IETF Logo Mail Archive

Re: [lisp] Fwd: decentralization of Internet (was Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

Dino Farinacci <farinacci@gmail.com> Mon, 09 September 2013 16:45 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D818711E81B2 for <lisp@ietfa.amsl.com>; Mon, 9 Sep 2013 09:45:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYXo7vPXuA6R for <lisp@ietfa.amsl.com>; Mon, 9 Sep 2013 09:45:40 -0700 (PDT)
Received: from mail-pd0-x22a.google.com (mail-pd0-x22a.google.com [IPv6:2607:f8b0:400e:c02::22a]) by ietfa.amsl.com (Postfix) with ESMTP id CD55511E8121 for <lisp@ietf.org>; Mon, 9 Sep 2013 09:45:40 -0700 (PDT)
Received: by mail-pd0-f170.google.com with SMTP id x10so6457234pdj.1 for <lisp@ietf.org>; Mon, 09 Sep 2013 09:45:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jmVLs2zIGrCl8dXla6yYe5MiNyBlB23BniB9JWezSlY=; b=xoV2a61U2jrn5X3jN3sb7fpx4kpEIy72/vkWHWG7L2Y97kGSisUVW9QFddr5PUM3Dl tH/iydOHDU3P1Nr2PDcb4BgeamtMJBaHX8jpw64/z2mUd3CseOkzmFrVhbUkxLkuZGxh /S5J150lfJhAJ4Fv0j7WZ89b3l/mBWBSvsDmyCKS7mFYDM442z/6LvnE1oH9mSJYAH1S MyUhJdee2ZQMhxPKzqUgKagvQQaOxjJaUM2tQVDymwc7HwD+LXvTiMbDRh7zmG57smmn 74D0GscRHqlrFLeC3yjz31COZAR58uuN/bcoc5+tH6ulBgBpBvhDdN3fmlfCgklgcdFl SdcQ==
X-Received: by 10.66.162.136 with SMTP id ya8mr9543797pab.110.1378745140575; Mon, 09 Sep 2013 09:45:40 -0700 (PDT)
Received: from [192.168.1.115] ([207.145.253.66]) by mx.google.com with ESMTPSA id ve9sm17269267pbc.19.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 09 Sep 2013 09:45:39 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <4ABB752A36221949A095CDE2C6DBB1C80982F67D@xmb-aln-x12.cisco.com>
Date: Mon, 09 Sep 2013 09:45:39 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <DEC36591-E9A8-4776-8BC2-D7F256C81A7C@gmail.com>
References: <4ABB752A36221949A095CDE2C6DBB1C80982F67D@xmb-aln-x12.cisco.com>
To: "Michiel Blokzijl (mblokzij)" <mblokzij@cisco.com>
X-Mailer: Apple Mail (2.1508)
Cc: Noel Chiappa <jnc@mercury.lcs.mit.edu>, "lisp@ietf.org" <lisp@ietf.org>
Subject: Re: [lisp] Fwd: decentralization of Internet (was Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2013 16:45:42 -0000

> Even in the case where the ITR is on the CPE we might be able to do better.
> 
> For IPv6 RLOCs, we could use temporary IPv6 addresses (IPv6 privacy
> extension, rfc4941 I think) as the RLOCs in outgoing packets. That way,
> you couldn't discover the EID by doing a "reverse lookup" on the RLOC in
> the mapping system.

Well in today's deployments there are no RLOC records in the mapping database. So finding an EID associated with an RLOC is a different thing to do today. And this is goodness.

But not to take away from your point. But if those private addresses are not injected into the underlying routing protocol and PE boxes run URPF, those packets will be dropped.

Dino

> This would be especially useful if the IPv6 prefix on your uplink is used
> on a multipoint link, if it's just used on a point-to-point link it's a
> bit pointless :)
> 
> Best regards,
> 
> Michiel
> 
> On 09/09/2013 10:01, "Joel M. Halpern" <jmh@joelhalpern.com> wrote:
> 
>> Doesn't this depend upon where the ITR is?
>> If, as is usually proposed, the ITR is a piece of CPE, then it will hide
>> the content of my message (good), and my individual EID (okay), but it
>> won't hide which site is sending the packet, which is an awful lot of
>> information.
>> 
>> Also, moving the ITR to the PE router merely means that all the
>> information is collectible at that point.  And we have observable data
>> that collectible => will be collected.
>> 
>> Yours,
>> Joel
>> 
>> On 9/8/13 10:15 PM, Dino Farinacci wrote:
>>>> Hello Noel,
>>>> 
>>>>> Err, that would get the address and name of the ITR, not the actual
>>>>> source
>>>>> host.
>>>> 
>>>> this thread started with a subject of how to save the Internet from the
>>>> all-powerful agencies. Lisp was not invented to hide your identity,
>>>> it's only separating it from the location - this doesn't mean the
>>>> location information cannot reveal your (real life) identity. At the
>>>> end the agencies want your name, not your (inner) IP address.
>>> 
>>> Marc, you may have not followed Noel's point. Let me explain with more
>>> detail.
>>> 
>>> (1) I sit at a LISP site, I have an EID assigned to me. I want to send
>>> packet and don't want anyone in the core to know I am sending.
>>> 
>>> (2) My EID comes out of an EID-prefix that is assigned to the site I
>>> currently reside in. There are a pair of ITRs that encapsulate traffic
>>> for packets I source.
>>> 
>>> (3) When I source packets, my EID is known by routers inside of the
>>> site, but when the packet hits the ITR, the ITR will encrypt the entire
>>> packet it is about to encapsulate. So the outer IP header, the UDP
>>> header, and the LISP header is sent in the clear. Everything after the
>>> LISP header is encrypted.
>>> 
>>> (4) I propose that the ITR use a public-key stored in the mapping
>>> database. It does not need to be protected during transport. The only
>>> parties that have the private-key the ETRs at the destination site (and
>>> you can h a public/private pair per ETR).
>>> 
>>> (5) Men in the middle cannot decrypt the encapsulated packet because
>>> they don't have the private key and it is never transmitted on the
>>> network. All they know is that a packet came from some site that is
>>> connected to ISP foobar. So what, that is coarse information.
>>> 
>>> (6) The key is obtained by the ITR the same time it is getting the RLOC
>>> address for encapsulation. Both come together and if the EID or *key*
>>> changes, we treat it as a mobility event where a new registration is
>>> sent to the mapping database to advertise a new RLOC address and/or a
>>> new key.
>>> 
>>> This is pretty simple. Yes it is slow. But so what. We can throw
>>> hardware technology at it or we can have th math guys come up with as
>>> good but less expensive algorithms.
>>> 
>>>> If the xTR is close to you, e.g. your DSL router runs the xTR, then the
>>>> locator is effectively a 1:1 mapping to your identity. If the xTR is
>>>> your office branch router, well, then we have already  (a) a router to
>>>> try to break in  and (b) a physical office location to look for you.
>>> 
>>> It's not all that simple. EIDs can roam around. So if the RLOC at my
>>> house is encapsulating packets because you came over for dinner, it
>>> isn't me that is sourcing. I might be blamed for your wrong-doing, but
>>> all I would say is "I only live there".   ;-)
>>> 
>>> Dino
>>> 
>>>> And if the xTR is further away from your Internet connection point then
>>>> chances are you can get wire-tapped on your way to/from the xTR, i.e.
>>>> Lisp would not help you at all.
>>>> 
>>>> That's all I wanted to say with my statement about "static setups".
>>>> 
>>>> 
>>>> Complete different story is if Lisp could make encryption e.g. between
>>>> company office sites much easier, more scalable etc.. Independent from
>>>> the original subject that would be a real benefit.
>>>> 
>>>> 
>>>> Regards, Marc
>>>> 
>>>> 
>>>>> 
>>>>> Depending on all sorts of factors, that plus the encrypted packet
>>>>> _might_ get
>>>>> them the identity of the actual originator (not, for example, if the
>>>>> ITR has
>>>>> discarded the key used to encrypt the packet by the time the subpoena
>>>>> arrives...)
>>>>> 
>>>>> 	Noel
>>>>> _______________________________________________
>>>>> lisp mailing list
>>>>> lisp@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/lisp
>>>>> 
>>>> _______________________________________________
>>>> lisp mailing list
>>>> lisp@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/lisp
>>> 
>>> _______________________________________________
>>> lisp mailing list
>>> lisp@ietf.org
>>> https://www.ietf.org/mailman/listinfo/lisp
>>> 
>> _______________________________________________
>> lisp mailing list
>> lisp@ietf.org
>> https://www.ietf.org/mailman/listinfo/lisp
>

v2.23.0 | Report a Bug | By Email