On Tue, Jul 12, 2011 at 8:56 AM, Darrel Lewis <[email protected]> wrote:
> Just so I can understand, are you saying that the attack may send unsolicited
> Map-Replies to an ITR?
>
> Or are you suggesting you send, say, a syn packet with a spoofed source to a
> host within the site, expecting the resultant syn-ack to result in a
> map-request sent into the mapping system?
I suggest the second case. I assume here that the LISP MS infrastructure itself is not accessible to a malicious attacker.

Whatever way the "bad packets" reach a host downstream of an ITR, if they generate responses (SYN|ACK, etc.) then the ITR must try to forward them. Like you said above, if the ITR doesn't know what to do with these packets, it is going to try to learn how by punting to the CPU, initiating a MS query, and so on.

You might say that if LISP can be further developed and deployed, in an ideal world, there might not be any spoofed traffic. This would be nice, except if a LISP ETR has to do a similar look-up when bringing traffic into the network subject to attack, then the ETR may also suffer from essentially the same problem as the ITR.

--
Jeff S Wheeler <[email protected]>
Sr Network Operator / Innovative Network Concepts

_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
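The ITR behaviour discussed in the thread (a SYN|ACK to an uncached, spoofed address forces a punt and a Map-Request), together with the two controls a defender would check for on an ITR, shown as an added example that is not from this thread or from any LISP implementation: a toy ITR model with an outstanding-query table and a per-interval Map-Request budget. The EID-prefix, RLOC, spoofed-source addresses and budget sizes are constructed values.

```python
import ipaddress

class ItrMapCache:
    """Toy model of a LISP ITR map-cache and Map-Request path (illustration only)."""

    def __init__(self, requests_per_tick, pending_ttl=3):
        self.cache = {}                  # EID-prefix (ip_network) -> RLOC, constructed entries
        self.pending = {}                # EID -> tick at which a Map-Request was already sent
        self.requests_per_tick = requests_per_tick
        self.pending_ttl = pending_ttl
        self.tokens = requests_per_tick  # Map-Request budget left in the current tick
        self.now = 0
        self.stats = {"encap": 0, "map-request": 0, "pending": 0, "rate-limited": 0}

    def tick(self):
        """Advance the clock one interval and refill the Map-Request budget."""
        self.now += 1
        self.tokens = self.requests_per_tick

    def forward(self, dst):
        """Classify what the ITR does with one outbound packet addressed to EID `dst`."""
        dst = ipaddress.ip_address(dst)
        if any(dst in prefix for prefix in self.cache):
            self.stats["encap"] += 1            # map-cache hit: encapsulate, no lookup needed
            return "encap"
        sent = self.pending.get(dst)
        if sent is not None and self.now - sent < self.pending_ttl:
            self.stats["pending"] += 1          # a query is already outstanding: do not repeat it
            return "pending"
        if self.tokens == 0:
            self.stats["rate-limited"] += 1     # budget exhausted: drop rather than query again
            return "rate-limited"
        self.tokens -= 1
        self.pending[dst] = self.now
        self.stats["map-request"] += 1          # punt: ask the mapping system about dst
        return "map-request"

def synack_storm(requests_per_tick, spoofed_sources=200, retransmits=2):
    """Site hosts answer SYNs whose spoofed sources are all uncached, and retransmit
    each SYN|ACK twice. Returns the ITR's per-outcome counters for that burst."""
    itr = ItrMapCache(requests_per_tick)
    itr.cache[ipaddress.ip_network("203.0.113.0/24")] = "192.0.2.1"  # constructed mapping
    itr.forward("203.0.113.7")                                        # one legitimate flow
    # constructed spoofed sources: distinct addresses taken from a documentation prefix
    targets = [str(h) for h in ipaddress.ip_network("198.51.100.0/24").hosts()][:spoofed_sources]
    for _ in range(retransmits + 1):
        for eid in targets:
            itr.forward(eid)
    return itr.stats
```

With an effectively unlimited budget the burst yields one Map-Request per spoofed source; with a budget of 20 per interval the same burst yields 20, and the rest are dropped at the ITR instead of reaching the mapping system.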
