Re: [conex] Kathleen Moriarty's Discuss on draft-ietf-conex-destopt-09: (with DISCUSS and COMMENT)

Suresh Krishnan <suresh.krishnan@ericsson.com> Tue, 15 December 2015 04:27 UTC

Return-Path: <suresh.krishnan@ericsson.com>
X-Original-To: conex@ietfa.amsl.com
Delivered-To: conex@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2615D1B2AA2; Mon, 14 Dec 2015 20:27:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HhvgnRm0O0Rs; Mon, 14 Dec 2015 20:27:34 -0800 (PST)
Received: from usplmg20.ericsson.net (usplmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 621811B2A9E; Mon, 14 Dec 2015 20:27:34 -0800 (PST)
X-AuditID: c618062d-f79d16d000001b1c-25-566f95fd05a6
Received: from EUSAAHC006.ericsson.se (Unknown_Domain [147.117.188.90]) by usplmg20.ericsson.net (Symantec Mail Security) with SMTP id 7B.C5.06940.DF59F665; Tue, 15 Dec 2015 05:24:30 +0100 (CET)
Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC006.ericsson.se ([147.117.188.90]) with mapi id 14.03.0248.002; Mon, 14 Dec 2015 23:27:33 -0500
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Bob Briscoe <research@bobbriscoe.net>
Thread-Topic: [conex] Kathleen Moriarty's Discuss on draft-ietf-conex-destopt-09: (with DISCUSS and COMMENT)
Thread-Index: AQHQ+7Vq9thQLxuvy0KgOa4wEJ46Lg==
Date: Tue, 15 Dec 2015 04:27:32 +0000
Message-ID: <E87B771635882B4BA20096B589152EF63AAAF796@eusaamb107.ericsson.se>
References: <20150930192253.28856.7833.idtracker@ietfa.amsl.com> <E87B771635882B4BA20096B589152EF63A976DE1@eusaamb107.ericsson.se> <560D469F.4050902@bobbriscoe.net> <CAHbuEH6bMjGQFy+qmwP5mtk6OomG10Q9Enqj_MUToYmOfY0xuA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.11]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuplkeLIzCtJLcpLzFFi42KZXLonSvff1PwwgzdfuC3OPbzMZHHo2k9G i/envrBbdK/+xW4x489EZouGnfkWD6c1MTqwe7y6f4HVY+esu+weS5b8ZApgjuKySUnNySxL LdK3S+DKOPvNsuCAXcWiveeZGhi3GXcxcnJICJhIPJ68mAXCFpO4cG89WxcjF4eQwBFGiY4X jxkhnOWMEod3rGcCqWID6tiw8zOYLSKQKDFpQjczSBGzQB+TxK9L75hBEsICuRI3Tx1i72Lk ACrKk5h91R6iXk9ieecxNhCbRUBV4uyP/ewgNq+Ar8S/xS+YIZa9Z5SY8P022EmMQCd9P7UG bBmzgLjErSfzmSBOFZBYsuc8M4QtKvHy8T9WCFtJ4uPv+ewQ9ToSC3Z/YoOwtSWWLXzNDLFM UOLkzCcsExhFZyEZOwtJyywkLbOQtCxgZFnFyFFaXJCTm25ksIkRGEnHJNh0dzDen+55iFGA g1GJh3eDYH6YEGtiWXFl7iFGCQ5mJRHeBb1AId6UxMqq1KL8+KLSnNTiQ4zSHCxK4ryMDAwM QgLpiSWp2ampBalFMFkmDk6pBkaDtN1cn+Iy54g/e6428aTOU+XOACnZ1MMeP1ieHlgowLI/ bGFa8+Ev/zfH75/D4rbszYzs5x2/XBdJSB1fYRQasSn466Xjfi/UMiZvKraee+2OhvY8YxbH GzeOTBJSX/q478OUfp6o26tvfHnjdPDQG/udBdXGASru8/i6//E7qPga3VDPOpOixFKckWio xVxUnAgA99A6GKACAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/conex/yj0s36peUnilUiNPElDov3uEGnI>
Cc: "draft-ietf-conex-destopt@ietf.org" <draft-ietf-conex-destopt@ietf.org>, "draft-ietf-conex-destopt.ad@ietf.org" <draft-ietf-conex-destopt.ad@ietf.org>, "conex-chairs@ietf.org" <conex-chairs@ietf.org>, The IESG <iesg@ietf.org>, "conex@ietf.org" <conex@ietf.org>
Subject: Re: [conex] Kathleen Moriarty's Discuss on draft-ietf-conex-destopt-09: (with DISCUSS and COMMENT)
X-BeenThere: conex@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Congestion Exposure working group discussion list <conex.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/conex>, <mailto:conex-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/conex/>
List-Post: <mailto:conex@ietf.org>
List-Help: <mailto:conex-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/conex>, <mailto:conex-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 04:27:37 -0000

Hi Kathleen,
   I added the text to address the DISCUSSes from you and Stephen. But Mirja 
and Bob were in the process of reworking text concerning audit and that might 
lead to some changes to this text. That is why the text has been removed. I 
am waiting for the new text from Bob/Mirja to send the draft further.

Thanks
Suresh

On 12/14/2015 09:56 PM, Kathleen Moriarty wrote:
> I see the diff has the text added then removed on confidentiality, but
> don't see why it was removed.  I'd like to see if we can wrap this up,
>   Can you explain why the change that was requested was removed?
>
> Thanks,
> Kathleen
>
> On Thu, Oct 1, 2015 at 10:43 AM, Bob Briscoe <research@bobbriscoe.net>; wrote:
>> Suresh, Kathleen,
>>
>> (I'm jumping in because I contributed this IPsec section originally)
>>
>> I think the new sentence about encryption is confusing. It talks about
>> authentication of ConEx information, then it says "similarly confidentiality
>> of transmitted information might be desired". It needs to be clearer that
>> "transmitted information" means the rest of the packet, not the ConEx
>> information. Suggested improvements inline...
>>
>>
>> On 01/10/15 02:41, Suresh Krishnan wrote:
>>>
>>> Hi Kathleen,
>>>      Thanks a lot for your comments. Please find responses inline.
>>>
>>>
>>> On 09/30/2015 03:22 PM, Kathleen Moriarty wrote:
>>>>
>>>> Kathleen Moriarty has entered the following ballot position for
>>>> draft-ietf-conex-destopt-09: Discuss
>>>>
>>>> When responding, please keep the subject line intact and reply to all
>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>> introductory paragraph, however.)
>>>>
>>>>
>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>
>>>>
>>>> The document, along with other ballot positions, can be found here:
>>>> https://datatracker.ietf.org/doc/draft-ietf-conex-destopt/
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>>
>>>> I think this should be easy to address, but wanted to discuss options for
>>>> the text in section 7.  Since there is text that says IPsec
>>>> Authentication should be used when integrity protection and the section
>>>> goes on to also discuss encryption, shouldn't there be a similar
>>>> statement that says IPsec encryption should be used when there is a need
>>>> to protect confidentiality?
>>>
>>> Yes. We were worried more about the authentication because tampering of
>>> the packet to scrub the markings would cause audit devices to penalize
>>> the connection. Encryption on the other hand would be counterproductive
>>> as the intermediate nodes would be unable to observe the markings.
>>>
>>>> Also, in reading this, I think because of the selected wording, I was
>>>> thinking that it wasn't clear enough on the need/recommendation for
>>>> authentication or encryption with IPsec since there are options for both
>>>> to be set to NULL/none.  You can have a NULL cipher-suite and you can
>>>> also have authentication set to none to allow for opportunistic security
>>>> negotiations (fairly new RFC for the latter).  There's no need to mention
>>>> these options explicitly, but rather to make it clear that IPsec can be
>>>> used to provide authentication and encryption.  So I think one additional
>>>> sentence and some possible rewording in this section would be helpful.
>>>
>>> I have added a new sentence about encryption and reworded some of the
>>> text to clarify. Does this text change work for you?
>>>
>>> OLD:
>>>
>>> If the transport network cannot be trusted, IPsec Authentication
>>> should be used to ensure integrity of the ConEx information.  If an
>>> attacker would be able to remove the ConEx marks, this could cause an
>>> audit device to penalize the respective connection, while the sender
>>> cannot easily detect that ConEx information is missing.
>>>
>>> In IPv6 a Destination Option header can be placed in two possible
>>> position in the order of possible headers, either before the Routing
>>> header or after the Encapsulating Security Payload (ESP) header
>>> [RFC2460].  As the CDO is placed in the destination option header
>>> before the AH and/or ESP, it is not encrypted in transport mode
>>> [RFC4301].  Otherwise, if the CDO were placed in the latter position
>>> and an ESP header were used, the CDO would also be encrypted and
>>> could not be interpreted by ConEx-aware devices.
>>>
>>> NEW:
>>>
>>> If the transport network cannot be trusted, the IPsec Authentication
>>> Header (AH) [RFC4302] should be used to ensure integrity of the ConEx
>>> information.
>>
>> I suggest this is stated the other way round:
>>
>> If the transport network cannot be trusted, to ensure integrity of the ConEx
>> information the IPsec Authentication Header (AH) [RFC4302] should be used.
>>
>>
>>> If an attacker would be able to remove the ConEx marks,
>>> this could cause an audit device to penalize the respective connection,
>>> while the sender cannot easily detect that ConEx information is missing.
>>
>>
>>> Similarly, if confidentiality of the transmitted information is desired,
>>> the IPsec Encapsulating Security Payload (ESP) [RFC4303] should be used.
>>
>> Suggest replace above sentence with:
>>
>> If confidentiality of the transmitted packet is desired,
>> the IPsec Encapsulating Security Payload (ESP) [RFC4303] can be used,
>> However, the CDO header is intended to be visible to
>> devices along the path, therefore it will need to be located so that it is
>> not
>> encrypted as well.
>>
>>
>>
>>>
>>> Inside an IPv6 packet, a Destination Option header can be placed in two
>>> possible positions, either before the Routing header or after the ESP/AH
>>> headers as described in Section 4.1 of [RFC2460].  When the CDO is
>>> placed in the destination option header before the AH and/or ESP, it is
>>> not encrypted in transport mode [RFC4301].  Otherwise, if the CDO were
>>> placed in the latter position and an ESP header was used with
>>> encryption, the CDO cannot be viewed and interpreted by ConEx-aware
>>> intermediate nodes effectively rendering it useless.
>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>> COMMENT:
>>>> ----------------------------------------------------------------------
>>>>
>>>> For the Security Considerations section, I'd just ask that you add in
>>>> "IPsec" when AH and ESP are first mentioned so this is clear.
>>>
>>> Does the above wording change work to resolve this as well?
>>>
>>> Cheers
>>> Suresh
>>>
>>>
>>> _______________________________________________
>>> conex mailing list
>>> conex@ietf.org
>>> https://www.ietf.org/mailman/listinfo/conex
>>
>>
>> --
>> ________________________________________________________________
>> Bob Briscoe                               http://bobbriscoe.net/
>>
>
>
>