Locator/ID Separation Protocol                               M. Boucadair
Internet-Draft                                                     Orange
Intended status: Informational                            7 February 2023
Expires: 11 August 2023


                        LISP PubSub Flow Examples
               draft-boucadair-lisp-pubsub-flow-examples-01

Abstract

   This document provides a set of flow examples to illustrate the use
   of the LISP PubSub specification.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Locator/ID Separation
   Protocol Working Group mailing list (lisp@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/lisp/.

   Source for this draft and an issue tracker can be found at
   https://github.com/boucadair/lisp-pubsub-flow-examples.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 August 2023.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Boucadair                Expires 11 August 2023                 [Page 1]

Internet-Draft             LISP PubSub Examples            February 2023

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Initial Successful Subscription
   4.  Successful Notification
   5.  Successful Notification with Retransmission
   6.  Failed Notification with Retransmission
   7.  Successful Subscription Update
   8.  Failed Subscription with Lost Map-Notify-Ack
   9.  Bootstrapping an xTR
   10. Stale Subscriptions
   11. xTR-triggered Subscription Withdrawal
   12. 'Map-Server'-triggered Subscription Withdrawal
     12.1.  Replay Attacks
       12.1.1.  Replayed Subscription (Update)
       12.1.2.  Replayed Withdrawal
       12.1.3.  Replayed Notification Updates
   13. Explicit Subscriptions
   14. Security Considerations
   15. IANA Considerations
   16. Normative References
   Acknowledgments
   Author's Address

1.  Introduction

   This document provides a set of flow examples as a companion to the
   LISP PubSub specification [I-D.ietf-lisp-pubsub].  The document is
   meant to illustrate and assess the behavior of LISP control nodes
   under specific conditions.
   The examples use a simplified setup for the sake of illustration.

2.  Terminology

   This document uses the terms defined in [I-D.ietf-lisp-pubsub].

   The following terms and notations are used in this document:

   init_nonce:  the nonce that is initially included in a Map-Request
      to create a subscription.

   initial subscription request:  the Map-Request that was used to
      create the initial subscription.  This request has the nonce
      value set to init_nonce.

   nonce++:  the nonce incremented by 1.

   init_key_id:  the key identifier that was used in the Map-Request
      with init_nonce.

   trans_count:  retransmission counter as per Section 5.7 of
      [RFC9301].

   trans_timer:  retransmission timer as per Section 5.7 of [RFC9301].

   AT:  Attacker

   In the figures below, "X -> Y: msg" denotes a message sent by X to
   Y, "(lost)" marks a message that does not reach its destination, and
   the remaining lines describe the local processing at the named node.

3.  Initial Successful Subscription

   Figure 1 shows an example of a successful subscription.  The example
   assumes that a security association is in place between the xTR and
   the Map-Server (Section 7.1 of [I-D.ietf-lisp-pubsub]) and that all
   integrity-protection checks are successfully passed.

   xTR:        Generate a new key and an initial nonce.  Store them
               locally for this subscription.
   xTR -> MS:  Map-Request(init_nonce, init_key_id, ...)
   MS:         Security/integrity protection check.  No state for this
               xTR-ID/EID is found.  Create the subscription and store
               init_nonce, init_key_id, ...
   MS -> xTR:  Map-Notify(init_nonce, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce == init_nonce.  Confirm the subscription and wait
               for notifications.
   xTR -> MS:  Map-Notify-Ack(init_nonce, ...)
   MS:         Security/integrity protection checks.  This subscription
               is now ACKed.

          Figure 1: An Example of Successful Initial Subscription

4.  Successful Notification

   Figure 2 illustrates an example of the successful delivery of
   notification updates that match an existing subscription state.
   This example assumes that a security association is in place between
   the xTR and the Map-Server (Section 7.1 of [I-D.ietf-lisp-pubsub])
   and that all subsequent integrity-protection checks are successfully
   passed.

   MS:         Update is triggered.  Increment the nonce.  Set
               trans_count and trans_timer.
   MS -> xTR:  Map-Notify(nonce++, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce >= local nonce + 1.  Confirm the notification and
               update the entry.
   xTR -> MS:  Map-Notify-Ack(nonce++, ...)
   MS:         Security/integrity protection checks.  This notification
               is now ACKed.

              Figure 2: An Example of Successful Notification

5.  Successful Notification with Retransmission

   Unlike the example depicted in Figure 2, Figure 3 illustrates the
   behavior that is experienced when a subset of the Map-Notify
   messages is lost in transit.  This example assumes that at least one
   of these Map-Notify messages is received by the target xTR.

   MS:         Update is triggered.  Increment the nonce.  Set
               trans_count and trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)                            (lost)
   MS:         Increment trans_count and reset trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)                            (lost)
   MS:         Increment trans_count and reset trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce >= local nonce + 1.  Confirm the notification and
               update the entry.
   xTR -> MS:  Map-Notify-Ack(nonce, ...)
   MS:         Security/integrity protection checks.  This notification
               is now ACKed.

    Figure 3: An Example of Successful Notification with Retransmission

6.  Failed Notification with Retransmission

   Figure 4 assumes that, due to network conditions, all Map-Notifies
   are lost.

   MS:         Update is triggered.  Increment the nonce.  Set
               trans_count and trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)                            (lost)
   MS:         Increment trans_count and reset trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)                            (lost)
   MS:         Increment trans_count and reset trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)                            (lost)

           Figure 4: An Example of Failed Notification Delivery

   Note that no specific action is currently specified in
   [I-D.ietf-lisp-pubsub] when such a failure occurs.  That is, the
   entry is kept active and future updates will trigger new Map-Notify
   cycles.
   Also, the current specification does not recommend a behavior (e.g.,
   regular refreshes) that would let the xTR avoid maintaining stale
   mappings.  Such details are implementation specific (see, for
   example, Section 7).

   In order to accommodate Map-Notify message loss, the nonce check on
   the xTR should not require an exact match against "local nonce + 1";
   any message with "received nonce >= local nonce + 1" should be
   accepted.

7.  Successful Subscription Update

   Figure 5 illustrates an example of the successful update of an
   existing subscription.  The triggers for such a refresh are
   implementation specific.

   xTR:        Increment the last seen nonce.
   xTR -> MS:  Map-Request(nonce, ...)
   MS:         Security/integrity protection check.  Found an entry for
               this xTR-ID.  Check that rcv nonce >= local nonce + 1.
   MS -> xTR:  Map-Notify(nonce, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce == snd nonce.  Confirm the subscription and wait
               for notifications.
   xTR -> MS:  Map-Notify-Ack(nonce, ...)
   MS:         Security/integrity protection check.  This subscription
               update is ACKed.

          Figure 5: An Example of Successful Subscription Update

8.  Failed Subscription with Lost Map-Notify-Ack

   This example is similar to Section 3, except that the Map-Notify-Ack
   is not delivered to the Map-Server.  The Map-Server retransmits the
   Map-Notify 3 times, and then removes the subscription.  A Map-Notify
   that explicitly indicates the reason for such a removal is also
   generated by the Map-Server.
   If the xTR receives this Map-Notify, the xTR may decide to send a
   Map-Request to reinstall the removed state.  The procedure to
   reinstall the state is similar to Figure 1.

   xTR:        Generate a new key and an initial nonce.  Store them
               locally for this subscription.
   xTR -> MS:  Map-Request(init_nonce, init_key_id, ...)
   MS:         Security/integrity protection check.  No state for this
               xTR-ID/EID is found.  Create the subscription and store
               init_nonce, init_key_id, ...  Set trans_count and
               trans_timer.
   MS -> xTR:  Map-Notify(init_nonce, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce == init_nonce.  Confirm the subscription and wait
               for notifications.
   xTR -> MS:  Map-Notify-Ack(init_nonce, ...)                   (lost)
   MS:         Increment trans_count and reset trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)                            (lost)
   MS:         Increment trans_count and reset trans_timer.
   MS -> xTR:  Map-Notify(nonce, ...)                            (lost)
   MS:         Remove the subscription.
   MS -> xTR:  Map-Notify(nonce, AFI, ACT, ...)
   ...

           Figure 6: An Example of Failed Initial Subscription

9.  Bootstrapping an xTR

   When first bootstrapped, an xTR may delete any (stale) state that
   might be associated with its provisioned xTR-ID and security
   association.  To that aim, the xTR sends a Map-Request that has only
   one ITR-RLOC with AFI = 0.
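   The following Python model is an added illustration for this
   document; it is not code from this draft, from [I-D.ietf-lisp-pubsub]
   or from any LISP implementation.  It walks through the nonce handling
   of Sections 3 to 9 on both the xTR and the Map-Server (initial
   subscription, notification with retransmission, removal after lost
   Map-Notify-Acks, AFI=0 withdrawal and bootstrap) and also reproduces
   the Map-Server-side discard of stale or replayed requests that
   Sections 10 and 12 describe.  Message names and fields mirror the
   figures; all security/integrity checks are assumed to have already
   passed, so messages are plain dicts.  MAX_RETRANSMIT follows
   Section 8, while RATE_LIMIT, the "act" marker carried by the removal
   Map-Notify and the log strings are constructed placeholders.

```python
"""Toy model of the nonce handling in the LISP PubSub flows of this document.
Added example, not code from the draft, [I-D.ietf-lisp-pubsub] or any LISP
implementation.  Integrity protection is assumed to have passed, so messages
are plain dicts; RATE_LIMIT and the "act" marker are constructed placeholders."""
from dataclasses import dataclass, field

MAX_RETRANSMIT = 3   # Section 8: retransmit the Map-Notify 3 times, then remove the sub
RATE_LIMIT = 5       # constructed: Map-Requests per xTR-ID before discarding (Figs 12/13)


@dataclass
class Subscription:
    nonce: int                # last nonce seen for this xTR-ID/EID
    key_id: int
    trans_count: int = 0      # retransmission counter (RFC 9301, Section 5.7)
    acked: bool = False


@dataclass
class MapServer:
    count_replays: bool = True                     # Figure 12 (True) vs Figure 13 (False)
    subs: dict = field(default_factory=dict)       # (xtr_id, eid) -> Subscription
    seen_keys: dict = field(default_factory=dict)  # xtr_id -> key ids ever used (Figure 8)
    requests: dict = field(default_factory=dict)   # xtr_id -> requests counted for the limit
    log: list = field(default_factory=list)

    def map_request(self, xtr_id, eid, nonce, key_id, afi=1):
        """Handle a Map-Request; return the Map-Notify to send, or None if discarded."""
        if self.requests.get(xtr_id, 0) >= RATE_LIMIT:
            self.log.append(f"rate-limit reached for xTR-ID {xtr_id}")
            return None
        sub = self.subs.get((xtr_id, eid))
        seen = self.seen_keys.setdefault(xtr_id, set())
        if sub is not None and nonce < sub.nonce + 1 and key_id in seen:
            # Stale or replayed request (Figures 7, 11, 14): drop silently, log it as
            # RFC 9301 does for a Map-Register whose nonce did not increase.
            self.log.append(f"possible replay for xTR-ID {xtr_id}: rcv nonce {nonce} "
                            f"< local nonce + 1 ({sub.nonce + 1})")
            if self.count_replays:
                self.requests[xtr_id] = self.requests.get(xtr_id, 0) + 1
            return None
        self.requests[xtr_id] = self.requests.get(xtr_id, 0) + 1
        seen.add(key_id)
        if afi == 0:   # withdrawal (Figure 9) or bootstrap (Section 9): reply even without a sub
            self.subs.pop((xtr_id, eid), None)
        else:          # create (Figure 1), update (Figure 5) or override with a new key (Figure 8)
            self.subs[(xtr_id, eid)] = Subscription(nonce=nonce, key_id=key_id)
        return {"type": "Map-Notify", "nonce": nonce}

    def map_notify_ack(self, xtr_id, eid, nonce):
        sub = self.subs.get((xtr_id, eid))
        if sub is not None and nonce == sub.nonce:   # the xTR confirmed: stop retransmitting
            sub.acked, sub.trans_count = True, 0

    def publish(self, xtr_id, eid, ttl=None):
        """An update is triggered (Figure 2): increment the nonce and arm retransmission."""
        sub = self.subs[(xtr_id, eid)]
        sub.nonce, sub.trans_count, sub.acked = sub.nonce + 1, 0, False
        msg = {"type": "Map-Notify", "nonce": sub.nonce}
        if ttl is not None:
            msg["ttl"] = ttl   # TTL=0: Map-Server-triggered withdrawal (Figure 10)
        return msg

    def trans_timer_expired(self, xtr_id, eid):
        """No Map-Notify-Ack in time: retransmit, or after MAX_RETRANSMIT tries remove the sub
        and announce that in a last Map-Notify (Figures 4 and 6)."""
        sub = self.subs.get((xtr_id, eid))
        if sub is None or sub.acked:
            return None
        if sub.trans_count < MAX_RETRANSMIT:
            sub.trans_count += 1
            return {"type": "Map-Notify", "nonce": sub.nonce}
        del self.subs[(xtr_id, eid)]
        return {"type": "Map-Notify", "nonce": sub.nonce, "act": "removed"}


@dataclass
class XTR:
    nonce: int = 0          # last nonce seen for the EID; it MUST be kept (Section 10)
    pending: tuple = None   # (nonce, afi) of an outstanding Map-Request, if any
    subscribed: bool = False

    def next_request_nonce(self, afi=1):
        """Increment the last seen nonce before sending a Map-Request (Figures 5 and 9)."""
        self.nonce += 1
        self.pending = (self.nonce, afi)
        return self.nonce

    def on_map_notify(self, msg):
        """Return the Map-Notify-Ack to send, or None when the message is discarded."""
        rcv = msg["nonce"]
        if self.pending is not None:
            if rcv != self.pending[0]:    # Figures 1 and 5: rcv nonce == snd nonce
                return None
            self.subscribed = self.pending[1] != 0   # an AFI=0 request withdrew the sub
            self.pending = None
        elif rcv < self.nonce + 1:
            # Section 6: rcv nonce >= local nonce + 1 is accepted so lost Map-Notifies do
            # not wedge the entry; anything lower is an old or replayed message (Figure 15).
            return None
        self.nonce = rcv
        if msg.get("ttl") == 0 or "act" in msg:
            self.subscribed = False
        return {"type": "Map-Notify-Ack", "nonce": rcv}
```

   Two checks carry the security weight of the model.  The Map-Server
   never processes a Map-Request whose nonce is below "local nonce + 1"
   unless it is authenticated with a key-id it has never seen for that
   xTR-ID (the Figure 8 override), and it logs the event rather than
   answering, so a replayed request reveals nothing about the stored
   state.  The xTR accepts any nonce at or above "local nonce + 1", so
   lost Map-Notifies do not strand the subscription, while anything
   lower is dropped.  Constructing the Map-Server with
   count_replays=False reproduces Figure 13: replayed requests are still
   logged but are not charged against the legitimate xTR-ID's
   rate-limit budget, so the attacker cannot starve it.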
   A Map-Notify will be sent back by the Map-Server even if no
   subscription is found.

10.  Stale Subscriptions

   For various reasons, an xTR may lose its subscriptions (or at least
   the nonce of a subscription).  Note that losing the nonce is not
   compliant with the following from the PubSub specification:

      The xTR MUST keep track of the last nonce seen in a Map-Notify
      received as a publication from the Map-Server for the EID-Record.

   If the same key is used, the Map-Request is likely to be rejected by
   the Map-Server and, thus, stale subscriptions will be maintained by
   the Map-Server.  The request is silently discarded by the Map-Server.
   This behavior is similar to the following behavior in [RFC9301]:

      If a Map-Register is received with a nonce value that is not
      greater than the saved nonce, it MUST drop the Map-Register
      message and SHOULD log the fact that a replay attack could have
      occurred.

   xTR -> MS:  Map-Request(nonce, init_key_id, ...)
   MS:         Security/integrity protection check.  A state for this
               xTR-ID/EID is found but the nonce check fails: rcv nonce
               < local nonce + 1.  Discard the packet.

               Figure 7: An Example of Stale Subscriptions

   If the Map-Server stores all the key-ids that were used by an xTR
   for its subscriptions, the Map-Server may accept overriding an
   existing state without enforcing the nonce check, but if and only if
   a new key is used (see Figure 8).

   xTR -> MS:  Map-Request(nonce, new key_id, ...)
   MS:         Security/integrity protection check.  A state for this
               xTR-ID/EID is found, but the new authentication key is
               used, so the state is updated.
   MS -> xTR:  Map-Notify(nonce, ...)

    Figure 8: An Example of Stale Subscriptions Avoidance with New Keys

   However, the approach in Figure 8 may have scalability issues, as
   the Map-Server must store all the key identifiers that were ever
   used.  Otherwise, an attacker can replay a message whose key-id is
   no longer stored by the Map-Server.  This issue is not encountered
   if LISP-SEC messages are timestamped.  Note that currently none of
   the LISP specifications use timestamps.

11.  xTR-triggered Subscription Withdrawal

   Figure 9 illustrates the observed exchange to successfully delete a
   subscription.

   xTR:        Increment the last seen nonce.
   xTR -> MS:  Map-Request(nonce, AFI=0, ...)
   MS:         Security/integrity protection check.  Found an entry for
               this xTR-ID.  Check that rcv nonce >= local nonce + 1.
   MS -> xTR:  Map-Notify(nonce, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce == snd nonce.  Send Map-Notify-Ack.
   xTR -> MS:  Map-Notify-Ack(nonce, ...)
   MS:         Security/integrity protection check.  This withdrawal is
               confirmed.

        Figure 9: An Example of Successful Subscription Withdrawal

12.  'Map-Server'-triggered Subscription Withdrawal

   Figure 10 illustrates the observed exchange to notify the withdrawal
   of a subscription at the initiative of the Map-Server.

   MS:         Update is triggered.  Increment the nonce.  Set
               trans_count and trans_timer.
   MS -> xTR:  Map-Notify(nonce, TTL=0, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce >= local nonce + 1.  Confirm the notification and
               remove the entry.
   xTR -> MS:  Map-Notify-Ack(nonce, ...)
   MS:         Security/integrity protection checks.  This notification
               is now ACKed.

     Figure 10: An Example of Successful Notification of Subscription
                                Withdrawal

12.1.  Replay Attacks

12.1.1.  Replayed Subscription (Update)

   Figure 11 shows an example of a replayed subscription request.  The
   request will be silently dropped by the Map-Server because of the
   nonce check failure.

   AT -> MS:   Map-Request(init_nonce, init_key_id, ...)
   MS:         Security/integrity protection check.  A state for this
               xTR-ID/EID is found but the nonce check fails: rcv nonce
               < local nonce + 1.  Discard the packet.
   xTR:        Not involved; receives nothing.

     Figure 11: An Example of Handling of Replayed Initial Subscription

   Note that legitimate Map-Requests issued from the authentic xTR may
   be blocked as a side effect of enforcing a rate-limit on the replayed
   messages.  An example is shown in Figure 12.

   AT -> MS:   Map-Request(init_nonce, init_key_id, ...)
   MS:         Security/integrity protection check.  A state for this
               xTR-ID/EID is found but the nonce check fails: rcv nonce
               < local nonce + 1.
   AT -> MS:   ... (more replayed requests)
   MS:         The rate-limit for requests from this xTR-ID is reached.
   xTR -> MS:  Map-Request(...)
   MS:         Discard.

     Figure 12: An Example of Handling of Replayed Initial Subscription

   If replayed requests are not counted as part of the rate-limit
   policy, legitimate Map-Requests will be processed as illustrated in
   Figure 13.

   AT -> MS:   Map-Request(init_nonce, init_key_id, ...)
   MS:         Security/integrity protection check.  A state for this
               xTR-ID/EID is found but the nonce check fails: rcv nonce
               < local nonce + 1.
   AT -> MS:   ... (more replayed requests)
   xTR -> MS:  Map-Request(...)
   MS:         Process.

     Figure 13: An Example of Handling of Replayed Initial Subscription

12.1.2.  Replayed Withdrawal

   Figure 14 depicts an example of the exchange that occurs when an
   attacker sends a replayed withdrawal request.  The request will be
   silently discarded by the Map-Server.

   AT -> MS:   Map-Request(nonce, AFI=0, ...)
   MS:         Security/integrity protection check.  A state for this
               xTR-ID/EID is found but the nonce check fails: rcv nonce
               < local nonce + 1.  Discard the packet.
   xTR:        Not involved; receives nothing.

       Figure 14: An Example of Handling of Replayed Removal of a
                               Subscription

12.1.3.  Replayed Notification Updates

   Figure 15 illustrates the observed exchange when a replayed
   notification update is sent by a misbehaving node (AT) to an xTR.

   AT -> xTR:  Map-Notify(nonce, TTL=0, ...)
   xTR:        Security/integrity protection check.  Check that rcv
               nonce >= local nonce + 1.  Discard the message because
               the nonce check failed.

      Figure 15: An Example of Replayed Notification of Subscription
                                Withdrawal

13.  Explicit Subscriptions

   TBC.

14.  Security Considerations

   This document does not introduce any security considerations beyond
   those already discussed in [I-D.ietf-lisp-pubsub].

15.  IANA Considerations

   This document does not make any request to IANA.

16.  Normative References

   [I-D.ietf-lisp-pubsub]
              Rodriguez-Natal, A., Ermagan, V., Cabellos-Aparicio, A.,
              Barkai, S., and M. Boucadair, "Publish/Subscribe
              Functionality for the Locator/ID Separation Protocol
              (LISP)", Work in Progress, Internet-Draft,
              draft-ietf-lisp-pubsub-10, 6 January 2023.

   [RFC9301]  Farinacci, D., Maino, F., Fuller, V., and A. Cabellos,
              Ed., "Locator/ID Separation Protocol (LISP) Control
              Plane", RFC 9301, DOI 10.17487/RFC9301, October 2022.

Acknowledgments

   Thanks to TBC.

Author's Address

   Mohamed Boucadair
   Orange
   35000 Rennes
   France
   Email: mohamed.boucadair@orange.com