[RAM] draft-bagnulo-lisp-threat-01
Robin Whittle <rw@firstpr.com.au> Thu, 12 July 2007 04:39 UTC
Return-path: <ram-bounces@iab.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I8qSe-0006lM-Ls; Thu, 12 Jul 2007 00:39:28 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I8qSd-0006kz-8t for ram@iab.org; Thu, 12 Jul 2007 00:39:27 -0400
Received: from gair.firstpr.com.au ([150.101.162.123]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I8qSZ-0004Tl-52 for ram@iab.org; Thu, 12 Jul 2007 00:39:27 -0400
Received: from [10.0.0.8] (zita.firstpr.com.au [10.0.0.8]) by gair.firstpr.com.au (Postfix) with ESMTP id CB6A259DDD; Thu, 12 Jul 2007 14:39:15 +1000 (EST)
Message-ID: <4695B066.4000805@firstpr.com.au>
Date: Thu, 12 Jul 2007 14:39:02 +1000
From: Robin Whittle <rw@firstpr.com.au>
Organization: First Principles
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: ram@iab.org
References: <E1I7yhK-0001vj-4f@stiedprstage1.ietf.org> <1A1EE942-944D-4CE6-8C79-C8382C000D1B@it.uc3m.es>
In-Reply-To: <1A1EE942-944D-4CE6-8C79-C8382C000D1B@it.uc3m.es>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: dbb8771284c7a36189745aa720dc20ab
Cc:
Subject: [RAM] draft-bagnulo-lisp-threat-01
X-BeenThere: ram@iab.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing and Addressing Mailing List <ram.iab.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ram>
List-Post: <mailto:ram@iab.org>
List-Help: <mailto:ram-request@iab.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=subscribe>
Errors-To: ram-bounces@iab.org
My understanding of: http://tools.ietf.org/html/draft-bagnulo-lisp-threat-01 is that 3.1 to 3.1.1.3 involves sending an encapsulated packet to a combined ETR-ITR which convinces that router that the RLOC to use when encapsulating packets with EID=V is the the attacker's address. So subsequent packets with EID=V will wind up at the attacker's host. This is for "LISP 1" (1.5?) where there is no central database. In LISP 2.x, 3.x or 4.x: http://www1.ietf.org/mail-archive/web/ram/current/msg01289.html is it true to say that the ETR-ITR wouldn't learn any such false information simply by receiving a packet, because its mapping is controlled by a database instead? Ivip's ITRs are always controlled by one or more databases - there are no messages and ETRs don't "learn" anything from the encapsulated packet. So this vulnerability doesn't apply to Ivip. Likewise, Ivip has no "Map-Reply" message and the ITRs don't learn their mapping from anything other than their own copy of the database(s) or from responses resulting from queries to a query server which has a copy. So the rest of section 3.1, 3.2.1, 3.2.2 and 3.2.3 doesn't apply to Ivip. In LISP 2 to 4 does the ITR learn mapping information from Map-Reply messages or from an associated ETR learning an RLOC from the outer header of an encapsulated packet it receives? 3.2.4 concerns the cache of ETRs or ITRs overflowing - but the sentence: An attacker could massively generate either tunnelled data packets so that the router cache is overflowed. looks incomplete. I think that in all LISP variants the ITR is not intended to carry a copy of the entire database, so in principle its cache could be overflowed by either making it learn mapping information from the headers of encapsulated packets or perhaps by some use of the Map Reply message. I think the ITR's cache could also be made to overflow by simply sending packets to it which are addressed to a wide variety of LISP EIDs, each with different mappings. This would force the ITR to query and cache the mapping for each EID, or for whatever prefix each EID is within which has the same mapping information. Ivip has ITRDs with a full copy of "the database" - actually multiple arrays of mapping information, one for each Ivip Mapped Address Block (IMAB, previously "master-subnet"). So an ITRD can't be overloaded by any pattern of destination addresses in the packets it encapsulates. This is practical, at least for IPv4, using a server with a 64 bit CPU, rather than a conventional router (though in principle some routers could do it) because the Ivip mapping is simply a 4 byte IP address for every address in the IMABs. (LISP's data per EID IP address or prefix is more extensive.) 2 billion Ivip-mapped addresses therefore require 8 gigabytes of RAM, plus some extra RAM for indexing into this set of arrays for each IMAB and for decoding the incoming database dumps (boot time) and real-time updates. Ivip ITRCs (caching ITRs) and ITFHs (caching ITR functions in sending hosts) are subject to some cache size limit and so would be subject to a DoS attack (or simply non-malicious traffic) which consisted of a sufficiently fast and diverse range of data packets to addressed to Ivip-mapped addresses. However, the response of an ITFH or ITRC to this would probably be to not try to retain the mapping for every address of every packet - which is the same as their normal way of working, which is to only seek mapping information for addresses for which multiple packets are received. If an ITFH lets through a packet without tunneling it, then the packet will be forwarded to some ITRC or ITRD (or maybe explicitly tunneled by the ITFH to an ITRD). Likewise, if things are properly organised, an ITRC doesn't have to encapsulate and tunnel every packet with an Ivip-mapped DA. It can either tunnel these packets to some other ITRC, or ideally to an ITRD, which will handle them - or if the local routing system is suitably organised, the packets will flow through one or more ITRCs or ITRDs anyway. I will add something like this to the I-D: The idea is that any ITFH or ITRC can let a packet addressed to an IMAB pass on to another ITRC or an ITRD which will handle it. This will happen naturally with an ITFH, since any still unencapsulated packets it emits will ultimately be forwarded to some router which advertises the Ivip-Mapped Address Blocks (IMABs) and so can presumably definitely encapsulate the packet. To achieve this, any ITRC which advertises the Ivip IMABs must have a way of tunneling the packets it can't handle to some other ITR which definitely can encapsulate them. This could be another such ITRC, provided any chain or tree of these always forwards packets which still need to be encapsulated towards either an ITRD which will do it, or to the Internet, where the packets should find such an ITRD (which hopefully won't be overloaded.) ITRC functions could be installed on internal routers in a network, so they look out for all packets with DA matching any IMAB and either encapsulate them, or leave them unencapsulated. However, forwarding some or all of these packets without encapsulation will only work if this ITRC does not actually advertise itself as the destination for packets addressed to these IMABs. If it did, the packets it forwards which still need to be encapsulated will probably not progress to any other router. So an ITRC which is simply in the path of packets in general, without advertising itself as the destination for the Ivip IMABs, doesn't need to explicitly tunnel packets it can't handle to some other ITR. So the impact of the DoS attack on any one ITRC or ITFH in a network which was correctly configured for Ivip (according to the new text above) would be to cause some packets to go on longer paths before an ITR encapsulated them. This would cause extra load on the network, and on these other ITRs, but unless the packet wound up at a core ITR or some other ITR which advertised the IMAB prefixes and was overloaded with traffic, then the packet would always be encapsulated and find its way to the destination. - Robin http://www.firstpr.com.au/ip/ivip/ _______________________________________________ RAM mailing list RAM@iab.org https://www1.ietf.org/mailman/listinfo/ram
- [RAM] Fwd: I-D ACTION:draft-bagnulo-lisp-threat-0… marcelo bagnulo braun
- [RAM] draft-bagnulo-lisp-threat-01 Robin Whittle
- [RAM] Re: draft-bagnulo-lisp-threat-01 marcelo bagnulo braun
- [RAM] Re: draft-bagnulo-lisp-threat-01 Robin Whittle
- [RAM] Re: draft-bagnulo-lisp-threat-01 marcelo bagnulo braun
- Re: [RAM] Re: draft-bagnulo-lisp-threat-01 Dino Farinacci
- Re: [RAM] Re: draft-bagnulo-lisp-threat-01 marcelo bagnulo braun
- Re: [RAM] Re: draft-bagnulo-lisp-threat-01 Robin Whittle
- Re: [RAM] Re: draft-bagnulo-lisp-threat-01 Dino Farinacci
- Re: [RAM] Re: draft-bagnulo-lisp-threat-01 Dino Farinacci