Re: [lisp] Reviewing the updated LISP docs
Eric Rescorla <ekr@rtfm.com> Thu, 07 February 2019 13:41 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCC63126CB6 for <lisp@ietfa.amsl.com>; Thu, 7 Feb 2019 05:41:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.04
X-Spam-Level:
X-Spam-Status: No, score=-2.04 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PU9cPrcefRxI for <lisp@ietfa.amsl.com>; Thu, 7 Feb 2019 05:41:38 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BABE512872C for <lisp@ietf.org>; Thu, 7 Feb 2019 05:41:37 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id j15so8188827lfh.5 for <lisp@ietf.org>; Thu, 07 Feb 2019 05:41:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=/USFJdmk4zG05jsJmJhQO2T8QyWn+QsceeJ9SAdCQSo=; b=FxD6OMSqpF80MrOG8WziicEyeZh9nJcxDMj8rfpNzalizcmSWU8MopdhuSFBdDf0fO e/Fvo8+nE1jm1FSh8vQNCh7jM9WLVoocw1GcAnhnrKyZBzMjIyaZlsrbde2BTlfLGGme ekVA81yYUNB0bXdnnQorCP/gT1wBnX0CqM43qiz3UsDHWuL1Z/oq/cTq1qyEjRKm9qo9 bFM5SzbaX748qxzgix9K8YqW/V5kU1GoYReY+1tlmMnG7prLCzJ8mduoMbn7N3rdfWwb xsx55qfnUIXKVz37GVI85nOQyiLucIO9yFZ14j4C9GbZf2MVxcrhwPcRdLSCJDnnrCW4 Po0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=/USFJdmk4zG05jsJmJhQO2T8QyWn+QsceeJ9SAdCQSo=; b=Vo8X1TqLc5PF4Z7M3n1OKRWD03vgxcv3lubCMg/10WFdDLZ8jmz1XubxJnBWV5t8re Vnd/95qT6dvYE8o9h+v5notn0cCBkvZagqQEaF1xW7WRMbHxmEB2kiBhWzJdYCWzETk1 LlXgCUr8FO/nfOnL/PpteiZ7nx1BAJx7fZGVa5hf7o6mma08U0DLLvbdjCmketTIyX9l I2LNkWVVclk7MOIYAdPu7SLlKTZJVh/Wzfbx2Z1a94RuTMz76PHwvfqcW7fbbAobC44a iuPk4WVSBRr0UnFlqFZVZFxC/1yCVtD4kjqxxrZCAK92fENtFLytKqJeKUxhoadasdcH T8EQ==
X-Gm-Message-State: AHQUAuZCI94b8tOke/gG5PVsjpobLbEY5u/knzU1bSpddLUTX/tzgWSi buxn201TYldbK5znmuw7o5Su7lO6YTboceyvYh0c0jZj
X-Google-Smtp-Source: AHgI3IZO105wwWH0V7LFBmOoM5l4TGZIDbsn2OHCSOk9ukaMzzT95ONVmi0ZtVtQR6rzaWQw5pHoq8qtiq58I7IQt20=
X-Received: by 2002:a19:f204:: with SMTP id q4mr10586417lfh.133.1549546895831; Thu, 07 Feb 2019 05:41:35 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBNqxYv_42ETH9FmaswBgcwO6fL8+WsJq7ZuyJES520cRg@mail.gmail.com>
In-Reply-To: <CABcZeBNqxYv_42ETH9FmaswBgcwO6fL8+WsJq7ZuyJES520cRg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 07 Feb 2019 05:40:56 -0800
Message-ID: <CABcZeBNhdiVmK4OdTvsR9nVwuRA4MH=ehSophzwQ+jQCV+3P3Q@mail.gmail.com>
To: IESG <iesg@ietf.org>, "lisp@ietf.org list" <lisp@ietf.org>, draft-ietf-lisp-rfc6833bis@ietf.org, draft-ietf-lisp-rfc6830bis@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004a0b6405814e002c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/i_7iSUbmraWzMwq53u71nZBvbNM>
Subject: Re: [lisp] Reviewing the updated LISP docs
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 13:41:42 -0000
Now with LISP on the To: line On Thu, Feb 7, 2019 at 5:37 AM Eric Rescorla <ekr@rtfm.com> wrote: > I apologize for the length of this e-mail, but there's a lot to > go over. > > I have gone over the responses to my DISCUSS on the LISP > documents as well as taken another look at LISP-SEC. I agree that a number > of the > issues I raised are resolved, and I note those below. However, > I believe that a number of issues remain. > > First, as a procedural I do not think it's appropriate to approve two > documents (6830bis and 6833bis) which have critical security > dependencies on documents (LISP-SEC, Map-Version) which are not yet > before the IESG and therefore have contents which might change during > IETF-LC. I'll happily re-review all these documents together. > Alternately, you can precisely state the properties of LISP-SEC > that you are depending on and we can review these documents > assuming those are correct and then subsequently review > LISP-SEC against that standard. > > Second, LISP-SEC is MTI, not MTU, but that means that we need > to evaluate the security properties of LISP in the case where > LISP-SEC is not in use; I do not believe those properties are > appropriate for a new Internet protocol, as they do not provide > reasonable security against integrity attacks. Is there a reason > that comsec is not mandatory in this case? Note the text > in RFC 3552 which says: > > Note: In general, the IESG will not approve standards track protocols > which do not provide for strong authentication, either internal to > the protocol or through tight binding to a lower layer security > protocol. > > Additionally (and this is dicta because LISP-SEC is not before > us), the design of LISP-SEC seems unnecessarily complicated and > brittle, so at some point that's worth examining. > > Moving to the DISCUSS-worthy points I raised in my review (ignoring > non-blocking comments for now). > > > RFC 6833bis > > THREAT MODEL > > I'm assuming the usual RFC 3552 threat model, I.e., > > > > - All non-Map Server elements in the system (specifically, endpoints > > and the xTRs are potentially malicious). > > > > - Aside from the links between the Map Server elements, the network > > is controlled by the attacker. > > > > Against this background, my expectation is that the attacker > > should not be able to affect traffic in any fashion significantly > > more effective than tampering with the data plane. For instance, > > it's clearly the case that an on-path attacker between two xTRs > > can drop all the packets or forward them to some third xTR, but > > it should not be able to send a small number of packets which > > would then affect the routing of a large number of packets. > > > > I do not expect that the data plane should have better security > > than native (non-IPsec) traffic. Given the nature of LISP and > > the existence of a mapping system, it seems like it's kind of > > a missed opportunity to deploy a credentials system that would > > support IPsec-style data plane security, but given that this > > isn't a generally safe assumption for IP traffic, and therefore > > you need to provide some sort of transport or application security > > anyway, I don't think it's the right standard to hold LISP to. > > This is preface. > > > > ATTACKS > > LISP appears to be vulnerable to a number of routing attacks that > > I claim above it should not be subject to. For example: > > > > 1. An on-path attacker can forge Map Replys to the ITR, > > thus redirecting traffic. > > > > 2. An ETR can perform an "overclaiming" attack in which it > > claims to be responsible for EIDs which it is not actually > > responsible for. > > I believe that both of these are intended to be protected against > by LISP-SEC, but LISP-SEC is not MTU. > > > > 3. An off-path attacker can temporarily reroute traffic by exploiting > > the "gleaning" feature to cache poison an ITR. In addition, the > > "echo noncing" feature does not appear to have a sufficiently strong > > nonce to protect against forgery, and thus turning this into a > > long-term attack > > > > 4. An attacker may be able to perform a number of cache invalidation > > and contamination attacks by exploiting the Map-Version and > > Locator-Status bits. This may lead to DoS. > > In the spreadsheet, you say that this is addressed in the 6833-bis > security considerations, but I don't see it. In any case, I don't > understand why it cannot be fixed, rather than just documented. > > > > 5. An attacker who was at time T responsible for an EID block > > can probably prolong its ability to respond for that block > > even after it is no longer responsible. > > I agree that this is addressed. > > > > 6. A number of the components appear to be subject to various replay > > attacks. > > As above, I don't believe that this is fixed. > > > > DEFENSES > > When looking at attacks, it's important to determine whether there are > > plausible defenses. For most of these, I believe that the answer is > > "yes", at varying levels of cost. As noted above, LISP-SEC appears to > > be intended to address a number of these issues, so it's possible that > > requiring LISP-SEC would go a fair ways towards addressing these > > issues. A cursory look at LISP-SEC turns up some somewhat concerning > > design choices, so I would have to examine it more closely to give a > > real opinion. > > > > I do not believe that LISP-SEC will address the attacks that do not > > involve the Mapping Server. For instance, the gleaning > > contamination/nonce attacks (3) would not appear to be fixed by > > LISP-SEC. However, it's probably possible to fix them by lengthening > > the nonce. > > It's not clear to me that these are documented, but even if they > are, they should be fixed or at least we need an explanation of > why they can't be. The nonce one is especially obvious as it > seems to be just a case of making it bigger. Relying on uBPRF > does not seem sufficient. > > > > With that said, I tend to think that the overall authentication > > architecture here would benefit from a rethink. At a high level, the > > source of most of these problems is the "non-transferability" of the > > mapping information from the Map Server. If the Map Server instead had > > an asymmetric key pair which it used to sign mappings, then almost all > > of these attacks would not work. Specifically: > > > > - The map server could send signed Map Replys so forgery wouldn't work > > > > - Map Replys from ETRs would be signed, so you couldn't overclaim > > > > - Gleaning attacks would sort of work, but because the probe would > > elicit a Map Reply, you couldn't persist them > > > > - Map Versions could be tied to signed objects, so you couldn't do > > cache invalidation by version. You'd probably need some other > > approach for Locator Status bits. > > > > And so on. > > You say that there is text about this in security considerations, > but it mostly seems to just restate the current design, not explain > why a better one is not possible. > > > IMPORTANT > > S 5.2. > > > s: This is the SMR-invoked bit. This bit is set to 1 when an xTR > is > > > sending a Map-Request in response to a received SMR-based Map- > > > Request. > > > > > > m: This is the LISP mobile-node m-bit. This bit is set by xTRs > that > > > operate as a mobile node as defined in [I-D.ietf-lisp-mn]. > > > > This would appear to create a normative reference to this document. To > > avoid that, you need to specify how I behave if I receive it but I > > don't implement lisp-mn. > > I agree that this is fixed. > > > > S 5.2. > > > m: This is the LISP mobile-node m-bit. This bit is set by xTRs > that > > > operate as a mobile node as defined in [I-D.ietf-lisp-mn]. > > > > > > I: This is the xTR-ID bit. When this bit is set, what is > appended to > > > the Map-Request is a 128-bit xTR router-ID. See LISP PubSub > usage > > > procedures in [I-D.ietf-lisp-pubsub] for details. > > > > here too you seem to be creating a normative reference. > > This as well. > > > > S 5.5. > > > is being mapped from a multicast destination EID. > > > > > > 5.5. EID-to-RLOC UDP Map-Reply Message > > > > > > A Map-Reply returns an EID-Prefix with a prefix length that is > less > > > than or equal to the EID being requested. The EID being > requested is > > > > How do I behave if I receive an EID-Prefix that is less than any of my > > mappings. So, I might have mappings for 10.1.0.0/16 and 10.2.0.0/16 > > and someone asks me for 10.0.0.0/8? Also, when you talk about prefix > > length, I assume you mean the length fo the mask? > > We had an extended back and forth on this. I still don't find the document > very clear, and I'm not sure that this text is correct. Specifically, > consider the following example, where the MS has two mappings: > > 10/8 -> ETR1 > 10.0.1/24 -> ETR2 > > The Map-Request is for 10.1/16. In email, we agreed that you cannot return > only the first mapping because that would implicitly over-claim. This means > that you either supset one of your mappings or return both (I understood > Dino to be saying you return both). However, the 10.0.1/24 mapping has > a longer prefix than the requested one, so that would seem to violate this > text. > > > > S 5.6. > > > Authentication Data: This is the message digest used from the > output > > > of the MAC algorithm. The entire Map-Register payload is > > > authenticated with this field preset to 0. After the MAC is > > > computed, it is placed in this field. Implementations of this > > > specification MUST include support for HMAC-SHA-1-96 [RFC2404], > > > and support for HMAC-SHA-256-128 [RFC4868] is RECOMMENDED. > > > > What prevents replay attacks here? I'm guessing it's the Map-Version- > > Number, but as I understand it, I can set this to 0. > > You write in your spreadsheet: > "We have fixed this, now Map-Register have an incremental nonce to > prevent replay attacks (in 6833bis: "Nonce: This 8-octet 'Nonce' field > is incremented each time a Map-Register message is sent") " > > It's not clear to me why this prevents replay. Can you please walk me > through the mechanism? > > > > > > S 6.1. > > > receives an SMR-based Map-Request and the source is not in the > > > Locator-Set for the stored Map-Cache entry, then the responding > Map- > > > Request MUST be sent with an EID destination to the mapping > database > > > system. Since the mapping database system is a more secure way to > > > reach an authoritative ETR, it will deliver the Map-Request to the > > > authoritative source of the mapping data. > > > > If I'm understanding this correctly, this allows an ETR to prevent an > > ITR from learning that it is no longer the appropriate ETR for a > > prefix. The way this attack works is that before the topology shift, I > > send SMRs, thus causing Map-Requests, which, because my entry is > > cached, refresh the cache on the ITR past the topology shift. I can > > keep doing this indefinitely. Am I missing something > > I agree with your response here and consider this resolved. > > > > > S 8.2. > > > authentication data, so prior to sending a Map-Register message, > the > > > ETR and Map-Server SHOULD be configured with a shared secret or > other > > > relevant authentication information. A Map-Server's configuration > > > SHOULD also include a list of the EID-Prefixes for which each ETR > is > > > authoritative. Upon receipt of a Map-Register from an ETR, a Map- > > > Server accepts only EID-Prefixes that are configured for that ETR. > > > > How does it know? > > This now seems to be clear. > > > > COMMENTS > > S 5. > > > \ | UDP Length | UDP > Checksum | > > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > > | | > > > | LISP > Message | > > > > | | > > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > > What do these two diagrams correspond to? v4 and v6? This needs > > explanation. > > This seems to be resolved. > > > RFC 6830 bis > > DETAIL > > S 4.1. > > > RLOC (outer-header source IP address) in a received LISP > packet. > > > Such a cache entry is termed a "glean mapping" and only > contains > > > a single RLOC for the EID in question. More complete > information > > > about additional RLOCs SHOULD be verified by sending a LISP > Map- > > > Request for that EID. Both the ITR and the ETR MAY also > > > influence the decision the other makes in selecting an RLOC. > > > > This seems like it introduces an immediate overclaiming problem. > > I seem to have misunderstood this. > > > > S 10. > > > When an ETR decapsulates a packet, it will check for any change in > > > the 'Locator-Status-Bits' field. When a bit goes from 1 to 0, the > > > ETR, if acting also as an ITR, will refrain from encapsulating > > > packets to an RLOC that is indicated as down. It will only resume > > > using that RLOC if the corresponding Locator-Status-Bit returns > to a > > > value of 1. Locator-Status-Bits are associated with a Locator-Set > > > > This seems to enable a pretty obvious denial of service attack in > > which you send a message with all LSBs set to 0. > > The change here seems to be: > > " An ETR MUST rate-limit the action it takes when it detects changes in > the > Locator-Status-Bits." > > I'm not sure I understand what this text means, but in any case it > doesn't seem to address the concern I had, which was the use of > LSB=0 to empty the cache. It's not clear why rate limiting helps > that. > > > > > S 10. > > > list returned by the last Map-Reply will be set to zero for that > > > particular EID-Prefix. Refer to Section 16 for security related > > > issues regarding Locator-Status-Bits. > > > > > > When an ETR decapsulates a packet, it knows that it is reachable > from > > > the encapsulating ITR because that is how the packet arrived. In > > > > It doesn't even know this. It just knows that that's been claimed by > > someone who can generate traffic to it. > > This was mostly about clarity. > > > > S 10.1. > > > NOT use the lack of return traffic as an indication that the ETR > is > > > unreachable. Instead, it MUST use an alternate mechanism to > > > determine reachability. > > > > > > 10.1. Echo Nonce Algorithm > > > > > > > This mechanism seems sufficient to verify unreachability but is not a > > secure test of reachability because the nonce is way too short. > > Your response (as above) is that you updated security considerations, > to document this, but why not simply fix it? > > > > S 16. > > > Map-Versioning is a Data-Plane mechanism used to signal a peering > xTR > > > that a local EID-to-RLOC mapping has been updated, so that the > > > peering xTR uses LISP Control-Plane signaling message to retrieve > a > > > fresh mapping. This can be used by an attacker to forge the map- > > > versioning field of a LISP encapsulated header and force an > excessive > > > amount of signaling between xTRs that may overload them. > > > > Can't I also set a super-high version number, thus gagging updates? > > You say "This attack is discussed in the Security Section of 6830bis." > > The relevant text says: > > Map-Versioning is a Data-Plane mechanism used to signal a peering xTR > that a local EID-to-RLOC mapping has been updated, so that the > peering xTR uses LISP Control-Plane signaling message to retrieve a > fresh mapping. This can be used by an attacker to forge the map- > versioning field of a LISP encapsulated header and force an excessive > amount of signaling between xTRs that may overload them. > > A thorough analysis of this depends on Map-Versioning, which, as above, > is not in scope here, but why can't this be fixed? > > >
- Re: [lisp] Reviewing the updated LISP docs Eric Rescorla
- Re: [lisp] Reviewing the updated LISP docs Dino Farinacci
- Re: [lisp] Reviewing the updated LISP docs Luigi Iannone
- Re: [lisp] Reviewing the updated LISP docs Eric Rescorla