[bess] Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn

Linda Dunbar <linda.dunbar@futurewei.com> Mon, 06 May 2024 19:39 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
Thread-Topic: Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn
Thread-Index: Adqf5r0n8EGG1Zz4QQiJzOIx39malQ==
Date: Mon, 06 May 2024 19:39:46 +0000
Message-ID: <CO1PR13MB4920ED1F49CFE4D3F16A6772851C2@CO1PR13MB4920.namprd13.prod.outlook.com>
CC: "bess@ietf.org" <bess@ietf.org>, "draft-ietf-bess-secure-evpn@ietf.org" <draft-ietf-bess-secure-evpn@ietf.org>
Subject: [bess] Suggested wording to merge the content from draft-wang-bess-secservice to draft-bess-secure-evpn
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/J8ed27Jt1YxIGk6uJ6R3xr49AiM>

Ali,

I am writing to follow up on our discussion during the IETF 119 BESS WG session regarding draft-wang-bess-secservice. As you may recall, you endorsed Option 1 as the preferable approach for using the SECURE-EVPN mechanism to encrypt selective SRv6 flows within the Secure EVPN framework.
Option 1: Merge with Secure EVPN, directly incorporating the section into the main body of the document.
Additionally, consider adding a description of the necessary encapsulation methods in Section 9 and extending the discussion of new tunnel types in Section 10 to accommodate this feature.

Proposed Integration: I suggest adding a new subsection, "Encrypting Selective SRv6 Flows," to Section 3 of the Secure EVPN draft. This addition would detail the use case and requirements for selectively applying IPsec encryption to SRv6 data flows within NSP-managed networks, addressing the need for heightened security measures for sensitive data.

The proposed content for the subsection "Encrypting Selective SRv6 Flows" would include:

Scenario Description: Highlighting environments where SRv6 is deployed and the types of data flows that require enhanced security measures.
Implementation Strategy: Outlining the steps for implementing IPsec encryption, including flow identification, policy configuration, and the encryption mechanism itself.
Security Considerations: Discussing the added complexity and necessary management adjustments to maintain performance and security.
Benefits: Explaining how this approach secures sensitive information and ensures compliance with various regulatory requirements.

Here is the wording proposal. You can modify it to fit the SECURE-EVPN style.

3.6 Encrypting Selective SRv6 Flows
While a Network Service Provider (NSP) managed SRv6 domain is often considered a trusted and secure domain as detailed in RFC 8754, RFC 8402, and RFC 8986, certain scenarios require an enhanced security model. Particularly in cases where data flows carry sensitive or confidential information, there is a compelling need for additional security measures. Encrypting selective SRv6 flows caters to this need by providing robust protection even within a network environment presumed to be secure.

Scenario Description
In environments where SRv6 is deployed, data flows might include transactions requiring confidentiality, integrity, and authenticity assurances that exceed standard network security measures. Examples include financial transactions, personal data transmissions subject to privacy regulations, or corporate communications involving sensitive strategic content. In such cases, selectively encrypting specific SRv6 flows ensures that even if network breaches occur, the encrypted data remains secure.

Implementation Strategy
The implementation of IPsec for encrypting selective SRv6 flows involves the following steps:
1. Flow Identification: Define criteria for selecting which SRv6 flows require encryption. This could be based on the type of data, the source/destination of the flows, or preconfigured security policies.
2. Policy Configuration: Configure security policies that dictate the parameters for encryption, such as the algorithms used, the keys to be employed, and the duration of key validity. These policies are applied specifically to the identified SRv6 flows that require encryption.
3. Encryption Mechanism: Utilize IPsec in transport mode to encrypt the payload of identified SRv6 packets. The SRH (Segment Routing Header) remains unencrypted to allow for the routing of the packet, while the payload is encrypted, ensuring the confidentiality and integrity of the data.

Security Considerations
Encrypting selective SRv6 flows introduces additional complexity into the network management. It requires careful coordination between network security policies and the dynamic requirements of SRv6 routing. Additionally, the overhead introduced by encryption needs to be evaluated to ensure that it does not impact the network performance adversely. Effective monitoring and management are crucial to detect and respond to security incidents in a timely manner.

Benefits
This approach enhances data security by protecting sensitive information from potential eavesdropping and tampering. It also provides compliance with various regulatory requirements for data protection, offering an added layer of security without encrypting all network traffic, which can be resource intensive.
________________________________
This addition will fit seamlessly into your existing document structure under Section 3, providing a detailed examination of how IPsec can be used to enhance the security of selective SRv6 flows in a network environment managed by NSPs.
I look forward to your feedback on this proposal and am eager to assist in any drafting or revisions needed to facilitate this integration. Once we align on the approach, I will provide detailed text for adding a subsection in section 9 to describe encapsulation and adding extension of new tunnel type in section 10.

Thank you for considering this enhancement. I believe it will make a substantial contribution to the deployment and effectiveness of SECURE-EVPN by addressing critical security needs in SRv6 networks.

Linda
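Added example, not part of Linda's message and not code from draft-wang-bess-secservice or draft-ietf-bess-secure-evpn: a self-contained Python model of the three steps in the proposed section 3.6 (flow identification against a policy table, per-policy SPI selection, and ESP in transport mode inserted after the SRH so the SRH stays readable). The packet layouts follow RFC 8754 (SRH) and RFC 4303 (ESP header, trailer, ICV scope). Everything else is an assumption made for the demo: the policy table, the addresses, the pre-shared keys (key establishment is out of scope here), and the cipher, which is an HMAC-SHA256 keystream plus a truncated HMAC ICV standing in for a real ESP transform such as AES-GCM.

```python
"""Selective ESP-in-transport-mode protection of SRv6 flows (constructed demo)."""
import hashlib, hmac, ipaddress, os, struct
from dataclasses import dataclass
from typing import Optional

NH_ROUTING, NH_ESP, NH_UDP, NH_TCP = 43, 50, 17, 6

# --- SRv6 packet plumbing (RFC 8754 layout, no TLVs, UDP checksum left zero) --
def build_ipv6(src, dst, next_header, payload):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def build_srh(segments, segments_left, next_header):
    # Segment List[0] is the FINAL segment; the active one is Segment List[Segments Left].
    segs = b"".join(ipaddress.IPv6Address(s).packed for s in segments)
    return struct.pack("!BBBBBBH", next_header, len(segs) // 8, 4,
                       segments_left, len(segments) - 1, 0, 0) + segs

def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def parse(pkt):
    """Split IPv6 header + SRH; everything after the SRH is returned untouched."""
    if pkt[6] != NH_ROUTING or pkt[42] != 4:
        raise ValueError("not an SRv6 packet")
    srh_nh, hel, _rt, seg_left, last, _fl, _tag = struct.unpack("!BBBBBBH", pkt[40:48])
    segs = [str(ipaddress.IPv6Address(pkt[48 + 16 * i:64 + 16 * i])) for i in range(last + 1)]
    end = 48 + hel * 8
    return {"src": str(ipaddress.IPv6Address(pkt[8:24])), "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "final_dst": segs[0], "segments": segs, "segments_left": seg_left,
            "srh_nh": srh_nh, "srh_end": end, "after_srh": pkt[end:]}

def forward_one_hop(pkt):
    """What a segment endpoint does: Segments Left -= 1, new active segment into the DA."""
    p, out = parse(pkt), bytearray(pkt)
    sl = p["segments_left"] - 1
    out[43] = sl
    out[24:40] = ipaddress.IPv6Address(p["segments"][sl]).packed
    return bytes(out)

# --- Step 1/2: flow identification and policy (a tiny SPD, first match wins) --
@dataclass(frozen=True)
class Policy:
    src: str                 # IPv6 prefix matched against the packet source
    dst: str                 # IPv6 prefix matched against the FINAL segment, not the current DA
    proto: Optional[int]     # transport protocol after the SRH, None = any
    dport: Optional[int]     # destination port, None = any
    action: str              # "PROTECT" or "BYPASS"
    spi: int = 0             # SA selected for this flow (assumed pre-established)

SPD = [Policy("2001:db8:1::/48", "2001:db8:2::/48", NH_UDP, 4433, "PROTECT", spi=0x1001),
       Policy("::/0", "::/0", None, None, "BYPASS")]
K_ENC = hashlib.sha256(b"demo-enc-key").digest()    # constructed demo keys only
K_AUTH = hashlib.sha256(b"demo-auth-key").digest()

def lookup(spd, pkt):
    p = parse(pkt)
    proto = p["srh_nh"]
    dport = struct.unpack("!H", p["after_srh"][2:4])[0] if proto in (NH_UDP, NH_TCP) else None
    for pol in spd:
        if (ipaddress.IPv6Address(p["src"]) in ipaddress.IPv6Network(pol.src)
                and ipaddress.IPv6Address(p["final_dst"]) in ipaddress.IPv6Network(pol.dst)
                and pol.proto in (None, proto) and pol.dport in (None, dport)):
            return pol
    return Policy("::/0", "::/0", None, None, "BYPASS")

# --- Step 3: ESP transport mode placed AFTER the SRH ---------------------------
def _keystream(key, iv, n):  # stand-in for the ESP cipher, NOT an IPsec transform
    out = b""
    for ctr in range(0, (n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]

def esp_protect(pkt, spi, seq, k_enc, k_auth):
    p = parse(pkt)
    plain = p["after_srh"]
    pad_len = (-(len(plain) + 2)) % 4                    # RFC 4303 4-octet alignment
    body = plain + bytes(range(1, pad_len + 1)) + bytes([pad_len, p["srh_nh"]])
    iv = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(k_enc, iv, len(body))))
    esp = struct.pack("!II", spi, seq) + iv + ct
    esp += hmac.new(k_auth, esp, hashlib.sha256).digest()[:16]   # ICV: SPI..trailer only
    head = bytearray(pkt[:p["srh_end"]])
    head[40] = NH_ESP                                    # SRH Next Header now says ESP
    struct.pack_into("!H", head, 4, len(head) - 40 + len(esp))
    return bytes(head) + esp

def esp_unprotect(pkt, k_enc, k_auth):
    p = parse(pkt)
    if p["srh_nh"] != NH_ESP:
        raise ValueError("no ESP after SRH")
    body, icv = p["after_srh"][:-16], p["after_srh"][-16:]
    if not hmac.compare_digest(hmac.new(k_auth, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pt = bytes(a ^ b for a, b in zip(body[16:], _keystream(k_enc, body[8:16], len(body) - 16)))
    pad_len, nh = pt[-2], pt[-1]
    plain = pt[:-(2 + pad_len)]
    head = bytearray(pkt[:p["srh_end"]])
    head[40] = nh
    struct.pack_into("!H", head, 4, len(head) - 40 + len(plain))
    return bytes(head) + plain, spi, seq

if __name__ == "__main__":
    segs = ["2001:db8:2::1", "2001:db8:ff::2"]           # final segment first
    pkt = build_ipv6("2001:db8:1::10", segs[1], NH_ROUTING,
                     build_srh(segs, 1, NH_UDP) + build_udp(40000, 4433, b"card=4111"))
    pol = lookup(SPD, pkt)
    print(pol.action, hex(pol.spi), esp_protect(pkt, pol.spi, 1, K_ENC, K_AUTH).hex())
```

Two things the model makes visible. First, because ESP sits after the SRH, a transit segment endpoint can still decrement Segments Left and rewrite the DA, and the ESP ICV is unaffected since it covers only the ESP header and what follows; the flip side is that the SRH itself is neither encrypted nor integrity-protected by ESP, so it must be trusted on the same basis as the rest of the NSP domain. Second, the policy matches the final segment rather than the current DA, since the ingress node is the only point where the flow's real endpoints are both known and the transport header is still in the clear.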