Re: [lisp] Restarting last call on LISP threats
Ronald Bonica <rbonica@juniper.net> Tue, 27 May 2014 14:17 UTC
Return-Path: <rbonica@juniper.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D6461A0394 for <lisp@ietfa.amsl.com>; Tue, 27 May 2014 07:17:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.601
X-Spam-Level:
X-Spam-Status: No, score=-102.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqeE46NiJRm0 for <lisp@ietfa.amsl.com>; Tue, 27 May 2014 07:17:11 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A15D1A0158 for <lisp@ietf.org>; Tue, 27 May 2014 07:17:10 -0700 (PDT)
Received: from CO1PR05MB442.namprd05.prod.outlook.com (10.141.73.146) by CO1PR05MB443.namprd05.prod.outlook.com (10.141.73.152) with Microsoft SMTP Server (TLS) id 15.0.949.11; Tue, 27 May 2014 14:17:06 +0000
Received: from CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.68]) by CO1PR05MB442.namprd05.prod.outlook.com ([169.254.13.68]) with mapi id 15.00.0949.001; Tue, 27 May 2014 14:17:06 +0000
From: Ronald Bonica <rbonica@juniper.net>
To: Sharon <sbarkai@gmail.com>, "Joel M. Halpern" <jmh@joelhalpern.com>
Thread-Topic: [lisp] Restarting last call on LISP threats
Thread-Index: AQHPa58LSm48HWl6Wky1MR3KNHiENZs9MyiAgAD04oCAAJ/u8IAAAtXQgADypICAAlhbEIABfmkAgAefyVCAAITngIABbBJggAETbwCABC0O0IAAtqUAgAAFh4CAAXMyQA==
Date: Tue, 27 May 2014 14:17:05 +0000
Message-ID: <db536016d3734bf4b289f185b0051768@CO1PR05MB442.namprd05.prod.outlook.com>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com> <1a200c5f5de041fbaf88edd1a5c3159c@CO1PR05MB442.namprd05.prod.outlook.com> <CAKFn1SEAZyydpQ4cx77mthsUx1HZqMwsM6xNuL4LJjG=oL1mjw@mail.gmail.com> <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com> <F4799A7A-BAEF-458A-8C43-9DF16C9B7828@gmail.com> <e3be912f6afd4f0aa6c8414fede37c74@CO1PR05MB442.namprd05.prod.outlook.com> <2CF699DA-2BAA-4A76-BFF1-64625E001184@gmail.com> <09d3b0d276004c88b6de1a59cf863062@CO1PR05MB442.namprd05.prod.outlook.com> <3269BEE4-C3E5-4D76-A1C0-0B70B6928A12@gmail.com> <dd849ce0cca749c885c5b8a1e989f758@CO1PR05MB442.namprd05.prod.outlook.com> <538361DA.10808@joelhalpern.com> <BDAC9F7C-1205-4A59-A252-2B20998E187B@gmail.com>
In-Reply-To: <BDAC9F7C-1205-4A59-A252-2B20998E187B@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [66.129.241.14]
x-forefront-prvs: 02243C58C6
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(428001)(377454003)(13464003)(51704005)(479174003)(199002)(189002)(24454002)(52604005)(21056001)(81342001)(76482001)(74502001)(74662001)(81542001)(74316001)(76576001)(76176999)(86362001)(2656002)(79102001)(80022001)(87936001)(101416001)(15975445006)(33646001)(83072002)(4396001)(99396002)(77982001)(19580395003)(19580405001)(83322001)(99286001)(66066001)(50986999)(46102001)(64706001)(20776003)(54356999)(85852003)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:CO1PR05MB443; H:CO1PR05MB442.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: juniper.net does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rbonica@juniper.net;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/nevNYrcqYQf7PIQlmpDy1fCKwo4
Cc: Roger Jorgensen <rogerj@gmail.com>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 14:17:14 -0000
Hi Sharon, We may be talking about an XTR that is sick due to a bug or attack. We may also be talking about an attacker that isn't an XTR at all, just impersonating one. Ron > -----Original Message----- > From: Sharon [mailto:sbarkai@gmail.com] > Sent: Monday, May 26, 2014 12:06 PM > To: Joel M. Halpern > Cc: Ronald Bonica; Damien Saucez; Roger Jorgensen; LISP mailing list list > Subject: Re: [lisp] Restarting last call on LISP threats > > Joel, thanks for clearing. > It was hard to follow. > > If the challenge is for a distributed mapping system to keep track and protect > itself from a "sick" xTR, sick because of a bug or an attack.. > Then perhaps we could maintain mapping lookup per sec counters per xTR in > the mapping. It adds some overhead to the mapping, but doesn't slow down > forwarding. Can be aggregated by map servers for efficiency. > > --szb > > On May 26, 2014, at 8:46 AM, "Joel M. Halpern" <jmh@joelhalpern.com> > wrote: > > Top posting to make sure I am understanding: > > You asssert that any xTR is subject to a DoS attack. And that such a DoS > attack can render the mapping system unusable. > > It targeting an ITR, this would need to be from within ths cope the ITR serves. > I believe that is discussed. > > If I have connected the dots correctly, the attack you are contemplating is > sending a large stream of packets with different inner source addresses to an > ETR. This would prompt the ETR to check with the mapping system about > each and every address. > > If I have understood this properly, while there are several very effective > mitigations, that does not change the basic message that this is an attack, and > as such ought to be described in the threats document. There are clealry a > number of variations on this attack. For example, using the same outer > source address makes mitigation easier, while using different outer source > addresses either requires a bot-net or a large unchecked BCP38 hole (and > those can be used for MANY attacks on many systems.) Both presumably > should be described. > > Have I captured your request accurately? > > Yours, > Joel > > > On 5/26/14, 1:06 AM, Ronald Bonica wrote: > > *From:*Damien Saucez [mailto:damien.saucez@gmail.com] > > *Sent:* Friday, May 23, 2014 9:07 AM > > *To:* Ronald Bonica > > *Cc:* Dino Farinacci; Roger Jorgensen; LISP mailing list list > > *Subject:* Re: [lisp] Restarting last call on LISP threats > > > > Hello Ronald, > > > > On 22 May 2014, at 22:57, Ronald Bonica <rbonica@juniper.net > > <mailto:rbonica@juniper.net>> wrote: > > > > > > > > Dino, > > > > Today's Internet is not as fragile as you think. This mail traversed > > many routers between my house and yours. If those routers are > > well-managed, there is nothing that I can do from my house that will > > cause any of those routers to consume control plane resources. > > Therefore, there is nothing that I can do from my house that will > > cause a DoS attack against those routers' control planes. > > > > We tend to disagree with that, for example you have ICMP today... > > > > */[RPB] Because ICMP is susceptible to DoS attacks, it wouldn’t make a > > very good routing protocol. That’s why we don’t use it for routing. By > > contrast, LISP map-request messages are susceptible to DoS attacks and > > they do carry routing information./* > > > > > > > > In LISP, separation between the forwarding and control plane is > > lost. As a matter of course, forwarding plane activity causes > > control plane activity. Since forwarding plane bandwidth exceeds > > control plane bandwidth, DoS attacks against the control plane are > > possible. > > > > In order to be complete, the threats document must describe the DoS > > threat. It should also describe mitigations, if any exist. > > > > DoS is already explained and the definition given: > > > > " A Denial of Service (DoS) attack aims at disrupting a specific > > > > targeted service either by exhausting the resources of the victim > > up > > > > to the point that it is not able to provide a reliable service to > > > > legit traffic and/or systems or by exploiting vulnerabilities to > > make > > > > the targeted service unable to operate properly. > > > > " > > > > is covering the case you mention. > > > > */[RPB] /* > > > > */You might want to add the following details to section 5.2:/* > > > > *//* > > > > -A DoS attack can be launched by anybody who can send a packet to the > > XTR’s LOC > > > > -DoS attacks can render an XTR inoperable > > > > -DDoS attacks can render the mapping system inoperable. > > > > This is what differentiates LISP from today’s routing system. > > > > Ron > > > > Damien Saucez > > > > > > > > > > Ron > > > > > > > > -----Original Message----- > > From: Dino Farinacci [mailto:farinacci@gmail.com] > > Sent: Wednesday, May 21, 2014 6:58 PM > > To: Ronald Bonica > > Cc: Roger Jorgensen; lisp@ietf.org <mailto:lisp@ietf.org> > > Subject: Re: [lisp] Restarting last call on LISP threats > > > > > > The attacker sends a flow of crafted packets to the victim > > XTR. Each packet > > > > is a well-formed LISP data packet. It contains: > > > > > > - an outer IP header (LOC->LOC) > > - a UDP header > > - a LISP Header > > - an IP header (EID->EID) > > - payload > > > > > > Just like a regular packet I can send to your home router today. > > So yes okay. > > So let's continue. See comments below. > > > > > > Each packet contains control plane information that is new > > to the victim > > > > > > Be more specific about what control information are in these > > encapsulated > > packets. > > > > > > XTR. For example, the victim XTR has no mapping information > > regarding > > > > either the source LOC or source EID prefix. Rather than gleaning > > this mapping > > information from the crafted packet, the victim XTR sends a > > verifying MAP- > > REQUEST to the mapping system. > > > > > > Assume that the attack flow is large (N packets per second). > > Assume also > > > > that the XTRs rate limit for MAP-REQUEST messages is less than N > > packets > > per second. Has the attack not effectively DoS'd the victim XTR? > > > > It caches the rate the rate the packets are coming in and > > eventually stops > > sending Map-Requests completely. > > > > It cannot stop the incoming rate of packets today just like a > > roque BGP > > attacker can send millions of packets per second to a peer > > regardless if it > > does or does not have the peer authentication key. > > > > > > To make this attack work, every packet in the attack flow > > may need to have > > > > a unique, spoofed, source LOC. > > > > An implementation can detect that after rate limiting 1000s of > > such requests > > are happening that it just stops operation. > > > > What if I sent a Juniper 20 million routes today? > > > > The Internet is very fragile and LISP IS NOT making it worse. > > And in some > > cases it is making it better with integrated techniques. > > > > Dino > > > > > > _______________________________________________ > > lisp mailing list > > lisp@ietf.org <mailto:lisp@ietf.org> > > https://www.ietf.org/mailman/listinfo/lisp > > > > > > > > _______________________________________________ > > lisp mailing list > > lisp@ietf.org > > https://www.ietf.org/mailman/listinfo/lisp > > > > _______________________________________________ > lisp mailing list > lisp@ietf.org > https://www.ietf.org/mailman/listinfo/lisp
- [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Roger Jørgensen
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Roger Jørgensen
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Joel Halpern Direct
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Sander Steffann
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Roger Jørgensen
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Damien Saucez
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Damien Saucez
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Damien Saucez
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Damien Saucez
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Roger Jørgensen
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Sharon
- Re: [lisp] Restarting last call on LISP threats Paul Vinciguerra
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Marc Binderberger
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Sharon Barkai
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Damien Saucez
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Florin Coras
- Re: [lisp] Restarting last call on LISP threats Marc Binderberger
- Re: [lisp] Restarting last call on LISP threats Florin Coras
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Darrel Lewis (darlewis)
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Damien Saucez
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Dino Farinacci
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Luigi Iannone
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Ronald Bonica
- Re: [lisp] Restarting last call on LISP threats Damien Saucez
- Re: [lisp] Restarting last call on LISP threats Brian Haberman
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern
- Re: [lisp] Restarting last call on LISP threats Brian Haberman
- Re: [lisp] Restarting last call on LISP threats Luigi Iannone
- Re: [lisp] Restarting last call on LISP threats Luigi Iannone
- Re: [lisp] Restarting last call on LISP threats Ross Callon
- Re: [lisp] Restarting last call on LISP threats Joel M. Halpern