Locator/ID Separation Protocol (LISP) Threat Analysis
draft-ietf-lisp-threats-15

[Ballot comment]

Thanks for doing this document. I think it's a useful part
of the LISP documentation set.

general: I think you underestimate the purely passive
threats - my point on 2.2 below was almost a DISCUSS but
given the WG have already adopted draft-ietf-lisp-crypto I
figured there's no need to try block this. I would really
encourage you to consider the threats that are mitigated by
that specification here, even if those threats weren't
initially considered as being that relevant to LISP (when
the work on LISP began I mean). If that had been done
already in this draft, I'd have been a YES ballot, if that
makes any difference;-)

- intro: I think you should add a few caveats here to say
that you're not covering threats due to specific
implementations and also that the text here captures only
those LISP-specific threats we know about today and that
more *will* be discovered as deployment continues.

- intro: you don't write about DNS here, but if some LISP
configuration settings use DNS names then via DNS with no
DNSSEC an attacker can decide to be on-path sometimes,
off-path other times. That (or similar) might be a nice way
to illustrate the scope here, while also alerting the
implementer to other threats that might affect their
implementations.

- 2.1 I think it'd be valuable to say that the 2.1.x
sections are really just for the sake of exposition - we
cannot assume that all attackers fall into any neat
category. You do note this (more or less) in 2.1.5 but I
think that'd be better done in 2.1. The reason to suggest
this change is that being open to attackers not conforming
to our descriptions is important.

- 2.2 - which section here covers purely passive monitoring?
All the 2.2.x seem to only cover active attacks. (I'd also
suggest moving the 2.2.10 text to 2.2 similarly to the
suggestion above for 2.1.)

- 3.8 - you probably need to note somewhere (not sure where)
that a bad PRNG would improve the attacker's chances in
various ways. I think a calculation of the probability of a
nonce collision (for both a good and not-good PRNG) could be
a useful addition.

- 3.8, 3rd para: I would argue that this threat is a "core"
point to be made, as it's arguably the main LISP-specific
threat and ought be emphasised more, e.g. via a mention and
pointer in the introduction, or otherwise.

- section 4 is pretty weak to be honest. I think you could
at least recognise that LISP, as with any mechanism that
concentrates traffic (between xTRs) means that passively
monitoring plaintext is easier than before and that there is
therefore value in encrypting the traffic between xTRs as is
proposed in draft-ietf-lisp-crypto

- (nit) section 5 has a really odd sentence " The usage will
be designed and defined specific for the needs of the
specification." I've no idea what that means TBH.

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-lisp-threats-14.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: draft-ietf-lisp-threats@ietf.org, jmh@joelhalpern.com, lisp@ietf.org, db3546@att.com, lisp-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (LISP Threats Analysis) to Informational RFC


The IESG has received a request from the Locator/ID Separation Protocol
WG (lisp) to consider the following document:
- 'LISP Threats Analysis'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-01-15. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document provides a threat analysis of the Locator/Identifier
  Separation Protocol (LISP).




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lisp-threats/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-lisp-threats/ballot/


No IPR declarations have been submitted directly on this I-D.

WG LC Consensus during 92nd IETF meeting in Dallas.
During the subsequent two weeks WG LC on the mailing list no issue have been raised, hence consensus is confirmed.