Re: [lisp] incremental transition to LISP-SEC (was Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-24: (with DISCUSS and COMMENT))
Fabio Maino <fmaino@cisco.com> Thu, 28 February 2019 23:46 UTC
Return-Path: <fmaino@cisco.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADAC21310AD for <lisp@ietfa.amsl.com>; Thu, 28 Feb 2019 15:46:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llxegz59nSm3 for <lisp@ietfa.amsl.com>; Thu, 28 Feb 2019 15:46:05 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC7FB12D826 for <lisp@ietf.org>; Thu, 28 Feb 2019 15:46:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8182; q=dns/txt; s=iport; t=1551397565; x=1552607165; h=subject:to:references:from:message-id:date:mime-version: in-reply-to:content-transfer-encoding; bh=WmOrHcCYA245axpkmYYVdyabNjBtbMuBE0XggBO8V1w=; b=MoJ03F8lIqDLBwvaE3ZAk/3Weo7bBhd4+uDiQd7n7cJTNt85xfk1sheU svRVMXnd7TbVGVx8dUlXsLzLoHgiLNnxetLPtwtX6RzbeTcmITf7SC4Q9 MRULJpS8umMElkXMQ+pwUmbzMxMNLl6kFhy0onbFFGE4PafkNVg1YnWFk g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ASAAA8cnhc/4kNJK1lGwEBAQEDAQEBBwMBAQGBUQYBAQELAYIEaIEDJ4QIiBqLT4FgCCV8lySBew0YC4FUgnUChBQiNAkNAQMBAQMBAwJtHAyFSwEBAQMBASEPAQU2GwsYAgIfBwICJzATBgIBAYMcAYFyD6tbgS+FRIRqBYELiz0XgUA/gREnDIFhSTWDHgEBgUsJgxeCVwKKCQQvhyKSDAmSZAYZgXOIf4gqi2+RLIFHOIFWMxoIGxU7gmyCKBcTiEyFYB4DMI1ZgksBAQ
X-IronPort-AV: E=Sophos;i="5.58,425,1544486400"; d="scan'208";a="241896427"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Feb 2019 23:46:04 +0000
Received: from [10.41.32.164] ([10.41.32.164]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTP id x1SNk3aw030239 for <lisp@ietf.org>; Thu, 28 Feb 2019 23:46:04 GMT
To: lisp@ietf.org
References: <154954743968.23471.9935733647283605722.idtracker@ietfa.amsl.com> <20190209221334.GA23225@kduck.mit.edu>
From: Fabio Maino <fmaino@cisco.com>
Message-ID: <4723572b-1883-1bba-852d-b24014d987a3@cisco.com>
Date: Thu, 28 Feb 2019 15:46:04 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <20190209221334.GA23225@kduck.mit.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Outbound-SMTP-Client: 10.41.32.164, [10.41.32.164]
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/gROu3GlwIVoEZbmSSy0r9tW-_Ak>
Subject: Re: [lisp] incremental transition to LISP-SEC (was Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-24: (with DISCUSS and COMMENT))
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 23:46:09 -0000
Hi Benjamin, thanks for bringing this up. I think it makes sense to have a mechanism for secure downgrade, and it should indeed simplify adoption and transition to LISP-SEC. I discussed what you proposed here with the LISP-SEC authors and with Dino and Alberto. We agree to the principles of what you are proposing. I'll send detailed text, but here is a brief description of what we plan to do. The Map-Register has already the capability to encode ETR's support for LISP-SEC. We will change the behavior of the MS to signal to the ITR when the ETR is not LISP-SEC capable. This will happen when - the ITR is sending a LISP-SEC Map-Request, AND - the corresponding ETR has not registered as LISP-SEC capable, AND - the ETR is in "non-proxy mode" (that is the mode in which the Map-reply should be originated at the ETR. (MS/ITR behavior won't change if the ETR is in "proxy mode") In this case the MS will send a Negative Map-Reply, protected by LISP-SEC, that includes an ETR-Cant-Sign bit that informs the ITR that the ETR doesn't support LISP-SEC. The integrity of the ECS bit is protected by LISP-SEC, as the rest of the Map-Reply. This will work without changes to the ETR. In this way the ITR has the option to choose to downgrade to non LISP-SEC if it wants to favor reachability. Thanks, Fabio On 2/9/19 2:14 PM, Benjamin Kaduk wrote: > Splitting off a sub-thread for one fairly narrow point that AFAICT needs > further discussion to clarify the path forward: > > On Thu, Feb 07, 2019 at 05:50:39AM -0800, Benjamin Kaduk wrote: >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> > [...] >> 3. LISP-SEC [I-D.ietf-lisp-sec] MUST be implemented. Network >> operartors should carefully weight how the LISP-SEC threat model >> applies to their particular use case or deployment. If they >> decide to ignore a particular recommendation, they should make >> sure the risk associated with the corresponding threats is well >> understood. >> >> I'm concerned enough about the risk of having a "ITR requests lisp-sec but >> ETR didn't use it" case that causes complete breakage, that I want to talk >> about this a bit more. We currently in this document say that lisp-sec is >> mandatory to implement (which presumably covers at least ITRs, ETRs, >> Map-Resolvers, and Map-Servers). LISP-SEC itself says that "and ETR that >> supports LISP-SEC MUST set the S bit in its Map-Register messages". Is it >> possible that an ETR might "implement" but then not "support" LISP-SEC? If >> so, then we should consider the possibility that we need an authenticated >> signal (from the mapping system to the ITR) that downgrading from lisp-sec >> is allowed. There seem to be several possibilities for how one might >> construct such a signal; two that came to mind to me would be (1) to define a >> new ACT value for "repeat without lisp-sec" that could be returned as a >> negative Map-Response directly from the mapping system wherever the mapping >> system is able to discern that the ETR in question does not support >> lisp-sec (I don't actually know if this could happen at Map-Resolver or >> would need to be delayed until the final Map-Server) and (2) to have an >> optional Map-Request field that the ETR is required to copy unchanged to >> the Map-Reply; this could then include a message HMAC'd in the ITR-OTK that >> indicates lisp-sec non-support and binds to the nonce in the request. >> Whether these are workable ideas seems to depend on aspects of the mapping >> system to which I cannot speak. > In terms of some background assumptions I've been making (that of course > could be false, so I'm trying to make them explicit), I am assuming that > many or most current LISP deployments do not utilize LISP-SEC at runtime. > It's less clear to me how many deployments/implementations simply do not > have LISP-SEC capabilities at all, or how easy it is to get > software/firmware updates to the needed devices. Regardless, if there > are existing RFC 6833 deployments that want to migrate to 6833bis when it > is finalized, we should consider what steps would be needed to safely > deploy LISP-SEC without disruption. In particular, it seems a useful goal > to try to get the security benefit of LISP-SEC for those machines/sites > that have LISP-SEC capability without waiting for the entire administrative > domain's deployment to get updated software/firmware, which I assume is at > least a 5-year lead time in many sites. > > Given that at this point my analyses are mostly treating the mapping system > as something of a closed "magic box" that takes Map-Requests as input and > emits them to the appropriate ETRs (or internal proxy function), I'm forced > to conclude that any incremental update to using LISP-SEC will inherently > require the entire mapping system to upgrade first, before any concrete > usage of LISP-SEC should be expected. Hopefully that's less of a burden > than upgrading entire deployments, since the mapping system is a more > contained set of devices and does not need to handle data-plane levels of > traffic. > > Once that's done, though, we still have the question of "which ETRs are > updated to be registering themselves as LISP-SEC-capable?". For any given > ITR/ETR pair, if both are LISP-SEC capable, we want them to be using > LISP-SEC, while still allowing traffic if one or both are not LISP-SEC > capable. If the ITR is not capable, this is easy, as the Map-Request will > never attempt to use LISP-SEC. But if the ITR is capable and the ETR is > not, the ITR is going to either attempt to use LISP-SEC for all > Map-Requests or need some out-of-band knowledge of whether the target ETR > is capabable. Now, the whole point of the mapping system is that the ITR > doesn't know what ETR it's going to talk to when it sends the Map-Request, > so this "out-of-band" setup seems pretty hard to fulfil. My current best > thought (not expected to be perfect) in this scenario is that the ITR that > is LISP-SEC capable (and configured to use it, I suppose) will always try > to use LISP-SEC, but needs an authenticated signal from the mapping system > that the ETR it's being mapped to is not LISP-SEC-capable, and it should > try again without LISP-SEC. This signal needs to be authenticated not just > for security reasons (though an insecure downgrade would render LISP-SEC > useless against an active attacker until the entire deployment disabled > non-LISP-SEC exchanges), but also for performance concerns. As currently > specified, the Map-Server that gets a LISP-SEC Map-Request but is going to > forward it to an ETR that did not register as LISP-SEC capable is going to > repackage the Map-Request into a non-LISP-SEC Map-Request to send to the > ETR in question. That ETR will produce a normal Map-Reply, that the ITR > will proceed to drop without processing, since it does not use LISP-SEC. > IIUC, that leaves the ITR in "wait to timeout" territory, which is a pretty > lousy situation to be in. > > I know there are only a couple values left for ACT values, but it seems > that this may be a big enough issue to justify allocating one for "retry > with downgrade", so that the final Map-Server can send a negative Map-Reply > that does use LISP-SEC, and the ITR can have this authenticated signal that > the destination ETR is not LISP-SEC capable at the moment. There are of > course other ways to generate an authenticated downgrade signal, but the > only other ones I've been able to come up with seem less architecturally > pleasing (and may not in fact work when the destination ETR is running > original RFC 6833 code). > > I'm interested in hearing what other people think about this scenario and > proposed remediation. > > -Benjamin > > _______________________________________________ > lisp mailing list > lisp@ietf.org > https://www.ietf.org/mailman/listinfo/lisp
- [lisp] Benjamin Kaduk's Discuss on draft-ietf-lis… Benjamin Kaduk
- [lisp] incremental transition to LISP-SEC (was Re… Benjamin Kaduk
- Re: [lisp] incremental transition to LISP-SEC (wa… Fabio Maino
- Re: [lisp] incremental transition to LISP-SEC (wa… Fabio Maino
- [lisp] Deriving Map-Register/Notify authenticatio… Fabio Maino
- Re: [lisp] Deriving Map-Register/Notify authentic… Benjamin Kaduk
- Re: [lisp] Deriving Map-Register/Notify authentic… Fabio Maino
- Re: [lisp] Deriving Map-Register/Notify authentic… Dino Farinacci
- Re: [lisp] Deriving Map-Register/Notify authentic… Benjamin Kaduk
- Re: [lisp] Deriving Map-Register/Notify authentic… Benjamin Kaduk
- Re: [lisp] Deriving Map-Register/Notify authentic… Dino Farinacci
- Re: [lisp] Deriving Map-Register/Notify authentic… Benjamin Kaduk
- Re: [lisp] Deriving Map-Register/Notify authentic… Benjamin Kaduk