Re: [lisp] Restarting last call on LISP threats

Dino Farinacci <farinacci@gmail.com> Tue, 13 May 2014 17:47 UTC

To: Ross Callon <rcallon@juniper.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/iIn2081YB6QAxF6gSILjsLYodO4
Cc: Roger Jorgensen <rogerj@gmail.com>, "lisp@ietf.org" <lisp@ietf.org>

> Thus if we assume that draft-ietf-lisp-sec-06 works, then what we hear back from the mapping system should be correct (or should be equally reliable to what we hear back from the DNS system today, and we do today rely on DNS when we are contacting our bank or brokerage service to conduct financial transactions). 

The main LISP spec (RFC6830) indicates that if you want to trust the mapping system, you can use the gleaned information as soon as you receive it. And if you don't trust the mapping system, you can send a "verifying Map-Request" to the mapping system, which results in a signed Map-Reply returned a la draft-ietf-lisp-sec-06.

Dino
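
The two policies described in the message above, as an added sketch that is not part of the original message and not code from any LISP implementation. Assumptions: the `MapCache` class, its method names, and the HMAC tag over a shared key are hypothetical stand-ins for the signed Map-Reply (not the draft-ietf-lisp-sec-06 wire format), and an unverified gleaned entry is withheld from forwarding until the reply checks out.

```python
import hashlib
import hmac
import os


def sign(key, nonce, eid, rloc):
    """Hypothetical stand-in for the signed Map-Reply: HMAC over nonce and mapping."""
    msg = nonce + eid.encode() + b"|" + rloc.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class MapCache:
    """Toy map-cache of EID-prefix -> RLOC entries (constructed model)."""

    def __init__(self, trust_mapping_system, key):
        self.trust = trust_mapping_system
        self.key = key        # assumption: shared key replaces LISP-SEC keying
        self.entries = {}     # eid -> (rloc, state)
        self.pending = {}     # nonce -> eid of an outstanding verifying Map-Request

    def glean(self, eid, rloc):
        """Record a gleaned mapping. Returns the nonce of the verifying
        Map-Request that would be sent, or None when none is needed."""
        if self.trust:
            self.entries[eid] = (rloc, "usable")   # use as soon as received
            return None
        self.entries[eid] = (rloc, "unverified")
        nonce = os.urandom(8)
        self.pending[nonce] = eid
        return nonce

    def lookup(self, eid):
        """Return the RLOC only for entries that may be used for forwarding."""
        rloc, state = self.entries.get(eid, (None, None))
        return rloc if state in ("usable", "verified") else None

    def on_map_reply(self, nonce, eid, rloc, tag):
        """Accept a Map-Reply only if it answers a pending request and its
        tag verifies; the verified RLOC replaces the gleaned one."""
        expected = sign(self.key, nonce, eid, rloc)
        if self.pending.get(nonce) != eid or not hmac.compare_digest(tag, expected):
            return False      # unsolicited, replayed or forged: state unchanged
        del self.pending[nonce]
        self.entries[eid] = (rloc, "verified")
        return True
```
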