Opened 9 years ago

Last modified 8 years ago

#27 resolved technical (fixed)

ETR may claim a larger prefix than is delegated to it

Reported by: hartmans-ietf@…
Owned by:
Priority: major
Component: draft-ietf-lisp
Severity: -
Keywords:
Cc:

Description

In my security presentation at IETF 76, I discussed an attack where an ETR can claim a prefix larger than is delegated to it. In the extreme case, an ETR could try to claim in its map reply that it covers 0/0 and requests all LISP traffic be routed through it. Handling that simple case can be accomplished by requiring prefixes be a certain length. In general, though, this attack is very serious and we need a better mechanism. See the Security01 wiki page for more discussion of this attack. In that terminology, it is a delegation integrity attack.

Darrel proposed a number of solutions to consider:

  • Requiring prefixes be a certain length
  • Sending the map reply through the mapping system
  • Sending the map reply both from the ETR and through the mapping system.

I'd like to consider the option of having the MS send a packet to the ITR immediately on receiving the map request telling the ITR what the prefix length that the ETR is allowed to claim is; then the ETR can send the standard map reply. The ITR would need to wait for both packets to arrive, but this would introduce significantly less delay than another round trip through the mapping system itself. I believe this can also be made to work when no MS is present. If people are interested I'd be happy to flesh this out or work with Darrel on any of his options.
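
A sketch of the ITR-side check proposed in the description above, as an added example that is not part of the ticket or of the LISP drafts: the ITR holds the ETR's Map-Reply until the MS notice has also arrived, then rejects any EID-prefix shorter than the length the MS reports as delegated. The class name, verdict strings, minimum-length floor and sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed local policy floor per address family (the "certain length" option);
# the ticket does not specify values.
MIN_PREFIX_LEN = {4: 8, 6: 16}


@dataclass
class PendingMapRequest:
    """Hypothetical ITR-side state for one outstanding Map-Request."""
    eid: str                            # EID the ITR asked about
    allowed_len: Optional[int] = None   # prefix length reported by the MS
    reply_prefix: Optional[str] = None  # EID-prefix claimed in the Map-Reply

    def on_ms_notice(self, allowed_len: int) -> Optional[str]:
        self.allowed_len = allowed_len
        return self._verdict()

    def on_map_reply(self, prefix: str) -> Optional[str]:
        self.reply_prefix = prefix
        return self._verdict()

    def _verdict(self) -> Optional[str]:
        # Install nothing in the map-cache until both packets have arrived.
        if self.allowed_len is None or self.reply_prefix is None:
            return None
        eid = ipaddress.ip_address(self.eid)
        claimed = ipaddress.ip_network(self.reply_prefix, strict=False)
        if claimed.version != eid.version or eid not in claimed:
            return "reject: reply does not cover requested EID"
        if claimed.prefixlen < MIN_PREFIX_LEN[eid.version]:
            return "reject: prefix shorter than local minimum"
        # A claim shorter than the delegated length is the over-claim case.
        if claimed.prefixlen < self.allowed_len:
            return "reject: over-claim beyond delegated length"
        return "accept"


if __name__ == "__main__":
    # Constructed sample: MS says the ETR is delegated a /24 around the EID.
    for claim in ("192.0.2.0/24", "192.0.0.0/16", "0.0.0.0/0"):
        req = PendingMapRequest(eid="192.0.2.10")
        req.on_map_reply(claim)          # reply arrives first, held back
        print(claim, "->", req.on_ms_notice(24))
```

A more-specific claim (for example a /25 inside the delegated /24) is accepted, since only claims broader than the delegation are the concern raised here.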

Change History (5)

comment:1 Changed 8 years ago by luigi@…

  • Resolution set to fixed
  • Status changed from new to resolved

comment:2 Changed 8 years ago by luigi@…

  • Status changed from resolved to closed

comment:3 Changed 8 years ago by yakov@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

Before closing the ticket please document how the issue raised by the ticket is resolved.

comment:4 Changed 8 years ago by jmh@…

  • Resolution set to fixed
  • Status changed from reopened to resolved

While the base question of over-claiming is valid, it is also complicated and multi-faceted. As such, we will not be adding additional mechanisms in the base LISP specification to address this. Significant improvements are proposed in LISP-SEC, including noting that the use of a structure such as RPKI is for further study.

comment:5 Changed 8 years ago by yakov@…

If the base LISP spec is not going to have additional mechanisms to address over-claiming, then I would suggest to add to the base LISP spec some text that would just describe the issue of over-claiming, and state that handling this issue is outside the scope of the document.
