thinking about Alberto's request, and reading the document, I wondered
if the security could be improved by sending the first notify back via
the ETR, and coupling it to LISP-SEC to protect the information and
provide needed keys for further messages? It seems like we do need a
way to protect the notifications, and requiring associations from every
ITR to every MS who may provide notifications seems impossible.
Yours,
Joel
On 3/17/2020 11:56 PM, Alberto Rodriguez Natal (natal) wrote:
Thanks Joel, I've tried to summarize my line of thought below. There may be
other aspects I'm missing.
In traditional LISP, there is some shared state between a Map-Server and an ETR
in order to validate Map-Notifies. First, for integrity protection Map-Notifies
include some authentication data generated using a shared key between the
Map-Server and the ETR. Second, to protect against replay attacks the nonce
used in the Map-Register/Map-Notify exchange is incremented over time. This
requires that both the Map-Server and the ETR are in synch regarding the shared
key and incremental nonce.
PubSub introduces a new protocol operation where a Map-Server can send
Map-Notify messages to ITRs. This departs from the traditional ETR-MS
relationship stated above and introduces a few questions. How to keep a shared
key at scale between ITRs and a Map-Server? The ratio of ITRs-to-MS is
potentially orders of magnitude bigger than the ratio of ETRs-to-MS, are shared
keys even feasible? Besides, how to handle the nonce increment when the ITR is
also an ETR? Do we need to keep track of two Map-Notify nonces, one for the
Map-Register exchange and another for PubSub operation?
Thanks,
Alberto
On 3/16/20, 11:24 AM, "Joel Halpern Direct" <[email protected]> wrote:
Thank you Alberto. To see if folks want to engage on the topic, could
you write a short email describing the question and, if you can, some of
the things that you would like to discuss?
Folks, let's be clear. I do expect we will have a virtual interim.
Maybe even more than one. I would really like to see groundwork on the
email list so that any request by the chairs for folks to make time is
for more than just some presentations.
Thank you,
Joel
On 3/16/2020 2:15 PM, Alberto Rodriguez Natal (natal) wrote:
> Joel, all,
>
> I'm in favor of having a virtual interim meeting. One of the points that I have on
my personal list of "things to discuss when we have time" is the aspect of
(unsolicited) Map-Notifies on PubSub. I think it can benefit from some deeper discussion
with the WG regarding, nonces, security associations, ITR-MS relationship, etc. If the WG is
up to it, I can bring the topic for discussion and get some opinions on an interim.
>
> Thanks,
> Alberto
>
>
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
