Re: [Detnet] WG Last Call: draft-ietf-detnet-security-09

"Grossman, Ethan A." <eagros@dolby.com> Fri, 15 May 2020 20:10 UTC

From: "Grossman, Ethan A." <eagros@dolby.com>
To: Lou Berger <lberger@labn.net>, DetNet WG <detnet@ietf.org>
CC: "draft-ietf-detnet-security@ietf.org" <draft-ietf-detnet-security@ietf.org>, "Black, David" <David.Black@dell.com>
Date: Fri, 15 May 2020 20:10:29 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/hSLF9zsBNap5NLWXMnEB_oT3lRw>

Hi Lou,
Comments inline.
Ethan (EAG).

-----Original Message-----
From: Lou Berger <lberger@labn.net> 
Sent: Friday, May 15, 2020 12:47 PM
To: Grossman, Ethan A. <eagros@dolby.com>; DetNet WG <detnet@ietf.org>
Cc: draft-ietf-detnet-security@ietf.org; Black, David <David.Black@dell.com>
Subject: Re: [Detnet] WG Last Call: draft-ietf-detnet-security-09

Hi Ethan,

On 5/15/2020 1:09 PM, Grossman, Ethan A. wrote:
> Hi Lou,
> As I understand it, there are two unresolved issues from David Black's last email. These are:
>
>> [5-Major] Section 5.8 seems incomplete.   It contains a sizeable summary table
>> of attacks, impacts and mitigations, but doesn't provide 
>> recommendations on what to do.  Scanning the mitigations column, a 
>> good start would be to characterize control message protection and 
>> performance analytics as [MUST implement, SHOULD use] and the combination of DetNet authentication and
>> integrity protection as [MUST implement, MAY use].   Both "MUST"
>> requirements are my initial take that I'd be happy to discuss further.

There were two points on this, in David's response.

1) there was agreement that conformance language was *not* needed, but that

2) the draft should "provide concise recommendations to implementers on what to do."

I took this as an editorial comment that the authors would address.  Do you think otherwise?

EAG: That is exactly how I take it; the issue is that I cannot find an author who is both willing and able to address this. In other words, I don't have the domain knowledge to "tell implementers what to do", and so far no one else has stepped up.


>> [6-Major] Section 7.1 on the IP data plane seems rather weak - I'm 
>> not sure whether it says anything that's seriously useful.  Section 
>> 7.2 on the MPLS data plane is much better in directing the reader to 
>> relevant security considerations in other documents.
> In short, yes, I still need input on these; I can't resolve them myself.

Skimming this section, the biggest omissions are security considerations in prior work. I think it worthwhile to review the security considerations in [RFC2474] and [RFC2475] and see if content is missing from this document (probably in section 3) or if a simple reference should be added. Once this is done, I can also note in the Shepherd/PROTO write-up that this document has already been informally reviewed by the security directorate and that this section has been identified as needing specific review (in the context of the rest of the document).

So I think the action is back on you/the authors to look at the security considerations in [RFC2474] and [RFC2475], update this draft accordingly, and then report back to the WG. Of course if someone else wishes they can propose a specific update to the WG document on the list, and this would be most welcome.

Does this work for you and the other authors?

EAG: OK, regarding item #6 I can read the Security sections of RFCs 2474 and 2475 and incorporate what is relevant from them, or include a reference to them. Regarding item #5, I am still at an impasse unless I have specific actionable guidance such as what you have proposed for #6; if you can point me in a specific direction, and I can understand what is being asked (within a reasonable amount of study time), then I am willing to do the work.

Thanks,

Lou

> Ethan (as DetNet Security draft editor).
>
>
> -----Original Message-----
> From: Lou Berger <lberger@labn.net>
> Sent: Friday, May 15, 2020 7:43 AM
> To: DetNet WG <detnet@ietf.org>
> Cc: draft-ietf-detnet-security@ietf.org
> Subject: Re: [Detnet] WG Last Call: draft-ietf-detnet-security-09
>
> To follow up on this LC -- the LC is closed, but (as I understand it) there is one unresolved issue.
>
> Authors,
>
>       do you have a plan to address the open issue, or do you still need some additional input?
>
> Lou
>
> On 4/20/2020 11:00 AM, Lou Berger wrote:
>> All,
>>
>> This starts a two-week working group last call for
>> draft-ietf-detnet-security-09
>>
>> The working group last call ends on April 4.
>> Please send your comments to the working group mailing list.
>>
>> Positive comments, e.g., "I've reviewed this document and believe it 
>> is ready for publication", are welcome!
>> This is useful and important, even from authors.
>>
>> Thank you,
>> Lou (DetNet Co-Chair & doc Shepherd)
>>
>> _______________________________________________
>> detnet mailing list
>> detnet@ietf.org
>> https://www.ietf.org/mailman/listinfo/detnet
>>