[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [lisp] [#3] lisp-ms needs security between ITR and map resolver

From: Sam Hartman <hartmans-ietf at mit.edu>
To: Jari Arkko <jari.arkko at piuha.net>
Cc: Noel Chiappa <jnc at mercury.lcs.mit.edu>, lisp at ietf.org
Date: Mon, 07 Sep 2009 18:47:11 -0400
In-reply-to: <4AA56AB7.9020909 at piuha.net> (Jari Arkko's message of "Mon\, 07 Sep 2009 23\:19\:03 +0300")
References: <20090811205547.C318B6BE59B at mercury.lcs.mit.edu> <4AA56AB7.9020909 at piuha.net>

>>>>> "Jari" == Jari Arkko <jari.arkko at piuha.net> writes:

    Jari> Not sure about this though. I think the debate about using
    Jari> nothing-vs-nonce-vs-ipsec-vs-tls is too early. First we have
    Jari> to figure out what the security model is. And frankly I'm
    Jari> not sure we have a good idea about that yet, but maybe I'm
    Jari> missing something. If -- as Noel suggests below -- the
    Jari> mapping data itself is protected, then the map request/reply
    Jari> protection has far less to do, and a nonce is likely
    Jari> sufficient to handle DoS attacks.


I agree it's really too early to be having this discussion.  I brought
it up because it was on my mind if it didn't get written down I'd
forget it.

My suspicion is that we'll end up divinding the security into three legs:

* ITR to map resolver
* inside the mapping system
* map server to ETR.

My suspicion is that each mapping system will have its own internal
security model.  For example, ALT probably ends up using something
similar to SIDR internally.  Some mapping system based on DHTs and
cryptographically generated prefixes would not benefit from something
like SIDR at all.

In addition, I'm not sure that all ITRs will be in the position to
have the CRLs, trust anchors, trust anchor updates and intermediate
certificates necessary to verify mappings. So, it might be better to
have a simpler trust relationship between an ITR and its map resolver
and to have the map resolver do the heavy lifting for security.

Also, before we have real security in the map system--while the map
system security looks a lot like current core BGP security--then the
link between the ITR and map resolver looks a lot more attractive as a
target.  It may well run over access networks or other relatively low
security links.  We may be able to assure that the alt runs mostly or
completely in the core.q So, before there is real mapping security
within the alt, we may get significant benefit from security the
ITR->map resolver link.

However, as you point out, it's too early for this discussion.  Also,
the above assumes some significant changes to the ITR<->map resolver
protocol.  I believe those changes are needed for other reasons.

References:
- Re: [lisp] [#3] lisp-ms needs security between ITR and map resolver
  - From: Noel Chiappa
- Re: [lisp] [#3] lisp-ms needs security between ITR and map resolver
  - From: Jari Arkko

Prev by Date: Re: [lisp] [#3] lisp-ms needs security between ITR and map resolver
Next by Date: [lisp] #18: record count >1 for map request
Previous by thread: Re: [lisp] [#3] lisp-ms needs security between ITR and map resolver
Next by thread: [lisp] Issue tracking--policy on wiki, let's start!
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.