Re: [lisp] Restarting last call on LISP threats

"Joel M. Halpern" <jmh@joelhalpern.com> Tue, 27 May 2014 15:12 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 157AC1A0456 for <lisp@ietfa.amsl.com>; Tue, 27 May 2014 08:12:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Foo5og5xXsBp for <lisp@ietfa.amsl.com>; Tue, 27 May 2014 08:12:19 -0700 (PDT)
Received: from mailc1.tigertech.net (mailc1.tigertech.net [208.80.4.155]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 627AB1A0166 for <lisp@ietf.org>; Tue, 27 May 2014 08:12:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailc1.tigertech.net (Postfix) with ESMTP id 004B8220DA5; Tue, 27 May 2014 08:12:16 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at c1.tigertech.net
Received: from Joels-MacBook-Pro.local (pool-70-106-135-10.clppva.east.verizon.net [70.106.135.10]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mailc1.tigertech.net (Postfix) with ESMTPSA id E5964220D91; Tue, 27 May 2014 08:12:14 -0700 (PDT)
Message-ID: <5384AB4E.2010208@joelhalpern.com>
Date: Tue, 27 May 2014 11:12:14 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Dino Farinacci <farinacci@gmail.com>, Ronald Bonica <rbonica@juniper.net>
References: <536CFA13.4010102@joelhalpern.com> <4e6c0aaac8fb4aba87ab137cc49b51dc@CO2PR05MB636.namprd05.prod.outlook.com> <CAKFn1SH_gu1+e6EsWESBsRw9EGiSQ+Z5r9E7GEhMO1FdNuM9nQ@mail.gmail.com> <1a200c5f5de041fbaf88edd1a5c3159c@CO1PR05MB442.namprd05.prod.outlook.com> <CAKFn1SEAZyydpQ4cx77mthsUx1HZqMwsM6xNuL4LJjG=oL1mjw@mail.gmail.com> <860b7987207345afb282a82862ff42c0@CO1PR05MB442.namprd05.prod.outlook.com> <F4799A7A-BAEF-458A-8C43-9DF16C9B7828@gmail.com> <e3be912f6afd4f0aa6c8414fede37c74@CO1PR05MB442.namprd05.prod.outlook.com> <2CF699DA-2BAA-4A76-BFF1-64625E001184@gmail.com> <09d3b0d276004c88b6de1a59cf863062@CO1PR05MB442.namprd05.prod.outlook.com> <3269BEE4-C3E5-4D76-A1C0-0B70B6928A12@gmail.com> <dd849ce0cca749c885c5b8a1e989f758@CO1PR05MB442.namprd05.prod.outlook.com> <538361DA.10808@joelhalpern.com> <029e0f8bc7ba433ba4d3ee70b8431f9f@CO1PR05MB442.namprd05.prod.outlook.com> <FB6C01EE-2BB8-4848-8AA2-9512F8FE064A@gmail.com>
In-Reply-To: <FB6C01EE-2BB8-4848-8AA2-9512F8FE064A@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/lisp/rDMnyFhIdP1qvDcrnwSK15DDsCM
Cc: Roger Jorgensen <rogerj@gmail.com>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Restarting last call on LISP threats
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 15:12:26 -0000

Can we please not get into a debate about how well BCP38 is or is not 
deployed, whether violations are remotely detectable, ...This is NOT the 
working group for that.

For our purposes, given that source address forging is known to occur, 
we have to allow it in the threat analysis.

Yours,
Joel

On 5/27/14, 11:04 AM, Dino Farinacci wrote:
>
>> Also, recall that large BCP38 holes exist in today's internet.
>
> And I am going to repeat again, this is not a binary statement. That is, if a BCP38 hole exists in one part of the network, source spoofing can still be detected in other parts of the network.
>
> Dino
>
>