I think that the threat scopes for the two cases are different. Gleaning
new RLOCs is clearly a significant risk.
Gleaning the liveness of an RLOC from the fact that it appears to be
talking to you is a much lower risk. With a much higher benefit. I
have no problem with noting that there is a risk, albeit somewhat
complex. But it should not be viewed in the same manner. (All security
is a matter of costs and benefits.)
Yours,
Joel
On 6/10/14, 1:06 PM, Ronald Bonica wrote:
Hi Dino,
Given that the LISP data packet or ICMP packet may be from an attacker, is it
even safe to glean that? I think not.
Ron
-----Original Message-----
From: Dino Farinacci [mailto:[email protected]]
Sent: Tuesday, June 10, 2014 1:04 PM
To: Ronald Bonica
Cc: LISP mailing list list
Subject: Re: [lisp] Restarting last call on LISP threats
On Jun 10, 2014, at 9:57 AM, Ronald Bonica <[email protected]> wrote:
Earlier in this thread, we agreed that when LISP is deployed on the global
Internet, mapping information cannot be gleaned safely from incoming LISP
data packets. Following that train of thought, when LISP is deployed on the
global Internet, is it safe to glean routing locator reachability information
from incoming LISP data packets as described in RFC 6830, Section 6.3, bullet
1? If not, I think that we need to mention this in the threats document.
What you can glean is that the source RLOC is up, but you cannot glean your
path to it is reachable.
Given that ICMP packets are easily spoofed, when LISP is deployed on the
global Internet, is it safe to glean routing locator reachability information
from incoming ICMP packets as described in RFC 6830, Section 6.3, bullet 2
and bullet 4? If not, I think that we need to mention this in the threats
document.
What you can glean is that the source RLOC is up, but you cannot glean your
path to it is reachable.
Dino
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
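The distinction the thread draws (an inbound packet can hint that a known RLOC is up, but can neither prove the forward path nor safely introduce a new RLOC) as a toy ITR locator-status model; this is an added example, not code from the thread or from any LISP implementation. The map-cache entries, the documentation-range addresses and the nonce-matched probe reply used as the verifying step are constructed assumptions.

```python
# Toy ITR locator-status cache (added example, not a LISP implementation).
# Inbound data packets and ICMP messages may only (1) touch RLOCs already
# installed from the mapping system, never add new ones, and (2) raise an
# unverified "up" hint; only a probe reply carrying our nonce (assumed here
# as the verifying step) can mark the forward path reachable.
from dataclasses import dataclass, field


@dataclass
class LocatorState:
    up_hint: bool = False          # gleaned from inbound traffic, unverified
    path_reachable: bool = False   # set only by a verified probe reply
    gleaned_events: int = 0        # how often inbound traffic named this RLOC


@dataclass
class MapCache:
    # EID-prefix -> {RLOC: LocatorState}; entries come only from the mapping system
    entries: dict = field(default_factory=dict)

    def install(self, eid_prefix, rlocs):
        self.entries[eid_prefix] = {r: LocatorState() for r in rlocs}

    def _known(self, rloc):
        return [s[rloc] for s in self.entries.values() if rloc in s]

    def glean_liveness(self, src_rloc):
        """Inbound data/ICMP naming src_rloc: up-hint only, and only for known RLOCs."""
        states = self._known(src_rloc)
        if not states:
            return False  # unknown (possibly spoofed) RLOC is never added to the cache
        for s in states:
            s.up_hint = True
            s.gleaned_events += 1
        return True

    def probe_reply(self, rloc, nonce_matched):
        """Only a probe reply echoing our nonce proves our path to the RLOC."""
        states = self._known(rloc)
        if not nonce_matched or not states:
            return False
        for s in states:
            s.path_reachable = True
        return True

    def usable_rlocs(self, eid_prefix):
        """Forwarding uses verified locators; an up-hint alone is not enough."""
        return [r for r, s in self.entries.get(eid_prefix, {}).items() if s.path_reachable]
```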