[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [lisp-interest] LISP-ALT and security

To: Darrel Lewis (darlewis) <darlewis@cisco.com>
Subject: Re: [lisp-interest] LISP-ALT and security
From: Roque Gagliano <rgaglian@fing.edu.uy>
Date: Thu, 31 Jul 2008 13:56:01 +0100
Cc: "Erik Nordmark" <erik.nordmark@sun.com>, "Scott Brim" <swb@employees.org>, <lisp-interest@lists.civil-tongue.net>
In-reply-to: <60C4A248E730F249990993E3B9BD44D8060FF9B8@xmb-sjc-218.amer.cisco.com>
References: <48904930.7060702@sun.com> <48905DD6.6000102@employees.org> <48907B96.8000709@sun.com> <60C4A248E730F249990993E3B9BD44D8060FF9B8@xmb-sjc-218.amer.cisco.com>
Sender: owner-list-interest@lists.civil-tongue.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Darrel,


1)  The ITR gets a map reply from the remote ETR, and insert's the /32
(or configurable longer) prefix for the destination in the data cache.
This lets the traffic for the dest-IP to get flowing.  The ITR could
also insert or not insert the shorter EID prefix of the map-reply
pending verifification, described in step 2).

2) Then the ITR takes the EID prefix from the map-reply andinitiates a

new map-request to the an RIR server reachable the ALT (a well known,
configured destination).  The EID-RIR server replies with a map-reply
packet with no RLOCs, it merely matches the length of the EID prefix

from the EID-RIR database. If the length of the EID prefix returnedinthis map-reply is the same or longer than the original ITR-ETR map-reply

then the mapping is validated and therefore inserted into the ITRs
data-cache.

I believe it is good hack, well though!. I wonder if it is a good ideato off load the cryoto check from the ITR to another box inside theITR network.

Here is what I though, the CMS signed matierial with the certificatekey could contain:

	- All my IPv4 an IPv6 prefixes with their valid prefix lengths.
	- All the RLOC that I may be using.

These info should be pretty long term. So you can download the Signingmaterial once a day such as you are doing with the ROAs.


Roque

So this requires a bit more mechanisms in the alt (a new servercalled a

reply verification server) that the EID-RIR would operate, but no new
protocol messages.  It could be a viable work around until SIDR is
deployed.

What do you think?  Comments welcome.

-Darrel


P.S. thanks to Dino, Dave, and Vince for their ideas on this during
breakfast.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkiRtmEACgkQnk+WSgHpbO7ncACfainQSvHjzDgd1KHhNiC4gbZn
RasAoNwEhNzXEEd81eqUVoLdLds4f4Fh
=l9LE
-----END PGP SIGNATURE-----

References:
- [lisp-interest] LISP-ALT and security
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: [lisp-interest] LISP-ALT and security
  - From: Scott Brim <swb@employees.org>
- Re: [lisp-interest] LISP-ALT and security
  - From: Erik Nordmark <erik.nordmark@sun.com>
- RE: [lisp-interest] LISP-ALT and security
  - From: "Darrel Lewis (darlewis)" <darlewis@cisco.com>

Prev by Date: Re: [lisp-interest] LISP-ALT and security
Next by Date: Re: [lisp-interest] LISP-ALT and security
Previous by thread: Re: [lisp-interest] LISP-ALT and security
Next by thread: Re: [lisp-interest] LISP-ALT and security
Index(es):
- Date
- Thread