Re: [secdir] [lisp] Secdir early review of draft-ietf-lisp-nexagon-04

Dino Farinacci <farinacci@gmail.com> Fri, 09 October 2020 17:57 UTC

From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <6524FE35-8DE2-4A3B-89ED-7B9933104FB2@getnexar.com>
Date: Fri, 09 Oct 2020 10:57:23 -0700
Cc: Tero Kivinen <kivinen@iki.fi>, secdir@ietf.org, lisp@ietf.org, draft-ietf-lisp-nexagon.all@ietf.org
Message-Id: <270712E7-C1EC-4660-88E0-87F4DDDCE0C0@gmail.com>
References: <160218848061.12936.5873889616190686198@ietfa.amsl.com> <6524FE35-8DE2-4A3B-89ED-7B9933104FB2@getnexar.com>
To: Sharon Barkai <sharon.barkai@getnexar.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SedKz8rn4dIDYXnw-SM-3lQFYjI>

> It is going to be very hard to guess a valid EIDClient which an EdgeRTR expects after AAA to whitelist provision. These EIDs are temporary and expire after 15 minutes.

It can be made even harder using more than 64-bits (since we are using IPv6 EIDs). But if you do guess it, there isn't much you can do with it because you don't have context and you can't send packets to it. As an attacker, you can't get the RLOC information to send packets to the guessed EID.

Registrations and lookups to the mapping system can only be done by provisioned nodes in a centralized secure enclave.

Dino
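The three properties argued over in this exchange (a random, short-lived EIDClient; lookups restricted to provisioned nodes; more random bits making a guess even less useful) can be checked against a small model. The following is an added illustration written for this archive page, not code from the lisp-nexagon draft or from any LISP implementation: the prefix, the node identifiers, the RLOC value and the class and function names are all hypothetical, and the only numbers taken from the thread are the 15-minute lifetime and the 64-bit figure. The guess-probability helper is generic (any number of random bits, any number of live EIDs, any guess budget), which goes beyond the single case discussed above.

```python
import ipaddress
import math
import secrets
import time

# Illustrative model only. Assumed (not from the draft): an EdgeRTR hands a
# client an IPv6 EID whose low `random_bits` are drawn from a CSPRNG, the
# mapping entry lives for EID_TTL_SECONDS (15 minutes, as quoted in the
# thread), and only AAA-provisioned nodes may register or look up mappings.
EID_TTL_SECONDS = 15 * 60
EID_PREFIX = ipaddress.IPv6Network("2001:db8::/48")  # hypothetical documentation prefix


class NotProvisioned(Exception):
    """Raised when a node that never passed AAA provisioning talks to the mapping system."""


class EphemeralEIDRegistry:
    def __init__(self, prefix, ttl, random_bits=64, now=time.time):
        if random_bits > 128 - prefix.prefixlen:
            raise ValueError("random_bits exceeds the host part of the prefix")
        self.prefix = prefix
        self.ttl = ttl
        self.random_bits = random_bits
        self.now = now            # injectable clock so expiry can be tested
        self.provisioned = set()  # node ids admitted after AAA
        self.mappings = {}        # EID -> (RLOC, expiry time)

    def provision(self, node_id):
        self.provisioned.add(node_id)

    def _require(self, node_id):
        if node_id not in self.provisioned:
            raise NotProvisioned(node_id)

    def allocate(self, node_id, rloc):
        """Register a fresh random EID for a provisioned node and return it."""
        self._require(node_id)
        while True:
            iid = secrets.randbits(self.random_bits)
            eid = ipaddress.IPv6Address(int(self.prefix.network_address) | iid)
            if eid not in self.mappings:  # never reuse a live EID
                break
        self.mappings[eid] = (rloc, self.now() + self.ttl)
        return eid

    def expire(self):
        """Drop every mapping whose lifetime has elapsed."""
        t = self.now()
        for eid in [e for e, (_, exp) in self.mappings.items() if exp <= t]:
            del self.mappings[eid]

    def lookup(self, node_id, eid):
        """Return the RLOC for eid, or None if unknown/expired; unprovisioned callers are refused."""
        self._require(node_id)
        self.expire()
        entry = self.mappings.get(eid)
        return entry[0] if entry else None


def guess_probability(random_bits, live_eids, guesses):
    """Chance that `guesses` uniform random draws hit any of `live_eids` live EIDs.

    Uses log1p/expm1 so that the tiny per-guess probability is not rounded to zero.
    """
    p_hit = live_eids / 2 ** random_bits
    return -math.expm1(guesses * math.log1p(-p_hit))


def demo(clock_start=1000.0):
    """Walk through allocate -> lookup -> denied lookup -> expiry; returns the observations."""
    clock = [clock_start]
    reg = EphemeralEIDRegistry(EID_PREFIX, EID_TTL_SECONDS, now=lambda: clock[0])
    reg.provision("edge-rtr-1")                      # hypothetical provisioned node
    eid = reg.allocate("edge-rtr-1", "192.0.2.1")    # hypothetical RLOC
    out = {"eid_in_prefix": eid in EID_PREFIX,
           "provisioned_lookup": reg.lookup("edge-rtr-1", eid)}
    try:
        reg.lookup("attacker", eid)                  # even a correctly guessed EID yields no RLOC
        out["attacker_denied"] = False
    except NotProvisioned:
        out["attacker_denied"] = True
    clock[0] += EID_TTL_SECONDS + 1                  # advance past the 15-minute lifetime
    out["after_expiry"] = reg.lookup("edge-rtr-1", eid)
    return out


if __name__ == "__main__":
    print(demo())
    for bits in (64, 80):
        print(bits, "bits:", guess_probability(bits, live_eids=1000, guesses=10**9))
```

The model makes the argument concrete: an unprovisioned caller is refused before the EID is even consulted, so a guessed EID yields no RLOC, and with 1000 live EIDs a billion blind guesses against 64 random bits succeed with probability on the order of 5e-8, which falls by a further 2^16 when the random part is widened to 80 bits.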