Re: [Detnet] WG adoption poll draft-sdt-detnet-security-01
"Maik Seewald (maseewal)" <maseewal@cisco.com> Wed, 13 September 2017 14:22 UTC
From: "Maik Seewald (maseewal)" <maseewal@cisco.com>
To: "Grossman, Ethan A." <eagros@dolby.com>, Lou Berger <lberger@labn.net>, DetNet WG <detnet@ietf.org>
Date: Wed, 13 Sep 2017 14:22:44 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/B_lvduE9xURUu7E-lHcPO6O_8K8>

Hello Ethan,

Only a few comments on the use cases for the industries, especially in the utility environment:

- Especially in power automation, there is more and more regulation including standards (e.g., NERC CIP in North America)
- Availability and integrity are the most important security objectives (and requirements), confidentiality and privacy are relevant if customer or market data is involved
- Along these lines, there is a requirement for end-to-end security which is already standardised (and implemented) for many automation and control protocols (protecting the app layer and/or transport [typically using TLS])
- Another security control which is also standardised and implemented is segmentation (zones and conduits including access control)
- These are two trends any communication architecture needs to deal with
- The requirements in industrial automation are quite similar, especially in new scenarios such as Industry 4.0/Digital Factory where workflows and protocols cross zones, segments, and entities
- IEC 62443 (ISA99) defines security for Industrial Automation and Control Systems (IACS), typically for installations in the critical infrastructure
- It comprises domains such as industrial automation, oil & gas, and electricity transmission and distribution; the foundational requirements are a great source for industrial security

Regarding the Detnet specifics, IMHO, it is imperative to protect the network controller (wherever a controller is used) using strong security controls and mitigation technologies. A hacked/compromised controller would allow any disastrous (attack) scenario.

Cheers,
Maik

On 12.09.17, 19:21, "detnet on behalf of Grossman, Ethan A." <detnet-bounces@ietf.org on behalf of eagros@dolby.com> wrote:

>Thanks Lou,
>Yes/support.
>
>On behalf of the DetNet Security Design Team, we are pleased and excited
>about achieving workgroup adoption, and we look forward to input from the
>broader DetNet community. Below is our current list of items which we
>would like to address next in the draft - if anyone has additional
>suggestions or would like to help with the next release of the draft,
>which we are planning for IETF 100, please reply.
>
>1) We need to make another pass through every section to clean up loose
>ends, unify the writing style and flesh out some of the statements.
>2) Given that the Data Plane has been basically established, we need to
>extend the draft to address these specifics (e.g. implied by use of IPv6
>and/or MPLS-PW).
>3) We believe it would be helpful to establish solid requirements before
>we can expect external reviewers to review this draft, so our intent is
>to take the various use case statements in the appendix and turn them
>into more formal statement of requirements that a reviewer could measure
>our draft against.
>4) We need to review and improve our threat model to reduce our chances
>of being blind-sided by threats we haven't addressed.
>5) The current structure of the document has some "unusual" things about
>it, for example the section about use cases in which there are statements
>that are phrased as questions (like "does the threat attack the timely
>arrival of packets?") - we need to come up with a better way to phrase
>this information.
>
>Best,
>Ethan Grossman
>DetNet Security Draft editor
>
>-----Original Message-----
>From: detnet [mailto:detnet-bounces@ietf.org] On Behalf Of Lou Berger
>Sent: Tuesday, September 12, 2017 5:14 AM
>To: DetNet WG <detnet@ietf.org>
>Cc: DetNet Chairs <detnet-chairs@ietf.org>
>Subject: [Detnet] WG adoption poll draft-sdt-detnet-security-01
>
>All,
>
>This is the start of a two-week poll on making draft-sdt-detnet-security-01 a
>working group document. Please send email to the list indicating
>"yes/support" or "no/do not support". If indicating no, please state
>your reservations with the document. If yes, please also feel free to
>provide comments you'd like to see addressed once the document is a WG
>document.
>
>The poll ends Sep 26.
>
>Thanks,
>
>Lou (and Pat)
>
>_______________________________________________
>detnet mailing list
>detnet@ietf.org
>https://www.ietf.org/mailman/listinfo/detnet