draft-ietf-lisp-threats-14.txt   draft-ietf-lisp-threats-15.txt 
Network Working Group D. Saucez Network Working Group D. Saucez
Internet-Draft INRIA Internet-Draft INRIA
Intended status: Informational L. Iannone Intended status: Informational L. Iannone
Expires: June 22, 2016 Telecom ParisTech Expires: August 1, 2016 Telecom ParisTech
O. Bonaventure O. Bonaventure
Universite catholique de Louvain Universite catholique de Louvain
December 20, 2015 January 29, 2016
LISP Threats Analysis LISP Threats Analysis
draft-ietf-lisp-threats-14.txt draft-ietf-lisp-threats-15.txt
Abstract Abstract
This document provides a threat analysis of the Locator/Identifier This document provides a threat analysis of the Locator/Identifier
Separation Protocol (LISP). Separation Protocol (LISP).
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 22, 2016. This Internet-Draft will expire on August 1, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Threat model . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Threat model . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Attacker's Operation Modes . . . . . . . . . . . . . . . . 4 2.1. Attacker's Operation Modes . . . . . . . . . . . . . . . . 4
2.1.1. On-path vs. Off-path Attackers . . . . . . . . . . . . 4 2.1.1. On-path vs. Off-path Attackers . . . . . . . . . . . . 4
2.1.2. Internal vs. External Attackers . . . . . . . . . . . 4 2.1.2. Internal vs. External Attackers . . . . . . . . . . . 4
2.1.3. Live vs. Time-shifted attackers . . . . . . . . . . . 4 2.1.3. Live vs. Time-shifted attackers . . . . . . . . . . . 5
2.1.4. Control-plane vs. Data-plane attackers . . . . . . . . 5 2.1.4. Control-plane vs. Data-plane attackers . . . . . . . . 5
2.1.5. Cross mode attackers . . . . . . . . . . . . . . . . . 5 2.1.5. Cross mode attackers . . . . . . . . . . . . . . . . . 5
2.2. Threat categories . . . . . . . . . . . . . . . . . . . . 5 2.2. Threat categories . . . . . . . . . . . . . . . . . . . . 5
2.2.1. Replay attack . . . . . . . . . . . . . . . . . . . . 5 2.2.1. Replay attack . . . . . . . . . . . . . . . . . . . . 5
2.2.2. Packet manipulation . . . . . . . . . . . . . . . . . 5 2.2.2. Packet manipulation . . . . . . . . . . . . . . . . . 6
2.2.3. Packet interception and suppression . . . . . . . . . 6 2.2.3. Packet interception and suppression . . . . . . . . . 6
2.2.4. Spoofing . . . . . . . . . . . . . . . . . . . . . . . 6 2.2.4. Spoofing . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.5. Rogue attack . . . . . . . . . . . . . . . . . . . . . 7 2.2.5. Rogue attack . . . . . . . . . . . . . . . . . . . . . 7
2.2.6. Denial of Service (DoS) attack . . . . . . . . . . . . 7 2.2.6. Denial of Service (DoS) attack . . . . . . . . . . . . 7
2.2.7. Performance attack . . . . . . . . . . . . . . . . . . 7 2.2.7. Performance attack . . . . . . . . . . . . . . . . . . 7
2.2.8. Intrusion attack . . . . . . . . . . . . . . . . . . . 7 2.2.8. Intrusion attack . . . . . . . . . . . . . . . . . . . 7
2.2.9. Amplification attack . . . . . . . . . . . . . . . . . 7 2.2.9. Amplification attack . . . . . . . . . . . . . . . . . 7
2.2.10. Multi-category attacks . . . . . . . . . . . . . . . . 7 2.2.10. Passive Monitoring Attacks . . . . . . . . . . . . . . 8
3. Attack vectors . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2.11. Multi-category attacks . . . . . . . . . . . . . . . . 8
3. Attack vectors . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Gleaning . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1. Gleaning . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2. Locator Status Bits . . . . . . . . . . . . . . . . . . . 9 3.2. Locator Status Bits . . . . . . . . . . . . . . . . . . . 9
3.3. Map-Version . . . . . . . . . . . . . . . . . . . . . . . 10 3.3. Map-Version . . . . . . . . . . . . . . . . . . . . . . . 10
3.4. Routing Locator Reachability . . . . . . . . . . . . . . . 11 3.4. Routing Locator Reachability . . . . . . . . . . . . . . . 11
3.5. Instance ID . . . . . . . . . . . . . . . . . . . . . . . 12 3.5. Instance ID . . . . . . . . . . . . . . . . . . . . . . . 12
3.6. Interworking . . . . . . . . . . . . . . . . . . . . . . . 12 3.6. Interworking . . . . . . . . . . . . . . . . . . . . . . . 12
3.7. Map-Request messages . . . . . . . . . . . . . . . . . . . 12 3.7. Map-Request messages . . . . . . . . . . . . . . . . . . . 12
3.8. Map-Reply messages . . . . . . . . . . . . . . . . . . . . 13 3.8. Map-Reply messages . . . . . . . . . . . . . . . . . . . . 13
3.9. Map-Register messages . . . . . . . . . . . . . . . . . . 14 3.9. Map-Register messages . . . . . . . . . . . . . . . . . . 15
3.10. Map-Notify messages . . . . . . . . . . . . . . . . . . . 15 3.10. Map-Notify messages . . . . . . . . . . . . . . . . . . . 15
4. Note on Privacy . . . . . . . . . . . . . . . . . . . . . . . 15 4. Note on Privacy . . . . . . . . . . . . . . . . . . . . . . . 15
5. Threats Mitigation . . . . . . . . . . . . . . . . . . . . . . 15 5. Threats Mitigation . . . . . . . . . . . . . . . . . . . . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
9.1. Normative References . . . . . . . . . . . . . . . . . . . 17 9.1. Normative References . . . . . . . . . . . . . . . . . . . 17
9.2. Informative References . . . . . . . . . . . . . . . . . . 18 9.2. Informative References . . . . . . . . . . . . . . . . . . 18
Appendix A. Document Change Log (to be removed on publication) . 18 Appendix A. Document Change Log (to be removed on publication) . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
The Locator/ID Separation Protocol (LISP) is specified in [RFC6830]. The Locator/ID Separation Protocol (LISP) is specified in [RFC6830].
This document provides an assessment of the potential security This document provides an assessment of the potential security
threats for the current LISP specifications if LISP is deployed in threats for the current LISP specifications if LISP is deployed in
the Internet (i.e., a public non-trustable environment). the Internet (i.e., a public non-trustable environment).
The document is composed of three main parts: the first defines a The document is composed of three main parts: the first defines a
general threat model that attackers use to mount attacks. The second general threat model that attackers use to mount attacks. The second
part, using this threat model, describes the techniques based on the part, using this threat model, describes the techniques based on the
LISP protocol and LISP architecture that attackers may use to LISP protocol and LISP architecture that attackers may use to
construct attacks. The third part discusses mitigation techniques construct attacks. The third part discusses mitigation techniques
and general solutions to protect the LISP protocol and architecture and general solutions to protect the LISP protocol and architecture
from attacks. from attacks.
This document does not consider all the possible uses of LISP as This document does not consider all the possible uses of LISP as
discussed in [RFC6830] and [RFC7215]. The document focuses on LISP discussed in [RFC6830] and [RFC7215] and does not cover threats due
unicast, including as well LISP Interworking [RFC6832], LISP Map- to specific implementations. The document focuses on LISP unicast,
Server [RFC6833]), and LISP Map-Versioning [RFC6834]. The reader is including as well LISP Interworking [RFC6832], LISP Map-Server
assumed to be familiar with these documents for understanding the [RFC6833]), and LISP Map-Versioning [RFC6834]. Additional threats
present document. may be discovered in the future while deployment continues. The
reader is assumed to be familiar with these documents for
understanding the present document.
This document assumes a generic IP service and does not discuss the This document assumes a generic IP service and does not discuss the
difference, from a security viewpoint, between using IPv4 or IPv6. difference, from a security viewpoint, between using IPv4 or IPv6.
2. Threat model 2. Threat model
This document assumes that attackers can be located anywhere in the This document assumes that attackers can be located anywhere in the
Internet (either in LISP sites or outside LISP sites) and that Internet (either in LISP sites or outside LISP sites) and that
attacks can be mounted either by a single attacker or by the attacks can be mounted either by a single attacker or by the
collusion of several attackers. collusion of several attackers.
skipping to change at page 4, line 11 skipping to change at page 4, line 13
particular entity, or arbitrarily, i.e., any entity. Finally, an particular entity, or arbitrarily, i.e., any entity. Finally, an
attacker can aim at attacking one or several targets with a single attacker can aim at attacking one or several targets with a single
attack. attack.
Section 2.1 specifies the different modes of operation that attackers Section 2.1 specifies the different modes of operation that attackers
can follow to mount attacks and Section 2.2 specifies the different can follow to mount attacks and Section 2.2 specifies the different
categories of attacks that attackers can build. categories of attacks that attackers can build.
2.1. Attacker's Operation Modes 2.1. Attacker's Operation Modes
Attackers can be classified according to the following four modes of In this document attackers are classified according to their modes of
operation, i.e., the temporal and spacial diversity of the attacker. operation, i.e., the temporal and spacial diversity of the attacker.
These modes are not mutually exclusive, they can be used by attackers
in any combination, and other modes may be discovered in the future.
Further, attackers are not at all bound by our classification scheme,
so implementers and those deploying will always need to do additional
risk analysis for themselves.
2.1.1. On-path vs. Off-path Attackers 2.1.1. On-path vs. Off-path Attackers
On-path attackers, also known as Men-in-the-Middle, are able to On-path attackers, also known as Men-in-the-Middle, are able to
intercept and modify packets between legitimate communicating intercept and modify packets between legitimate communicating
entities. On-path attackers are located either directly on the entities. On-path attackers are located either directly on the
normal communication path (either by gaining access to a node on the normal communication path (either by gaining access to a node on the
path or by placing themselves directly on the path) or outside the path or by placing themselves directly on the path) or outside the
location path but manage to deviate (or gain a copy of) packets sent location path but manage to deviate (or gain a copy of) packets sent
between the communication entities. On-path attackers hence mount between the communication entities. On-path attackers hence mount
skipping to change at page 5, line 35 skipping to change at page 5, line 46
For example, an attacker can launch an attack using the control-plane For example, an attacker can launch an attack using the control-plane
directly from within a LISP site to which it is able to get temporary directly from within a LISP site to which it is able to get temporary
access (i.e., internal + control-plane attacker) to create a access (i.e., internal + control-plane attacker) to create a
vulnerability on its target and later on (i.e., time-shifted + vulnerability on its target and later on (i.e., time-shifted +
external attacker) mount an attack on the data plane (i.e., data- external attacker) mount an attack on the data plane (i.e., data-
plane attacker) that leverages the vulnerability. plane attacker) that leverages the vulnerability.
2.2. Threat categories 2.2. Threat categories
Attacks can be classified according to the nine following categories. Attacks can be classified according to the nine following categories.
These categories are not mutually exclusive and can be used by
attackers in any combination.
2.2.1. Replay attack 2.2.1. Replay attack
A replay attack happens when an attacker retransmits at a later time, A replay attack happens when an attacker retransmits at a later time,
and without modifying it, a packet (or a sequence of packets) that and without modifying it, a packet (or a sequence of packets) that
has already been transmitted. has already been transmitted.
2.2.2. Packet manipulation 2.2.2. Packet manipulation
A packet manipulation attack happens when an attacker receives a A packet manipulation attack happens when an attacker receives a
skipping to change at page 7, line 40 skipping to change at page 8, line 5
In an amplification attack, the traffic generated by the target of In an amplification attack, the traffic generated by the target of
the attack in response to the attack is larger than the traffic that the attack in response to the attack is larger than the traffic that
the attacker must generate. the attacker must generate.
In some cases, the data-plane can be several orders of magnitude In some cases, the data-plane can be several orders of magnitude
faster than the control-plane at processing packets. This difference faster than the control-plane at processing packets. This difference
can be exploited to overload the control-plane via the data-plane can be exploited to overload the control-plane via the data-plane
without overloading the data-plane. without overloading the data-plane.
2.2.10. Multi-category attacks 2.2.10. Passive Monitoring Attacks
An attacker can use pervasive monitoring, which is a technical attack
[RFC7258], targeting information about LISP traffic that may or not
be used to mount other type of attacks.
2.2.11. Multi-category attacks
Attacks categories are not mutually exclusive and any combination can Attacks categories are not mutually exclusive and any combination can
be used to perform specific attacks. be used to perform specific attacks.
For example, one can mount a rogue attack to perform a performance For example, one can mount a rogue attack to perform a performance
attack starving the memory of an ITR (Ingress Tunnel Router) attack starving the memory of an ITR (Ingress Tunnel Router)
resulting in a DoS (Denial-of-Service) on the ITR. resulting in a DoS (Denial-of-Service) on the ITR.
3. Attack vectors 3. Attack vectors
skipping to change at page 13, line 29 skipping to change at page 13, line 45
elements to relay its attacks and hide the origin of the attack. elements to relay its attacks and hide the origin of the attack.
Indeed, on the one hand, a Map Resolver is used to dispatch Map- Indeed, on the one hand, a Map Resolver is used to dispatch Map-
Request to the mapping system and, on the other hand, a Map Server is Request to the mapping system and, on the other hand, a Map Server is
used to dispatch Map-Requests coming from the mapping system to ETRs used to dispatch Map-Requests coming from the mapping system to ETRs
that are authoritative for the EID in the Map-Request. that are authoritative for the EID in the Map-Request.
3.8. Map-Reply messages 3.8. Map-Reply messages
Most of the security risks associated with Map-Reply messages will Most of the security risks associated with Map-Reply messages will
depend on the 64 bits nonce that is included in a Map-Request and depend on the 64 bits nonce that is included in a Map-Request and
returned in the Map-Reply. If an ETR does not accept Map-Reply returned in the Map-Reply. Given the size of the nonce (64 bits), if
messages with an invalid nonce, the risk of an off-path attack is best current practice is used [RFC4086] and if an ETR does not accept
limited given the size of the nonce (64 bits). Nevertheless, the Map-Reply messages with an invalid nonce, the risk of an off-path
nonce only confirms that the Map-Reply received was sent in response attack is limited. Nevertheless, the nonce only confirms that the
to a Map-Request sent, it does not validate the contents of that Map- Map-Reply received was sent in response to a Map-Request sent, it
Reply. does not validate the contents of that Map-Reply.
If an attacker manages to send a valid (i.e., in response to a Map- If an attacker manages to send a valid (i.e., in response to a Map-
Request and with the correct nonce) Map-Reply to an ITR, then it can Request and with the correct nonce) Map-Reply to an ITR, then it can
perform any of the attacks categorised in Section 2.2 as it can perform any of the attacks categorised in Section 2.2 as it can
inject forged mappings directly in the ITR EID-to-RLOC cache. For inject forged mappings directly in the ITR EID-to-RLOC cache. For
instance, if the mapping injected to the ITR points to the address of instance, if the mapping injected to the ITR points to the address of
a node controlled by the attacker, it can mount replay, packet a node controlled by the attacker, it can mount replay, packet
manipulation, packet interception and suppression, or DoS attacks, as manipulation, packet interception and suppression, or DoS attacks, as
it will receive every packet destined to a destination lying in the it will receive every packet destined to a destination lying in the
EID prefix of the injected mapping. In addition, the attacker can EID prefix of the injected mapping. In addition, the attacker can
skipping to change at page 16, line 11 skipping to change at page 16, line 26
The control-plane is the most critical part of LISP from a security The control-plane is the most critical part of LISP from a security
viewpoint and it is worth to notice that the LISP specifications viewpoint and it is worth to notice that the LISP specifications
already offer an authentication mechanism for mappings registration already offer an authentication mechanism for mappings registration
([RFC6833]). This mechanism, combined with LISP-SEC ([RFC6833]). This mechanism, combined with LISP-SEC
[I-D.ietf-lisp-sec], strongly mitigates threats in non-trustable [I-D.ietf-lisp-sec], strongly mitigates threats in non-trustable
environments such as the Internet. Moreover, an authentication data environments such as the Internet. Moreover, an authentication data
field for Map-Request messages and Encapsulated Control messages was field for Map-Request messages and Encapsulated Control messages was
allocated [RFC6830]. This field provides a general authentication allocated [RFC6830]. This field provides a general authentication
mechanism technique for the LISP control-plane which future mechanism technique for the LISP control-plane which future
specifications may use while staying backward compatible. The usage specifications may use while staying backward compatible. The exact
will be designed and defined specific for the needs of the technique still has to be designed and defined. To maximally
specification. The exact technique still has to be designed and mitigate the threats on the mapping system, authentication must be
defined. To maximally mitigate the threats on the mapping system, used, whenever possible, for both Map-Request and Map-Reply messages
authentication must be used, whenever possible, for both Map-Request and for messages exchanged internally among elements of the mapping
and Map-Reply messages and for messages exchanged internally among system, such as specified in [I-D.ietf-lisp-sec] and
elements of the mapping system, such as specified in [I-D.ietf-lisp-ddt].
[I-D.ietf-lisp-sec] and [I-D.ietf-lisp-ddt].
Systematically applying filters and rate-limitation, as proposed in Systematically applying filters and rate-limitation, as proposed in
[RFC6830], will mitigate most of the threats presented in this [RFC6830], will mitigate most of the threats presented in this
document. In order to minimise the risk of overloading the control- document. In order to minimise the risk of overloading the control-
plane with actions triggered from data-plane events, such actions plane with actions triggered from data-plane events, such actions
should be rate limited. should be rate limited.
Moreover, all information opportunistically learned (e.g., with LSB Moreover, all information opportunistically learned (e.g., with LSB
or gleaning) should be used with care until they are verified. For or gleaning) should be used with care until they are verified. For
example, a reachability change learned with LSB should not be used example, a reachability change learned with LSB should not be used
skipping to change at page 18, line 22 skipping to change at page 18, line 35
[I-D.ietf-lisp-ddt] [I-D.ietf-lisp-ddt]
Fuller, V., Lewis, D., Ermagan, V., and A. Jain, "LISP Fuller, V., Lewis, D., Ermagan, V., and A. Jain, "LISP
Delegated Database Tree", draft-ietf-lisp-ddt-03 (work in Delegated Database Tree", draft-ietf-lisp-ddt-03 (work in
progress), April 2015. progress), April 2015.
[I-D.ietf-lisp-sec] [I-D.ietf-lisp-sec]
Maino, F., Ermagan, V., Cabellos-Aparicio, A., and D. Maino, F., Ermagan, V., Cabellos-Aparicio, A., and D.
Saucez, "LISP-Security (LISP-SEC)", draft-ietf-lisp-sec-09 Saucez, "LISP-Security (LISP-SEC)", draft-ietf-lisp-sec-09
(work in progress), October 2015. (work in progress), October 2015.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005,
<http://www.rfc-editor.org/info/rfc4086>.
[RFC7215] Jakab, L., Cabellos-Aparicio, A., Coras, F., Domingo- [RFC7215] Jakab, L., Cabellos-Aparicio, A., Coras, F., Domingo-
Pascual, J., and D. Lewis, "Locator/Identifier Separation Pascual, J., and D. Lewis, "Locator/Identifier Separation
Protocol (LISP) Network Element Deployment Protocol (LISP) Network Element Deployment
Considerations", RFC 7215, DOI 10.17487/RFC7215, Considerations", RFC 7215, DOI 10.17487/RFC7215,
April 2014, <http://www.rfc-editor.org/info/rfc7215>. April 2014, <http://www.rfc-editor.org/info/rfc7215>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258,
May 2014, <http://www.rfc-editor.org/info/rfc7258>.
[Trilogy] Saucez, D. and L. Iannone, "How to mitigate the effect of [Trilogy] Saucez, D. and L. Iannone, "How to mitigate the effect of
scans on mapping systems", Trilogy Future Internet Summer scans on mapping systems", Trilogy Future Internet Summer
School., 2009. School., 2009.
Appendix A. Document Change Log (to be removed on publication) Appendix A. Document Change Log (to be removed on publication)
o Version 15 Posted January 2016.
* Few changes to address Stephen Farrel comments as part of the
IESG Review.
o Version 14 Posted December 2015. o Version 14 Posted December 2015.
* Editorial changes according to Deborah Brungard's (Routing AD) * Editorial changes according to Deborah Brungard's (Routing AD)
review. review.
o Version 13 Posted August 2015. o Version 13 Posted August 2015.
* Keepalive version. * Keepalive version.
o Version 12 Posted March 2015. o Version 12 Posted March 2015.
 End of changes. 21 change blocks. 
36 lines changed or deleted 65 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/