
PROTECTING SEGMENT ROUTING SID DISTRIBUTION WITH LISP CONTROL PLANE

IP.com Disclosure Number: IPCOM000245357D
Publication Date: 2016-Mar-03
Document File: 6 page(s) / 131K

Publishing Venue

The IP.com Prior Art Database

Related People

Fabio Maino: AUTHOR [+4]

Abstract

Locator ID Separation Protocol (LISP)-Security (LISP-SEC), the security protocol of the LISP mapping infrastructure, is extended to protect the distribution of the Binding Segment Identifier (BSID) used by operators to advertise path identifiers (corresponding also to traffic classes, policies, requirements, etc.) without exposing their topology. The BSID is protected against: (1) tampering attacks mounted by attackers on the SID distribution path (control plane) and on the Customer Premises Equipment-Provider Edge (CPE-PE) data path; and (2) impersonation attacks mounted by the CPE itself.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 42% of the total text.

Page 01 of 6

PROTECTING SEGMENT ROUTING SID DISTRIBUTION WITH LISP CONTROL PLANE

AUTHORS:

Fabio Maino, Vina Ermagan, Stefano Previdi, Clarence Filsfils

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

     In certain Segment Routing (SR) deployments, a mapping system is used to dynamically provision CPEs with the appropriate Segment Identifier (SID) that identifies the SR policy that the service provider wants to apply to a particular packet at the ingress of the SP network (PE).

The Segment Routing specific information consists of:
• Binding Segment Identifier (BSID)
• HMAC Key
• HMAC Key Identifier

Copyright 2016 Cisco Systems, Inc.

1



The Binding Segment Identifier (BSID) is a SID representing the path across the SR infrastructure. The BSID is programmed at the ingress of the operator network, and any packet received with that BSID as the active segment will be segment routed across the corresponding pre-computed path. The BSID allows an operator to advertise path identifiers (corresponding also to traffic classes, policies, requirements, etc.) without exposing the topology.

The HMAC Key and HMAC Key ID are used to validate the Segment List (i.e. the BSID) present in the Segment Routing Header (SRH) of the packet once it reaches the ingress of the operator network. See draft-previdi-6man-segment-routing-header for more details on the SRH and the security associated with it.

    As shown in Figure 1 below, the CPE will include the BSID in the data path using SR-IPv6 encapsulations. When the PE receives a data packet, the SR policy corresponding to the carried BSID is applied (e.g. sending the packet over a specific path in the SP network).

The BSID needs to be protected from the following threats:

A. SID tampering, performed by either:
• (T1) an attacker on the SID distribution path (control plane) to the CPE, or
• (T2) an attacker on the CPE-PE data path

B. (T3) SID impersonation (unauthorized SID use), performed by the CPE itself (e.g. the CPE uses a SID other than the one provided by the mapping system in order to get a better path in the SP network)
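The HMAC Key / Key ID validation described above, together with the threat list, can be illustrated with a small PE-side ingress check. The code below is an added example and is not from the disclosure, from Cisco, or from the SRH draft: the fields covered by the HMAC (source address, key ID, segment list), the key table, the per-key authorized-BSID table and all addresses and keys are constructed assumptions for this illustration, not the draft's exact TLV layout. It shows that the HMAC alone catches alteration of the SID on the data path (T2), while catching a SID that the CPE was never provisioned with (T1 substitution on the control plane, or T3 misuse by the CPE) additionally requires the PE to bind the key ID to the BSID the mapping system actually handed out.

```python
import hashlib
import hmac
import ipaddress

# Constructed key table as the PE would hold it after the mapping system
# provisioned each CPE with an (HMAC Key ID, HMAC Key) pair. Keys are made up.
PE_HMAC_KEYS = {
    1: b"constructed-key-for-cpe-1",
    2: b"constructed-key-for-cpe-2",
}

# Constructed policy: the BSID the mapping system provisioned to the CPE that
# owns each key ID. This table is an assumption of the example (used for the
# T1/T3 check below); the SRH draft itself does not define it.
AUTHORIZED_BSID = {
    1: "fc00:db8:b51d::1",
    2: "fc00:db8:b51d::2",
}


def srh_hmac(key, src, key_id, segments):
    """HMAC-SHA256 over the SRH fields that bind the segment list to its sender.
    The covered fields are a simplification of the real SRH HMAC TLV input."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(ipaddress.IPv6Address(src).packed)
    mac.update(key_id.to_bytes(1, "big"))
    for seg in segments:
        mac.update(ipaddress.IPv6Address(seg).packed)
    return mac.digest()


def cpe_build_srh(key, src, key_id, segments):
    """What the CPE does on the data path: put the segment list (BSID first)
    in the SRH and attach the HMAC computed with its provisioned key."""
    return {
        "src": src,
        "key_id": key_id,
        "segments": list(segments),
        "hmac": srh_hmac(key, src, key_id, segments),
    }


def pe_validate_srh(srh):
    """PE ingress check. Returns 'accept' or a 'reject: ...' reason."""
    key = PE_HMAC_KEYS.get(srh["key_id"])
    if key is None:
        return "reject: unknown HMAC key ID"
    expected = srh_hmac(key, srh["src"], srh["key_id"], srh["segments"])
    # Constant-time compare. A mismatch means the SID or HMAC was altered
    # after the CPE built the header, i.e. on the CPE-PE data path (T2).
    if not hmac.compare_digest(expected, srh["hmac"]):
        return "reject: HMAC mismatch (SID tampering on data path)"
    # A valid HMAC only proves this CPE built the list, not that it was
    # entitled to that BSID: a SID substituted on the control plane (T1) or
    # chosen by the CPE itself (T3) is signed with the CPE's real key, so the
    # active segment must also match the BSID provisioned for this key ID.
    if srh["segments"][0] != AUTHORIZED_BSID.get(srh["key_id"]):
        return "reject: BSID not authorized for this key ID (SID misuse)"
    return "accept"


def demo():
    """Run the three cases from the threat list and return the PE's verdicts."""
    key_id, key = 1, PE_HMAC_KEYS[1]
    src = "2001:db8:c9e::1"  # constructed CPE source address
    tail = "2001:db8:1::1"   # constructed segment after the BSID

    legit = cpe_build_srh(key, src, key_id, [AUTHORIZED_BSID[1], tail])
    # T2: the BSID is rewritten in transit; the original HMAC no longer matches.
    tampered = dict(legit, segments=[AUTHORIZED_BSID[2], tail])
    # T3: the CPE signs another customer's BSID with its own valid key.
    impersonating = cpe_build_srh(key, src, key_id, [AUTHORIZED_BSID[2], tail])

    return {
        "legit": pe_validate_srh(legit),
        "tampered": pe_validate_srh(tampered),
        "impersonating": pe_validate_srh(impersonating),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The split between the two checks is the point: an attacker who cannot obtain the HMAC key can only be detected by the HMAC, while a party that legitimately holds a key (the CPE, or whoever fed it a substituted SID) can only be detected by the PE knowing which BSID that key is allowed to carry.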




Figure 1

    These attacks can lead to the violation of the Service Level Agreements (SLAs) in place between the customer and the service provider, and to misuse of resources in the SP network.

The Solution

    When the LISP mapping service is used to distri...