IETF Logo Mail Archive

Re: [Detnet] DetNet Security Draft Proposed Text - Encryption

"Maik Seewald (maseewal)" <maseewal@cisco.com> Wed, 13 February 2019 08:30 UTC

Return-Path: <maseewal@cisco.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8AFC12870E for <detnet@ietfa.amsl.com>; Wed, 13 Feb 2019 00:30:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=ca+b2cZ3; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=l+feZbc9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRko-yfc2Hzt for <detnet@ietfa.amsl.com>; Wed, 13 Feb 2019 00:30:49 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5808B128CB7 for <detnet@ietf.org>; Wed, 13 Feb 2019 00:30:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=30305; q=dns/txt; s=iport; t=1550046649; x=1551256249; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=YOoAvBTqg7ot2JxWZytciy48cvPJhmiXIM1FQboHXXA=; b=ca+b2cZ3lE6Qgc7Q0E4DmT0P3Ecr/KpzZSUkGPwkqt5AdP/skQH4Pi/+ LhXGErNw8kpcBmhJ17zmCoVnEnYQlfLWYnnE0iuYkiIC/i3r8lLHhPMy/ z6XtEM66y59i6FNMA/kkbrpKSPQDKpSy5qjoIEQZnFeEHGwDnpoCKuJpC E=;
IronPort-PHdr: 9a23:5raxgRZz8QpCW80eWeDgWP7/LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el20gabRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn1NksAKh0olCc+BB1f8KavvZjc3EdtLUHdu/mqwNg5eH8OtL1A=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AQAABc1GNc/5JdJa1ZChkBAQEBAQEBAQEBAQEHAQEBAQEBgVQBAQEBAQELAYENI1ADZ3QECycKh0IDj3dKgg2YJ4EQA1QLAQEshEACg08iNwYNAQMBAQIBAQJtHAyFSgEBAQQtEwEBNwEPAgEIEQMBAQEhAQYHMhQJCAIEAQ0FH4MGgR1MAxUBnlsCihSCIIJ4AQEFgkWCPxiCCwiJenYQJYEAHReBQD+BEYF9Zy6EVg8EOBaFKooCA4YdMIZQE4sYXAkCiFGCVIcsGYFthVKEfIY0gyWEBIMMkWgCBAIEBQINAQEFgVwigVZwFTuCbIIcg26KU3KBKI0oAYEeAQE
X-IronPort-AV: E=Sophos;i="5.58,365,1544486400"; d="scan'208,217";a="521062547"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2019 08:30:35 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id x1D8UXB0000467 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Feb 2019 08:30:33 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 13 Feb 2019 02:30:32 -0600
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 13 Feb 2019 02:30:31 -0600
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Wed, 13 Feb 2019 02:30:31 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector1-cisco-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vRS/6SBQfoZ13JufshInly5A859At8hZqXzcxkLketE=; b=l+feZbc9oJPi0i4KlpyK0tlSpeT7NVLH4Kan69BRvWIgdCKBqEZbs3HEGceegtecyvgGoj5+gZZSKRkQhoPWBLX1G16vEVLa32Oa3l8+rS4zHggiL2ASJQ9uQWSAPQQyCxhckUqtB9g6HT6VCvt4bFz+XKth5F9l7ch9RCWVwQQ=
Received: from CY4PR11MB1479.namprd11.prod.outlook.com (10.172.66.137) by CY4PR11MB2054.namprd11.prod.outlook.com (10.173.16.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1622.16; Wed, 13 Feb 2019 08:30:30 +0000
Received: from CY4PR11MB1479.namprd11.prod.outlook.com ([fe80::582b:d678:23c3:ad22]) by CY4PR11MB1479.namprd11.prod.outlook.com ([fe80::582b:d678:23c3:ad22%4]) with mapi id 15.20.1622.016; Wed, 13 Feb 2019 08:30:30 +0000
From: "Maik Seewald (maseewal)" <maseewal@cisco.com>
To: "Grossman, Ethan A." <eagros@dolby.com>, "detnet@ietf.org" <detnet@ietf.org>
CC: "ekr@rtfm.com" <ekr@rtfm.com>
Thread-Topic: [Detnet] DetNet Security Draft Proposed Text - Encryption
Thread-Index: AQHUwqO59xE6aoAp/UuUS5dNynm9eqXciKZggADv2gA=
Date: Wed, 13 Feb 2019 08:30:30 +0000
Message-ID: <D8899183.79E0F%maseewal@cisco.com>
References: <D8882F50.79D0D%maseewal@cisco.com> <BYAPR06MB4325ED8D44F051EBAA973392C4650@BYAPR06MB4325.namprd06.prod.outlook.com>
In-Reply-To: <BYAPR06MB4325ED8D44F051EBAA973392C4650@BYAPR06MB4325.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.6.150930
authentication-results: spf=none (sender IP is ) smtp.mailfrom=maseewal@cisco.com;
x-originating-ip: [173.38.220.42]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3453eec0-192f-41fc-c5d5-08d6918d839f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7153060)(7193020); SRVR:CY4PR11MB2054;
x-ms-traffictypediagnostic: CY4PR11MB2054:
x-microsoft-exchange-diagnostics: 1; CY4PR11MB2054; 23:48zzRgMINxj+jYaHKN34IqomVg1aCqcSD1omLzjJHFW1XGbAcSXbnRbEyhjg5pobrQgzqhrlaj1FOxEB9qtg1Tj2TZHeZcqcArjKGFbPQgt7bv6W5hgAzE4TmaLPIgPoPXxvAlh6L8usXpuNKRcL+qAnL+n5qNpTR3xR+k7vh0qttb9ZXKJFtt7w9lWjvx4drLOgV5U8S+74YCroANZpTUauZoaco7n4jITduAfdM9ihSV0pfwAahzygFp8Yg1iDL9zUd1KZGgUy/FI55kEkRm7doj2gF76U3mcgGRIydg1ToEbJ2eG7nexe4T99yvm105JH2av8yaLulHjAcJFPufj5KxnI64XVNp1N+gxGh3NI7W1l5+lWxXElwYpEcEcqyfMKghyPXSlXDw3ad4PSjGb1xcubj+Pachr6ZnKEnKacMa8IS0VS7BZ3iekednsgqrX+Q7EwVe6fxxd5pH9FjtoVfEgOJmjHiH3KLq3CLz/H+OQKzdJ4LLL9ELYeD09w1LTTe9QW+BboKPFdWemfpwNSbEaCwVPFgyYsYh9jDvie/7llGjHrEPzKOk9SCjdNeq+RsAwR37OxTsDM8pGOnn9HJnq7JeRGOh/FwSnIlGFbLhC418QvkHlGnsD6HgmOebmlfc1hytaqygMgwHUE4EyqekM5qJaqOpN9Kpg4eyu8hXOJAuDCGMK4fuFK1Hl96s3FNlMbDJe2Ghrvxp7D9LWj+gOrck/1AlbYFGgkjShS3cSRatS6JIPqtTZGDkPqsiguc2nF2oFGPGy0XDSvIKyXPUCJGisFZ7J6SEU3PqpfMXjGuXKeXK60b/0uE4Wsop6bjyYf/6MUb1iyjUQXTPY1dIBZz75I9un2McOzte0B+7oXqGhTlmtDsxlg4uuMUgVjNRHra+Y4ccSmevFTMWhz8sUMFG1lYBjU4Odu6ELfupWogFqmlgKBYV2JRNXZk1/GD935nqcvCOLQWlY/lb656bNJ0Qr86odxvKdwJmHMrNGo7sebBnCN8CQvcs4XWRgwzZctT42hlpd0qiyj+LOasEEBAuGxmIdXY2HRFrTM6xZEli2+yWusME6G9jeWtzmoF/czpR4U/FVygP30qQbHMjtAKcPL7YsxD1NRKUmp0wqFMLlXjOiwSQmjPjaWavvyfS9rMVgMG2ybJbqy5e6Bt0mrd2XmK7s/sTObAxKvW2YdHIdPZ2rxzElNiKuA4bskP1nMbgVLObGFLjwAWyYINv9L+IuthKuIl9T2OkTUeaIggKRSMfW2w9Fo4l6u0RVdaIU0SfuRu5QzZoqEuk5M/dkgf0vYEVuhRfulrjp+xfgZs2+LgJ+nnLnbmnZ0aR0J6IYasaBQtht0oCQyHwhzVA++dKetZE0Ha9WQdVA=
x-microsoft-antispam-prvs: <CY4PR11MB2054D523C21428C70CA67A0BC5660@CY4PR11MB2054.namprd11.prod.outlook.com>
x-forefront-prvs: 094700CA91
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(366004)(39860400002)(136003)(396003)(53754006)(189003)(199004)(256004)(6486002)(25786009)(7736002)(68736007)(15650500001)(2420400007)(316002)(6436002)(10710500007)(99286004)(6512007)(53936002)(6246003)(54896002)(236005)(8936002)(4326008)(36756003)(14444005)(81166006)(86362001)(2906002)(6306002)(81156014)(478600001)(8676002)(229853002)(14454004)(11346002)(2616005)(71200400001)(71190400001)(6506007)(486006)(446003)(476003)(7110500001)(97736004)(186003)(102836004)(53546011)(26005)(110136005)(76176011)(105586002)(2501003)(66066001)(106356001)(790700001)(3846002)(6116002)(58126008); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR11MB2054; H:CY4PR11MB1479.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: AlQZhgEZ2R/XNq4SdHUX25M7Az3rfiG8FLUGmh5HjsjVRimOk1jhPjj67v3mmUMMbETqVTOGZRSvwF/wJGmADNr7sDIn4WEUWL/pn6n6vdTxfao4TZu2Sk+GzmQGsVp0u+9VewA8PatLSJQtbFFZQNuly9mEaFD4rTzwnAiED2HtnR3KhtFczU46O36LRPYlFrs+LgLbz6ZVuFkV9zKrQWkNaN8MOB3MpM5BOYA6tBQwXw+BaGjnioFlpb3UEbkZG0TmiRr//SEiDclUXdSIbFqVX1VJKqFd5WnGuPyHNhA8ebUuK3g2o0T3BCKCBRhgAhnOg1rWAMCIGEkBj0Q0pejImEynM8cLbSQgwXxqpCLMQ7ofm9FWnOZuTbaSbwIKPsZ8mOrqPsLJPmDKanpjMr1ymTnleCZZO0oSd7DbOu0=
Content-Type: multipart/alternative; boundary="_000_D889918379E0Fmaseewalciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3453eec0-192f-41fc-c5d5-08d6918d839f
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Feb 2019 08:30:30.2735 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR11MB2054
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/4tW5QQUYTwJu4DxlGWSR7qRz7po>
Subject: Re: [Detnet] DetNet Security Draft Proposed Text - Encryption
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 08:30:53 -0000

Hello Ethan,

It looks good!

Thanks.
Maik

From: "Grossman, Ethan A." <eagros@dolby.com<mailto:eagros@dolby.com>>
Date: Tuesday, 12. February 2019 at 20:19
To: Cisco Employee <maseewal@cisco.com<mailto:maseewal@cisco.com>>, "detnet@ietf.org<mailto:detnet@ietf.org>" <detnet@ietf.org<mailto:detnet@ietf.org>>
Cc: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Subject: RE: [Detnet] DetNet Security Draft Proposed Text - Encryption

Maik,
Also I have paraphrased your earlier proposed additions to the Utilities use case text (as copied from the Use Cases draft for reference) in Appendix A of the Security draft. Here is the text I added, please let me know if you have any corrections or other changes.
          <t>Existing power automation security standards can inform network security. For example
            the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure
            Protection) plan is a set of requirements designed to secure the assets required for
            operating North America's bulk electric system. Another standardized security control
            technique is Segmentation (zones and conduits including access control). </t>

          <t>The requirements in Industrial Automation and Control Systems (IACS) are quite similar,
            especially in new scenarios such as Industry 4.0/Digital Factory where workflows and
            protocols cross zones, segments, and entities. IEC 62443 (ISA99) defines security for
            IACS, typically for installations in other critical infrastructure such as oil and
            gas.</t>

          <t>Availability and integrity are the most important security objectives for the lower
            layers of such networks; confidentiality and privacy are relevant if customer or market
            data is involved, typically handled by higher layers.</t>

FYI All of Appendix A will probably be removed from the Security draft before publication, but during draft development we are keeping it there to provide a single reference point.

Thanks again for your input,
Ethan.

From: Maik Seewald (maseewal) <maseewal@cisco.com<mailto:maseewal@cisco.com>>
Sent: Monday, February 11, 2019 11:23 PM
To: Grossman, Ethan A. <eagros@dolby.com<mailto:eagros@dolby.com>>; detnet@ietf.org<mailto:detnet@ietf.org>
Cc: ekr@rtfm.com<mailto:ekr@rtfm.com>
Subject: Re: [Detnet] DetNet Security Draft Proposed Text - Encryption

Hello Ethan,

Only a few comments:

Execution times are essential for flow calculations.
On the other hand, to define bounded execution times is challenging.
And, does it make sense to use the boundary (value) for calculations?

Since this is a new standard, we should recommend agility of crypto algorithms in order to address quantum-safe crypto.
This especially impacts asymmetric algoritms.

Of course, there are implications with symmetric crypto, especially in terms of key management.
But I assume, this won’t be part of the text…

Cheers,
Maik

From: detnet <detnet-bounces@ietf.org<mailto:detnet-bounces@ietf.org>> on behalf of "Grossman, Ethan A." <eagros@dolby.com<mailto:eagros@dolby.com>>
Date: Tuesday, 12. February 2019 at 06:25
To: "detnet@ietf.org<mailto:detnet@ietf.org>" <detnet@ietf.org<mailto:detnet@ietf.org>>
Cc: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Subject: [Detnet] DetNet Security Draft Proposed Text - Encryption

Hi All,
I have consolidated the list discussion about the pros and cons of encryption algorithms into the Mitigation-Encryption section of the security draft (text of the section as it now reads is below). I would like the WG to review it before I publish it in a new version of the Security draft.
Thanks,
Ethan (as editor of the DetNet Security draft)
--------------------------------------------------------------------
5.    Security Threat Mitigation
5.4.         Encryption
Description
               DetNet flows can be forwarded in encrypted form.
Related attacks
Encryption can be used to mitigate recon attacks (Section 3.2.7). However, for the DetNet to give differentiated quality of service on a flow-by-flow basis, it must be able to identify the flows individually. This implies that in a recon attack the attacker may also be able to track individual flows to learn more about the system.
Encryption can also provide traffic origin verification, i.e. to verify that each packet in a DetNet flow is from a verified source, for example as part of ingress filtering.
5.4.1.     Encryption Considerations for DetNet
Any time spent on encryption and decryption processing (“crypto”) must be included in the flow latency calculations.. Thus, crypto algorithms used in a DetNet must have bounded execution times.
Some crypto algorithms are symmetric in encode/decode time (such as AES and SHA-2) and others are asymmetric (such as public key algorithms). There are advantages and disadvantages to the use of either type in a given DetNet context.
Asymmetrical crypto is typically not used in networks on a packet-by-packet basis due to its computational cost. For example, if only endpoint checks or checks at a small number of intermediate points are required, one can use asymmetric crypto to authenticate distribution or exchange of a secret symmetric crypto key; a successful check based on that key will provide traffic origin verification as long as the key is kept secret by the participants.  Both TLS and IKE (for IPsec) are examples of this for endpoint checks.
However, if we use secret symmetrical keys for this purpose we must give the key to all relays, which increases the probability of a secret key being leaked. Also, if any relay is compromised or misbehaving it may inject traffic into the flow.
Alternatively, asymmetric crypto can provide traffic origin verification at every intermediate node. For example, a DetNet flow can be associated with an (asymmetric) keypair, such that the private key is available to the source of the flow and the public key is distributed with the flow information, allowing verification at every node for every packet. However, this is more computationally expensive.
In either case, origin verification also requires replay detection mechanism as part of the security protocol to prevent an attacker from recording and resending traffic, e.g., as a denial of service attack on flow forwarding resources.

v2.23.0 | Report a Bug | By Email