You need to say that the attacker is not necessarily at a LISP site

Correct...

> but its source address will be used by the xTR FOR RETURN TRAFFIC. You need to make it
> clear if the mapping database should return a set of RLOCs or what is returned is a
> negative Map-Reply. I presume the former since you said the attacker uses a "source EID".

I think that you are correct that a bit more detail is appropriate here. However, in my scenario 1 I am concerned about the control plane load of the xTR being forced to send out a lot of map requests, so it is not clear that it matters what the response will be to those map requests. Of course there is also the problem that if the forged source EID's span a large fraction of the full LISP database, then the replies that the xTR receives from its map requests will also span the LISP database and fill the cache. Thus you are correct that more detail would be appropriate here. 

> I think you should make it clear this is not unique to LISP...
> You don't want to mislead people to think LISP is worse in this case.

For the host to which the attack packets are destined, I don't think that LISP is worse in this case. However, it is not the effect on a host that I am concerned about. If the xTR serving that host in this case is either a CE router or a PE router, then this is a lot worse for the xTR, since the attack packets cause a reaction in its control plane. Of course if the effect of the attack is to fill the cache, then again LISP is worse since "non-LISP Internet operation" doesn't have a cache. I understand that we are not planning to describe solutions in this text, but if rate limiting of map requests is considered to be normal practice, I wonder if it would be worth mentioning that rate limiting could prevent overload of the xTR's control plane, but that in this case the attack could prevent map requests in support of legitimate users. 

> If the cache is going to be exhausted you need to say that each source EID chosen
> will match a different EID-prefix in the mapping database causing distinct entries to be created...

Correct.

>> the attacked xTR noticing and putting in a packet filter for that source RLOC,
>> so that varying the source RLOC may make this attack more difficult to counter. 
>
> You shouldn't say how the xTR would handle this or else, yes, it will get worse.
> Because if you choose a faulty solution, you will introduce more issues.

I am fine with dropping the sentence stating "Optionally the attacker could use the same source RLOC for each, but this could in theory lead to the attacked xTR noticing and putting in a packet filter for that source RLOC, so that varying the source RLOC may make this attack more difficult to counter". However, I do wonder, what would happen if a single attacker sent a large number of packets which look like LISP packets with the same RLOC for all (perhaps the legitimate RLOC of the attacker) but with different EID's, each EID chosen from a different EID block. Would the xTR receiving all of these incoming packets send a map request for each EID? This could be a way to get around source IP address checks (where they are deployed), since the source RLOC would be correct and legitimate. 

> Thanks,
> Dino

Thanks, Ross