Re: [Coin] A few comments on draft-kunze-coin-industrial-use-cases-00.txt

Ike Kunze <Ike.Kunze@comsys.rwth-aachen.de> Fri, 19 July 2019 14:19 UTC

Return-Path: <Ike.Kunze@comsys.rwth-aachen.de>
X-Original-To: coin@ietfa.amsl.com
Delivered-To: coin@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C14112029E for <coin@ietfa.amsl.com>; Fri, 19 Jul 2019 07:19:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhvEtEpcE9dU for <coin@ietfa.amsl.com>; Fri, 19 Jul 2019 07:18:58 -0700 (PDT)
Received: from mail-out-4.itc.rwth-aachen.de (mail-out-4.itc.rwth-aachen.de [134.130.5.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FE2B12027F for <coin@irtf.org>; Fri, 19 Jul 2019 07:18:57 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2C9GgDzzzFd/xUN4ollHQIfBQeBUYEuA?= =?us-ascii?q?gERJAUqWRRVLyqEHZN8JX6YFIFnCQEBAQEBAQEBAQgYAQoKAgEBgUuCdQIXgjs?= =?us-ascii?q?jOBMBAwEBBQEBAQEGbYUeDIVLAgEDAQEhMBsLEAIBBgItEgMCAgIlCxQRAgQOB?= =?us-ascii?q?RQHgjxLAYEdbQEOjzeba4EyhUeDJ4FIgTICAQEBiiiBFx2BVz+BEScME4IXNT6?= =?us-ascii?q?CYQGBHQlTJwGCTDKCJgSMBUUFA4IihH6Ia40ZbQcCgTliYZB4gjMbgi2HJYNgL?= =?us-ascii?q?IVxhDuOZpJjg2SBMDchgVhNJE8qAYJBCYZdhGGBH4QgcgGBKI5FAQE?=
X-IPAS-Result: =?us-ascii?q?A2C9GgDzzzFd/xUN4ollHQIfBQeBUYEuAgERJAUqWRRVLyq?= =?us-ascii?q?EHZN8JX6YFIFnCQEBAQEBAQEBAQgYAQoKAgEBgUuCdQIXgjsjOBMBAwEBBQEBA?= =?us-ascii?q?QEGbYUeDIVLAgEDAQEhMBsLEAIBBgItEgMCAgIlCxQRAgQOBRQHgjxLAYEdbQE?= =?us-ascii?q?Ojzeba4EyhUeDJ4FIgTICAQEBiiiBFx2BVz+BEScME4IXNT6CYQGBHQlTJwGCT?= =?us-ascii?q?DKCJgSMBUUFA4IihH6Ia40ZbQcCgTliYZB4gjMbgi2HJYNgLIVxhDuOZpJjg2S?= =?us-ascii?q?BMDchgVhNJE8qAYJBCYZdhGGBH4QgcgGBKI5FAQE?=
Received: from lists.comsys.rwth-aachen.de ([137.226.13.21]) by mail-in-4.itc.rwth-aachen.de with ESMTP; 19 Jul 2019 16:18:53 +0200
Received: from messenger-mbx.win.comsys.rwth-aachen.de (messenger-mbx.win.comsys.rwth-aachen.de [137.226.13.43]) by lists.comsys.rwth-aachen.de (Postfix) with ESMTPS id 7DA6541B83; Fri, 19 Jul 2019 16:18:52 +0200 (CEST)
Received: from MESSENGER-MBX.win.comsys.rwth-aachen.de (2a00:8a60:1014::43) by messenger-mbx.win.comsys.rwth-aachen.de (2a00:8a60:1014::43) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Fri, 19 Jul 2019 16:18:52 +0200
Received: from MESSENGER-MBX.win.comsys.rwth-aachen.de ([fe80::c109:b55e:3715:5c2c]) by messenger-mbx.win.comsys.rwth-aachen.de ([fe80::c109:b55e:3715:5c2c%12]) with mapi id 15.00.1076.000; Fri, 19 Jul 2019 16:18:52 +0200
From: Ike Kunze <Ike.Kunze@comsys.rwth-aachen.de>
To: "David R. Oran" <daveoran@orandom.net>
CC: "coin@irtf.org" <coin@irtf.org>
Thread-Topic: [Coin] A few comments on draft-kunze-coin-industrial-use-cases-00.txt
Thread-Index: AQHVPZLClCUeV958hkC+JmkxM3MZYKbR3RqA
Date: Fri, 19 Jul 2019 14:18:51 +0000
Message-ID: <DEF5685A-8648-4E47-9C2D-BA26D2F53E66@comsys.rwth-aachen.de>
References: <F2B01856-B3CF-406C-9A35-A75D1F95441A@orandom.net>
In-Reply-To: <F2B01856-B3CF-406C-9A35-A75D1F95441A@orandom.net>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [2a00:8a60:1014:10:a466:97be:4564:22e9]
Content-Type: multipart/alternative; boundary="_000_DEF5685A86484E479C2DBA26D2F53E66comsysrwthaachende_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/coin/tQdJmr3Q-4a4nX3XdMlc1T7AFa4>
Subject: Re: [Coin] A few comments on draft-kunze-coin-industrial-use-cases-00.txt
X-BeenThere: coin@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "COIN: Computing in the Network" <coin.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/coin>, <mailto:coin-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/coin/>
List-Post: <mailto:coin@irtf.org>
List-Help: <mailto:coin-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/coin>, <mailto:coin-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jul 2019 14:19:02 -0000

Hi David,

thank you for your very helpful comments.
Please find my thoughts inline.


Am 18.07.2019 um 20:00 schrieb David R. Oran <daveoran@orandom.net<mailto:daveoran@orandom.net>>:


This is a useful first start at documenting an important use case, so thanks for taking the time to write and submit the draft. I think it would be a good document to adopt once the RG is fully formed and operational.

I have a few comments:

  1.  On security, you say:
“ Another aspect is that business data leaving the premise and control
of the company further comes with security concerns, as sensitive
information or valuable business secrets might be contained in it.
Typical security measures such as encrypting the data makes in-
network computing techniques hardly applicable as they typically work
on unencrypted data. Adding security to in-network computing
approaches, either by adding functionality for handling encrypted
data or devising general security measures, is thus a very promising
field for research.”

While it is true that data flowing over external links and ISPs represents a security hazard, the converse implication that data staying in the enterprise, or even confined to the factory floor is safe from confidentiality or modification threats and hence needs less protection is not. One would hope that by adopting in-network computing as a paradigm, this would be seen as an opportunity to actually upgrade the security of industrial automation by dealing with the multi-party nature of the communication paradigms and in fact allowing data to be:
- encrypted over all links
- authenticated by any element possessing the keys to read it
- provenance tracked through any device that has the necessary keys and permissions to modify it

Therefore, from a security standpoint, treating a network element like a switch or router that either observes of modifies data differently from a computational host that does so would be a mistake in my view.

[Ike] I agree with you in that the adoption of in-network computing can also be an incentive to reconsider the current practices within enterprise networks.
In fact, I think that authenticating network elements that access or process the data packets, as well as informing the end-hosts about the fact that the packets
are modified is very important, especially since in-network computing interferes with the traditional end-to-end principle.
These are aspects that COIN certainly has to deal with at some point and we are very interested in examining these issues in more detail.

Regarding the applicability of in-network computing on encrypted traffic: I think that this is a major hurdle in the process of establishing acceptance for COIN in general and has implications on far more application areas than just the industrial domain. This is why I think that it should be discussed in greater detail in a separate draft.


  1.  On the need for sensor traffic filters, a bit more detail on the question of “how to design” would be helpful, since different design requirements lead to quite different capability requirements on the elements doing it. A few initial thoughts:

     *   fuzzing thresholds with some soft state on values can suppress readings that haven’t changed enough to matter
     *   If there are redundant sensors giving similar readings such that you’d like to suppress the redundancy, you need to either send some periodic suppression stats computed by the filter, or annotate the non-suppressed sensor data with either some count of the samples suppressed, or some error bars computed from the set of received values.
     *   we learned quit painfully for event logs (which are similar time-series data to sensor data) that you need to periodically send something so an upstream computation element can tell the difference among potential data loss, the lack of new readings, or a broken data source.

[Ike] Yes, the concrete design/implementation of the filters has a direct impact on the requirements of elements on which these filters are deployed.
The same is true for the different (pre-)processing methods as well as the different control algorithms.
Dealing with and accounting for the different capability requirements of elements is hence essential and has to be considered by COIN going forward.
An in-network computing framework should surely take the different capabilities into account when distributing tasks across the network.

The other critical aspect you mention, e.g. when saying "so an upstream computation element can tell the difference among …“, from my perspective boils down to the question of how in-network computing mechanisms of any sort can be integrated into ’traditional’ communication schemes.
This once again relates to the issue with the end-to-end principle mentioned above.

  1.  The point about safety is well taken. I’m not sure it’s necessary to say much more about this, however from personal experience I’d like to emphasize that you can’t achieve the requisite level of safety only by measures “inside” the system; especially not by relying on the computational elements alone. For example in the case of industrial robots, the environment needs human-visible safety boundaries that are not computed from the operation of the robot, but in fact mark the absolute physical extent of the robot’s reach. These are either painted on the floor, by placing the robot inside a physical bounding box that cannot be opened by the software, or some other outside-the-system mechanism. It may be that in-network computing doesn’t affect this at all, but it’s worth a conversation to see if there are new hazards introduced. Therefore when you ask “How can the software give guaranteed safety over best-effort networks?” the answer for me is clearly “no” and in fact is “no” for any kind of network.

[Ike] I am not sure either if the question will ever be answered with „yes“. However, I think that the increasing dynamics in the production domain in general and, especially, in the interaction between robots & humans make it increasingly difficult to realize these human-visible safety boundaries, although I agree that they would perhaps be the best solutions so that workers could easy perceive the dangerous regions.
Thus, it should be worth it to investigate whether in-network computing can at least complement current safety measures and perhaps even improve them.
Maybe we should rephrase our question, e.g., to "To what extent can the software….?“.
Turning this the other way around, i.e., investigating the impact of in-network computing on already existing safety measures is something that I personally have not thought about before, but I agree that it is certainly worth a conversation.

  1.  I might split up the security discussion into two pieces, or more it to the “security Considerations” section rather than leaving it “N/A”, which is a red flag for much of the community.

[Ike] Thank you for the hint. We will consider that for a possible update of the draft.


Thanks,
DaveO

--
Coin mailing list
Coin@irtf.org<mailto:Coin@irtf.org>
https://www.irtf.org/mailman/listinfo/coin


Best
Ike
--
Ike Kunze, M.Sc.
Researcher

COMSYS - Communication and Distributed Systems
RWTH Aachen University
Ahornstr. 55
52074 Aachen, Germany
Tel: +49 241 80-21422
ike.kunze@comsys.rwth-aachen.de<mailto:ike.kunze@comsys.rwth-aachen.de>
http://www.comsys.rwth-aachen.de/team/ike-kunze/