I may have missed something, but I think that in the case of the first
notify, it does actually start at the Itr. Specifically, it starts with
an ItR sending a subscribe request. The MS responds to that with a
notify. What I am suggesting is that (when security is desired) the Itr
includes the same kind of information in its subscribe that goes into
lisp-sec. And that the reply, instead of going directly from the MS
back to the ITR goes through the ETR so that the rest of the lisp-sec
procedures can be applied.
I would then use that as a bootstrap, putting necessary secrets to
create the key information so that the MS can sign and the ITR can
verify future notifies that go directly from the MS to the ITR.
Yours,
Joel
On 3/31/2020 1:33 PM, Dino Farinacci wrote:
thinking about Alberto's request, and reading the document, I wondered if the
security could be improved by sending the first notify back via the ETR, and
coupling it to LISP-SEC to protect the information and provide needed keys for
further messages? It seems like we do need a way to protect the notifications,
and requiring associations from every ITR to every MS who may provide
notifications seems impossible.
You can’t use LISP-SEC because the transactional nature of it starts with an
ITR and a one-time-key, that is used to signed Map-Replies returning to it.
For Map-Notify messages send from Map-Server via ETR, there would be no ITR
one-time-key. And if the Map-Server used its own one-time-key, the ITR couldn’t
derive it. Note with LISP-SEC the map-server one-time-key is derived from the
ITR’s one-time-key in the Map-Request.
Dino
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
