Re: [lisp] Restarting last call on LISP threats

Luigi Iannone <ggx@gigix.net> Tue, 17 June 2014 08:43 UTC

To: Brian Haberman <brian@innovationslab.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/qkGKJmlT478lGSZ1qTrTGwbFEuI
Cc: lisp@ietf.org

Hi,

On 16 Jun 2014, at 20:50, Brian Haberman <brian@innovationslab.net> wrote:

> Hi Joel,
> 
> On 6/16/14 2:43 PM, Joel M. Halpern wrote:
>> My understanding is that security oriented threat analyses documents do
>> not generally, and the charter item for this document does not
>> specifically, call out mitigations.  Mitigation is, as your comment
>> suggests, a complex tradeoff as different mitigations have different
>> costs and different efficacy.  So the tradeoff in using mitigation
>> would, it seems to me, need to be in the document that proposes the
>> mechanisms.
> 
> The charter work item says:
> 
>    - LISP security threats and solutions

Previous versions of the threats document gave some “recommendations” (like, for instance, the use of lisp-sec), but discussion on the ML and in WG meetings led to dropping that section. So, why go back now?

> 
> My question was whether the WG plans to overhaul lisp-sec to describe
> the mitigations/solutions to the threats described in lisp-threats or
> just put them in one document.
> 

IMHO LISP-sec is a specific solution for a specific set of threats; hence, while it has to clearly state which attacks it solves, I do not think that it has to discuss all possible mitigations for all possible threats.

I was also thinking that, similarly to the fact that threats are described by class, mitigation techniques (if we ever want to re-introduce them) should also be “cited” by class.
I use the word “cited” because I do not think we need to document the details but just refer to existing techniques that can be used.
(Note that this was more or less what we had in early versions of the document.)

ciao

Luigi


> Regards,
> Brian
> 