draft-ietf-lisp-sec-21.txt   draft-ietf-lisp-sec-22.txt 
Network Working Group F. Maino Network Working Group F. Maino
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track V. Ermagan Intended status: Standards Track V. Ermagan
Expires: January 8, 2021 Google Expires: July 16, 2021 Google
A. Cabellos A. Cabellos
Universitat Politecnica de Catalunya Universitat Politecnica de Catalunya
D. Saucez D. Saucez
INRIA INRIA
July 7, 2020 January 12, 2021
LISP-Security (LISP-SEC) LISP-Security (LISP-SEC)
draft-ietf-lisp-sec-21 draft-ietf-lisp-sec-22
Abstract Abstract
This memo specifies LISP-SEC, a set of security mechanisms that This memo specifies LISP-SEC, a set of security mechanisms that
provides origin authentication, integrity and anti-replay protection provides origin authentication, integrity and anti-replay protection
to LISP's EID-to-RLOC mapping data conveyed via mapping lookup to LISP's EID-to-RLOC mapping data conveyed via mapping lookup
process. LISP-SEC also enables verification of authorization on EID- process. LISP-SEC also enables verification of authorization on EID-
prefix claims in Map-Reply messages. prefix claims in Map-Reply messages.
Requirements Language Requirements Language
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 8, 2021. This Internet-Draft will expire on July 16, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 16, line 10 skipping to change at page 16, line 10
Processing of the Map-Request MUST proceed in the order described in Processing of the Map-Request MUST proceed in the order described in
the table below, applying the processing corresponding to the first the table below, applying the processing corresponding to the first
rule that matches the conditions indicated in the first column: rule that matches the conditions indicated in the first column:
+----------------+--------------------------------------------------+ +----------------+--------------------------------------------------+
| Matching | Processing | | Matching | Processing |
| Condition | | | Condition | |
+----------------+--------------------------------------------------+ +----------------+--------------------------------------------------+
| 1. At least | The Map-Server MUST generate a LISP-SEC | | 1. At least | The Map-Server MUST generate a LISP-SEC |
| one of the | protected Map-Reply as specified in Section | | one of the | protected Map-Reply as specified in |
| ETRs | 5.7.2. The ETR-Cant-Sign E-bit in the EID | | ETRs | Section 5.7.2. The ETR-Cant-Sign E-bit in the |
| authoritative | Authentication Data (EID-AD) MUST be set to 0. | | authoritative | EID Authentication Data (EID-AD) MUST be set to |
| for the EID | | | for the EID | 0. |
| prefix | | | prefix | |
| included in | | | included in | |
| the Map- | | | the Map- | |
| Request | | | Request | |
| registered | | | registered | |
| with the P-bit | | | with the P-bit | |
| set to 1 | | | set to 1 | |
| | | | | |
| 2. At least | The Map-Server MUST generate a LISP-SEC | | 2. At least | The Map-Server MUST generate a LISP-SEC |
| one of the | protected Encapsulated Map-Request (as specified | | one of the | protected Encapsulated Map-Request (as specified |
skipping to change at page 16, line 36 skipping to change at page 16, line 36
| for the EID | S-bit set to 1 (and the P-bit set to 0). If | | for the EID | S-bit set to 1 (and the P-bit set to 0). If |
| prefix | there is at least one ETR that registered with | | prefix | there is at least one ETR that registered with |
| included in | the S-bit set to 0, the ETR-Cant-Sign E-bit of | | included in | the S-bit set to 0, the ETR-Cant-Sign E-bit of |
| the Map- | the EID-AD MUST be set to 1 to signal the ITR | | the Map- | the EID-AD MUST be set to 1 to signal the ITR |
| Request | that a non LISP-SEC Map-Request might reach | | Request | that a non LISP-SEC Map-Request might reach |
| registered | additional ETRs that have LISP-SEC disabled. | | registered | additional ETRs that have LISP-SEC disabled. |
| with the S-bit | | | with the S-bit | |
| set to 1 | | | set to 1 | |
| | | | | |
| 3. All the | The Map-Server MUST send a Negative Map-Reply | | 3. All the | The Map-Server MUST send a Negative Map-Reply |
| ETRs | protected with LISP-SEC, as described in Section | | ETRs | protected with LISP-SEC, as described in |
| authoritative | 5.7.2. The ETR-Cant-Sign E-bit MUST be set to 1 | | authoritative | Section 5.7.2. The ETR-Cant-Sign E-bit MUST be |
| for the EID | to signal the ITR that a non LISP-SEC Map- | | for the EID | set to 1 to signal the ITR that a non LISP-SEC |
| prefix | Request might reach additional ETRs that have | | prefix | Map-Request might reach additional ETRs that |
| included in | LISP-SEC disabled. | | included in | have LISP-SEC disabled. |
| the Map- | | | the Map- | |
| Request | | | Request | |
| registered | | | registered | |
| with the S-bit | | | with the S-bit | |
| set to 0 | | | set to 0 | |
+----------------+--------------------------------------------------+ +----------------+--------------------------------------------------+
In this way the ITR that sent a LISP-SEC protected Map-Request always In this way the ITR that sent a LISP-SEC protected Map-Request always
receives a LISP-SEC protected Map-Reply. However, the ETR-Cant-Sign receives a LISP-SEC protected Map-Reply. However, the ETR-Cant-Sign
E-bit set to 1 specifies that a non LISP-SEC Map-Request might reach E-bit set to 1 specifies that a non LISP-SEC Map-Request might reach
skipping to change at page 25, line 37 skipping to change at page 25, line 37
Noll for their valuable suggestions provided during the preparation Noll for their valuable suggestions provided during the preparation
of this document. of this document.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-lisp-rfc6833bis] [I-D.ietf-lisp-rfc6833bis]
Farinacci, D., Maino, F., Fuller, V., and A. Cabellos- Farinacci, D., Maino, F., Fuller, V., and A. Cabellos-
Aparicio, "Locator/ID Separation Protocol (LISP) Control- Aparicio, "Locator/ID Separation Protocol (LISP) Control-
Plane", draft-ietf-lisp-rfc6833bis-27 (work in progress), Plane", draft-ietf-lisp-rfc6833bis-30 (work in progress),
January 2020. November 2020.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>. <https://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 27, line 10 skipping to change at page 27, line 10
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[I-D.ietf-lisp-rfc6830bis] [I-D.ietf-lisp-rfc6830bis]
Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A.
Cabellos-Aparicio, "The Locator/ID Separation Protocol Cabellos-Aparicio, "The Locator/ID Separation Protocol
(LISP)", draft-ietf-lisp-rfc6830bis-32 (work in progress), (LISP)", draft-ietf-lisp-rfc6830bis-36 (work in progress),
March 2020. November 2020.
Authors' Addresses Authors' Addresses
Fabio Maino Fabio Maino
Cisco Systems Cisco Systems
170 Tasman Drive 170 Tasman Drive
San Jose, California 95134 San Jose, California 95134
USA USA
Email: fmaino@cisco.com Email: fmaino@cisco.com
 End of changes. 9 change blocks. 
18 lines changed or deleted 18 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/