Internet-Draft | LISP PubSub Examples | February 2023 |
Boucadair | Expires 14 August 2023 | [Page] |
This document provides a set of flow examples to illustrate the use of LISP PubSub specification.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Locator/ID Separation Protocol Working Group mailing list (lisp@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/lisp/.¶
Source for this draft and an issue tracker can be found at https://github.com/boucadair/lisp-pubsub-flow-examples.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 August 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document provides a set of flow examples as a companion to the LISP PubSub specification [I-D.ietf-lisp-pubsub]. The document is meant to illustrate and assess the behavior of LISP control nodes under specific conditions.¶
The examples use a simplified/simple setup for the sake of illustration.¶
This document uses the terms defined in [I-D.ietf-lisp-pubsub].¶
The following terms and notations are used in this document:¶
the nonce that is initially included in a Map-Request to create a subscription.¶
the Map-Request that was used to create the initial subscription. This request has the nonce value set to init_nonce.¶
incremented nonce by 1.¶
the key identifier that was used in the Map-Request with init_nonce.¶
Attacker¶
Figure 1 shows the example of a successful subscription. The example assumes that a security association is in place between the xTR ad the Map-Server (Section 7.1 of [I-D.ietf-lisp-pubsub]) and that all integrity-protection checks are successfully passed.¶
Figure 2 illustrates the example of a successful delivery of notification updates that match an existing subscription state. This example assumes that a security association is in place between the xTR and the Map-Server (Section 7.1 of [I-D.ietf-lisp-pubsub]) and that all subsequent integrity-protection checks are successfully passed.¶
Unlike the example depicted in Figure 2, Figure 3 illustrates the behavior that is experienced when a subset of Map-Notify messages are lost during their transfer. This example assumes that at least one of these Map-Notify messages is received by the target xTR.¶
Figure 4 assumes that, due to network conditions, all Map-Notifies are lost.¶
Note that no specific action is currently specified in [I-D.ietf-lisp-pubsub] when such a failure occurs. That is, the entry is kept active and future updates will trigger new Map-Notify cycles. Also, the current specification does not recommend a behavior (e.g., regular refreshes) so that an xTR avoids maintaining stale mappings. Such details are implementation specific (see, for example, Section 7). In order to accommodate Map-Notify messages lost, the nonce checks on the xTR should not be on the exact match vs "nonce + 1"; messages with "received nonce >= local nonce + 1" should be accepted.¶
Figure 5 illustrates the example of uccessful update of an existing subscription. The triggers for such a refresh are implementation specific.¶
This example is similar to Section 3, except that the Map-Notify-Ack is not delivered to the Map-Server. The Map-Server retransmits the Map-Notify 3 times and then removes the subscription. A Map-Notify to explicitly indicate the reason for such a removal is also generated by the Map-Server. If the xTR receives this Map-Notify, the xTR may decide to send the Map-Request to reinstall back the removed state. The procedure to reinstall the state is similar to Figure 1.¶
For various reasons, an xTR may lose its subscriptions (or at least the nonce of a subscription). Note that losing the nonce is not compliant with the following from the PubSub specification:¶
The xTR MUST keep track of the last nonce seen in a Map-Notify received as a publication from the Map-Server for the EID-Record.¶
If the same key is used, the Map-Request is likely to be rejected by the Map-Server and, thus, stale subscriptions will be maintained by the Map-Server. The request is silently discarded by the Map-Server. This behavior is similar to this behavior in [RFC9301]:¶
If a Map-Register is received with a nonce value that is not greater than the saved nonce, it MUST drop the Map-Register message and SHOULD log the fact that a replay attack could have occurred.¶
If the Map-Server stores all the key-ids that were used by an xTR for its subscriptions, the Map-Server may accept overriding an existing state without enforcing the nonce check but if and only if a new key is used (see Figure 8) and that the new security association succeeds.¶
However, the approach in Figure 8 may have scalability issues as the Map-Server must store all the key identifiers that were ever used. Otherwise, an attacker can replay a message for which the key-id is not stored anymore by the Map-Server. This issue is not encountered if LISP-SEC messages are timestamped.¶
Note that currently none of LISP specifications use timestamps.¶
Figure 9 illustrates the observed exchange to successfully delete a subscription.¶
Figure 10 illustrates the observed exchange to notify the withdrawal of a subscription at the initiative of the Map-Server.¶
When first bootrsapped, an xTR may delete any (stale) state that might be associated with its provisioned xTR-ID and security association. To that aim, the xTR sends a Map-Request that has only one ITR-RLOC with AFI = 0.¶
A Map-Notify will be sent back by the Map-Server even if no subscription is found as illustrated in Figure 11.¶
Figure 12 shows the example of a replayed subscription request. The request will be silently dropped the Map-Server because of nonce check failure.¶
Note that legitimate Map-Requests issued from the authentic xTR may be blocked as a side effect of enforcing a rate-lmit of the replayed messages. An example is shown in Figure 13.¶
If replayed attacks are not counted as part of the rate-limit policy, legitimate Map-Requests will be procecced as illustrate in Figure 14.¶
Figure 15 depicts the example of the exchange that occurs when an attacker sends a replayed withdrawal request. The request will be silently discared by the Map-Server.¶
Figure 16 illustrates the observed exchange when a replayed notification update is sent by a misbehaving node (AT) to an xTR. This example assumes that the replayed message is a replay of Map-Server triggered withdrawal.¶
This document does not introduce any security considerations beyond those already discussed in [I-D.ietf-lisp-pubsub].¶
This document does not make any request to IANA.¶
Thanks to TBC.¶