rfcdiff: draft-ietf-lisp-threats-12.txt vs. draft-ietf-lisp-threats-13.txt

Network Working Group                                   D. Saucez
Internet-Draft                                          INRIA
Intended status: Informational                          L. Iannone
Expires: [draft-12: September 6, 2015 | draft-13: February 27, 2016]
                                                        Telecom ParisTech
                                                        O. Bonaventure
                                                        Universite catholique de Louvain
[draft-12: March 5, 2015 | draft-13: August 26, 2015]

LISP Threats Analysis
[draft-12: draft-ietf-lisp-threats-12.txt | draft-13: draft-ietf-lisp-threats-13.txt]
Abstract

This document proposes a threat analysis of the Locator/Identifier Separation Protocol (LISP).

[draft-12: Status of This Memo | draft-13: Status of this Memo]

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on [draft-12: September 6, 2015 | draft-13: February 27, 2016].

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents (page number; where the two drafts differ, shown as draft-12 | draft-13)

1. Introduction  2 | 3
2. Threat model  3
2.1. Attacker's Operation Modes  4
2.1.1. On-path vs. Off-path Attackers  4
2.1.2. Internal vs. External Attackers  4
2.1.3. Live vs. Time-shifted attackers  4
2.1.4. Control-plane vs. Data-plane attackers  5
2.1.5. Cross mode attackers  5
2.2. Threat categories  5
2.2.1. Replay attack  5
2.2.2. Packet manipulation  5
2.2.3. Packet interception and suppression  6
2.2.4. Spoofing  6
2.2.5. Rogue attack  7
2.2.6. Denial of Service (DoS) attack  7
2.2.7. Performance attack  7
2.2.8. Intrusion attack  7
2.2.9. Amplification attack  7
2.2.10. Multi-category attacks  7
3. Attack vectors  7
3.1. Gleaning  8
3.2. Locator Status Bits  9
3.3. Map-Version  10
3.4. Routing Locator Reachability  11 | 10
3.5. Instance ID  12 | 11
3.6. Interworking  12
3.7. Map-Request messages  12
3.8. Map-Reply messages  13
3.9. Map-Register messages  14
3.10. Map-Notify messages  15
4. Note on Privacy  15
5. Threats Mitigation  15
6. Security Considerations  16
7. IANA Considerations  16
8. Acknowledgments  16
9. References  17
9.1. Normative References  17
9.2. Informative References  17
Appendix A. Document Change Log  18
Authors' Addresses  20
1. Introduction

The Locator/ID Separation Protocol (LISP) is specified in [RFC6830]. The present document assesses the potential security threats identified in the LISP specifications if LISP is deployed in the Internet (i.e., a public non-trustable environment).

The document is composed of three main parts: the first defines the general threat model that attackers can follow to mount attacks. The
[skipping to change at page 5, line 14]
2.1.4. Control-plane vs. Data-plane attackers

A control-plane attacker mounts its attack by using control-plane functionalities, typically the mapping system.

A data-plane attacker mounts its attack by using data-plane functionalities.

As there is no complete isolation between the control-plane and the data-plane, an attacker can operate in the control-plane (resp. data-plane) to mount attacks targeting the data-plane (resp. control-plane) or keep the attacked and targeted planes at the same layer (i.e., from control-plane to control-plane or from data-plane to data-plane).

2.1.5. Cross mode attackers

The attacker modes of operation are not mutually exclusive and hence attackers can combine them to mount attacks.

For example, an attacker can launch an attack using the control-plane directly from within a LISP site to which it got temporary access (i.e., internal + control-plane attacker) to create a vulnerability on its target and later on (i.e., time-shifted + external attacker)
[skipping to change at page 12, line 25 (draft-12) / page 12, line 19 (draft-13)]
3.6. Interworking

[RFC6832] defines Proxy-ITR and Proxy-ETR network elements to allow LISP and non-LISP sites to communicate. The Proxy-ITR has functionality similar to the ITR; however, its main purpose is to encapsulate packets arriving from the DFZ in order to reach LISP sites. A Proxy-ETR has functionality similar to the ETR; however, its main purpose is to inject de-encapsulated packets in the DFZ in order to reach non-LISP sites from LISP sites. As a PITR (resp. PETR) is a particular case of ITR (resp. ETR), it is subject to the same attacks as ITRs (resp. ETRs).

As with any other system relying on proxies, LISP interworking can be used by attackers to hide their exact origin in the network.

3.7. Map-Request messages

A control-plane off-path attacker can exploit Map-Request messages to mount DoS, performance, or amplification attacks. By sending Map-Request messages at high rate, the attacker can overload nodes involved in the mapping system. For instance, sending Map-Requests at
[skipping to change at page 17, line 8]
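The high-rate Map-Request threat of Section 3.7 is something a Map-Resolver or Map-Server operator can watch for in its own logs. The following is an added example, not code from the draft or from any LISP implementation; it assumes a constructed log format (timestamp, outer source RLOC, requested EID-prefix, ITR-RLOC list) and flags two things: sources whose Map-Request rate exceeds a per-window threshold (DoS/performance), and requests whose outer source is absent from the ITR-RLOC list that LISP uses as the Map-Reply destination, which is the pattern a reflected request would show.

```python
"""Flag Map-Request floods and suspicious ITR-RLOC fields in resolver logs.

Added example, not code from draft-ietf-lisp-threats or any LISP project.
Assumed (constructed) log format, one Map-Request per line:
    <epoch seconds> src=<outer source RLOC> eid=<EID-prefix> itr-rloc=<RLOC[,RLOC...]>
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) src=(?P<src>\S+) eid=(?P<eid>\S+) itr-rloc=(?P<itr>\S+)$"
)


def parse(line):
    """Parse one constructed log line into a record dict."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable Map-Request log line: {line!r}")
    return {"ts": float(m["ts"]), "src": m["src"], "eid": m["eid"],
            "itr": m["itr"].split(",")}


def analyse(lines, window=1.0, max_per_window=10):
    """Return (flooders, reflected).

    flooders:  {src RLOC: peak number of Map-Requests seen in any sliding
               window of `window` seconds} for sources above max_per_window.
    reflected: records whose outer source RLOC is absent from the ITR-RLOC
               list.  The Map-Reply is sent to the ITR-RLOCs carried in the
               request, so a mismatch is how a spoofed request would steer
               replies at a third party.  Multihomed ITRs can produce the
               same pattern legitimately, so treat this as a heuristic.
    """
    records = sorted((parse(line) for line in lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)
    reflected = []
    for rec in records:
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
        if rec["src"] not in rec["itr"]:
            reflected.append(rec)
    flooders = {src: n for src, n in peak.items() if n > max_per_window}
    return flooders, reflected


# Constructed sample: a well-behaved ITR, a flooder, and one request whose
# ITR-RLOC list points at someone else (RFC 5737 documentation addresses).
SAMPLE_LOG = (
    [f"{1000 + i * 0.3:.1f} src=192.0.2.1 eid=10.1.0.0/16 itr-rloc=192.0.2.1"
     for i in range(5)]
    + [f"{1001 + i * 0.01:.2f} src=198.51.100.7 eid=10.{i}.0.0/16 "
       f"itr-rloc=198.51.100.7" for i in range(30)]
    + ["1003.0 src=203.0.113.9 eid=10.2.0.0/16 itr-rloc=192.0.2.1,192.0.2.2"]
)

if __name__ == "__main__":
    flooders, reflected = analyse(SAMPLE_LOG)
    for src, n in flooders.items():
        print(f"rate-limit candidate {src}: {n} Map-Requests in one window")
    for rec in reflected:
        print(f"ITR-RLOC mismatch from {rec['src']}: replies would go to {rec['itr']}")
```

With the sample input the flooder is reported with a peak of 30 requests in a one-second window and the mismatched request is listed separately; the well-behaved ITR peaks at 4 and stays below the default threshold.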
The authors would like to thank Ronald Bonica, Albert Cabellos, Ross Callon, Noel Chiappa, Florin Coras, Vina Ermagan, Dino Farinacci, Stephen Farrell, Joel Halpern, Emily Hiltzik, Darrel Lewis, Edward Lopez, Fabio Maino, Terry Manderson, and Jeff Wheeler for their comments.

This work has been partially supported by the INFSO-ICT-216372 TRILOGY Project (www.trilogy-project.org).

The work of Luigi Iannone has been partially supported by the ANR-13-INFR-0009 LISP-Lab Project (www.lisp-lab.org) and the EIT KIC ICT-Labs SOFNETS Project.
9. References

9.1. Normative References

[RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013, <http://www.rfc-editor.org/info/rfc6830>.

[RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, "Interworking between Locator/ID Separation Protocol (LISP) and Non-LISP Sites", RFC 6832, DOI 10.17487/RFC6832, January 2013, <http://www.rfc-editor.org/info/rfc6832>.

[RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation Protocol (LISP) Map-Server Interface", RFC 6833, DOI 10.17487/RFC6833, January 2013, <http://www.rfc-editor.org/info/rfc6833>.

[RFC6834] Iannone, L., Saucez, D., and O. Bonaventure, "Locator/ID Separation Protocol (LISP) Map-Versioning", RFC 6834, DOI 10.17487/RFC6834, January 2013, <http://www.rfc-editor.org/info/rfc6834>.

[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, <http://www.rfc-editor.org/info/rfc6973>.

9.2. Informative References

[I-D.bagnulo-lisp-threat] Bagnulo, M., "Preliminary LISP Threat Analysis", draft-bagnulo-lisp-threat-01 (work in progress), July 2007.

[I-D.ietf-lisp-ddt] Fuller, V., Lewis, D., Ermagan, V., and A. Jain, "LISP Delegated Database Tree", [draft-12: draft-ietf-lisp-ddt-02 (work in progress), October 2014 | draft-13: draft-ietf-lisp-ddt-03 (work in progress), April 2015].

[I-D.ietf-lisp-sec] Maino, F., Ermagan, V., Cabellos-Aparicio, A., and D. Saucez, "LISP-Security (LISP-SEC)", [draft-12: draft-ietf-lisp-sec-07 (work in progress), October 2014 | draft-13: draft-ietf-lisp-sec-08 (work in progress), April 2015].

[RFC7215] Jakab, L., Cabellos-Aparicio, A., Coras, F., Domingo-Pascual, J., and D. Lewis, "Locator/Identifier Separation Protocol (LISP) Network Element Deployment Considerations", RFC 7215, DOI 10.17487/RFC7215, April 2014, <http://www.rfc-editor.org/info/rfc7215>.

[Trilogy] Saucez, D. and L. Iannone, "How to mitigate the effect of scans on mapping systems", Trilogy Future Internet Summer School, 2009.
Appendix A. Document Change Log

o Version 13 Posted August 2015. [draft-13 only]
  * Keepalive version.

o Version 12 Posted March 2015.
  * Addressed comments by Ross Callon on the mailing list (http://www.ietf.org/mail-archive/web/lisp/current/msg05829.html).
  * Addition of a section discussing mitigation techniques for deployments in non-trustable environments.

o Version 11 Posted December 2014.
  * Editorial polishing. Clarifications added in few points.

o Version 10 Posted July 2014.
  * Document completely remodeled according to the discussions on the mailing list in the thread http://www.ietf.org/mail-archive/web/lisp/current/msg05206.html and to address comments from Ronald Bonica and Ross Callon.

o Version 09 Posted March 2014.
  * Updated document according to the review of A. Cabellos.

o Version 08 Posted October 2013.
  * Addition of a privacy consideration note.
  * Editorial changes

o Version 07 Posted October 2013.
  * This version is updated according to the thorough review made
[skipping to change at page 19, line 26 (draft-12) / page 19, line 40 (draft-13)]
o Version 04 Posted February 2013.
  * Clear statement that the document compares threats of public LISP deployments with threats in the current Internet architecture.
  * Addition of a severity level discussion at the end of each section.
  * Addressed comments from V. Ermagan and D. Lewis' reviews.
  * Updated References.
  * Further editorial polishing.

o Version 03 Posted October 2012.
  * Dropped Reference to RFC 2119 notation because it is not actually used in the document.
[skipping to change at page 20, line 32 (draft-12) / page 21, line 4 (draft-13)]
Authors' Addresses

Damien Saucez
INRIA
2004 route des Lucioles BP 93
06902 Sophia Antipolis Cedex
France
Email: damien.saucez@inria.fr

Luigi Iannone
Telecom ParisTech
23, Avenue d'Italie, CS 51327
75214 PARIS Cedex 13
France
Email: [draft-12: luigi.iannone@telecom-paristech.fr | draft-13: ggx@gigix.net]

Olivier Bonaventure
Universite catholique de Louvain
Place St. Barbe 2
Louvain la Neuve
Belgium
Email: olivier.bonaventure@uclouvain.be
End of changes. 26 change blocks. 80 lines changed or deleted; 90 lines changed or added.

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/