[Coin] A few comments on draft-kunze-coin-industrial-use-cases-00.txt
"David R. Oran" <daveoran@orandom.net> Thu, 18 July 2019 18:00 UTC
Return-Path: <daveoran@orandom.net>
X-Original-To: coin@ietfa.amsl.com
Delivered-To: coin@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29B8B120B80 for <coin@ietfa.amsl.com>; Thu, 18 Jul 2019 11:00:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UR5EuFjqVGRl for <coin@ietfa.amsl.com>; Thu, 18 Jul 2019 11:00:49 -0700 (PDT)
Received: from spark.crystalorb.net (spark.crystalorb.net [IPv6:2607:fca8:1530::c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A9D3120B72 for <coin@irtf.org>; Thu, 18 Jul 2019 11:00:49 -0700 (PDT)
Received: from [192.168.171.1] (50-193-44-142-static.hfc.comcastbusiness.net [50.193.44.142]) (authenticated bits=0) by spark.crystalorb.net (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id x6II0iC5009203 (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=NO) for <coin@irtf.org>; Thu, 18 Jul 2019 11:00:46 -0700
From: "David R. Oran" <daveoran@orandom.net>
To: coin@irtf.org
Date: Thu, 18 Jul 2019 11:00:43 -0700
X-Mailer: MailMate (1.12.5r5643)
Message-ID: <F2B01856-B3CF-406C-9A35-A75D1F95441A@orandom.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_8B7BE2D4-F83D-45BF-9B7D-447033BB2117_="
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/coin/CT-ojmNNpOqY1bpY-efI-o5hbKU>
Subject: [Coin] A few comments on draft-kunze-coin-industrial-use-cases-00.txt
X-BeenThere: coin@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "COIN: Computing in the Network" <coin.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/coin>, <mailto:coin-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/coin/>
List-Post: <mailto:coin@irtf.org>
List-Help: <mailto:coin-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/coin>, <mailto:coin-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2019 18:00:54 -0000
This is a useful first start at documenting an important use case, so thanks for taking the time to write and submit the draft. I think it would be a good document to adopt once the RG is fully formed and operational. I have a few comments: 1. On security, you say: “ Another aspect is that business data leaving the premise and control of the company further comes with security concerns, as sensitive information or valuable business secrets might be contained in it. Typical security measures such as encrypting the data makes in- network computing techniques hardly applicable as they typically work on unencrypted data. Adding security to in-network computing approaches, either by adding functionality for handling encrypted data or devising general security measures, is thus a very promising field for research.” While it is true that data flowing over external links and ISPs represents a security hazard, the converse implication that data staying in the enterprise, or even confined to the factory floor is safe from confidentiality or modification threats and hence needs less protection is not. One would hope that by adopting in-network computing as a paradigm, this would be seen as an opportunity to actually *upgrade* the security of industrial automation by dealing with the multi-party nature of the communication paradigms and in fact allowing data to be: - encrypted over all links - authenticated by any element possessing the keys to read it - provenance tracked through any device that has the necessary keys and permissions to modify it Therefore, from a security standpoint, treating a network element like a switch or router that either observes of modifies data differently from a computational host that does so would be a mistake in my view. 2. On the need for sensor traffic filters, a bit more detail on the question of “how to design” would be helpful, since different design requirements lead to quite different capability requirements on the elements doing it. A few initial thoughts: - fuzzing thresholds with some soft state on values can suppress readings that haven’t changed enough to matter - If there are redundant sensors giving similar readings such that you’d like to suppress the redundancy, you need to either send some periodic suppression stats computed by the filter, or annotate the non-suppressed sensor data with either some count of the samples suppressed, or some error bars computed from the set of received values. - we learned quit painfully for event logs (which are similar time-series data to sensor data) that you need to periodically send something so an upstream computation element can tell the difference among potential data loss, the lack of new readings, or a broken data source. 3. The point about safety is well taken. I’m not sure it’s necessary to say much more about this, however from personal experience I’d like to emphasize that you can’t achieve the requisite level of safety only by measures “inside” the system; especially not by relying on the computational elements alone. For example in the case of industrial robots, the environment needs human-visible safety boundaries that are not computed from the operation of the robot, but in fact mark the absolute physical extent of the robot’s reach. These are either painted on the floor, by placing the robot inside a physical bounding box that cannot be opened by the software, or some other outside-the-system mechanism. It may be that in-network computing doesn’t affect this at all, but it’s worth a conversation to see if there are new hazards introduced. Therefore when you ask “How can the software give guaranteed safety over best-effort networks?” the answer for me is clearly “no” and in fact is “no” for **any** kind of network. 4. I might split up the security discussion into two pieces, or more it to the “security Considerations” section rather than leaving it “N/A”, which is a red flag for much of the community. Thanks, DaveO
- [Coin] A few comments on draft-kunze-coin-industr… David R. Oran
- Re: [Coin] A few comments on draft-kunze-coin-ind… Ike Kunze