One of the most prominent ID/Loc split based addressing schemes is the Locator/Identifier Separation Protocol (LISP) [2]. LISP is a Cisco initiative promoted as an open standard through the IETF LISP Working Group [9]. It separates the location and identity information of a device into Routing Locators (RLOCs) and Endpoint Identifiers (EIDs). LISP supports provider independent and globally unique Identifier addresses, and employs a network-based Map-and-Encap scheme, along with an Identifier-to-Locator Mapping System to bind the two address spaces. Another important feature is that LISP is address family agnostic, so the Map-and-Encap and Decap processes can handle mixes of IPv4 and IPv6 indistinctly. These features have made it highly flexible, and therefore it is considered an enabler for a variety of applications. LISP achieves the Map-and-Encap (i.e., the address translation) and Decap with the help of two border network elements, the Ingress Tunnel Router (ITR) and the Egress Tunnel Router (ETR). The ITR border router is responsible for performing the map-and-encap procedure for the IP packets received from the hosts (i.e., EID holders) within the domain. For every packet destined for an alien domain, the ITR consults the mapping system for an up-to-date EID-to-RLOC mapping of the EID address present in the destination field of the IP header of the received packet. Based on the EID-to-RLOC mapping, the ITR prepends another IP header to the packet, with its own RLOC address as the source address and the mapped RLOC address, obtained from the EID-to-RLOC mapping query, as the destination address, before pushing it out toward the Internet. That is, the ITR encapsulates the EID IP header inside the RLOC IP header. The mapped RLOC address is in fact the RLOC address of the ETR of the destination domain.
When the ETR receives a packet destined for itself, it strips off the outer IP header (i.e., Decap) containing the RLOC addresses and pushes the packet, now with one IP header containing the EID addresses, into the destination domain to reach its target. This map-and-encap procedure is also referred to as LISP data-plane operation. Fig. 8.1 illustrates how an IP packet moves from one LISP site to another.
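The data-plane steps just described, as an added example that is not part of the original chapter or of any LISP implementation: an ITR map cache seeded with the EID-to-RLOC mappings shown in Fig. 8.1, a longest-prefix lookup, the map-and-encap that prepends the RLOC header, and the ETR decap that strips it. The ITR's own RLOC (11.11.11.11) and the packet representation are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed map cache using the EID prefix -> RLOC pairs from Fig. 8.1.
MAP_CACHE = {
    ipaddress.ip_network("2.2.2.0/24"): ipaddress.ip_address("22.22.22.22"),
    ipaddress.ip_network("3.3.3.0/24"): ipaddress.ip_address("33.33.33.33"),
}

@dataclass
class IPHeader:
    src: str
    dst: str

@dataclass
class Packet:
    headers: list   # outermost header first; one header = EID packet, two = encapsulated
    payload: bytes

def lookup_rloc(eid, cache=MAP_CACHE):
    """Longest-prefix match of a destination EID in the map cache; None on a miss."""
    addr = ipaddress.ip_address(eid)
    best = None
    for prefix, rloc in cache.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, rloc)
    return str(best[1]) if best else None

def itr_encap(pkt, itr_rloc, cache=MAP_CACHE):
    """Map-and-encap: prepend an outer header (src = this ITR's RLOC, dst = mapped RLOC).
    Returns None on a cache miss, where the ITR would issue a Map Request instead."""
    dst_rloc = lookup_rloc(pkt.headers[0].dst, cache)
    if dst_rloc is None:
        return None
    outer = IPHeader(src=itr_rloc, dst=dst_rloc)
    return Packet(headers=[outer] + pkt.headers, payload=pkt.payload)

def etr_decap(pkt, etr_rloc):
    """Decap: strip the outer RLOC header, but only if it is addressed to this ETR."""
    if pkt.headers[0].dst != etr_rloc:
        raise ValueError("outer header not addressed to this ETR")
    return Packet(headers=pkt.headers[1:], payload=pkt.payload)
```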
8.2. Locator/Identifier Separation Protocol (LISP)
[Figure 8.1 (image not reproduced): a Mapping System with Map Server (MS) and Map Resolver (MR); LISP-Site1 and LISP-Site2, each with an xTR; EID address space at each site and RLOC address space between them; control-plane (Map Request, Map Reply) and data-plane flows; host addresses 1.1.1.1 and 2.2.2.2 (EID1, EID2); sample EID-to-RLOC mappings 2.2.2.0/24 -> 22.22.22.22 and 3.3.3.0/24 -> 33.33.33.33.]
Figure 8.1: LISP overview.
The process of retrieving EID-to-RLOC mappings through a mapping system is termed LISP control-plane operation. The LISP data-plane does not depend on a particular mapping system and remains agnostic of it as long as the messages used to query the mapping system and to receive its responses remain compliant with the LISP baseline specifications. The two mapping systems considered by LISP are LISP Alternative Logical Topology (LISP-ALT) [139] and LISP Delegated Database Tree (LISP-DDT) [140]. LISP-ALT employs a routing protocol for its operations, whereas LISP-DDT uses a hierarchical distributed database infrastructure similar to the DNS system. The ITR requests an EID-to-RLOC mapping lookup from the mapping system by sending a Map Request message to the Map Resolver (MR). The MR alerts the Map Server (MS) responsible for holding the particular EID-to-RLOC mapping for the query. The respective MS directs the mapping query to the corresponding ETR, which owns the particular RLOC address. The ETR sends a Map Reply message directly to the querying ITR. The ITR caches the EID-to-RLOC mappings to avoid consulting the mapping system every time.
In Fig. 8.1, EID1 in LISP-Site1 sends an IP packet to EID2 in LISP-Site2. For that purpose the ITR of LISP-Site1 initiates a Map Request, for which it receives a Map Reply from the ETR of the destination domain, LISP-Site2. Once the EID-to-RLOC mapping is learned, LISP-Site1's ITR performs map-and-encap before the IP packet is on its way toward the destination. It is worth mentioning that an ETR has to register the EID prefixes in its domain, along with the associated RLOC addresses, with an MS in the mapping system before those EID prefixes become reachable. The registration can be done against a single RLOC address or a set of them, thus enabling global reachability. As currently defined in [2], this map registration process
is a static procedure based on manual configurations that need to be set in advance. These configurations have to be made both on the ETRs and on the Map Server. Once the manual configurations are in place, each ETR attempts to register its mappings with the Map Server. It does so by sending a Map Register message containing the list of EID-prefixes it claims to represent, along with authentication data. The MS can verify the request against the predefined configuration using pre-shared keys. The pre-shared keys allow the validity of the map registration to be assessed, since each ETR has its own key, which is shared only with the Map Server.
From the security perspective, LISP defines a few intrinsic security mechanisms as a first line of defense, including Map Request and Map Reply nonces, Map Register authentication, and the EID source check.
The ITR inserts a pseudo-randomly generated 64-bit nonce in the Map Request message, which the ETR must copy into the Map Reply message in order for the ITR to accept it as a genuine reply to a mapping lookup request it made earlier. LISP also suggests using a 24-bit nonce when sending IP packets on the data-plane, i.e., the ITR inserts different nonces for different destinations in the IP packet during the map-and-encap procedure. The use of the nonce attempts to provide some level of integrity to Map Request and Map Reply messages; however, it can be undermined by on-path as well as off-path attackers using brute-force techniques.
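The Map Request/Map Reply nonce check from the ITR's point of view, as an added example that is not part of the original chapter or of any LISP implementation: the ITR records each outstanding request under its 64-bit nonce, the ETR echoes the nonce, and the ITR installs a mapping only from a reply whose nonce matches a pending request for that EID prefix, discarding replies with an unknown nonce or a nonce that has already been consumed. The dict-based message layout is a constructed simplification.

```python
import secrets

class ITRControlPlane:
    """Tracks outstanding Map Requests by nonce and accepts only matching Map Replies."""

    def __init__(self):
        self.pending = {}     # nonce -> EID prefix being resolved
        self.map_cache = {}   # EID prefix -> list of RLOCs learned from accepted replies

    def send_map_request(self, eid_prefix):
        nonce = secrets.randbits(64)   # pseudo-random 64-bit nonce, as the spec requires
        self.pending[nonce] = eid_prefix
        return {"type": "Map-Request", "nonce": nonce, "eid_prefix": eid_prefix}

    def receive_map_reply(self, reply):
        """Return True and cache the mapping only if the reply's nonce matches a
        pending request for the same EID prefix; otherwise drop it."""
        nonce = reply.get("nonce")
        if self.pending.get(nonce) != reply.get("eid_prefix"):
            return False   # unknown/guessed nonce, replayed reply, or prefix mismatch
        del self.pending[nonce]   # a nonce is good for exactly one reply
        self.map_cache[reply["eid_prefix"]] = list(reply["rlocs"])
        return True

def etr_answer(request, rlocs):
    """ETR side: copy the request nonce into the Map Reply."""
    return {"type": "Map-Reply", "nonce": request["nonce"],
            "eid_prefix": request["eid_prefix"], "rlocs": list(rlocs)}
```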
The Map Register authentication refers to the authentication data included in the Map Register message. The authentication data provides a minimum security level in the map registration process. The current specification defines configuring the MS and the ETR with a shared secret key to produce the authentication data using Message Authentication Code (MAC) algorithms. In this way the Map Register message can be authenticated. The digest information is encrypted by the shared key on the ETR, and only an MS that has the same key is able to verify the authenticity of the registration message and allow the EID-prefix registration. Although the LISP specification recommends that an ITR verify the EID source of a received packet, it does not lay out any particular procedure for doing so.
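The Map Register authentication on both sides, as an added example that is not part of the original chapter or of any LISP implementation: the ETR computes a keyed MAC over its registration under the pre-shared key, and the MS recomputes it under the key configured for that ETR and additionally checks that every claimed EID prefix is one the ETR was configured to own. The MAC is modelled on the HMAC-SHA-256-128 option listed in the LISP Map Server specification; the message layout, ETR identifiers and keys are constructed for this example.

```python
import hmac
import hashlib

# Map Server configuration set in advance for each ETR: its pre-shared key and
# the EID prefixes it is allowed to register (constructed sample values).
MS_CONFIG = {
    "etr-site2": {"key": b"constructed-site2-psk", "prefixes": {"2.2.2.0/24"}},
}

def _canonical(etr_id, eid_prefixes, rlocs):
    """Deterministic byte serialization of the fields the MAC covers."""
    return f"{etr_id}|{','.join(sorted(eid_prefixes))}|{','.join(sorted(rlocs))}".encode()

def _auth_data(key, body):
    # HMAC-SHA-256 truncated to 128 bits (the HMAC-SHA-256-128 key-id option)
    return hmac.new(key, body, hashlib.sha256).digest()[:16]

def etr_build_map_register(etr_id, eid_prefixes, rlocs, key):
    """ETR side: Map Register carrying authentication data computed under its key."""
    body = _canonical(etr_id, eid_prefixes, rlocs)
    return {"etr_id": etr_id, "eid_prefixes": list(eid_prefixes),
            "rlocs": list(rlocs), "auth": _auth_data(key, body)}

def ms_verify_map_register(msg, config=MS_CONFIG):
    """MS side: recompute the MAC under the configured key (constant-time compare)
    and accept only prefixes this ETR is configured to represent."""
    entry = config.get(msg["etr_id"])
    if entry is None:
        return False
    body = _canonical(msg["etr_id"], msg["eid_prefixes"], msg["rlocs"])
    if not hmac.compare_digest(_auth_data(entry["key"], body), msg["auth"]):
        return False
    return set(msg["eid_prefixes"]) <= entry["prefixes"]
```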