Re: [lisp] Eric Rescorla's Discuss on draft-ietf-lisp-rfc6833bis-16: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Fri, 05 October 2018 13:38 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54CF130E2A for <lisp@ietfa.amsl.com>; Fri, 5 Oct 2018 06:38:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrHQSGK-v_PX for <lisp@ietfa.amsl.com>; Fri, 5 Oct 2018 06:38:40 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E89FC130DC6 for <lisp@ietf.org>; Fri, 5 Oct 2018 06:38:39 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id r83-v6so11647564ljr.7 for <lisp@ietf.org>; Fri, 05 Oct 2018 06:38:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=L+bvfaqzZ2G8pXJxrRiHMosvdhWrpweVJsrbOBkNOBg=; b=EDUfkM8ICqT7DEljbKciZurxzujk38ur3Zp/jKwqSdbrRxB7zQvPF6ACBmmbxaCAoZ /0h5JdSUhQJntNuDR5niSZJ9TxjhxgNBGAzR3R45qLi+yCQIL8E6J0a9JcenVjoMVD4X IuA1iJrq9+0bYT5EbQWyiM8wwHFS4VWoxiKRcw//nbML7Q84M43mF8ILRGch1EBDIvvi wVBg5d3fpJq4vfqwJb2vzKnW5AFhmh76RFtW1gW1cIA8GfhY3PTL2fn4aJDUH14adMG6 XkVu3emB3c0N9qAcyF51dpz3RAorfntl9ORjbwhl9roMFvZWpoc0MkfSDASpQWtosl5S mgXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=L+bvfaqzZ2G8pXJxrRiHMosvdhWrpweVJsrbOBkNOBg=; b=EgFnfAy0L5Tlu62D1DcZP6J4UCllbv9g0DU5+jaK4tPwjuMJV0Znm0OyYc0Vh9js1y 2uDnPO9MNTRkRu7S6Xi6KMmunJ2GOaY+1wDGofRp9eRSgPMP9FprqWtaIFtYu/YwBnxL EuHZ6vgRm1awGiJ3Bl16KOVk7FLthErS1E4WgW17N6FdJ8PRYUQKAjv3YwlGN4dyaISG PbDvC/JWlQKJr+jq/tzsLhKFz+lbEPGSWnyPIDLk3ISg4GGA9x1/sfcyKm70AcROv+E9 0AhbzL50yS5cWQDqwmDFuSWckHmD3XT2C+M+WUgVvJDCOkR2DYJp9QbQEk8D6CLXRF5o fN6A==
X-Gm-Message-State: ABuFfoiheAL0Z2JIkNniIC6Rz68xrJCxayNimDnP5/UqYJRqsbhJlHHk Lsq8E+sKDRoODkW04Nvq+Te87WrRbKDr86GT0suLHQ==
X-Google-Smtp-Source: ACcGV61RwMrxl34dbEAjZcH1qslruyu72SVMqtDYfLsI4cg6GH5KGMxJis3hh9231UKsssXtwaO6euFwQlF3ax6OF2A=
X-Received: by 2002:a2e:2a43:: with SMTP id q64-v6mr7146018ljq.153.1538746718070; Fri, 05 Oct 2018 06:38:38 -0700 (PDT)
MIME-Version: 1.0
References: <153805056019.26512.877252229948689152.idtracker@ietfa.amsl.com> <F1E6357D-0A02-4A2E-B98E-7B34D7AB5EA0@gmail.com> <CABcZeBMbAoo_UUjdhn0vU-cQrH9XQvs6VohBzs7q=BjbVi1BVQ@mail.gmail.com> <27454678-1FED-43EC-9D65-72F18487E619@gmail.com>
In-Reply-To: <27454678-1FED-43EC-9D65-72F18487E619@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 05 Oct 2018 06:38:01 -0700
Message-ID: <CABcZeBNj_2o-5rVJBog+-OcDNEwrsPERmPbxQ6u47X6dFjFkkw@mail.gmail.com>
To: Dino Farinacci <farinacci@gmail.com>
Cc: IESG <iesg@ietf.org>, draft-ietf-lisp-rfc6833bis@ietf.org, Luigi Iannone <ggx@gigix.net>, lisp-chairs@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000087bf2505777b6323"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/ooS44pxr30IZRZxX0wuY1LaY0WI>
Subject: Re: [lisp] Eric Rescorla's Discuss on draft-ietf-lisp-rfc6833bis-16: (with DISCUSS and COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Oct 2018 13:38:44 -0000
On Mon, Oct 1, 2018 at 11:39 AM Dino Farinacci <farinacci@gmail.com> wrote: > > > > > > IMPORTANT > > > S 5.2. > > >> s: This is the SMR-invoked bit. This bit is set to 1 when an xTR > is > > >> sending a Map-Request in response to a received SMR-based Map- > > >> Request. > > >> > > >> m: This is the LISP mobile-node m-bit. This bit is set by xTRs > that > > >> operate as a mobile node as defined in [I-D.ietf-lisp-mn]. > > > > > > This would appear to create a normative reference to this document. To > > > avoid that, you need to specify how I behave if I receive it but I > > > don't implement lisp-mn. > > > > I am find making it a normative reference but need the lisp-chairs to > comment. I am not sure what the implications of that are. > > > > Me neither. Seems like it could go either way. My only interest is that > the protocol be unambiguous. > > We are working through removing normative references to working group > drafts. > OK. > > > S 5.5. > > >> is being mapped from a multicast destination EID. > > >> > > >> 5.5. EID-to-RLOC UDP Map-Reply Message > > >> > > >> A Map-Reply returns an EID-Prefix with a prefix length that is > less > > >> than or equal to the EID being requested. The EID being > requested is > > > > > > How do I behave if I receive an EID-Prefix that is less than any of my > > > mappings. So, I might have mappings for 10.1.0.0/16 and 10.2.0.0/16 > > > and someone asks me for 10.0.0.0/8? > > > > > I think I'm still unclear on this point. > > The spec says you cache it. That is all you can do. But it means the > sender of the Map-Reply is not spec conformant. That means RLOCs are used > for the coarser EID-prefix. > Sorry, cache it? My question is how to respond to the case where the Map-Request has this property. > > > Also, when you talk about prefix > > > length, I assume you mean the length fo the mask? > > > > Yes, this is explained later in this section. Was that not helpful?? > > > > I found it a bit confusing. It seems to me like there are two lengths > involved here: > > > > - The length of the field (4 or 16) > > - The parts of the field that are significant (i.e., the mask) > > In routing, as you know, the mask-length is always the same as the > prefix-length. It is the number of bits in the mask. > > > I had thought that "prefix length" referred to the former, but it seems > like here it > > refers to the latter. > > The length of the address is defined by the 16-bit AFI that precedes the > address. > I agree, but the text refers to this as the prefix and it has a length, which is the length of the encoded field, not the length of the mask, as seen in this excerpt: EID-Prefix: This prefix is 4 octets for an IPv4 address family and 16 octets for an IPv6 address family when the EID-Prefix-AFI is 1 or 2, respectively. For other AFIs [AFI], the length varies and for the LCAF AFI the format is defined in [RFC8060]. When a Map- > > > S 5.6. > > >> Authentication Data: This is the message digest used from the > output > > >> of the MAC algorithm. The entire Map-Register payload is > > >> authenticated with this field preset to 0. After the MAC is > > >> computed, it is placed in this field. Implementations of this > > >> specification MUST include support for HMAC-SHA-1-96 [RFC2404], > > >> and support for HMAC-SHA-256-128 [RFC4868] is RECOMMENDED. > > > > > > What prevents replay attacks here? I'm guessing it's the Map-Version- > > > Number, but as I understand it, I can set this to 0. > > > > Well there are many. The nonce can change for each Map-Register sent. > Same for Map-Version number as well as the key-id. > > > > I think you need to describe the precise process of replay prevention > here. > > Not addressing any security issues right now until we have the conference > call. I agree with you and believe we have solutions, we just haven’t > documented them clearly. And understand why your line of questioning. > Sure, Let's pick this up later. > > > > S 6.1. > > >> receives an SMR-based Map-Request and the source is not in the > > >> Locator-Set for the stored Map-Cache entry, then the responding > Map- > > >> Request MUST be sent with an EID destination to the mapping > database > > >> system. Since the mapping database system is a more secure way to > > >> reach an authoritative ETR, it will deliver the Map-Request to the > > >> authoritative source of the mapping data. > > > > > > If I'm understanding this correctly, this allows an ETR to prevent an > > > ITR from learning that it is no longer the appropriate ETR for a > > > prefix. The way this attack works is that before the topology shift, I > > > send SMRs, thus causing Map-Requests, which, because my entry is > > > cached, refresh the cache on the ITR past the topology shift. I can > > > keep doing this indefinitely. Am I missing something > > > > Well if the ETR is being spoofed, then there is Map-Request load, but it > won’t corrupt the ITR’s map-cache. The ITR always sends a verifying > Map-Request to the mapping system to get the latest and authenticated > RLOC-set for the mapping. Rate-limiting is necessary so each SMR received > DOES NOT result in a Map-Requerst to the mapping system. > > > > I'm probably just confused here: SMRs go through the mapping system, not > directly? If so, I agree that this wont' work. > > SMRs are sent from an xTR that changes its RLOC set to xTRs that might > have EID-prefixes cached. It tells those caching xTRs to do a lookup to the > mapping system. So the Map-Request, with S-bit set (an SMR) are sent > directly from xTR to xTR. > Sorry, I misspoke, but i think I get your point. This sounds fine. > > > > > S 5. > > >> \ | UDP Length | UDP Checksum > | > > >> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > >> | > | > > >> | LISP Message > | > > >> | > | > > >> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > > > > What do these two diagrams correspond to? v4 and v6? This needs > > > explanation. > > > > It is th entire IP packet sent as a LISP control-message. The header > before the diagrams indicate they are UDP packets. > > > > A caption would probably help. > > The beginning of the section shows an IPv4 UDP packet format as well as a > IPv6 UDP packet format. > Agreed. I'm just saying you should put in a caption on each of them. > > > > > S 5.2. > > >> receipt. > > >> > > >> L: This is the local-xtr bit. It is used by an xTR in a LISP > site to > > >> tell other xTRs in the same site that it is part of the > RLOC-set > > >> for the LISP site. The L-bit is set to 1 when the RLOC is the > > >> sender's IP address. > > > > > > Is the xTR supposed to filter this on exiting the site. > > > > Nope. > > > > Won't this cause problems on ingress to another site? > > No, I don’t think so. But you have to write more words to let me know what > you are thinking about. > I'm not sure I understand well enough, but it just seems like if you have a bit that says "this is local" that then appears on another network where it's not local, that might cause problems. But if you say it doesn't, then OK > > > > S 5.3. > > >> originating Map-Request source. If the RLOC is not in the > Locator- > > >> Set, then the ETR MUST send the "verifying Map-Request" to the > > >> "piggybacked" EID. Doing this forces the "verifying Map-Request" > to > > >> go through the mapping database system to reach the authoritative > > >> source of information about that EID, guarding against > RLOC-spoofing > > >> in the "piggybacked" mapping data. > > > > > > This text here doesn't seem compatible with either of the two cases > > > listed in "EID-prefix" above. > > > > I don’t understand the comment Eric. Maybe because I can’t find the > exact reference to EID-prefix where you think there is a conflict. Please > cite for me. Thanks. > > > > This does seem to have been assigned to the wrong text. > > > > I am referring to: > > > > " A Map-Reply returns an EID-Prefix with a prefix length that is less > > than or equal to the EID being requested. The EID being requested is > > either from the destination field of an IP header of a Data-Probe or > > the EID record of a Map-Request. The RLOCs in the Map-Reply are > > " > > > > versus > > > > " EID-Prefix: This prefix is 4 octets for an IPv4 address family and > > 16 octets for an IPv6 address family when the EID-Prefix-AFI is 1 > > or 2, respectively. For other AFIs [AFI], the length varies and > > for the LCAF AFI the format is defined in [RFC8060]. When a Map- > > " > > > > This is just the question of whether "prefix length" refers to the field > or > > the significant bits of the field. > > Prefix-length = mask-length = number-of-bits-in-mask = value-after-/. > OK, but then this second excerpt seems contradictory. We have an EID-Prefix field which has a different length which is dictated by the AFI only. > > > S 8.3. > > >> of the mapping database protocols. > > >> > > >> 8.3. Map-Server Processing > > >> > > >> Once a Map-Server has EID-Prefixes registered by its client ETRs, > it > > >> can accept and process Map-Requests for them. > > > > > > This section is confusing because the introduction says that this > > > function is only performed by Map-Resolvers: > > > ' > > > "The LISP Mapping Service defines two new types of LISP-speaking > > > devices: the Map-Resolver, which accepts Map-Requests from an > > > Ingress > > > Tunnel Router (ITR) and "resolves" the EID-to-RLOC mapping using a > > > mapping database; and the Map-Server, which learns authoritative > > > EID- > > > to-RLOC mappings from an Egress Tunnel Router (ETR) and publishes > > > them in a database.” > > > > The document does cover the operation of a Map-Resolver and a > Map-Server. Some functions are performed only by Map-Resolvers only and > other different functions are performed by Map-Servers only. > > > > I am not sure what you don’t understand. > > > > Sure: As I understand it, Map Resolvers process Map Requests, and Map > Servers do not (that's what the quoted text seems to say). However, this > sentence talks about a Map Server processing a Map Request. That's where I > am confused. > > Here is a brief scenario: > > (1) ITR sends Map-Request to a Map-Resolver. > (2) Map-Resolver “finds” the Map-Server where the EID could be registered. > That is the mapping database transport system, two examples are LISP-ALT > and LISP-DDT. > (3) The Map-Resolver in the case of LISP-DDT, will have a referral-cache > and know which map-server is authoriative for the EID-prefix the > Map-Request EID is for. > (4) The Map-Resolver forwards the Map-Request to that Map-Server. > > And hence Map-Servers process Map-Requests. The Map-Server can proxy-reply > with the RLOC-set cached in its site-cache or forward to one or more ETRs > (described by the RLOC-set) so they can map-reply. > Sure, this seems reasonable, but then perhaps the text above could be revised, because it reads like Map Resolvers process these requests and therefore implies that Map-Servers do not. -Ekr > Most of the above is described in the LISP-DDT RFC. For LISP-ALT, the > map-resovler forwards the Map-Request across a tunneled topology where BGP > is used to tell you where EID-prefixes are registered to what Map-Servers. > That tunneled toplogy is used for the sole purpose to forward Map-Requests. > No data-plane involved there. > > Dino > > >
- [lisp] Eric Rescorla's Discuss on draft-ietf-lisp… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Joel M. Halpern
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Joel M. Halpern
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Joel M. Halpern
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Dino Farinacci
- Re: [lisp] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk