Presentation is loading. Please wait.

Presentation is loading. Please wait.

draft-ietf-lisp-sec-12

Published byKarin Palmer Modified over 6 years ago

Similar presentations

Presentation on theme: "draft-ietf-lisp-sec-12"— Presentation transcript:

1 draft-ietf-lisp-sec-12
F. Maino, V. Ermagan, A. Cabellos, D. Saucez IETF 97, Seoul – November 2016

2 Agenda Most Significant Changes LISP-SEC Overview Q&A Scope
Threat Model LISP-SEC Operations Q&A

3 Most Significant Changes
Section 6 (Security Considerations) Section 6.1 (Mapping System Security) states assumptions on mapping system security Section 6.4 (Deploying LISP-SEC) warns that according to RFC2119 the security implications associated with the LISP-SEC threat model need to be well understood before ignoring each specific “SHOULD” recommendation. Two examples are brought up: allowing transport of unencrypted OTK between xTR and MS/MR allowing ETR/MS to choose HMAC algorithms different than the one specified by the ITR

4 Most Significant Changes (cont)
Section 7 (IANA Considerations) rewritten to be compliant with RFC Registries have been requested, and provisioned with initial values, for: ECM Authentication Data Type Map-Reply Authentication Data Type LISP-SEC Authentication Data HMAC ID LISP-SEC Authentication Data Key Wrap ID LISP-SEC Authentication Data Key Derivation Function ID

5 LISP-SEC Overview

6 Scope Protect the Map-Request/Map-Reply exchange
Map-Reply origin authentication, anti-replay and integrity protection Protect from over claiming attacks Prevent the ETR from over claiming EID prefixes

7 Threat Model Map Resolver Map Server ITR ETR Site Y Site X ITR ETR
Mapping System Map Resolver Map Server /16 -> {RLOC} D= , S= ITR EID ETR Site Y Site X /16 ITR ETR

8 Threat Model The Mapping System is secure and well functioning, and delivers Map-Requests to their intended destinations as identified by the EID EID prefix authorization is delegated to mapping Server Configuration Mapping Server asserts EID prefix authorization Mapping Server is trusted to do proper RLOC mapping (proxy case) In the case of ALT Mapping System (as an example), GRE tunnels prevent Man-in-the-Middle (MiM) attacks and provide integrity and confidentiality of the information carried over ALT (i.e. the nonce and the OTK) GRE tunnels can be secured with IPsec Since the LISP-MN ETR is authoritative for his own EID prefix, we need to verify how the ETR certificate can be used to assert prefix authorization in RPKI

9 Threat Model (II) MiM attacks can be mounted outside, and only outside, of the Mapping System infrastructure ETR can mount prefix overclaiming attacks maliciously or unintentionally (e.g. because the ETR is hacked/compromised)

10 One-Time Keyed HMAC on Map-Request/Reply
Mapping System OTK Map Resolver OTK-ETR = HKDF(OTK) Map-Request , n, OTK Map Server K /16 -> {RLOC} Map-Request , n AES_wrap_keyK(OTK) K’ Map-Request ,n AES_wrap_keyK’(OTK-ETR=HKDF(OTK)) EID-AD: HMACOTK-MS[{EID prfx}] K D= , S= ITR K’ : n=nonce, OTK=One Time Key EID OTK-ETR Map-Reply , n EID-AD: HMACOTK-MS[{EID prfx}] LOC-AD: HMACOTK-ETR[{Rlocs}] ETR Site Y Site X /16 ETR ITR

11 Thanks!

Download ppt "draft-ietf-lisp-sec-12"

Similar presentations

LISP Mobile Node LISP Mobile Node draft-meyer-lisp-mn-00.txt Dino Farinacci, Vince Fuller, Darrel Lewis and David Meyer IETF StockholmHiroshima LISP Working.

LISP Mobile Node LISP Mobile Node draft-meyer-lisp-mn-00.txt Dino Farinacci, Vince Fuller, Darrel Lewis and David Meyer IETF StockholmHiroshima LISP Working.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.

Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.
IETF 72 – July 2008 Vince Fuller, Darrel Lewis, Eliot Lear, Scott Brim, Dave Oran, Noel Chiappa, John Curran, Dino Farinacci, and David Meyer LISP Deployment.

IETF 72 – July 2008 Vince Fuller, Darrel Lewis, Eliot Lear, Scott Brim, Dave Oran, Noel Chiappa, John Curran, Dino Farinacci, and David Meyer LISP Deployment.
1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012.

1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
21.11.2013 Petteri Sirén. Content Preface Locator/ID Separation Protocol (LISP) How LISP works Methods how LISP was studied Test cases Result Summary.

Petteri Sirén. Content Preface Locator/ID Separation Protocol (LISP) How LISP works Methods how LISP was studied Test cases Result Summary.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.

OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
LISP Mapping Request Format And related topics Joel M. Halpern

LISP Mapping Request Format And related topics Joel M. Halpern
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 New LISP Mapping System: LISP-DDT Presentation to LNOG Darrel Lewis on behalf.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 New LISP Mapping System: LISP-DDT Presentation to LNOG Darrel Lewis on behalf.
LISP BOF, IETF Dublin, July, 2008 Vince Fuller (for the LISP crew) LISP+ALT Mapping System.

LISP BOF, IETF Dublin, July, 2008 Vince Fuller (for the LISP crew) LISP+ALT Mapping System.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
1 Julien Laganier MEXT WG, IETF-79, Nov. 2010 Authorizing MIPv6 Binding Update with Cryptographically Generated Addresses

1 Julien Laganier MEXT WG, IETF-79, Nov Authorizing MIPv6 Binding Update with Cryptographically Generated Addresses
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG 2012.07.30.

PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.

SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.

Similar presentations

Ads by Google