Re: [lisp] Progress on threats document

Ross Callon <> Sat, 14 February 2015 03:02 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8ED2A1A0371 for <>; Fri, 13 Feb 2015 19:02:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zy866cpZDs0h for <>; Fri, 13 Feb 2015 19:02:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D28A61A00AE for <>; Fri, 13 Feb 2015 19:02:21 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Sat, 14 Feb 2015 03:02:20 +0000
Received: from ([]) by ([]) with mapi id 15.01.0087.013; Sat, 14 Feb 2015 03:02:20 +0000
From: Ross Callon <>
To: Luigi Iannone <>, LISP mailing list list <>
Thread-Topic: [lisp] Progress on threats document
Thread-Index: AQHQLnbAifHrWK3PZEqRlsLEylMghpzvp1Fw
Date: Sat, 14 Feb 2015 03:02:19 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
authentication-results:; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BY1PR0501MB1430;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:; SRVR:BY1PR0501MB1430;
x-forefront-prvs: 0487C0DB7E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(53754006)(377454003)(13464003)(164054003)(51444003)(51914003)(2656002)(87936001)(19580395003)(33656002)(19580405001)(40100003)(122556002)(50986999)(54356999)(76176999)(86362001)(46102003)(99286002)(77156002)(62966003)(76576001)(106116001)(92566002)(2950100001)(2900100001)(74316001)(66066001)(15975445007)(102836002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0501MB1430;; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2015 03:02:19.5608 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0501MB1430
Archived-At: <>
Cc: Damien Saucez <>, Olivier Bonaventure <>
Subject: Re: [lisp] Progress on threats document
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 14 Feb 2015 03:02:26 -0000

As requested, here are my comments on the current threats document. Generally thanks for the work, I think that this is much improved from the previous versions. However, there is still IMHO some work needed. 

First a couple of minor grammatical issues: Section 1, second paragraph, the grammatical construction is not parallel. In listing the three parts, "the first defines...", "the second describing...", "The third discussing...". I think that this should be either "the first defining...", "the second describing..", etc. Alternately this could "the first defines...", "the second describes...". 

Second minor grammatical issue, in many places the documents starts sentences with "To succeed their attacks, <something> attackers...". I think that on the most part this should read something more like "In order for their attacks to succeed, <something> attackers...". 

Section 2.1.4: This section correctly mentions that it is possible for an attacker to operate in the data plane to mount attacks targeting the control plane (or vice versa). However, the implication of this, in terms of the difference in speeds of the two planes, is not discussed anywhere. I am not sure where this should be discussed, but this is a sufficiently important issue that it should be discussed somewhere. I have wondered whether this should be mentioned here, or in section 2.2.9 (since this could be thought of as a form of amplification attack). Perhaps the most straightforward way to fix this would to be append to the second paragraph of section 2.1.4 a couple of additional sentences that state: "In some cases, particularly in very high performance routers, the data plane may operate faster, and potentially several orders of magnitude faster, relative to the control plane. Launching an attack in the data plane that is targeted at the control plane may therefore greatly amplify the affect of the attack (ie serve a function similar to an amplification attack)." 

Section 3.8 first paragraph, second sentence. This currently reads "If an ETR does not accept Map-Reply messages with an invalid nonce, the risk of attack is limited given the size of the nonce (64 bits)". This is true for off-path attackers. However, an on-path attacker can see the nonce (and noting that the document is already clear that where gleaning allows a formerly off-path attacker to insert themselves into the data path then they have become by definition an on-path attacker). I think that this sentence should read "If an ETR does not accept Map-Reply messages with an invalid nonce, the risk of an off-path attack is limited given the size of the nonce (64 bits)".

Section 3.9, fourth paragraph. This currently reads:

   A compromised ETR can also de-aggregate its EID prefix in order to
   register more EID prefixes than necessary to its Map Servers (see
   Section 3.7 for the impact of de-aggregation of prefixes by an

I think that it might be worth mentioning: De-aggregation could occur as part of an intentional attack, but could also occur as an unintended side effect of normal operation if over time too many LISP sites advertise relatively de-aggregated or very fine grained mappings. 

Section 4, "Note on privacy". Second paragraph. This currently reads: 

   Note, however, that like public deployments of any other control
   plane protocol, in an Internet deployment mappings are public and
   hence provide information about the infrastructure and reachability
   of LISP sites (i.e., the addresses of the edge routers).

The amount of information made available with LISP, particularly in map replies, is finer grained than what is available with current routing protocols. Certainly with current protocols ping could in principle give fine grained information (if I trace route across my ISP, and if they let me do it, then I would find out the IP addresses of routers), but it is largely turned off just for this reason. I think that it would be more accurate to say: 

   Like public deployments of any other control
   plane protocols, in an Internet deployment mappings are public and
   hence provide information about the infrastructure and reachability
   of LISP sites (i.e., the addresses of the edge routers). LISP map 
   replies may however provide finer grained and more detailed
   information to a wider set of Internet sites than is available with 
   currently control protocols. 

Section 6 (security considerations), second paragraph: 

   The purpose of this document is not to provide recommendations to
   protect against attacks, however most of threats can be prevented
   with careful deployment and configuration (e.g., filter) and also by
   applying the general rules in security that consist in activating
   only features that are necessary in the deployment and verifying the
   validity of the information obtained from third parties.  More
   detailed recommendations are given in [Saucez13].

Given that this document does not provide recommendations to protect against attacks, it seems premature to conclude that "most of the attacks can be prevented with careful deployment and configuration". If detailed recommendations are in a different document, then that other document might be the right place to conclude whether or not "most of the threats can be prevented". Also, of course protecting against most of the threats is very different from protecting against all of the threats.  I would therefore shorten this paragraph to just: 

   The purpose of this document is not to provide recommendations to
   protect against attacks. More detailed recommendations for preventing 
   or mitigating these threats are given in [Saucez13].

Thanks, Ross

-----Original Message-----
From: lisp [] On Behalf Of Luigi Iannone
Sent: Monday, January 12, 2015 9:48 AM
To: LISP mailing list list
Cc: Damien Saucez; Olivier Bonaventure
Subject: [lisp] Progress on threats document

Hi All,

back in Toronto the WG agreed to organise the threats document in two main parts: 

1- threat analysis 
2- threats mitigation

there was also agreement to try to finalise the first part before tackling the second one.

To this end, this would be the right time to review the current document and send any comment/feedback to the authors.

Having such review by the end of February at latest would give sufficient time to have a new document with the first part done and a newly proposed second part before the meeting in Dallas.

Please speak up before the end of February if you have any comment, otherwise authors will consider the first part as done.


lisp mailing list