--- 1/draft-ietf-lisp-threats-12.txt 2015-08-26 04:15:20.684429114 -0700 +++ 2/draft-ietf-lisp-threats-13.txt 2015-08-26 04:15:20.728430188 -0700 
@@ -1,101 +1,101 @@ Network Working Group D. Saucez Internet-Draft INRIA Intended status: Informational L. Iannone -Expires: September 6, 2015 Telecom ParisTech +Expires: February 27, 2016 Telecom ParisTech O. Bonaventure Universite catholique de Louvain - March 5, 2015 + August 26, 2015 LISP Threats Analysis - draft-ietf-lisp-threats-12.txt + draft-ietf-lisp-threats-13.txt Abstract This document proposes a threat analysis of the Locator/Identifier Separation Protocol (LISP). -Status of This Memo +Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 6, 2015. + This Internet-Draft will expire on February 27, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2. 
Threat model . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2.1. Attacker's Operation Modes . . . . . . . . . . . . . . . 4 - 2.1.1. On-path vs. Off-path Attackers . . . . . . . . . . . 4 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Threat model . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.1. Attacker's Operation Modes . . . . . . . . . . . . . . . . 4 + 2.1.1. On-path vs. Off-path Attackers . . . . . . . . . . . . 4 2.1.2. Internal vs. External Attackers . . . . . . . . . . . 4 2.1.3. Live vs. Time-shifted attackers . . . . . . . . . . . 4 - 2.1.4. Control-plane vs. Data-plane attackers . . . . . . . 5 - 2.1.5. Cross mode attackers . . . . . . . . . . . . . . . . 5 + 2.1.4. Control-plane vs. Data-plane attackers . . . . . . . . 5 + 2.1.5. Cross mode attackers . . . . . . . . . . . . . . . . . 5 2.2. Threat categories . . . . . . . . . . . . . . . . . . . . 5 2.2.1. Replay attack . . . . . . . . . . . . . . . . . . . . 5 2.2.2. Packet manipulation . . . . . . . . . . . . . . . . . 5 2.2.3. Packet interception and suppression . . . . . . . . . 6 - 2.2.4. Spoofing . . . . . . . . . . . . . . . . . . . . . . 6 - 2.2.5. Rogue attack . . . . . . . . . . . . . . . . . . . . 7 - 2.2.6. Denial of Service (DoS) attack . . . . . . . . . . . 7 - 2.2.7. Performance attack . . . . . . . . . . . . . . . . . 7 - 2.2.8. Intrusion attack . . . . . . . . . . . . . . . . . . 7 - 2.2.9. Amplification attack . . . . . . . . . . . . . . . . 7 - 2.2.10. Multi-category attacks . . . . . . . . . . . . . . . 7 - 3. Attack vectors . . . . . . . . . . . . . . . . . . . . . . . 7 - 3.1. Gleaning . . . . . . . . . . . . . . . . . . . . . . . . 8 + 2.2.4. Spoofing . . . . . . . . . . . . . . . . . . . . . . . 6 + 2.2.5. Rogue attack . . . . . . . . . . . . . . . . . . . . . 7 + 2.2.6. Denial of Service (DoS) attack . . . . . . . . . . . . 7 + 2.2.7. Performance attack . . . . . . . . . . . . . . . . . . 7 + 2.2.8. Intrusion attack . . . . . . . . . . 
. . . . . . . . . 7 + 2.2.9. Amplification attack . . . . . . . . . . . . . . . . . 7 + 2.2.10. Multi-category attacks . . . . . . . . . . . . . . . . 7 + 3. Attack vectors . . . . . . . . . . . . . . . . . . . . . . . . 7 + 3.1. Gleaning . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.2. Locator Status Bits . . . . . . . . . . . . . . . . . . . 9 3.3. Map-Version . . . . . . . . . . . . . . . . . . . . . . . 10 - 3.4. Routing Locator Reachability . . . . . . . . . . . . . . 11 - 3.5. Instance ID . . . . . . . . . . . . . . . . . . . . . . . 12 - 3.6. Interworking . . . . . . . . . . . . . . . . . . . . . . 12 - 3.7. Map-Request messages . . . . . . . . . . . . . . . . . . 12 - 3.8. Map-Reply messages . . . . . . . . . . . . . . . . . . . 13 + 3.4. Routing Locator Reachability . . . . . . . . . . . . . . . 10 + 3.5. Instance ID . . . . . . . . . . . . . . . . . . . . . . . 11 + 3.6. Interworking . . . . . . . . . . . . . . . . . . . . . . . 12 + 3.7. Map-Request messages . . . . . . . . . . . . . . . . . . . 12 + 3.8. Map-Reply messages . . . . . . . . . . . . . . . . . . . . 13 3.9. Map-Register messages . . . . . . . . . . . . . . . . . . 14 3.10. Map-Notify messages . . . . . . . . . . . . . . . . . . . 15 4. Note on Privacy . . . . . . . . . . . . . . . . . . . . . . . 15 - 5. Threats Mitigation . . . . . . . . . . . . . . . . . . . . . 15 + 5. Threats Mitigation . . . . . . . . . . . . . . . . . . . . . . 15 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 17 - 9.2. Informative References . . . . . . . . . . . . . . . . . 17 - Appendix A. Document Change Log . . . . . . . . . . . . . . . . 18 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 + 9. 
References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 9.1. Normative References . . . . . . . . . . . . . . . . . . . 17 + 9.2. Informative References . . . . . . . . . . . . . . . . . . 17 + Appendix A. Document Change Log . . . . . . . . . . . . . . . . . 18 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 1. Introduction The Locator/ID Separation Protocol (LISP) is specified in [RFC6830]. The present document assess the potential security threats identified in the LISP specifications if LISP is deployed in the Internet (i.e., a public non-trustable environment). The document is composed of three main parts: the first defines the general threat model that attackers can follow to mount attacks. The 
@@ -186,25 +186,25 @@ 2.1.4. Control-plane vs. Data-plane attackers A control-plane attacker mounts its attack by using control-plane functionalities, typically the mapping system. A data-plane attacker mounts its attack by using data-plane functionalities. As there is no complete isolation between the control-plane and the - data-plane, an attacker can operate in the control-plane (resp. - data-plane) to mount attacks targeting the data-plane (resp. - control-plane) or keep the attacked and targeted planes at the same - layer (i.e., from control-plane to control-plane or from data-plane - to data-plane). + data-plane, an attacker can operate in the control-plane (resp. data- + plane) to mount attacks targeting the data-plane (resp. control- + plane) or keep the attacked and targeted planes at the same layer + (i.e., from control-plane to control-plane or from data-plane to + data-plane). 2.1.5. Cross mode attackers The attacker modes of operation are not mutually exclusive and hence attackers can combine them to mount attacks. For example, an attacker can launch an attack using the control-plane directly from within a LISP site to which it got temporary access (i.e., internal + control-plane attacker) to create a vulnerability on its target and later on (i.e., time-shifted + external attacker) 
@@ -746,95 +746,106 @@ The authors would like to thank Ronald Bonica, Albert Cabellos, Ross Callon, Noel Chiappa, Florin Coras, Vina Ermagan, Dino Farinacci, Stephen Farrell, Joel Halpern, Emily Hiltzik, Darrel Lewis, Edward Lopez, Fabio Maino, Terry Manderson, and Jeff Wheeler for their comments. This work has been partially supported by the INFSO-ICT-216372 TRILOGY Project (www.trilogy-project.org). - The work of Luigi Iannone has been partially supported by the ANR- - 13-INFR-0009 LISP-Lab Project (www.lisp-lab.org) and the EIT KIC ICT- + The work of Luigi Iannone has been partially supported by the ANR-13- + INFR-0009 LISP-Lab Project (www.lisp-lab.org) and the EIT KIC ICT- Labs SOFNETS Project. 9. References 9.1. Normative References [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The - Locator/ID Separation Protocol (LISP)", RFC 6830, January - 2013. + Locator/ID Separation Protocol (LISP)", RFC 6830, + DOI 10.17487/RFC6830, January 2013, + . [RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, "Interworking between Locator/ID Separation Protocol - (LISP) and Non-LISP Sites", RFC 6832, January 2013. + (LISP) and Non-LISP Sites", RFC 6832, DOI 10.17487/ + RFC6832, January 2013, + . [RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation - Protocol (LISP) Map-Server Interface", RFC 6833, January - 2013. + Protocol (LISP) Map-Server Interface", RFC 6833, + DOI 10.17487/RFC6833, January 2013, + . [RFC6834] Iannone, L., Saucez, D., and O. Bonaventure, "Locator/ID Separation Protocol (LISP) Map-Versioning", RFC 6834, - January 2013. + DOI 10.17487/RFC6834, January 2013, + . [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy - Considerations for Internet Protocols", RFC 6973, July - 2013. + Considerations for Internet Protocols", RFC 6973, + DOI 10.17487/RFC6973, July 2013, + . 9.2. 
Informative References [I-D.bagnulo-lisp-threat] - Bagnulo, M., "Preliminary LISP Threat Analysis", draft- - bagnulo-lisp-threat-01 (work in progress), July 2007. + Bagnulo, M., "Preliminary LISP Threat Analysis", + draft-bagnulo-lisp-threat-01 (work in progress), + July 2007. [I-D.ietf-lisp-ddt] Fuller, V., Lewis, D., Ermagan, V., and A. Jain, "LISP - Delegated Database Tree", draft-ietf-lisp-ddt-02 (work in - progress), October 2014. + Delegated Database Tree", draft-ietf-lisp-ddt-03 (work in + progress), April 2015. [I-D.ietf-lisp-sec] Maino, F., Ermagan, V., Cabellos-Aparicio, A., and D. - Saucez, "LISP-Security (LISP-SEC)", draft-ietf-lisp-sec-07 - (work in progress), October 2014. + Saucez, "LISP-Security (LISP-SEC)", draft-ietf-lisp-sec-08 + (work in progress), April 2015. [RFC7215] Jakab, L., Cabellos-Aparicio, A., Coras, F., Domingo- Pascual, J., and D. Lewis, "Locator/Identifier Separation Protocol (LISP) Network Element Deployment - Considerations", RFC 7215, April 2014. + Considerations", RFC 7215, DOI 10.17487/RFC7215, + April 2014, . [Trilogy] Saucez, D. and L. Iannone, "How to mitigate the effect of scans on mapping systems", Trilogy Future Internet Summer School., 2009. Appendix A. Document Change Log + o Version 13 Posted August 2015. + + * Keepalive version. + o Version 12 Posted March 2015. - * Addressed comments by Ross Callon on the mailing list - (http://www.ietf.org/mail-archive/web/lisp/current/ - msg05829.html). + * Addressed comments by Ross Callon on the mailing list (http:// + www.ietf.org/mail-archive/web/lisp/current/msg05829.html). * Addition of a section discussing mitigation techniques for deployments in non-trustable environments. o Version 11 Posted December 2014. * Editorial polishing. Clarifications added in few points. o Version 10 Posted July 2014. 
* Document completely remodeled according to the discussions on - the mailing list in the thread http://www.ietf.org/mail- - archive/web/lisp/current/msg05206.html and to address comments - from Ronald Bonica and Ross Callon. + the mailing list in the thread + http://www.ietf.org/mail-archive/web/lisp/current/msg05206.html + and to address comments from Ronald Bonica and Ross Callon. o Version 09 Posted March 2014. * Updated document according to the review of A. Cabellos. o Version 08 Posted October 2013. * Addition of a privacy consideration note. * Editorial changes @@ -916,26 +927,25 @@ Authors' Addresses Damien Saucez INRIA 2004 route des Lucioles BP 93 06902 Sophia Antipolis Cedex France Email: damien.saucez@inria.fr - Luigi Iannone Telecom ParisTech 23, Avenue d'Italie, CS 51327 75214 PARIS Cedex 13 France - Email: luigi.iannone@telecom-paristech.fr + Email: ggx@gigix.net Olivier Bonaventure Universite catholique de Louvain Place St. Barbe 2 Louvain la Neuve Belgium Email: olivier.bonaventure@uclouvain.be
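Review bot: in the first hunk (@@ -1,101 +1,101 @@) the heading change from "Status of This Memo" to "Status of this Memo" is a regression against the standard Internet-Draft boilerplate, which capitalizes "This"; keep "Status of This Memo" as in -12. Since the hunk already touches the front matter, the unchanged context sentence "The present document assess the potential security threats" should read "assesses". The expiry date, version string and table-of-contents page renumbering in this hunk are consistent with one another.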
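Review bot: the re-wrap in the second hunk (@@ -186,25 +186,25 @@) is content-neutral, but it now splits the already-hyphenated terms across lines as "data-" / "plane" and "control-" / "plane", so a reader cannot tell whether the line-end hyphen belongs to the compound or to the wrap; prefer a wrap that keeps "data-plane" and "control-plane" intact on one line, as the -12 text did. In the same hunk's unchanged context, Section 2.1.5 uses "+" as shorthand for "and" ("internal + control-plane attacker"); spelling it out reads better in an RFC-style document.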
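Review bot: in the third hunk (@@ -746,95 +746,106 @@) each new reference entry for RFC 6830, 6832, 6833, 6834, 6973 and 7215 ends with a bare " ." after the date, where the DOI-style citation normally carries the rfc-editor URL; confirm the URL was not dropped from each entry before posting. The added change-log entry "Version 13 ... Keepalive version." also understates what this hunk does: the normative entries gained DOIs, [I-D.ietf-lisp-ddt] moved from -02 to -03 and [I-D.ietf-lisp-sec] from -07 to -08, and listing those keeps Appendix A a usable record. The unchanged [Trilogy] entry carries a stray period in "Summer School., 2009".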
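Review bot: the last hunk (@@ -916,26 +927,25 @@) changes Luigi Iannone's contact to "ggx@gigix.net" while leaving the Telecom ParisTech affiliation and postal address in place; confirm the move to a non-affiliation address is intended, and record the contact update in the Appendix A change log, which for version 13 currently says only "Keepalive version". The hunk also appears to drop a blank line between Damien Saucez's and Luigi Iannone's entries (the hunk shrinks from 26 to 25 lines), leaving the author blocks unevenly spaced; restore it so the three entries are separated consistently.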