As I keep saying, Ron, you need to verify anything you intend to glean. The spec says the gleaning is "a hint" and not gospel.

Dino

On Jun 10, 2014, at 10:06 AM, Ronald Bonica <[email protected]> wrote:

> Hi Dino,
>
> Given that the LISP data packet or ICMP packet may be from an attacker, is it
> even safe to glean that? I think not.
>
>
> Ron
>
>
>> -----Original Message-----
>> From: Dino Farinacci [mailto:[email protected]]
>> Sent: Tuesday, June 10, 2014 1:04 PM
>> To: Ronald Bonica
>> Cc: LISP mailing list list
>> Subject: Re: [lisp] Restarting last call on LISP threats
>>
>>
>> On Jun 10, 2014, at 9:57 AM, Ronald Bonica <[email protected]> wrote:
>>
>>> Earlier in this thread, we agreed that when LISP is deployed on the global
>>> Internet, mapping information cannot be gleaned safely from incoming LISP
>>> data packets. Following that train of thought, when LISP is deployed on the
>>> global Internet, is it safe to glean routing locator reachability information
>>> from incoming LISP data packets as described in RFC 6830, Section 6.3, bullet
>>> 1. If not, I think that we need to mention this in the threats document.
>>
>> What you can glean is that the source RLOC is up, but you cannot glean your
>> path to it is reachable.
>>
>>> Given that ICMP packets are easily spoofed, when LISP is deployed on the
>>> global Internet, is it safe to glean routing locator reachability information
>>> from incoming ICMP packets as described in RFC 6830, Section 6.3, bullet 2
>>> and bullet 4. If not, I think that we need to mention this in the threats
>>> document.
>>
>> What you can glean is that the source RLOC is up, but you cannot glean your
>> path to it is reachable.
>>
>> Dino
>>
>
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
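
An added sketch of the "a hint, verify before you rely on it" rule discussed in this thread, not code from the thread, from RFC 6830 or from any LISP implementation: gleaned data packets and ICMP messages only schedule a probe, and a locator becomes usable only after a reply echoes the probe's random nonce. The class and method names, the 3-second timeout and the sample address are assumptions, and the nonce check only helps against senders who cannot observe the probe.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Locator:
    verified: bool = False            # set only by a nonce-matched probe reply
    nonce: Optional[bytes] = None     # nonce of the probe in flight, if any
    sent_at: float = 0.0

class RlocTable:                      # hypothetical name, for illustration only
    def __init__(self, probe_timeout: float = 3.0) -> None:
        self.probe_timeout = probe_timeout
        self.locators: Dict[str, Locator] = {}

    def glean(self, rloc: str, kind: str) -> bool:
        """Note an unauthenticated observation ("data" or "icmp_unreachable").
        Returns True when a probe should be scheduled; 'verified' is never changed here."""
        loc = self.locators.setdefault(rloc, Locator())
        return kind == "icmp_unreachable" or not loc.verified

    def start_probe(self, rloc: str, now: float) -> bytes:
        loc = self.locators.setdefault(rloc, Locator())
        loc.nonce, loc.sent_at = secrets.token_bytes(8), now   # 64-bit random nonce
        return loc.nonce

    def probe_reply(self, rloc: str, nonce: bytes, now: float) -> bool:
        loc = self.locators.get(rloc)
        if loc is None or loc.nonce is None:
            return False                        # unsolicited or replayed reply
        if now - loc.sent_at > self.probe_timeout:
            loc.nonce = None                    # expired: a late reply proves nothing
            return False
        if not hmac.compare_digest(nonce, loc.nonce):
            return False                        # wrong nonce: keep waiting for the real reply
        loc.nonce, loc.verified = None, True
        return True

    def usable(self, rloc: str) -> bool:
        loc = self.locators.get(rloc)
        return loc is not None and loc.verified

if __name__ == "__main__":
    table = RlocTable()
    rloc = "192.0.2.1"                          # constructed address (documentation range)
    print("probe needed:", table.glean(rloc, "data"), "usable:", table.usable(rloc))
    nonce = table.start_probe(rloc, now=0.0)
    print("reply accepted:", table.probe_reply(rloc, nonce, now=0.2), "usable:", table.usable(rloc))
```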
