Inline....
> -----Original Message-----
> From: Dino Farinacci [mailto:[email protected]]
> Sent: Tuesday, May 27, 2014 7:19 PM
> To: Ronald Bonica
> Cc: Paul Vinciguerra; Joel M. Halpern; Damien Saucez; Roger Jorgensen; LISP
> mailing list list
> Subject: Re: [lisp] Restarting last call on LISP threats
>
>
> > Hi Paul,
> >
> > The attack scenario that I envision is slightly different from the one that
> > you describe below:
> >
> > - LISP is widely deployed. Tens of thousands of XTRs are deployed
> > worldwide. The mapping system data base contains hundreds of thousands of
> > EID prefixes.
> > - The attack stream is large
> > - Each packet in the attack stream has a unique source LOC
> > - All packets in the attack stream have the same destination LOC. This LOC
> > represents the XTR under attack.
> > - Each packet in the attack stream has a destination EID that will cause it
> > to reach a valid destination (i.e., a destination that will respond).
> > However, all packets in the attack stream don't have the same destination.
> > The attack stream is spread out across multiple valid EID destinations to
> > make it less detectable.
> > - Each packet in the attack stream has a carefully chosen source EID. It is
> > chosen to maximize the ratio of attack packets to map-requests.
> >
> > One attack stream attacks an XTR. Multiple simultaneous attacks against
> > multiple XTRs can DoS the mapping system, itself.
> >
> > A PxTR probably won't generate this attack stream. However, an attack tool
> > might.
> >
> > A PxTR probably won't generate this attack stream. However, an attack tool
> might.
>
> Ignoring the unique source RLOC (which makes no difference in this attack
> because we are not doing a RPF check on the ETR), it is the same as if a PITR
> was encapsulating from the same set of source-EIDs to the same set of
> destination-EIDs you describe above.
>
> That was his point.
>
> So some clarifications:
>
> (1) What does unique source LOC mean? I assume you mean each packet has
> a different source RLOC and that the address is not duplicated from multiple
> sites (i.e. is it not a private address like 192.168.1.1), or do you mean
> something else?
[RPB]
No two packets in the attack stream have the same Source RLOC.
>
> (2) And what does carefully chosen mean? You might mean a scan of different
> source EIDs in each packet so the xTR that returns packets will get more map-
> cache misses?
[RPB]
Exactly. Source EIDs are chosen to maximize the ratio of attack packets to
map-requests sent by the victim XTR.
This is what makes the attack stream so different from a stream that a PiTR is
likely to send during normal operation.
Ron
>
> Dino
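A small defender-side model of the map-cache behaviour discussed above, added here as an example and not part of the thread: it counts how many Map-Requests a victim xTR would emit for a stream that revisits a few EIDs versus one that carries a new source EID in every packet, and shows how a per-window Map-Request limit bounds the load pushed onto the mapping system. The class, stream contents and limits are constructed assumptions, not LISP implementation code.

```python
from collections import OrderedDict

# Constructed model: the xTR keeps an LRU map-cache of EID prefixes it must
# encapsulate return traffic to. A packet whose EID is not cached is a miss
# and would normally trigger a Map-Request; the miss ratio is the signal that
# separates the scan-like stream from normal traffic, and the limiter caps how
# many Map-Requests one xTR can send per window (a mitigation, assumed here).
class XtrMapCache:
    def __init__(self, capacity, max_requests_per_window):
        self.capacity = capacity
        self.cache = OrderedDict()          # EID prefix -> True, LRU ordered
        self.max_requests = max_requests_per_window
        self.requests_sent = 0              # Map-Requests actually emitted
        self.requests_dropped = 0           # misses suppressed by the limiter
        self.packets = 0

    def handle_return_packet(self, dest_eid):
        """Process one packet the xTR must encapsulate back toward dest_eid."""
        self.packets += 1
        if dest_eid in self.cache:
            self.cache.move_to_end(dest_eid)
            return "hit"
        if self.requests_sent >= self.max_requests:
            self.requests_dropped += 1      # limiter: no Map-Request this window
            return "miss-dropped"
        self.requests_sent += 1
        self.cache[dest_eid] = True
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)  # evict least recently used entry
        return "miss-requested"

    def miss_ratio(self):
        """Fraction of packets that missed the cache; high values flag a scan."""
        return (self.requests_sent + self.requests_dropped) / self.packets


def run_stream(eids, capacity=1000, max_requests=100):
    cache = XtrMapCache(capacity, max_requests)
    for eid in eids:
        cache.handle_return_packet(eid)
    return cache


# Constructed streams: normal traffic revisits 20 EID prefixes; the stream
# from the e-mail carries a different source EID in every packet.
NORMAL = [f"10.0.{i % 20}.0/24" for i in range(2000)]
SCAN = [f"10.{i // 256}.{i % 256}.0/24" for i in range(2000)]
```

Running `run_stream(NORMAL)` and `run_stream(SCAN)` shows the same packet count producing 20 Map-Requests in one case and the full limiter budget plus 1900 suppressed misses in the other, which is the ratio Ron points to.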
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp