Re: [RAM] ETRs checking src & dest addresses
Robin Whittle <rw@firstpr.com.au> Sat, 14 July 2007 08:09 UTC
Return-path: <ram-bounces@iab.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I9chI-0001zG-7m; Sat, 14 Jul 2007 04:09:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I9chG-0001zB-3C for ram@iab.org; Sat, 14 Jul 2007 04:09:46 -0400
Received: from gair.firstpr.com.au ([150.101.162.123]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I9ch9-0001Oi-T8 for ram@iab.org; Sat, 14 Jul 2007 04:09:46 -0400
Received: from [10.0.0.8] (zita.firstpr.com.au [10.0.0.8]) by gair.firstpr.com.au (Postfix) with ESMTP id 35E4A59DDD; Sat, 14 Jul 2007 18:09:36 +1000 (EST)
Message-ID: <469884B2.1060307@firstpr.com.au>
Date: Sat, 14 Jul 2007 18:09:22 +1000
From: Robin Whittle <rw@firstpr.com.au>
Organization: First Principles
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: ram@iab.org
Subject: Re: [RAM] ETRs checking src & dest addresses
References: <469615D5.4010408@firstpr.com.au> <2EA94A78-B056-4938-B6E0-051EE4013A98@muada.com>
In-Reply-To: <2EA94A78-B056-4938-B6E0-051EE4013A98@muada.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 708bdb947b83e88c58fd603ed07f3c7a
Cc:
X-BeenThere: ram@iab.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing and Addressing Mailing List <ram.iab.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ram>
List-Post: <mailto:ram@iab.org>
List-Help: <mailto:ram-request@iab.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=subscribe>
Errors-To: ram-bounces@iab.org
A short version of this message is: The easiest and most robust way to enable a network to enforce on its ETRs the rule that encapsulated packets from ITRs outside the network must not contain inner packets with a source address (SA) which matches one of the network's own prefixes is (along with some other requirements) to break with convention and require ITRs to tunnel the packet with the outer SA = the inner SA. That is, the packet sent by the ITR to the ETR has the same source address as the sending host. This means that no-one or nothing in the destination network (or after the ITR), including the ETR itself, can find which ITR tunneled the packet - unless the encapsulation method carries extra data which includes the ITR's address, which is not the case with Ivip or with current LISP plans. The reason is that it is probably very difficult or perhaps impossible to make all ETRs inside the network filter the decapsulated packets to drop those which arrived from an external ITR and have the inner SA matching a local prefix (this would be a packet with a spoofed source address) - so it is better to achieve the same desired protection by: 1 - Requiring all ITRs to set the outer SA = inner SA. 2 - Let the border routers continue to drop packets arriving from outside the network with SA matching any one of the network's local prefixes. 3 - Require all ETRs to drop all decapsulated packets with an SA (inner SA) which is not identical to the SA of the outer header (outer SA). Having the outer SA = inner SA also has the benefit that traceroute functions normally. The current LISP 1 and 1.5 definition has the SA = ETR's address, which means the sending host gets no traceroute results for any router between the ITR and the ETR - and perhaps not from the ETR either. I also explore the idea for LISP or Ivip of there being a service so the current and recent history of the database (multiple databases perhaps, as is the case with Ivip) can be queried to see when any mapping - of any EID (LISP) or DID (Ivip) address - has been to a particular (RLOC) IP address. This would be vital for debugging problems with end-users setting the mapping incorrectly, for determining why streams of encapsulated packets arrived in some unwelcome fashion etc. It would be impossible to prevent this sort of analysis of the mapping data. Hi Iljitsch, I tend to agree with what you wrote: > Oh wait, you mean source address. I don't think it's a good idea > to have node Y send packets where the source address is X, both > because this claims that the sender is different from his/her > actual identity and because return traffic, such as ICMP > messages, will then end up at (arguably) the wrong node. > > Knowing the address of the encapsulating TR is also useful if > the decapsulating TR ever wants to get in touch with it. However, I think there are some strong arguments for making the outer SA = the inner SA, which is contrary to the conventional sensible notion that any packet created by node Y should have its SA = Node Y's address. The general arrangement is: HA-----ITR~~~~~~~~~~~~~~~~~~ETR------HB where HB has the LISP/Ivip-mapped address (maybe HA has such an address too, but that doesn't matter). The current LISP-01 I-D only describes LISP 1 and 1.5, so there's no way of knowing whether with LISP 3.x the outer SA (Source Address of the UDP packet which encapsulates data packets when the ITR tunnels a data packet to an ETR) will be the original packet's SA (HA's IP address) or the ITR's address. In LISP 1 and 1.5 the outer SA is definitely the ITR's address (see Definition of terms: ITR). In LISP 3.x I am not sure to what degree the ITR sends messages to the ETR, or whether the ETR sends anything back to the ITR. Dino's recent message: http://www1.ietf.org/mail-archive/web/ram/current/msg01703.html indicates that the 3.x approaches using CONS or NERD do not involve the ETR sending a Map-Reply message to the ITR and that perhaps with APT there would be such messages. So I am not sure whether some or all 3.x variants of LISP involve no messages at all from the ETR to the ITR. If there is no requirement for such messages or information exchange, then maybe the ETR doesn't need to get any information from the ITR in data packets, or presumably by any other means. In that case, the ETR wouldn't need to know the address of the one or more ITRs which are tunneling packets to it. In that case, it may be possible for LISP to adopt the same "outer SA = inner SA" approach I currently favor for Ivip. As far as I can tell at present, this would have the same benefits for LISP as for Ivip - much greater ease of a network protecting itself from a particular form of attack which I will call "internal source address spoofing", and the retention of the sending host's ability to fully traceroute the path taken by the packets it sends. If LISP or Ivip uses the ITR's address for the outer SA then HA will find that traceroute does not produce any results for any routers between the ITR and ETR. Whether or not it would produce a response from the ETR depends on whether the ETR treats the decapsulated packet just like any newly arrived packet or not. I regard this as a substantial argument against using the original packet's SA for the outer SA. I am assuming in all this that both LISP and Ivip ITRs and ETRs follow the principle that the ITR copies the TTL (Time to Live) from the packet it is encapsulating to the header of the new packet which contains it (the IP-UDP IP header for LISP and the IP-in-IP IP header for Ivip). Similarly, the ETR takes the TTL from the outer IP header and copies it to the TTL field of the IP header of the decapsulated packet. (These operations are specified for Ivip, but are not actually specified in LISP, except for similar concepts with recursive or re-encapsulating tunneling.) My previous message contained some detailed thoughts on why requiring ITRs to make the outer SA = inner SA makes it much easier for the network in which the ETR is located to ensure that packets arriving from outside the network and being decapsulated by its ETRs do not produce decapsulated packets with SAs from local prefixes. Here I develop this line of argument further - in support for the initially unpalatable notion of having the ITR tunnel the packet with outer SA = the packet's original SA (inner SA). I then examine what benefits and difficulties would result from following convention and having the ITR use one of its own addresses as the outer SA. Ivip has no communication from ITR to ETR or from ETR to ITR. There is no header, other than the outer header of IP-in-IP encapsulation. Ivip could be redefined to use the ITR's address as the outer SA, but at present I think it is best not to. Ivip could be redefined to use UDP encapsulation as is currently defined for LISP 1 and 1.5 - then various other items such as the ITR's address could be included in the encapsulated packet - but I am trying to keep Ivip simple and see no reason to do this. In this discussion, when I refer to "network" I mean any Autonomous System network (provider or for an end-user) in which ETRs are deployed. I don't refer in this discussion to the edge networks of a single-homed or multihomed end-user which relies upon LISP-mapped or Ivip-mapped addresses. Those edge networks have different requirements for preventing "internal source address spoofing", which I discuss in Note 1 at the end. Here is a description of the particular security problem I am concerned about: ............. .................... N1 . . N2 . . . . H1---ETR1~~~BR1~~~~~~~~TR~~~~~~BR1~~~~~ETR1---MN1 . / . \ \ ............. / . \---H2 \--MN2 / . \ / . \-H3 / . AT1~~~~~~~~~~~~~~~~~~~TR .................... N1 has a host H1 which is sending a packet to Mapped Node MN1. Whether MN1 is a host with one or multiple IP addresses, or a link to a router at a multihomed end-user's site, doesn't matter. Nor does it matter whether H1's address is Ivip-mapped or not. Also, it probably doesn't matter whether the ETR gets the decapsulated packet to MN1 via a direct link or via relying on N2's internal routing system to forward the packets to MN1. This problem only concerns packets flowing left to right in this diagram. Howe MN1 gets packets to H1 is a separate matter and not affected by the security problem. I assume N2 has BR2 set up to drop any packet which arrives from the outside world where the SA matches any of the one or more prefixes N2 advertises to its BGP peers. If N2 doesn't bother to do this, there is no point in fussing over how the ETRs should filter packets to achieve the same purpose. I assume (for reasons discussed in my first message in this thread and in Note 2 below) that all ETRs will drop any packet which has a DA for any address other than the set of hosts/routers which it knows it can deliver decapsulated packets to, with LISP/Ivip-mapped addresses. This means that if the ETR decapsulates a packet and finds its DA is for H2, then it drops the packet. This also means that if it decapsulates a packet and finds its DA is for some other LISP/Ivip-mapped address which it can't deliver packets to (either directly or via support from the local routing system) then this packet will be dropped too. The purpose of this "internal source address spoofing" protection is to stop MN1 receiving a packet with SA matching any of N2's BGP-advertised prefixes, for instance the address of H2. Without this protection, an attacker AT1 can easily create an encapsulated packet, with outer DA = ETR1, inner DA = MN1 and inner SA = H2. It is not the purpose of "internal source address spoofing" to stop ETR1 from decapsulating and forwarding an inner packet to MN1 when its SA is any LISP/Ivip-mapped address, including some address of another host/node MN2, which happens to be "within" N2 or potentially (multihomed link which may not be working) connected to N2. An attacker can already do this by sending a packet with a spoofed SA to any ITR, or by generating its own encapsulated packet. The only purpose is to prevent attackers spoofing source addresses of the non-LISP/Ivip-mapped addresses within N2. Attackers are assumed to be outside N2. (It's all over if an attacker is inside N2.) I start with some further assumptions: A1 - Whatever new architecture is adopted - LISP, Ivip etc. - the new architecture must not force a lower level of security than currently exists (RRG Design Goals 3.9) and should not make it significantly more difficult, costly or error-prone to ensure the same levels of security are maintained. A2 - Therefore, for networks which protect against "internal source address spoofing" the new architecture must make it easy to maintain this protection for packets being decapsulated by ETRs. A3 - That the ETR needs to decapsulate packets which were encapsulated by ITRs in this same network. I argue in Note 2 at the end of this message why this is a reasonable requirement. A4 - We can't expect the border router to perform deep packet inspection on every incoming packet - for instance to find any packet which looks like it might be intended to be decapsulated by an ETR, and to then decapsulate it, and filter it according to the SA of its inner packet. So we can assume that BR1 drops any packet arriving from outside if the SA matches, for instance, H3's (ordinary, BGP reachable) address. Preventing SA spoofing when outer SA = inner SA ----------------------------------------------- In the above framework, it becomes very easy to protect against "internal source address spoofing" if all ITRs make their outer SA equal to the source address of the sending host (the inner SA). All that needs to be added is that ETRs drop any packet whose inner SA does not match the outer SA. This means that there are two classes of spoofed SA packets being filtered: 1 - Those sent as ordinary packets, from outside. This is handled by the border router's existing filters. 2 - Those in inner packets with an outer header with DA = an ETR. This is performed in two stages - by the border router and then by the ETR dropping packets where inner and outer SA do not match. This seems to be a bullet-proof arrangement, and works fine with encapsulated packets created by ITRs in the network. These are assumed not to arise from attackers, since attackers are defined to be outside the network. Preventing SA spoofing when outer SA = ITR's address ---------------------------------------------------- In this arrangement, the ETR can't drop packets with inner SA != outer SA. So there is no way the ETR can use this simple technique to extend the border router's filtering to the inner SA. The only alternative is for the ETR to drop the inner packet according to the following criteria: 1 - If the inner SA matches any of the network's BGP advertised prefixes. and 2 - The outer SA does not match any of these prefixes. (So the packet arrived in encapsulated form from outside the network while pretending to be sent from inside the network.) Assuming the ETR needs to accept encapsulated packets from ITRs inside the network (Note 2 below) then both these tests are required. However, this is likely to be prohibitively difficult for an ETR to perform. Firstly, the FIB hardware of a proper router isn't necessarily able to perform these gymnastics. (The decapsulation and "drop if inner SA != outer SA is still tricky, but does not involve any knowledge of the potentially numerous local prefixes.) Secondly, the list of prefixes this network advertises could be very large indeed. This would make it perhaps impossible for FIBs to cope with such a list. Thirdly, we want to be able to do ETR functions in servers, not just hardware-FIB "routers", including in the destination host (if it has a BGP-reachable care-of address). There is no way with ordinary software of applying a huge list of rules to the inner SA to decide if the packet should be dropped, and then applying the same set of rules to the outer SA as well. Finally, even if routers and software ETRs could do this, there are serious problems with the network's control system finding all these ETR functions ensuring they comply with these rules. With my idea towards the end of Note 2 below - that ETRs should know how to deliver packets directly to the destination host, rather than use the internal routing system (which is compatible with LISP-01 page 11 point 7: "attached destination host") - there is no need for a general system to control all ETRs at once (as would be required if every ETR was to decapsulate packets for any host in the network with a LISP/Ivip-mapped address, relying on the local routing system to get the packets there). What is lost by making outer SA == inner SA? -------------------------------------------- By defying convention and having ITRs send tunneled packets without their own IP address in the SA of the outer header, we lose certain things: 1 - We can't find directly which ITR tunneled the packet, once it left the ITR. 2 - Therefore, we can't get a message to that ITR, or two whoever runs it. It is an uncomfortable thing to propose such an arrangement, but here I explore exactly what would be lost. (As with all this stuff, I could be mistaken and be missing many important things - so please let me know what I have missed.) Ivip requires no communication from an ETR to an ITR, or vice-versa, so nothing is lost with this arrangement. Some variants of LISP do require this communication, so if this "outer SA == inner SA" was adopted for LISP (for instance because it seems to be the only practical or reasonable way of allowing a destination network to maintain current security limits) then the LISP header would need to contain the ITR's address. I think the remaining reasons for wanting to know the ITR's address are to do with coping with unwelcome packets. Here is a possibly incomplete list of the scenarios which could lead to the perception of unwelcome packets arriving from an ITR. In the case of packets from an attacker, I will assume that the outer SA (Ivip) or any "ITR address" in a LISP header contains a bogus address, which may be part of the attack by encouraging victim V1 (whoever's host gets the unwelcome packets) to send messages to victim V2 who probably runs an ITR, or to V3 which is whoever runs the LISP/Ivip database system, with possible negative consequences for further victims who might use LISP/Ivip-mapped addresses: a - The packets are sent to an ETR but have inner DAs for LISP/Ivip-mapped addresses which the ETR is not configured to deliver to a destination host. This could include an address which is a BGP reachable address, or some other LISP/Ivip-mapped address other than the small subset of those addresses for which the current ETR can deliver packets. b - The packets are sent to an ETR and have inner DAs which is one the ETR is configured to deliver packets for - however the flow of packets is excessive in volume, is regarded by that host as irrelevant or unwelcome etc. c - The packets are sent to an address which is not an ETR - it may be of a host, an ordinary router or to some address which has no destination node. In all these cases, if the encapsulated packets come direct from an attacker (that is they have not been generated by a proper ITR) then there is no point in looking at the outer DA. That will probably not lead to any clues about the location of the attacker. Any attempt to complain about an attack from that outer DA address will probably cause V1 to drag other victims into the attacker's ploy. If the packets do come from one or more genuine ITRs, then I think one of the following must be true: e - The one or more ITRs are functioning properly, with fully updated databases (an ITRD or an ITRC or ITFH with access to properly updated query servers, and getting notifications from those query servers in the event of a database change for some mapping information they cached). f - The one or more ITRs are not functioning correctly. Maybe their FIB is broken and doesn't reflect their RIB (copy of database or cached mapping information). Maybe they are not properly updated. For this reason, ITRDs which for some reason are not getting updates or which have detected some corruption should probably stop forwarding packets. this is a tricky business I will write more about in the future. In the case of 'e', there is no point in knowing which one or more ITR is tunneling the packets, because there is nothing wrong with these or any other ITR - and similar problems can be expected with packets being tunneled by any of the world's hundreds of thousands of ITRs (or millions, with ITFHs widely deployed). The problem is either with the contents of the mapping database(s) or with the behavior of sending hosts. In Note 3 I discuss how to resolve the first problem. The second problem has nothing to do with the LISP or Ivip system, although perhaps changing the mapping to "drop" or pointing it to some other ETR could resolve some problems. In the case of 'f', it would be good to find the ITR which is sending the packets which are considered unfriendly. Ivip as I am currently proposing it would prevent anyone from finding out which one or more broken or out-of-synch ITRs are causing the trouble. This problem is similar to having some router out in the Net malfunction, forwarding packets to some place they don't belong. Generally, the packets wouldn't get to an ETR or a host, because not even a malfunction in a local router could do this (unless the victim host was on a single link, rather than a LAN, from the errant router. The broken ITR is not generating the packet, but it is tunneling a packet which should be tunneled to some ETR which would be happy about it to some other address where the packets are not welcome. If the outer SA was the ITR's address, then victim V1 could potentially find who runs this ITR and complain - but it could be tricky finding out who to complain to, unless there was some global register of ITRs, which won't include the hundreds of millions of ITFHs on host computers if Ivip is widely implemented in the future. There is something lost by not being able to identify the genuine ITR which mistakenly tunneled the packets. However, if the ITR was functioning properly, there is no point in finding out its address or who owns it - the problem is not with the ITR but can only be resolved by either changing the mapping information or by altering the behaviour of sending hosts - which is no different from the situation with unwelcome packets today without LISP or Ivip. Even if it was possible to identify the genuine ITR which tunneled the unwelcome packets, why should the operator of that ITR shut it down just because V1 complains about it? Who is to say that the complaint is not the work of an attacker? There does need to be is a way of V1 finding out the recent history of its IP address being involved in the mapping database. I write more about this in Note 3 below. - Robin Note 1 - Edge networks and "internal source address spoofing" ------------------------------------------------------------- A single-homed or multihomed "edge network" which uses purely LISP-mapped or Ivip-mapped addresses has a very different set of conditions in which it might protect against "internal source address spoofing". Firstly, it has no BGP connections to the Internet. It only receives incoming packets via one or more links to provider networks. Here, I assume that it relies upon ETRs in those provider networks (see Figure 3 in the Ivip I-D). These ETRs feed the inner packets (that is the packets with DA = some LISP/Ivip-mapped address, where this is one of the edge network's address range, such as the address of IH9 in Figure 3) directly to the edge-network's router, Ethernet switch or whatever. However, if the edge network gets from each of its one or more providers one or a few of the provider's PA addresses, on which it runs its own ETRs, and then routes only the inner packets produced by these ETRs to the rest of the edge network, then similar principles apply. The edge network does not contain any ETRs, because ETRs do not reside on addresses which are LISP/Ivip-mapped. Therefore, the edge network doesn't need to worry about packets emerging from ETRs within its own network. I can think of two scenarios which require different approaches to protecting against an attacker (implicitly any host outside this edge network) from sending packets with spoofed local addresses - meaning addresses within the range of LISP-Ivip-mapped addresses of this edge network. 1 - The edge network has no ITRs - including any ITFHs - which might be tricky to establish if ITFHs became a common part of operating systems . . . but then an ITFH will always send queries to some Query Server, so if there was a way of preventing this from succeeding at the network's router, then this would prevent any ITFH function working. In this case, the edge network relies on its internal routing system to forward packets from its hosts to its hosts. In this case, raw packets with DA matching a LISP or Ivip-mapped address range will be forwarded directly to the correct host if that is their DA, or to the router and out one of the links to the provider network if they don't match one of the edge network's addresses. There they will soon be encapsulated by one or a series of ITRCs, ITRD etc. Protection against packets from the outside with spoofed local SAs must be done by the edge network's router - it must drop any incoming packet with a SA which matches one of the edge network's LISP/Ivip-mapped addresses. 2 - The edge network has its own ITRD, ITRC and/or ITFH functions - and these may encapsulate packets which were addressed to one of the edge network's LISP/Ivip-mapped addresses. This is probably a bad idea, since it makes it much more difficult, or impossible, to protect against "internal source address spoofing". There are various reasons I won't explore here why this is a messy arrangement to be avoided, but for instance how can the edge network's router know whether decapsulated packets from an ETR originated in its own network or were decapsulated from a packet of an attacker? 3 - Probably some other scenarios I can't think of now. Note 2 - ETRs must handle packets from ITRs in the same network --------------------------------------------------------------- (See assumption A3 above.) In a large network, for scaling purposes, there needs to be lots of ITRs. We can't make all the ITR functionality be in the border routers. Also, at least with Ivip, it would be advantageous to allow and encourage caching ITR functions in sending hosts (both those on ordinary BGP reachable IP addresses and those with Ivip-mapped addresses). This is an ITFH function. It needs to send queries to QSD or QSC query servers, and it doesn't necessarily have to tunnel every packet - because those it doesn't tunnel will (in a well designed network) be forwarded (or perhaps explicitly tunneled to) one or more ITRCs or an ITRD which can encapsulate it. The ITFH greatly reduces the load on ITRCs and ITRDs, without any cost to anyone and with the path taken by the packets to the ETR being entirely optimal, since they never need to go via an ITRC or ITRD. (ITRCs and ITFHs may not tunnel all packets, so they need a backup of some other ITRCs or ideally an ITRD to handle these.) I assume ITFHs can't easily be detected (except by detecting or blocking their requests to query servers - maybe the autodiscovery system returns a message "ITFHs not supported here", which may be as simple as an empty list of Query Servers) and that they can't be highly managed, at least in terms of rapid changes to their behavior. For instance there could be thousands or hundred of thousands of ITFHs in a large network, in many hosts or in DSL modem NAT functions (I call this "function in host" because the "router" is just a CPU and software, with no FIB hardware etc.). Nonetheless, I expect there to be autodiscovery arrangements for an ITRC or ITFH to find where to send queries to and perhaps where to tunnel packets it doesn't encapsulate for some reason, but which should be - for instance because it doesn't have mapping information for that packet's DA. It is probably much more robust and easier to plaster ITRs all over the network and to encourage the adoption of ITFHs in many hosts and DSL etc. modem-routers - than to try to ban ITFHs and centralise all ITRs in a few places where their activities can be carefully controlled. If all the ITRs in a network could be carefully controlled, then it would be possible to ensure that the local routing system took precedence over encapsulation, so that if a host H3 wanted to send a packet to MN1, then the packet would be sent via the local routing system to MN1, and not encapsulated and tunneled to ETR1. However this is unlikely to be practical, because it could be difficult or impossible to immediately change the internal routing system and all local ITR behaviour to reflect the fact that MN1's one or more LISP/Ivip-mapped addresses have just become reachable inside this network, or have just become unreachable. If the local routing system forwards packets to MN1 - this must be stopped the moment MN1 is no longer reachable - such as if MN1 has moved and changed its mapping to some other ETR or another network's ETR. Even if the local routing system forwards packets to MN1, then it would still be best if any packet which is encapsulated by an ITR anywhere will be delivered properly. Generally, I think there should be no exception to the rule "if the raw packet finds its way to an ITR which encapsulates it according to the current state of the database(s), then it definitely will be delivered to the currently selected ETR". A local routing system which attempts to get the packet to the destination host might be acceptable, provided it changed its behavior very rapidly to reflect the contents of the mapping database. Overall, I think it will be best if: 1 - One or more ETRs have some explicit tunnel system for getting decapsulated packets to the destination host, rather than relying on the local routing system. 2 - Hosts inside the same network should rely on ITRs (and perhaps their own ITFH function) to deliver the packets, in accordance with the current state of the database(s) - and not have this interfered with by the local routing system trying to take packets directly to the destination host. 3 - We don't want to concentrate all the ITR functions in border routers. To maintain optimal path lengths within the network, we want the packets to encounter an ITR ASAP, including in the sending host's own ITFH function. 4 - Therefore, we need ITRs all over the network, and these ITRs will be encapsulating packets to be sent to ETRs in the network, which will directly get the decapsulated packets to the proper destination. All this only applies to Autonomous System networks - not the end-user networks which consist only of LISP/Ivip-mapped addresses. Note 3 - A "search-mapping" service to debug LISP/Ivip mapping -------------------------------------------------------------- This proposal would work with Ivip as currently defined - and perhaps with some forms of LISP. I think there really needs to be some kind of service like this, for LISP or Ivip. There are some security and privacy implications of such a service being open to anyone to query about any IP address, but there is absolutely no way of preventing such a service being created, so there is no point in trying to prohibit misuse of such a service. This service could be implemented as part of the main Ivip system, but there is no need for this to be done, since one or more separate companies, organisations or individuals could set up their own system to do the same job. The service has a server which gets a full feed of the update stream - "US-Complete" in the current Ivip I-D. It can also download the IMAB-DBD periodic dumps of the complete set of mapping databases. It is absolutely required that this information be freely available to anyone, so anyone can set up their own ITRD and QSD-QSC-ITRC-ITFH systems. No practical measures could prevent anyone from gaining access to this information. The service analyses the data and stores a copy of its analysis in some database, covering the last few weeks of activity. Then, the service is able to definitively answer queries such as: What is the history of RLOC (LISP) or TELOC (Ivip) mapping of this particular EID (LISP) or DID (Ivip) address? What is the history of the RLOC/TELOC mapping of any EID/DID over the past minutes, weeks etc. which involved the ITRs being told to tunnel packets to this particular IP address? This means that if the unwelcome packets resulted from something in the mapping system, now or in the past, that V1 could find out for sure which one or more EID/DID addresses was involved. Then, it could quickly establish which RUAS (Ivip Root Update Authorisation System) the update was made through. If that RUAS considered the complaint to be genuine, it could try to resolve it with the end-user who it authorises (directly or via one or more branch and leave UASes) to control the mapping of this IP address. Spies, dodgy detectives and the security authorities will be watching the changes in the database, so anyone with something to hide (which includes ordinary folk who are targeted by nosey authorities and those with malicious intent) need to consider how changes to their mapping might leak information to others. BTW, future generations will want to know why LISP, Ivip or whatever was foisted on the Internet - because it is certain to add to the difficulty of understanding and managing the system, with its own set of gotchas and security problems. They will hopefully realise that BGP couldn't be asked to do much more and that IPv6 wasn't ready for mass adoption, and doesn't solve the major problems anyway. _______________________________________________ RAM mailing list RAM@iab.org https://www1.ietf.org/mailman/listinfo/ram
- [RAM] ETRs checking src & dest addresses Robin Whittle
- Re: [RAM] ETRs checking src & dest addresses Iljitsch van Beijnum
- Re: [RAM] ETRs checking src & dest addresses Robin Whittle