[Detnet] New DetNet Security Draft Text 23May20
"Grossman, Ethan A." <eagros@dolby.com> Sun, 24 May 2020 01:18 UTC
Return-Path: <eagros@dolby.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A664A3A0FE3 for <detnet@ietfa.amsl.com>; Sat, 23 May 2020 18:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dolby.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6msmUoZ8DsR9 for <detnet@ietfa.amsl.com>; Sat, 23 May 2020 18:18:53 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2103.outbound.protection.outlook.com [40.107.94.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 479373A0FD0 for <detnet@ietf.org>; Sat, 23 May 2020 18:18:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VFCaB89yDkdraJ9EriNUlO4PHWvbGK1WeY4Ld3lx6fSy7bKndnYT6xw3hk5v3L7v5Spl/XEP+hA5pwv4zdL5HweASrg88UqzZ7XpLbxiDmwDD+565S4Mf9UX78cYHvLTgl5lWl7Rq9Bf0/5ldmXhyWabpEP7ET4gkKGC+w4arnNhW8RRXi24gzDy0yEAsaNFjq9bcJcqp0gcCHn5n96KZdo3mTuv0WlEDhW/YV0ACh5nIJKLu2ddpK/DoWqwOxdfBsEWrfoXuvZmbARbyUxOC+ky87frt1ACcgxP351GSnm23wXfyJHOadxpNb9I9Bb49UUl7UEFq3RE+fHQJHAZ6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=S1TCPqheQ08oi0lodYABaYFFypWJzfKUvL3czNqcCbY=; b=aAGy1i8uHNDlg016g+yr8XlDOHwP/AJvlNqN8/R7wT+B2HFCg8g/zYcmHzhtLB1twVqVtwDd5s6Xi4kMu19eExjWbAaYg45Zkhti+K/yy4CemgopyVKAaWRujHa87kePcWAxUHYpal0iyDtOCxi3BhkNzDFBDz+q5gPVOlEfwaTDrhKwWUerOgkG0MUMbuHN+utdqqybW3N4bI/UBc98qEDjhVHWoJRt7UWOk4v8ah3Ac3HCjkPBfPsfmuFHwNZFirwolkldK29lKAL1Y69rkjjgcJUX5QI9D9F4aiAl2n8QHhoS10DLlPm3Jl0PRiDGLDDDNmdIeIsbLSPKR4ahOw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dolby.com; dmarc=pass action=none header.from=dolby.com; dkim=pass header.d=dolby.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolby.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=S1TCPqheQ08oi0lodYABaYFFypWJzfKUvL3czNqcCbY=; b=b3XMhsjXUQyyAVG8LCMM5AK6akHGv0JjMGtg63jXjSrh8yPMQ0eKDQ31ueDSdvAsc8uOwv5fkJyBggCXr0sHvrSZLrSMDF2oMhdbh0qHTwX8Tc8xpkYehiZBmENd1aixAjAGrw8emushfaQu/pS6uiQ+aaMWLVcOrlYEaTHCJrw=
Received: from BY5PR06MB6611.namprd06.prod.outlook.com (2603:10b6:a03:23d::20) by BY5PR06MB6497.namprd06.prod.outlook.com (2603:10b6:a03:21f::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.24; Sun, 24 May 2020 01:18:51 +0000
Received: from BY5PR06MB6611.namprd06.prod.outlook.com ([fe80::29b9:ed8f:43ff:5552]) by BY5PR06MB6611.namprd06.prod.outlook.com ([fe80::29b9:ed8f:43ff:5552%3]) with mapi id 15.20.3021.027; Sun, 24 May 2020 01:18:51 +0000
From: "Grossman, Ethan A." <eagros@dolby.com>
To: Lou Berger <lberger@labn.net>, "Black, David" <David.Black@dell.com>, DetNet WG <detnet@ietf.org>
Thread-Topic: New DetNet Security Draft Text 23May20
Thread-Index: AdYxaA0oZXMTKD2CSE+aJeVdQ7ZVUQ==
Date: Sun, 24 May 2020 01:18:50 +0000
Message-ID: <BY5PR06MB66116C6D86EB4608E3AA0034C4B20@BY5PR06MB6611.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: labn.net; dkim=none (message not signed) header.d=none;labn.net; dmarc=none action=none header.from=dolby.com;
x-originating-ip: [73.70.15.21]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4684489d-cd3a-4f75-ad39-08d7ff806ae1
x-ms-traffictypediagnostic: BY5PR06MB6497:
x-microsoft-antispam-prvs: <BY5PR06MB6497D0A995D44C53A6158F73C4B20@BY5PR06MB6497.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0413C9F1ED
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BRAuxWhVMls/fbFExWCp+VzVXWCcgQT3uMsqY8FExOqP1p9NVZrKTdXAPWDv9KyNh8fKmS/RMrxSub1VbjqNf9cEHeksIjZLyWc+yNvYfdSuVD72f+y7r4CSY4Q9CHpQmmBomGW+TZE59UbgcizxUk/wyt3BFDN76SSa7ISgYL0t7TWW+yZk824Ld3+rQCgO8nWnxCDszZY6g3kqrgmJmty955jDtjxcYj0IuEX/SrLqwnLuDoTBe/oYGisEvHMsvLDvXUPXakNAiwFBHEKejSCga5KHGqhPMcsGDdWncAYXfRwjbMlQkRhmLfjJc6DfMZJ++Rssm2+YEMqsxX/e/A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR06MB6611.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(346002)(366004)(396003)(39850400004)(376002)(136003)(5660300002)(76116006)(66946007)(66476007)(66556008)(64756008)(66446008)(71200400001)(66574014)(52536014)(110136005)(55016002)(9686003)(15650500001)(8676002)(478600001)(316002)(30864003)(6506007)(8936002)(186003)(26005)(33656002)(86362001)(2906002)(7696005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: Q5dzsXGYwQAA/J7wpFJ7vajPFwQan9GQRZloyxFfHTphPQWsDy+egcGk7Z5RWZV9OYmLYT61w22K7ruoiY17/btL2/0lh0T97MLOA/kCLe7IWa3aPT2uiCfUE4dBDaV/DMCYelaC5H2Jx1plQJF1MdDLiMdZJ0wk1xBgDGlLmfr6rqD1biRNrPhSXBydWzuGlCGLqmSVqp5zZgmfPDyouAtfNR48XB0vPcqIpSaFgmysehMAlV26ri3VbC4U+itixJqVuujYgB9o+64mKnqqPkbagdNz3Y9Gq50zuHvv9jbml3F8z347qEPfG7x1XF4YnTJRMsNEHgVGLgJbUjG/W2OOyrH/XwmRioOLwVrk9mOjZLlxWEL3b42LA4EGfqcRSkItQO+n1R/1O5yuwFLOKXNJRXidMymOgQmqO9FN1CvYMRZITrNQotWNeSwoyvX0VypXpUBSmlstg+4uPacu6z4sBO/DSVA3p51qx5BhYEA=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR06MB66116C6D86EB4608E3AA0034C4B20BY5PR06MB6611namp_"
MIME-Version: 1.0
X-OriginatorOrg: dolby.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4684489d-cd3a-4f75-ad39-08d7ff806ae1
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 May 2020 01:18:50.9081 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 05408d25-cd0d-40c8-8962-5462de64a318
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tp1cYCuLGxfOarY9K2p7gV5GSoJUf98L4Btvld1g+CO/9ZYPwAshTVRlL5Z4XnqkXJqAUQiKAFDlXp9RCbxg+w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR06MB6497
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/60BsULJup95fxvPgTC8unpob8So>
Subject: [Detnet] New DetNet Security Draft Text 23May20
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 May 2020 01:18:58 -0000
Hi Lou, David, All,
I have made an attempt below to craft some new text to address David's issue around "we have to tell them what to do" in the DetNet Security draft (keeping in mind that it is an informational draft). There are two basic lines of reasoning that I have used here: the first is David's suggestion to incorporate the DiffServ RFCs' Security sections as appropriate, the second was following my own thought that the draft thus far has focused exclusively on system-level DetNet designers, but not component (such as router) designers, so I have attempted to say something useful there (or at least spark some discussion). Please let me know what you think, such as whether you feel this text addresses the current remaining concerns (given that there are a few editorial comments outstanding that I could fix in the same revision) and any other input you may have in order to get it to that point.
Thanks,
Ethan (as DetNet Security Consideration draft editor and co-author)
-------------------------------
Proposed changes to Abstract:
Was:
A DetNet (deterministic network) provides specific performance
guarantees to its data flows, such as extremely low data loss rates
and bounded latency. As a result, securing a DetNet implies that in
addition to the best practice security measures taken for any
mission-critical network, additional security measures may be needed
whose purpose is exclusively to secure the intended operation of
these novel service properties.
This document addresses specifically
those security considerations, with the assumption that the reader is
already familiar with network security best practices for the data
plane technologies underlying a given DetNet implementation. This
document defines a threat model and a taxonomy of relevant attacks,
including their potential impacts and mitigations.
Is:
A DetNet (deterministic network) provides specific performance
guarantees to its data flows, such as extremely low data loss rates
and bounded latency. As a result, securing a DetNet implies that in
addition to the best practice security measures taken for any
mission-critical network, additional security measures may be needed
whose purpose is exclusively to secure the intended operation of
these novel service properties.
Designers of DetNet components (such as routers) that provide these unique DetNet properties have the responsibility to uphold certain security-related properties that can be assumed by DetNet system-level designers. For example, the assumption that network traffic associated with a given flow can never affect traffic associated with a different flow is only true if the underlying components make it so.
This document addresses DetNet-specific security considerations from the perspective of both the DetNet component designer and the DetNet system-level designer. It is assumed that both classes of reader are already familiar with network security best practices for the data plane technologies underlying a given DetNet implementation. Component-level considerations include isolation of data flows from each other, ingress filtering, and detection and reporting of packet arrival time violations. System-level considerations include a threat model and a taxonomy of relevant attacks, including their potential impacts and mitigations.
Proposed changes to Introduction:
Was:
These DetNet technologies have not previously been
deployed together on a wide area IP-based network, and thus can
present security considerations that may be new to IP-based wide area
network designers. This document, intended for use by DetNet network
designers, provides insight into these security considerations.
Is:
... These DetNet technologies have not previously been
deployed together on a wide area IP-based network, and thus can
present security considerations that may be new to IP-based wide area
network designers; this document provides insight into such system-level security considerations. In addition, designers of DetNet components (such as routers) face new security-related challenges in providing DetNet services, for example maintaining reliable isolation between traffic flows in an environment where IT traffic co-mingles with critical reserved-bandwidth OT traffic; this document examines security implications internal to DetNet components.
Was:
Given the above considerations, securing a DetNet starts with a
scrupulously well-designed and well-managed engineered network
following industry best practices for security at both the data plane
and controller plane; this is the assumed starting point for the
considerations discussed herein. In this context we view the network
design and managment aspects of network security as being primarily
concerned with denial-of service prevention by ensuring that DetNet
traffic goes where it's supposed to and that an external attacker
can't inject traffic that disrupts the DetNet's delivery timing
assurance. The time-specific aspects of DetNet security presented
here take up where the design and management aspects leave off.
Is:
Given the above considerations, securing a DetNet starts with a
scrupulously well-designed and well-managed engineered network
following industry best practices for security at both the data plane
and controller plane; this is the assumed starting point for the
considerations discussed herein. Such assumptions also depend on the network components themselves upholding the security-related properties that are to be assumed by DetNet system-level designers; for example, the assumption that network traffic associated with a given flow can never affect traffic associated with a different flow is only true if the underlying components make it so. Such properties, which may represent new challenges to component designers, are also considered herein.
In this context we view the network
design and management aspects of network security as being primarily
concerned with denial-of service prevention by ensuring that DetNet
traffic goes where it's supposed to and that an external attacker
can't inject traffic that disrupts the DetNet's delivery timing
assurance. The time-specific aspects of DetNet security presented
here take up where the design and management aspects leave off.
Was:
o Provide explicit routes for DetNet flows that do not rapidly
change with the network topology
Is:
o Provide explicit routes for DetNet flows that do not dynamically
change with the network topology in ways that affect the quality of service received by the affected flow(s).
Was:
This document includes sections on threat modeling and analysis,
threat impact and mitigation, and the association of attacks with use
cases based on the Use Case Common Themes section of the DetNet Use
Cases.
Is:
This document includes sections on component design considerations as well as system
considerations including threat modeling and analysis, threat impact and mitigation,
and the association of attacks with use cases based on the Use Case Common Themes
section of the DetNet Use Cases.
Proposed new section:
Security Considerations for DetNet Component Design
As noted above, DetNet provides resource allocation, explicit routes and redundant path support. Each of these have associated security implications, which are discussed in this section. Detection, reporting and appropriate action in the case of packet arrival time violations is also discussed.
Resource allocation
A DetNet system security designer relies on the premise that any resources allocated to a resource-reserved (OT-type) flow are inviolable, in other words there is no physical possibility within a DetNet component that resources allocated to a given flow can be compromised by any type of traffic in the network; this includes both malicious traffic as well as inadvertent traffic such as might be produced by a malfunctioning component, for example one made by a different manufacturer. From a security standpoint, this is a critical assumption, for example when designing against DOS attacks. It is the responsibility of the component designer to ensure that this condition is met; this implies protection against excess traffic from adjacent flows, and against compromises to the resource allocation/deallocation process.
Explicit Routes
The DetNet-specific purpose for constraining the network's ability to re-route OT traffic is to maintain the specified service parameters (such as upper and lower latency boundaries) for a given flow. For example if the network were to re-route a flow (or some part of a flow) based exclusively on statistical path usage metrics, or due to malicious activity, it is possible that the new path would have a latency that is outside the required latency bounds which were designed into the original TE-designed path, thereby violating the quality of service for the affected flow (or part of that flow). (However, is acceptable for the network to re-route OT traffic in such a way as to maintain the specified latency bounds (and any other specified service properties) for any reason, for example in response to a runtime component or path failure). From a security standpoint, the system designer relies on the premise that the packets will be delivered with the specified latency boundaries; thus any component that is involved in controlling or implementing any change of the initially TE-configured flow routes needs to prevent malicious or accidental re-routing of OT flows that might adversely affect delivering the traffic within the specified service parameters.
Redundant Path Support
Provision for redundant paths is one of the most complex areas of the DetNet design, with a number of subtleties that .
Timing Violation Reporting
Another fundamental assumption of a secure DetNet is that in any case in which an incoming packet arrives outside of its prescribed time window or exceeding the reserved flow bandwidth, something can be done about it. That means that the component's data plane must be able to detect such cases, then at least alert the control plane, and/or drop the packet, and/or shut down the link if violations persist. Logging of such issues may not be adequate, since a delay in response to the situation could result in material damage, for example to mechanical devices controlled by the network.
Proposed new section:
DetNet Security Considerations Compared With DiffServ Security Considerations
DetNet is designed to be compatible with DiffServ as applied to IT traffic in the DetNet. DetNet also incorporates the use of the 6-bit value of the DSCP field of the TOS field of the IP header for flow identification for OT traffic, however the DetNet interpretation of the DSCP value for OT traffic is not equivalent to the PHB selection behavior as defined by DiffServ.
Thus security consideration for DetNet have some aspects in common with DiffServ, in fact overlapping 100% with respect to IP IT traffic. Security considerations for these aspects are part of the existing literature on IP network security, specifically the Security sections of RFC 2474 (DiffServ Definition) and RFC 2475 (DiffServ Architecture). However DetNet also introduce timing and other considerations which are not present in DiffServ, so the DiffServ security considerations are necessary but not sufficient for DetNet.
In the case of DetNet OT traffic, the DSCP value, although interpreted differently than in DiffServ, does contribute to determination of the service provided to the packet. Thus in DetNet there are similar consequences to DiffServ for lack of detection of, or incorrect handling of, packets with mismarked DSCP values, and thus many of the points made in the DiffServ draft Security discussions are also relevant to DetNet OT traffic, though perhaps in modified form. For example, in DetNet the effect of an undetected or incorrectly handled maliciously mismarked DSCP field in an OT packet is not identical to affecting that packet's PHB, since DetNet does not use the PHB concept for OT traffic, but nonetheless the service provided to the packet could be affected, so mitigation measures analogous to those prescribed by DiffServ would be appropriate for DetNet. For example, mismarked DSCP values should not cause failure of network nodes, and any internal link that cannot be adequately secured against modification of DSCP values should be treated as a boundary link (and hence any arriving traffic on that link is treated as if it were entering the domain at an ingress node). The remarks in RFC2474 regarding IPsec and Tunnelling Interactions are also relevant (though this is not to say that other sections are less relevant).
-------------------------------------------------
- [Detnet] New DetNet Security Draft Text 23May20 Grossman, Ethan A.
- Re: [Detnet] New DetNet Security Draft Text 23May… Lou Berger