[lisp] FW: I-D Action: draft-ietf-lisp-sec-18.txt

"Fabio Maino (fmaino)" <fmaino@cisco.com> Thu, 05 December 2019 22:11 UTC

From: "Fabio Maino (fmaino)" <fmaino@cisco.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "lisp@ietf.org" <lisp@ietf.org>, "lisp-chairs@ietf.org" <lisp-chairs@ietf.org>, "BRUNGARD, DEBORAH A" <db3546@att.com>
Date: Thu, 05 Dec 2019 22:10:53 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/rDHlutCoLwdWs7gm3HA65hI-XfA>
Subject: [lisp] FW: I-D Action: draft-ietf-lisp-sec-18.txt

Hi Ben, 
Now that the LISP-SEC LC has closed, I'm popping this message back to the top of your inbox. 

We discussed the rationale for most of these changes with you in Prague; below is a brief list that may help in recalling that conversation. 

Thanks,
Fabio


On 6/2/19, 7:34 AM, "lisp on behalf of Fabio Maino (fmaino)" <lisp-bounces@ietf.org on behalf of fmaino@cisco.com> wrote:

    This rev of the lisp-sec draft includes the following main changes: 
    1. a mechanism that allows an ITR to securely downgrade to non-LISP-SEC Map-Requests, if it wishes to do so. This is done as discussed on the list and in Prague with Ben
    2. the use of a per-message key (derived from the pre-shared secret) to protect transport of the One-Time-Key from ITR->Map-Resolver and from Map-Server->ETR. This is consistent with the changes that are being introduced in 6833bis, and with what was discussed with Ben in Prague
    3. Comments posted by Med on 1/28 are addressed. You can check my notes in the attached Word document, which describe how each comment has been disposed of
    
    
    The attached diff will guide you through the changes, but the main protocol changes are:
    - Introduction of the ETR-Can't-Sign E bit in the ECM Authentication Data. This is used as described in section 5.7 to allow secure downgrade to non-LISP-SEC (if the ITR chooses to do so)
    - Splitting the "OTK Encryption ID" 16-bit field in the ECM Authentication Data into two 8-bit fields (this is consistent with what was done in 6833bis for various LISP protocol messages):
        - Key ID, which identifies the pre-shared secret
        - OTK Wrapping ID, which identifies the KDF used to derive the per-message OTK encryption key AND the OTK Wrapping algorithm
    - Description of how to derive the per-message OTK encryption key from the pre-shared secret (this is coherent with what we did in 6833bis to derive the per-message Map-Register authentication key). Terminology will be consistent with the next rev of 6833bis
    
    
    Thanks especially to Ben for the suggested improvements, and to Med for the very detailed review. 
    
    Fabio
    
    
    On 6/2/19, 7:15 AM, "lisp on behalf of internet-drafts@ietf.org" <lisp-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:
    
        
        A New Internet-Draft is available from the on-line Internet-Drafts directories.
        This draft is a work item of the Locator/ID Separation Protocol WG of the IETF.
        
                Title           : LISP-Security (LISP-SEC)
                Authors         : Fabio Maino
                                  Vina Ermagan
                                  Albert Cabellos
                                  Damien Saucez
                Filename        : draft-ietf-lisp-sec-18.txt
                Pages           : 27
                Date            : 2019-06-02
        
        Abstract:
           This memo specifies LISP-SEC, a set of security mechanisms that
           provides origin authentication, integrity and anti-replay protection
           to LISP's EID-to-RLOC mapping data conveyed via mapping lookup
           process.  LISP-SEC also enables verification of authorization on EID-
           prefix claims in Map-Reply messages.
        
        
        
        The IETF datatracker status page for this draft is:
        https://datatracker.ietf.org/doc/draft-ietf-lisp-sec/
        
        There are also htmlized versions available at:
        https://tools.ietf.org/html/draft-ietf-lisp-sec-18
        https://datatracker.ietf.org/doc/html/draft-ietf-lisp-sec-18
        
        A diff from the previous version is available at:
        https://www.ietf.org/rfcdiff?url2=draft-ietf-lisp-sec-18
        
        
        Please note that it may take a couple of minutes from the time of submission
        until the htmlized version and diff are available at tools.ietf.org.
        
        Internet-Drafts are also available by anonymous FTP at:
        ftp://ftp.ietf.org/internet-drafts/
        
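The three protocol changes listed in Fabio's quoted message (the E bit, the Key ID / OTK Wrapping ID split, and the per-message OTK encryption key derived from the pre-shared secret) can be modelled together; the example below is added here and is not code from the draft or from any LISP implementation. The byte layout, the HMAC-SHA256 derivation over a per-message nonce, and the policy table are all assumptions made for illustration, not the draft's wire format or its KDF.

```python
import hashlib
import hmac
import struct

# Constructed header layout (NOT the draft's wire format): a flags byte with
# the ETR-Can't-Sign E bit in the high bit, an 8-bit Key ID, an 8-bit OTK
# Wrapping ID, and an 8-byte per-message nonce.
AD_HEADER = struct.Struct("!BBB8s")
E_BIT = 0x80

# Constructed tables: Key ID -> pre-shared secret, Wrapping ID -> assumed KDF hash.
PSK_TABLE = {1: b"constructed-psk-one", 2: b"constructed-psk-two"}
KDF_TABLE = {1: hashlib.sha256}


def build_ad_header(e_bit, key_id, wrap_id, nonce):
    """Pack the constructed Authentication Data header."""
    return AD_HEADER.pack(E_BIT if e_bit else 0, key_id, wrap_id, nonce)


def parse_ad_header(buf):
    """Split the former 16-bit 'OTK Encryption ID' into its two 8-bit fields."""
    flags, key_id, wrap_id, nonce = AD_HEADER.unpack_from(buf)
    return {"E": bool(flags & E_BIT), "key_id": key_id,
            "wrap_id": wrap_id, "nonce": nonce}


def per_message_key(key_id, wrap_id, nonce, label=b"OTK-ENC"):
    """Derive a 128-bit per-message OTK encryption key from the PSK.

    Assumed KDF: HMAC(PSK, label || nonce) truncated to 16 bytes. The Key ID
    selects the secret; the Wrapping ID selects the KDF. An unknown Key ID or
    Wrapping ID raises KeyError, which a receiver should treat as "drop".
    """
    psk = PSK_TABLE[key_id]
    digest = KDF_TABLE[wrap_id]
    return hmac.new(psk, label + nonce, digest).digest()[:16]


def itr_reply_policy(ad, allow_downgrade):
    """ITR decision on a Map-Reply: verify normally, or downgrade only if
    the E bit is set AND local policy permits it (section 5.7 semantics)."""
    if not ad["E"]:
        return "verify-signature"
    return "accept-unsigned" if allow_downgrade else "reject"
```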