On Thu, May 15, 2014 at 11:02 PM, Ronald Bonica <[email protected]> wrote:
> Roger,
>
> Having considered this, it appears that the LISP data plane can operate in
> trusted or untrusted mode. In the trusted mode, when one XTR receives a
> data-plane packet from another, it can trust control plane information that
> it might glean from the packet's outer IP header and LISP header. Such trust
> is based on the assumption that:
>
> - the sending XTR is who it claims to be
> - the sending XTR is not intentionally offering bad mapping information to
>   the receiving XTR
>
> In trusted mode, the receiving XTR can glean control information from the
> data plane. However, in untrusted mode, the receiving XTR must not do so.
> Alternatively, it must send a verifying MAP-REQUEST to the mapping system.
>
> So far, all of this is covered nicely between RFC 6830 and the LISP threats
> document. However, we have yet to explore the threats associated with
> unsecured mode operation, where gleaned information cannot be used.
>
> For example, assume that two XTRs and an attacker are connected to the global
> Internet. The attacker is neither an XTR nor contained by a LISP site. The
> attacker is capable of spoofing its source address.
>
> The attacker can launch a DoS attack against an XTR's control plane by sending
> a barrage of crafted packets to the victim XTR. Each crafted packet causes the
> victim XTR to send a verifying MAP-REQUEST to the mapping system. The attack
> stream may be so large that it causes the victim XTR to exceed the rate limit
> for MAP-REQUEST messages.
Lots of other people that know LISP way better than I do have responded already. Do I understand you correctly that you think there is a hole in the threat draft, or are you talking about another miss, that is, what will happen if the mapping system fails to reply in time when encryption or other forms of verification of both ends (iTR and eTR) are used?

--
Roger Jorgensen | ROJO9-RIPE
[email protected] | - IPv6 is The Key!
http://www.jorgensen.no | [email protected]

_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
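The two failure modes Ronald describes, cache poisoning through gleaning in trusted mode and exhaustion of the verifying Map-Request budget in untrusted mode, can be made concrete with a small simulation. The following Python model is an added example for this thread; it is not code from the thread, from RFC 6830, or from any LISP implementation. It assumes a token-bucket rate limiter for outbound Map-Requests (rate and burst values are arbitrary), a logical clock instead of wall time, and constructed RLOC and EID addresses from documentation ranges. The "deduplicate pending verifications" option is an assumed mitigation, not something the thread proposes: it suppresses a second Map-Request for an EID whose verification is already in flight.

```python
"""Simulated LISP xTR control plane under a flood of crafted data-plane packets.

Constructed example (not from the mailing-list thread or any LISP implementation).
Models: trusted mode (glean mapping from the packet) vs. untrusted mode (send a
verifying Map-Request, subject to a rate limit), plus an assumed mitigation that
deduplicates verifications already in flight for the same EID.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_rloc: str  # outer IP source: claims to be the sending xTR's RLOC
    src_eid: str   # inner IP source: the EID the packet claims to originate from


class TokenBucket:
    """Rate limiter for outbound Map-Requests, driven by a logical clock (ticks)."""

    def __init__(self, rate_per_tick: int, burst: int):
        self.rate, self.burst = rate_per_tick, burst
        self.tokens, self.last = burst, 0

    def allow(self, now: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Xtr:
    trusted: bool
    dedupe_pending: bool = False                 # assumed mitigation, see lead-in
    limiter: TokenBucket = field(default_factory=lambda: TokenBucket(10, 50))
    cache: dict = field(default_factory=dict)    # EID -> RLOC believed for that EID
    pending: set = field(default_factory=set)    # EIDs with a Map-Request in flight
    map_requests_sent: int = 0
    verifications_dropped: int = 0               # wanted to verify, rate limit said no

    def receive(self, pkt: Packet, now: int) -> None:
        if self.cache.get(pkt.src_eid) == pkt.src_rloc:
            return                               # nothing new to learn from this packet
        if self.trusted:
            self.cache[pkt.src_eid] = pkt.src_rloc  # glean directly: no verification
            return
        if self.dedupe_pending and pkt.src_eid in self.pending:
            return                               # verification already in flight
        if self.limiter.allow(now):
            self.map_requests_sent += 1          # send verifying Map-Request
            self.pending.add(pkt.src_eid)
        else:
            self.verifications_dropped += 1      # budget exhausted: cannot verify

    def map_reply(self, eid: str, rloc: str) -> None:
        self.pending.discard(eid)
        self.cache[eid] = rloc


def simulate(trusted: bool, dedupe: bool, flood_size: int, distinct_eids: int) -> dict:
    """Flood the xTR in one tick, then see whether a legitimate peer can still be verified."""
    xtr = Xtr(trusted=trusted, dedupe_pending=dedupe)
    for i in range(flood_size):
        k = i % distinct_eids
        # Constructed flood: spoofed outer source (198.51.100.0/24) and a claimed
        # inner EID that cycles over `distinct_eids` values.
        xtr.receive(Packet(src_rloc=f"198.51.100.{i % 250 + 1}",
                           src_eid=f"10.{k // 256}.{k % 256}.1"), now=0)
    legit = Packet(src_rloc="203.0.113.7", src_eid="10.9.9.1")  # constructed honest peer
    before = xtr.map_requests_sent
    xtr.receive(legit, now=0)
    if trusted:
        legit_ok = xtr.cache.get(legit.src_eid) == legit.src_rloc
    else:
        legit_ok = xtr.map_requests_sent == before + 1
    poisoned = sum(1 for r in xtr.cache.values() if r.startswith("198.51.100."))
    return {"map_requests_sent": xtr.map_requests_sent,
            "verifications_dropped": xtr.verifications_dropped,
            "legit_verified": legit_ok,
            "poisoned_entries": poisoned}


if __name__ == "__main__":
    for args in [(True, False, 1000, 1000), (False, False, 1000, 1000),
                 (False, True, 1000, 1), (False, True, 1000, 1000)]:
        print(args, simulate(*args))
```

Run as written, the trusted xTR ends the flood with a thousand attacker-chosen cache entries and never sends a Map-Request, while the untrusted xTR sends only as many Map-Requests as its burst allows and then drops every further verification, the honest peer's included. Deduplicating in-flight verifications neutralises a flood that keeps repeating the same claimed mapping, but a flood that varies the inner EID defeats it, which is why the rate limit alone is not a complete answer to the threat the thread raises.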
