Re: [lisp] Restarting last call on LISP threats

Damien Saucez <> Fri, 23 May 2014 13:06 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8AFD01A01CD for <>; Fri, 23 May 2014 06:06:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PCHwzTlXU2ak for <>; Fri, 23 May 2014 06:06:40 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 868DD1A0484 for <>; Fri, 23 May 2014 06:06:39 -0700 (PDT)
Received: by with SMTP id bs8so804996wib.12 for <>; Fri, 23 May 2014 06:06:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=4YdRuRKN6Drg1ZwWtnUwSGfYfUEf91aFpHNkOY4UXok=; b=ST1u918IMWo/jNH9czdYP01OkyHtPfMklup3NZnARr1wxK8g0cPqfEX9rpGNtaaMNk xjLd5X95wvwUV3WCgDM4pXEG405UKwMwarSqe07W2vTInhdZ9aODysfHNxVoAc21sall VESxomU6QlMeUdWEF8F+l7hWP0yqjN7Pbe7ty8PqOE3or8yKlVImuLySEOr/Ff1+dBjp eMwKf0SZgxGTIxwfCp9aRcq7EPtKMrATBWz+jc0L4+ZOPVgA4XD0XBh3rrfdIhyxDRDn Xa5Q9MB5N+xqVjAZU9PZ8ph3IzFinGEHErg9dib3rxmb19+IfvxaLpm55Tf8vECxb+bo DUfQ==
X-Received: by with SMTP id o5mr4236320wjo.16.1400850396761; Fri, 23 May 2014 06:06:36 -0700 (PDT)
Received: from ( []) by with ESMTPSA id ln3sm3859894wjc.8.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 23 May 2014 06:06:35 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_DE9C606C-A0FF-4BD8-9BBD-9983ACDA443C"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Damien Saucez <>
In-Reply-To: <>
Date: Fri, 23 May 2014 15:06:34 +0200
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <>
To: Ronald Bonica <>
X-Mailer: Apple Mail (2.1878.2)
Cc: Roger Jorgensen <>, LISP mailing list list <>
Subject: Re: [lisp] Restarting last call on LISP threats
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 23 May 2014 13:06:42 -0000

Hello Ronald,

On 22 May 2014, at 22:57, Ronald Bonica <> wrote:

> Dino,
> Today's Internet is not as fragile as you think. This mail traversed many routers between my house and yours. If those routers are well-managed, there is nothing that I can do from my house that will cause any of those routers to consume control plane resources. Therefore, there is nothing that I can do from my house that will cause a DoS attack against those routers' control planes.
We tend to disagree with that, for example you have ICMP today...

> In LISP, separation between the forwarding and control plane is lost. As a matter of course, forwarding plane activity causes control plane activity. Since forwarding plane bandwidth exceeds control plane bandwidth, DoS attacks against the control plane are possible.
> In order to be complete, the threats document must describe the DoS threat. It should also describe mitigations, if any exist.

DoS is already explained and the definition given:

" A Denial of Service (DoS) attack aims at disrupting a specific
   targeted service either by exhausting the resources of the victim up
   to the point that it is not able to provide a reliable service to
   legit traffic and/or systems or by exploiting vulnerabilities to make
   the targeted service unable to operate properly.

is covering the case you mention.

Damien Saucez 

>                                                                                               Ron
>> -----Original Message-----
>> From: Dino Farinacci []
>> Sent: Wednesday, May 21, 2014 6:58 PM
>> To: Ronald Bonica
>> Cc: Roger Jorgensen;
>> Subject: Re: [lisp] Restarting last call on LISP threats
>>> The attacker sends a flow of crafted packets to the victim XTR. Each packet
>> is a well-formed LISP data packet. It contains:
>>> - an outer IP header (LOC->LOC)
>>> - a UDP header
>>> - a LISP Header
>>> - an IP header (EID->EID)
>>> - payload
>> Just like a regular packet I can send to your home router today. So yes okay.
>> So let's continue. See comments below.
>>> Each packet contains control plane information that is new to the victim
>> Be more specific about what control information are in these encapsulated
>> packets.
>>> XTR. For example, the victim XTR has no mapping information regarding
>> either the source LOC or source EID prefix. Rather than gleaning this mapping
>> information from the crafted packet, the victim XTR sends a verifying MAP-
>> REQUEST to the mapping system.
>>> Assume that the attack flow is large (N packets per second). Assume also
>> that the XTRs rate limit for MAP-REQUEST messages is less than N packets
>> per second. Has the attack not effectively DoS'd the victim XTR?
>> It caches the rate the rate the packets are coming in and eventually stops
>> sending Map-Requests completely.
>> It cannot stop the incoming rate of packets today just like a roque BGP
>> attacker can send millions of packets per second to a peer regardless if it
>> does or does not have the peer authentication key.
>>> To make this attack work, every packet in the attack flow may need to have
>> a unique, spoofed, source LOC.
>> An implementation can detect that after rate limiting 1000s of such requests
>> are happening that it just stops operation.
>> What if I sent a Juniper 20 million routes today?
>> The Internet is very fragile and LISP IS NOT making it worse. And in some
>> cases it is making it better with integrated techniques.
>> Dino
> _______________________________________________
> lisp mailing list