Re: [Detnet] Secdir last call review of draft-ietf-detnet-security-12
Ethan Grossman <ethan@ieee.org> Mon, 09 November 2020 18:24 UTC
Return-Path: <ethan@ieee.org>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEEAA3A12AC for <detnet@ietfa.amsl.com>; Mon, 9 Nov 2020 10:24:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ieee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TeezNOKl_uuQ for <detnet@ietfa.amsl.com>; Mon, 9 Nov 2020 10:24:34 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20683A12B8 for <detnet@ietf.org>; Mon, 9 Nov 2020 10:24:34 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id d17so10428872lfq.10 for <detnet@ietf.org>; Mon, 09 Nov 2020 10:24:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=dZAUQr9eGv1Xlgq1jkG2imScMwioD9o9TdOpOZxkikU=; b=Kt8h5tckY4F8mOITBUsO9KtTMG0Z25bk0gHflRrRYVKQOeW8HL/p2xg8WfLoCV4VNJ +KdYZ/E3+yH0vyjfcIgIPxtKmPDCdb9wnlY+VG3CJimnXZGdAohjqHfgLNqhjIe4DK40 xosKG3QOJa1PVTrM0IP4cHXrLkWRYiJmEClw0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=dZAUQr9eGv1Xlgq1jkG2imScMwioD9o9TdOpOZxkikU=; b=fsVatvjCP+yXc452Ihcv7x8Ica9fN8F23s8WUXtZ4avMqmDIXngjMAT4ORlYp9UOdZ VYis+n1FugrWeA5taPzvuSgMtYuiXytlypc12YAMmTvj4BPqqkW2HPmoB0YA8HrgWzZ0 cnbaEJgxu9g0mBcfbm7ObEzmCNYTwCB3RdmsQ0VoMto7UR5BNNP7CGcb77YqKIHPElXL CxvRs4dHe7+JQkDMY13T79h/I1WuzmEH0gEHOo5lqsfWswEV5y/XRZh9tlAyLIjmc5ID rYqgiP9UgxHBl+591hTeUnJ5XZscF5Y+tGYag6WnhJmkGPOBOkF6vrEmx/vcIhnTJN2j QLUg==
X-Gm-Message-State: AOAM533MHPYfhiMPDe9QzviGBMtUjZk8PYdVhRz0awHJhYe1B9UWxvuI rNmeOeghSRuPeBggcTSDAixZWyQpQjakVZbjn5371ovTLoJrNg==
X-Google-Smtp-Source: ABdhPJyhLN2QtiDAuJuFZxm12OjAvMBo2TOitBc3ObDmd691DCBImFhcSinA109Wdk0XuNVHBqwVkWtAnbwQJnMJr0k=
X-Received: by 2002:a05:6512:33b8:: with SMTP id i24mr2759409lfg.69.1604946271997; Mon, 09 Nov 2020 10:24:31 -0800 (PST)
MIME-Version: 1.0
References: <160458609008.18764.7738961429715355351@ietfa.amsl.com>
In-Reply-To: <160458609008.18764.7738961429715355351@ietfa.amsl.com>
From: Ethan Grossman <ethan@ieee.org>
Date: Mon, 09 Nov 2020 10:24:19 -0800
Message-ID: <CAAP+WfH12LZNwK73qDK9HYvo9bZ91NX87ocsEuNHcGBT8UgB4A@mail.gmail.com>
To: "detnet@ietf.org" <detnet@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d4c9505b3b0ac4c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/4q4k8DXXvEyJpPYjh8iSGPO1lYE>
Subject: Re: [Detnet] Secdir last call review of draft-ietf-detnet-security-12
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2020 18:24:37 -0000
Hi All, Yaron has proposed that we make the DetNet Security draft Normative rather than Informational, and that we grade recommendations as MAY/SHOULD/MUST. Clearly this needs to be considered by the WG and Chairs, and the intent of this email is to start that discussion. I personally don't have a strong stance on it; I'm willing to take on the work of driving the requested changes if the WG feels this is appropriate. Thoughts? Thanks, Ethan (as DetNet Security draft editor) On Thu, Nov 5, 2020 at 6:21 AM Yaron Sheffer via Datatracker < noreply@ietf.org> wrote: > Reviewer: Yaron Sheffer > Review result: Has Issues > > Comments: draft-ietf-detnet-security-12 > > The name says it all: this document is all about Deterministic Networking > (DetNet) security. > > To summarize my perspective on this document: you chose to publish this > document as Informational and to not include any normative text. I > understand > the motivation, presumably all normative text should be included in the > base > documents. But it makes the document a lot less useful: network architects > would be guided much better if you made specific recommendations > (specifically, > in Sec. 7, "Mitigation") and graded these recommendations as > MAY/SHOULD/MUST. I > think deployers and architects would expect much more specific treatment of > security technologies and how they can/should be applied to DetNet rather > than > an open-ended discussion that they may be able to apply to their own > network, > but only after they have themselves gone through a deep dive into the > technical > options. > > One way you may want to improve the "usability" of the document is by > adding > references from Sec. 7 ("mitigations") to the specific mitigations > proposed in > the various technology-specific documents: for IP, MPLS, Ethernet etc. That > would make the discussion much more concrete. It would also allow users (as > well as WG participants) to understand more clearly which security areas > are > addressed well and which are not. > > * 1. "These DetNet technologies have not previously been deployed together > on a > wide area IP-based network". Referring to the previous paragraph, I think > you > mean to say, "DetNet technologies have not previously been deployed > together > with a wide area IP-based network" > > * "primarily concerned with denial-of service prevention" - this paragraph > seems to assume orthogonality/composability of architectural elements that > appears somewhat naive. Can we ensure basic security concerns > (confidentiality, > integrity) on DetNet networks using standard mechanisms, such as TLS/DTLS > or > IPsec while retaining the "deterministic" properties? Even if this is the > case, > it needs to be mentioned explicitly. For example, throttling or retry > mechanisms might well interact badly between security protocols and the > underlying transport. > > * 3.3 "integrity of the values in any header" - please provide a reference > to a > recommendation on how to protect these values. > > * 3.4: we punt the response of the network in the face of malicious actions > (e.g., a replayed, out-of-time-window packet) to admin configuration. > DetNet > specifies (or at least refers to) queuing and shaping algorithms in RFC > 8655, > Sec. 4.5. I would expect a similar reference to attack-resistant > algorithms, > instead of having the admin choose from a menu of choices that appear to be > simplistic - drop the packet or shut down the link. > > * 4: Sec. 7.1 of the DiffServ RFC has a different threat model in mind. The > introductory sections to the current document make it clear that we care > about > mixed IT/OT networks ("insider threat") whereas DiffServ assumes a secure > network that can be policed on the perimeter, in boundary nodes. I think > the > reference to "internal link[s] that cannot be adequately secured against > modification of DSCP values" is awkward - in a campus network, this would > be > *any* link, because there is no perimeter. > > * 5.2.2: as well as simple elimination of packets from the flow. > > * 5.3 (table): an Internal, on-path attacker can inject some signaling > packets. > Also, isn't a DDoS attack from the outside potentially an "inter-segment > attack" by an External attacker? > > * 7.2: the section on sequence number integrity appears to assume that this > protection is achieved by using encryption. This is not necessarily true, > protocols such as ESP-null (or the deprecated AH) integrity-protect packets > without encrypting them. Similar solutions are available in MACsec. > > * 7.4: if dummy packet insertion is presented as a mitigation against > reconnaissance (e.g. now my flow doesn't look like VoIP any more), I would > appreciate a reference to a proposed algorithm and a demonstration that > this > really works. Personally I am skeptical of that. > > * 7.5.1: I suggest to add to the end of the paragraph "However, if secret > symmetrical keys are used": Group key management protocols can be used to > automate management of such symmetric keys, see > [draft-ietf-ipsecme-g-ikev2-01] > for an example in the context of IPsec. > > * 7.6: and if we are worried about recon, then signaling needs to be > encrypted, > not just integrity-protected. > > * 8.1.3: this is phrased in a negative way, essentially saying, "the > network > should accommodate insecure packet flows". A more positive way to address > the > same issue would be "deployments should allow for dynamic and secure > registration of new devices, and possibly manual deregistration of retired > devices." > > * 8.1.4: this short section is totally opaque. What is the threat? What are > deployers supposed to do about it? The same in fact applies to 8.1.5. > > * 8.1.8: I would have liked to see treatment of the more complicated > issues, > such as IT packets that need to "cross the line" into OT. Are there > application-level dependencies on the IT network? For example, does the OT > network need to use the IT network for DNS or OAM services? If such > dependencies exist, how are malicious packet flows handled? > > * 8.1.11: this begs the question: are there unambiguous specifications of > the > DetNet security mechanisms, so as to enable interoperability? > > * 8.1.21: This section ends on a pessimistic note. It doesn't have to be > that > way... One way to deal with your conclusions is for network designers to > adopt > a standard risk-based approach, where only those attacks are mitigated > whose > potential cost is higher than the cost of mitigation. > > * Sec. 9, when discussing IPsec, again omits to mention that packet > integrity > protection *without* encryption is an option. > > >
- [Detnet] Secdir last call review of draft-ietf-de… Yaron Sheffer via Datatracker
- Re: [Detnet] Secdir last call review of draft-iet… Ethan Grossman