[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
Christian Vogt wrote:
PS: In all of the above, we are talking about the initial mapping
provisioning for the receiving side. While the benefits of public-key
authentication are IMO limited in this case, public-key authentication
may very well be suited for mapping /updates/, which a sending side may
want to communicate to a receiving side for TE reasons.
I think discussion on this is certainly going to be good at
understanding the security
implications of various design decisions and models, including looking
at where "evil"
packets might be seen, what they might look like, and what impact they
could have.
(I'll try to keep this short and structured.)
We're considering traffic between a client and server.
We'll use lower-case "c" and "s" to designate respective elements.
Hc -> Hs (client sends packet to server):
Hc(EIDc,EIDs) -> ITRc
ITRc(RLOCc1,RLOCs1) -> {Internet} -> ETRs
ETRs(EIDc,EIDs) -> Hs
Hs -> Hc (server sends response):
Design choice 1a (asymmetric use of ITR/ETR pairs):
Hs(EIDs,EIDc) -> ITRs
ITRs(RLOCs2,RLOCc2) -> {Internet} -> ETRc
ETRc(EIDs,EIDc) -> Hc
Design choice 1b (symmetric function on ITRs and ETRs):
Hs(EIDs,EIDc) -> ETRs
ETRs(RLOCs2,RLOCc2) -> {Internet} -> ITRc
ITRc(EIDs,EIDc) -> Hc
For purposes of this analysis, we will presume that "evil" packets will
only show up via "Internet" paths above.
Possible "evil" intentions:
1. Hijack client identity
2. Hijack server identity
3. Spoof packets into stream
4. Denial of Service
5. (Any others I have overlooked?)
Hijack client identity: This would require changing either static
mapping, or dynamic (update) mapping.
Prevention methods:
* Secure static mappings (e.g. via DNSSEC)
* Limit dynamic information to reachability only (relative to static
mappings)
* Require forward lookups on EIDc for any Hs->Hc traffic
Hijack server identity: same as Hijack client identity
Spoof packets into stream:
Spoofed packets have spoofed-EID with actual RLOC values (can't be
stopped by BCP-38)
Prevention methods:
* validate source EID->RLOC (as appropriate, if possible),
reject mismatches
Spoofed packets have spoofed-EID with spoofed RLOC values (spoof
with real EID->RLOC mapping)
* cannot be detected by ETRs (!!)
* can be prevented by BCP-38 (which is far from universal)
* likely to be one DoS vector
Denial of Service: in addition to any vectors above, spoofed
reachability signaling can result in complete DoS
Prevention methods:
* secure signaling control plane/path (may not scale)
* limit exposure by de-preferring RLOCs rather than withdrawing them
o DoS only possible if one or more RLOCs is truly suffering an
outage
o window of vulnerability can be further limited by updates to
static mappings, either when an outage happens, or in
response to a DoS+outage
o TE capability may be best accomplished administratively
rather than dynamically, analogous to MX preference levels
on EID->RLOC map entries
Summary:
Any design should include:
* secure EID->RLOC mappings
* signaling of reachability rather than new RLOC mappings
* signaling of degradation (deprefering RLOCs) rather than outage
(unreachable)
* forward lookups on source EID->RLOC to validate received packets
* TE done by administrative control on mappings rather than via
signalling
* push further adoption of BCP-38 in the operator community
All other kinds of DoS traffic, are not unique to LISP, but rather are
general to any client-server or p2p connections.
Brian Dickson
--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg