Re: [RAM] ITR complexity & security (ICMP) in LISP-NERD/CONS & eFIT-APT
jnc@mercury.lcs.mit.edu (Noel Chiappa) Fri, 27 July 2007 16:52 UTC
Return-path: <ram-bounces@iab.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1IET3h-0001b0-SY; Fri, 27 Jul 2007 12:52:57 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1IET3g-0001ar-JK
for ram@iab.org; Fri, 27 Jul 2007 12:52:56 -0400
Received: from mercury.lcs.mit.edu ([18.26.0.122])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IET3g-0000eK-7e
for ram@iab.org; Fri, 27 Jul 2007 12:52:56 -0400
Received: by mercury.lcs.mit.edu (Postfix, from userid 11178)
id B57EF86ADD; Fri, 27 Jul 2007 12:52:55 -0400 (EDT)
To: ram@iab.org
Subject: Re: [RAM] ITR complexity & security (ICMP) in LISP-NERD/CONS &
eFIT-APT
Message-Id: <20070727165255.B57EF86ADD@mercury.lcs.mit.edu>
Date: Fri, 27 Jul 2007 12:52:55 -0400 (EDT)
From: jnc@mercury.lcs.mit.edu (Noel Chiappa)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb
Cc: jnc@mercury.lcs.mit.edu
X-BeenThere: ram@iab.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing and Addressing Mailing List <ram.iab.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ram>,
<mailto:ram-request@iab.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ram>
List-Post: <mailto:ram@iab.org>
List-Help: <mailto:ram-request@iab.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ram>,
<mailto:ram-request@iab.org?subject=subscribe>
Errors-To: ram-bounces@iab.org
> From: Robin Whittle <rw@firstpr.com.au> > .. handling ICMP DU messages regarding reachability and Path MTU > Discovery. > The only way I can imagine these being handled securely seems to > involve an impractically large amount of state and processing. I'm a bit too crunched for time to really understand this entire message, but I was wondering if you have considered the following approach to this problem: All ITRs/ETRs have their interfaces which face toward the 'core' (i.e. the other ITRs/ETRs in the system) have addresses from some reserved part of the address space (e.g. net 10), addresses which are not functional on the 'site' side of the ITRs/ETRs. (I.e. you can't send a packet to one of the addresses from inside a site.) The ITRs only accept reachability DU messages on those interfaces, destined to the addresses from the reserved space. In other words, there's no way to send them one of these DU packets from a customer site. This should be easier than carefully validating each individual DU, and keeping enough state to do so, right? Yes, this still allows a compromised ITR/ETR to generate bogus traffic, but I think it's a useful reduction in the threat universe. I don't have any clearest best idea on how to validate incoming DU messages from other ITRs/ETRs... Maybe a per-ETR nonce (i.e. only a slight amount of increase in the state in the ITR), which is included in each tunnelled packet, or something like that. If it's 32 bits, and changed every 10 seconds, it would be hard to find by generating random values (and in any case the incoming errors could set off alarm bells), and even if it were found, it would only give you a break-in for a few seconds. In short, I agree this is a problem, and one that needs a solution, but I'm not sure the mechanism you posit is the best solution. In part, you seem to be trying to solve it without changing the protocol (i.e. packet format), and I think that's too hard a constraint. If you really need a screwdriver, go buy one, don't try and make do with a hammer. Noel _______________________________________________ RAM mailing list RAM@iab.org https://www1.ietf.org/mailman/listinfo/ram
- [RAM] ITR complexity & security (ICMP) in LISP-NE… Robin Whittle
- Re: [RAM] ITR complexity & security (ICMP) in LIS… Noel Chiappa
- Re: [RAM] ITR complexity & security (ICMP) in LIS… Robin Whittle