Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Document 13214141

advertisement 
Security Aspects of
Locator/ID Separation Protocol Gregg Schudel
Cisco Systems, Inc. gschudel@cisco.com Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 2 Agenda
1.  LISP Overview
2.  LISP Benefits
3.  Security Aspects of LISP
4.  Questions?
5.  References
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 3 LISP Overview
LISP is the “Locator/ID Separation Protocol”
LISP is being developed under the IETF LISP WG
Similarly named ITU-T efforts (e.g. SG13) are not the
same as the IETF version of LISP
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 4 LISP Overview
Today’s Internet Behavior
Internet
x.y.z.1
Device IPv4 or IPv6
address represents
identity and location
w.z.y.9
When the device moves, it gets
a new IPv4 or IPv6 address for
its new identity and location
LISP Behavior
Internet
x.y.z.1
Device IPv4 or IPv6 a.b.c.1
address represents
identity only
e.f.g.7
When the device moves, keeps
its IPv4 or IPv6 address.
It has the same identity
x.y.z.1
Only the location changes
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 5 LISP Overview
IP encapsulation scheme
  Decouples host IDENTITY and LOCATION
  Dynamic IDENTITY-to-LOCATION mapping resolution
  Address Family agnostic day-one
IPv4-in-IPv4, IPv4-in-IPv6, IPv6-in-IPv4, IPv6-in-IPv6
Minimal Deployment Impact
  No changes to end systems or core
  Minimal changes to edge devices
Incrementally deployable
  LISP-to-LISP and LISP-to-non-LISP considered day-one
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 6 LISP Overview
LISP Map Lookup is analogous to a DNS lookup
  DNS resolves IP addresses for URLs
[ who is www.itu.int ] ?
host
[ 156.106.202.5 ]
DNS
Server
DNS
URL Resolution
  LISP resolves locators for queried identities
[ where is x.y.z.1 ] ?
LISP
router
Geneva, 6-­‐7 December 2010 [ location is a.b.c.1 ]
LISP
Mapping
System
Addressing security challenges on a global scale LISP
Identity-to-location
Map Resolution
7 LISP Overview
LISP Forwarding
S
x.y.z.1
Geneva, 6-­‐7 December 2010 LISP
router
Internet
a.b.c.1
LISP
router
r.s.t.7
Addressing security challenges on a global scale D
e.f.g.9
8 LISP Overview
Efficient Multi-Homing
  IP Portability
Internet
  Ingress Traffic Engineering
without BGP
LISP
Site
LISP
routers
v6
IPv6 Transition Support
LISP
routers
  v6-over-v4
LISP
routers
  v4-over-v6
IPv6
Internet
IPv4
Internet
v4 v6
v6
VM-Mobility
  Cloud Computing
Data
Center 1
LISP
routers
VM
a.b.c.1
Addressing security challenges on a global scale LISP
routers
VM move
  Segmentation
Geneva, 6-­‐7 December 2010 Data
Center 2
Internet
VM
a.b.c.1
9 LISP Overview
LISP is deployed!
  >3 years
  >85 sites
  13 countries
Six Implementations
  Cisco: IOS, NX-OS
  FreeBSD: OpenLISP
  Linux: two (2) implementations
  Android
No Intellectual Property – open design
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 10 Security Aspects of LISP
Security…
… of the protocol
  Inherent security of the protocol itself
… impact of the protocol on existing network security
  Changes that can be/need be made to a site and core
network to handle the protocol
… enabled by the protocol
  New types of network security that can be deployed
because of the new protocol
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 11 Security Aspects of LISP
Security… of the protocol
Internet + LISP is no less secure than existing Internet
  The protocol must be “deployable”
Security of the protocol is added as driven by
operational requirements
  Authentication of Map-Registers
  Nonce in Map-Request/Map-Reply
  Other internal specifications (see Internet draft)
Protocol developed to be enhanced by other security
mechanisms as needed: e.g.
  IPsec and Group Encrypted Transport (GET)
  PKI for control plane
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 12 Security Aspects of LISP
Security… impact of protocol on existing network
security
Core/Internet Point of Reference
  Inner (host) address still
available to core for policy
enforcement
−  Requires recognition of
LISP encapsulation
−  No different than GRE,
MPLS, or other
encapsulations
Host IP
available
Internet
S
x.y.z.1
a.b.c.1
LISP
router
Topological
location
r.s.t.7
LISP
router
D
e.f.g.9
−  This is much better than NAT which obscures original IP address
  Outer address points to “topological” location
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 13 Security Aspects of LISP
Security… impact of protocol on existing network
security
Site Point of Reference
  No changes to existing
Firewall and ACL policies
since the original packets
are still visible
  Simplified access-control
policy development and
enforcement
Geneva, 6-­‐7 December 2010 Primary
Data Center
Internet
LISP
router
Disaster-Recovery
Data Center
LISP
router
Same
FW Rules
a.b.c.0/16
Addressing security challenges on a global scale Same
IP addresses
a.b.c.0/16
14 Security Aspects of LISP
Security… enabled by the protocol
Simplified Firewall and ACL policies
  Host IP address (identity) never changes
−  policy enforcement by “identity” not by “location”
New Mechanisms from “built-in” LISP functions
  Ingress traffic engineering
mechanism can be used as
a DDoS “push-back” policy
Non-LISP
Site
LISP Site
−  Push a “drop” policy all
the way back to the
encapsulator
Non-LISP
Site
−  Simple “redirection” to
scrubber center
Geneva, 6-­‐7 December 2010 “drop”
policy push
Internet
Addressing security challenges on a global scale LISP
router
LISP Site
15 Security Aspects of LISP
Security… enabled by the protocol
New Mechanisms from “built-in” LISP functions (cont.)
  Enables ability to deploy “high-scale VPNs” of >10,000 sites
−  Routing protocol (and other state) typically limit the scale of VPNs
−  Out-of-band LISP control-plane enables high-scale VPNs
Data
Center
User
Network
HQ LISP Site
Internet
Remote
LISP Site
Geneva, 6-­‐7 December 2010 Remote
LISP Site
. . x10,000 . .
Remote
LISP Site
Addressing security challenges on a global scale Remote
LISP Site
16 Questions?
Geneva, 6-­‐7 December 2010 Addressing security challenges on a global scale 17 References
LISP Information
•  IETF LISP WG h/p://tools.ie4.org/wg/lisp/ •  LISP Beta Network h/p://www.lisp4.net h/p://www.lisp6.net
•  Cisco LISP Site h/p://lisp4.cisco.com h/p://lisp6.cisco.com Mailing Lists
•  IETF LISP WG lisp@ie4.org •  LISP Interest
Geneva, 6-­‐7 December 2010 lisp-­‐interest@puck.nether.net Addressing security challenges on a global scale 18
Related documents
3460:460/560 Artificial Intelligence and Heuristic Programming
3460:460/560 Artificial Intelligence and Heuristic Programming
COURSE OUTLINE: CS 462 “Artificial Intelligence”
COURSE OUTLINE: CS 462 “Artificial Intelligence”
Unlicensed-7-PDF221-222_lips leangue programming
Unlicensed-7-PDF221-222_lips leangue programming
purify
purify
Approaches to Teaching the Programming Languages Course
Approaches to Teaching the Programming Languages Course
COURSE OUTLINE: CS 462 “Artificial Intelligence”
COURSE OUTLINE: CS 462 “Artificial Intelligence”
Download
advertisement