Hello,
While I have not gone through the contents of some of the recent versions of
this draft, the idea of a separate/dedicated confidential mechanism for each
encapsulation/overlay protocol(LISP here) worries me. This gives attackers the
opportunity to play with deficiencies of multiple such protocols/mechanisms as
against using a standard mechanism (IPSec) here that’s likely to be more robust
on that front. Ultimately, the underlay that LISP uses is based on IP (or
IPv6), so it would be preferable to use IPSec, which is a standard robust
proven mechanism for IP security. Having worked on integrating LISP and IPSec
around 4-5 years back, I do realise there could be some challenges but some of
them are clearly the results of ’security as an afterthought’ in the protocol
design.
Thanks,
Manish
On 21-Sep-2016, at 12:54 AM, The IESG <iesg-secretary(_at_)ietf(_dot_)org>
wrote:
The IESG has received a request from the Locator/ID Separation Protocol
WG (lisp) to consider the following document:
- 'LISP Data-Plane Confidentiality'
<draft-ietf-lisp-crypto-07.txt> as Experimental RFC
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2016-10-04. Exceptionally, comments
may be
sent to iesg(_at_)ietf(_dot_)org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.
Abstract
This document describes a mechanism for encrypting LISP encapsulated
traffic. The design describes how key exchange is achieved using
existing LISP control-plane mechanisms as well as how to secure the
LISP data-plane from third-party surveillance attacks.
The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lisp-crypto/
IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-lisp-crypto/ballot/
No IPR declarations have been submitted directly on this I-D.
_______________________________________________
lisp mailing list
lisp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/lisp