IETF Logo Mail Archive

Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

János Farkas <janos.farkas@ericsson.com> Mon, 25 March 2019 16:20 UTC

Return-Path: <Janos.Farkas@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F18B120420 for <detnet@ietfa.amsl.com>; Mon, 25 Mar 2019 09:20:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.041
X-Spam-Level:
X-Spam-Status: No, score=-4.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KtCkKRemKQRR for <detnet@ietfa.amsl.com>; Mon, 25 Mar 2019 09:20:44 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 320BC120412 for <detnet@ietf.org>; Mon, 25 Mar 2019 09:20:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1553530836; x=1556122836; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=9h3gaidmzJIjr6eZV3lZ7gl0h4xda80z5U9TWFXNIaM=; b=TBsiWxeR/huUAlEfMMuwbIUAU64wJc2j/jcHkfsU2Vf4jzGogRU876jD/IRbSb7D gDE39WlW2TnN4WCb9JhBk+MV3oHLGKrAsHap02erbEctFXEnN+XwCRRIuc/dRK80 5W8AkFHoauEvdRp+SbxbELCZVfEYpGKaPqkVKL4jXMo=;
X-AuditID: c1b4fb2d-fc7ff70000002218-4f-5c98ffd4130c
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 2D.E5.08728.4DFF89C5; Mon, 25 Mar 2019 17:20:36 +0100 (CET)
Received: from ESESBMB504.ericsson.se (153.88.183.171) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Mon, 25 Mar 2019 17:20:36 +0100
Received: from [100.94.53.247] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.187) with Microsoft SMTP Server id 15.1.1713.5 via Frontend Transport; Mon, 25 Mar 2019 17:20:35 +0100
To: Alvaro Retana <aretana.ietf@gmail.com>
CC: Lou Berger <lberger@labn.net>, The IESG <iesg@ietf.org>, draft-ietf-detnet-architecture@ietf.org, detnet@ietf.org, detnet-chairs@ietf.org
References: <155067820715.31361.3746519237969586434.idtracker@ietfa.amsl.com> <108f9294-fb9d-557a-011a-6a53156bcb37@labn.net> <CAMMESsx4juKOjPNPQW2iLDYRC6REr8jKWLJLBDUt-AsmC-eFmA@mail.gmail.com> <7056c886-3aa9-2d85-7824-ee5f1ac9bb33@labn.net> <CAMMESszvQ-QgZLNfPF2MMq6UNtCR5DLzhMvzuFF_eCiyUiu5qg@mail.gmail.com> <f647a19c-584f-6a34-77d5-702d26d31013@labn.net> <150fb3c5-0f60-8426-0345-a17d9be984b9@ericsson.com>
From: János Farkas <janos.farkas@ericsson.com>
Message-ID: <06a42687-5942-2591-4c71-5a5ff5090474@ericsson.com>
Date: Mon, 25 Mar 2019 17:20:35 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <150fb3c5-0f60-8426-0345-a17d9be984b9@ericsson.com>
Content-Type: multipart/alternative; boundary="------------78FC0D36E29D42531BF03C2A"
Content-Language: en-US
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuphkeLIzCtJLcpLzFFi42KZGbG9VPfK/xkxBidXq1jcOLSByeJa/w8W i9+fZrNYfPg2k8Vixp+JzBYdzW9ZHNg8ds66y+6xZMlPJo8Pm5rZApijuGxSUnMyy1KL9O0S uDLmfj/GWPBsB1PF0ZuvmRsYn9xl7GLk5JAQMJG4dv8pcxcjF4eQwBFGiSUHNrGBJIQEvjFK tO01hLCBEn/ex4HYwgIFEl+PNrCD2CICWhK3d+5kB2lmFpjOKHF+/gs2iEnLmSXO/trDBFLF JmAvcffSBmYQmxfI/np8PpDNwcEioCpx4DFYiahArMSnK4uhSgQlTs58wgJicwo4SOw+tg4s ziwQJtG7+SsLhC0ucevJfCaI49QkPr19yD6BUXAWkvZZSFpmIWmBsC0kZs4/zwhhy0s0b53N DGFrSLTOmcuOLL6AkX0Vo2hxanFxbrqRsV5qUWZycXF+nl5easkmRmAcHdzyW3cH4+rXjocY BTgYlXh4T3yYESPEmlhWXJl7iFGCg1lJhPeJKFCINyWxsiq1KD++qDQntfgQozQHi5I47x8h wRghgfTEktTs1NSC1CKYLBMHp1QD4/y7PIkxXTrbND/WsTOwL/vG8D9t28eN7cEs1z5XP31S u+Xji802DHsLFfTPafy7rnRignPT2uMh+6bZnvly5n/KVQke9swVa7JYlQ7NbVyg9j7RQkXs Q4jLcxmG7o/1vUl28i3qXxqks+QkgySuGVyrXZZ7sOrOD5+F91OZDid5eHxJcn+eqcRSnJFo qMVcVJwIAEksKXOfAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/CCKNsey9Tcg3bTWENoNzlu5Drcc>
Subject: Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 16:20:49 -0000

Hi Alvaro,

We believe that we have addressed your comments in the most recent 
revision: https://tools.ietf.org/html/draft-ietf-detnet-architecture-12. 
(https://mailarchive.ietf.org/arch/msg/detnet/utVL9ZVGcOeGtRIASRFx5WT_ErM)

Please let us know what else you would like to see done before you clear 
your DISCUSS.

I/we would be happy to meet with you this week if there is anything you 
would like to discuss.

Regards,
Janos


On 3/6/2019 6:56 AM, János Farkas wrote:
> Hi Alvaro,
>
> Do the updates we are making the security section resolve your comments:
> https://mailarchive.ietf.org/arch/msg/detnet/btWvDFtp4F3JY2rY3wZEYdNn42o
>
> The current proposed text:
>
> 5.  Security Considerations
>
>    Security considerations for DetNet are described in detail in
>    [I-D.ietf-detnet-security].  This section considers exclusively
>    security considerations which are specific to the DetNet
>    Architecture.
>
>    Security aspects which are unique to DetNet are those whose aim is to
>    provide the specific quality of service aspects of DetNet, which are
>    primarily to deliver data flows with extremely low packet loss rates
>    and bounded end-to-end delivery latency.  A DetNet may be implemented
>    using MPLS and/or IP (including both v4 and v6) technologies, and
>    thus inherits the security properties of those technologies at both
>    the control plane and the data plane.
>
>    Security considerations for DetNet are constrained (compared to, for
>    example, the open Internet) because DetNet is defined to operate only
>    within a single administrative domain (see Section 1).  The primary
>    considerations are to secure the request and control of DetNet
>    resources, maintain confidentiality of data traversing the DetNet,
>    and provide the availability of the DetNet quality of service.
>
>    To secure the request and control of DetNet resources, authentication
>    and authorization can be used for each device connected to a DetNet
>    domain, most importantly to network controller devices. Control of a
>    DetNet network may be centralized or distributed (within a single
>    administrative domain).  In the case of centralized control,
>    precedent for security considerations as defined for Abstraction and
>    Control of Traffic Engineered Networks (ACTN) can be found in
>    [RFC8453], Section 9.  In the case of a distributed control
>    protocols, DetNet security is expected to be provided by the security
>    properties of the protocols in use.  In any case, the result is that
>    manipulation of administratively configurable parameters is limited
>    to authorized entities.
>
>    To maintain confidentiality of data traversing the DetNet,
>    application flows can be protected through whatever means is provided
>    by the underlying technology.  For example, encryption may be used,
>    such as that provided by IPSec [RFC4301] for IP (Layer 3) flows and
>    by MACSec [IEEE802.1AE-2018] for Ethernet (Layer 2) flows.
>
>    DetNet flows are identified on a per-flow basis, which may provide
>    attackers with additional information about the data flows (when
>    compared to networks that do not include per-flow identification).
>    This is an inherent property of DetNet which has security
>    implications which should be considered when determining if DetNet is
>    a suitable technology for any given use case.
>
>    To provide uninterrupted availability of the DetNet quality of
>    service, provisions can be made against DOS attacks and delay
>    attacks.  To protect against DOS attacks, excess traffic due to
>    malicious or malfunctioning devices can be prevented or mitigated,
>    for example through the use of traffic admission control applied at
>    the input of a DetNet domain, as described in Section 3.2.1, and
>    through the fault mitigation methods described in Section 3.3.2.  To
>    prevent DetNet packets from being delayed by an entity external to a
>    DetNet domain, DetNet technology definition can allow for the
>    mitigation of Man-In-The-Middle attacks, for example through use of
>    authentication and authorization of devices within the DetNet domain.
>
>    Because DetNet mechanisms or applications that rely on DetNet can
>    make heavy use of methods that require precise time synchronization,
>    the accuracy, availability, and integrity of time synchronization is
>    of critical importance.  Extensive discussion of this topic can be
>    found in [RFC7384].
>
>    DetNet use cases are known to have widely divergent security
>    requirements.  The intent of this section is to provide a baseline
>    for security considerations which are common to all DetNet designs
>    and implementations, without burdening individual designs with
>    specifics of security infrastructure which may not be germane to the
>    given use case.  Designers and Implementers of DetNet systems are
>    expected to take use case specific considerations into account in
>    their DetNet designs and implementations.
>
>
> Please let us know if you have any remaining comments and what they are.
>
> Thank you!
> Janos
>
>
> On 2/23/2019 9:39 PM, Lou Berger wrote:
>>
>> Hi *Alvaro*,
>>
>> see below.
>>
>> On 2/22/2019 6:02 AM, Alvaro Retana wrote:
>>> On February 21, 2019 at 7:35:32 PM, Lou Berger (lberger@labn.net 
>>> <mailto:lberger@labn.net>) wrote:
>>>
>>> Hi!
>>>
>>>> >>> ----------------------------------------------------------------------
>>>> >>> DISCUSS:
>>>> >>> 
>>>> ----------------------------------------------------------------------
>>>> >>>
>>>> >>> I support Mirja's and Alissa's DISCUSSes...and have a related 
>>>> set of concerns
>>>> >>> about the coexistence with non-DetNet traffic and privacy:
>>>> >>>
>>>> >>> §3.3.1 talks about what I think is a hard to achieve balance 
>>>> between coexisting
>>>> >>> with non-DetNet traffic and keeping that traffic from 
>>>> disrupting DetNet flows.
>>>> >>> Because of the constraints, the intent of prioritizing DetNet 
>>>> flows is clear
>>>> >>> (and that is ok), but that may result in starvation of non-DetNet
>>>> >>> traffic...even if the text does explicitly say that it "must be 
>>>> avoided".
>>>> >>>
>>>> >>> I would like to see the potential case of starving non-DetNet 
>>>> traffic called
>>>> >>> out somewhere.
>>>> >>
>>>> >> This is the objective of section 3.3.1..
>>>> >>
>>>> >>
>>>> >>> I'm looking for something similar to the first paragraph in §5,
>>>> >>> but focused on the non-DetNet traffic.
>>>> >>
>>>> >> The current text reads:
>>>> >>
>>>> >> 3.3.1. Coexistence with normal traffic
>>>> >>
>>>> >> A DetNet network supports the dedication of a high proportion of the
>>>> >> network bandwidth to DetNet flows. But, no matter how much is
>>>> >> dedicated for DetNet flows, it is a goal of DetNet to coexist with
>>>> >> existing Class of Service schemes (e.g., DiffServ). It is also
>>>> >> important that non-DetNet traffic not disrupt the DetNet flow, of
>>>> >> course (see Section 3.3.2 and Section 5). For these reasons:
>>>> >>
>>>> >> o Bandwidth (transmission opportunities) not utilized by a DetNet
>>>> >> flow is available to non-DetNet packets (though not to other
>>>> >> DetNet flows).
>>>> >>
>>>> >> o DetNet flows can be shaped or scheduled, in order to ensure that
>>>> >> the highest-priority non-DetNet packet is also ensured a worst-
>>>> >> case latency.
>>>> >>
>>>> >> o When transmission opportunities for DetNet flows are scheduled in
>>>> >> detail, then the algorithm constructing the schedule should leave
>>>> >> sufficient opportunities for non-DetNet packets to satisfy the
>>>> >> needs of the users of the network. Detailed scheduling can also
>>>> >> permit the time-shared use of buffer resources by different DetNet
>>>> >> flows.
>>>> >>
>>>> >> Starvation of non-DetNet traffic must be avoided, e.g., by traffic
>>>> >> policing functions (e.g., [RFC2475]). Thus, the net effect of the
>>>> >> presence of DetNet flows in a network on the non-DetNet flows is
>>>> >> primarily a reduction in the available bandwidth.
>>>> >>
>>>> >>
>>>> >> I think we need a little bit more to understand what you'd like 
>>>> to see changed or added. Can you suggest text or what specific 
>>>> topic you'd like to see added/addressed?
>>>> >
>>>> > Yes, let me try to explain better…while comparing with the current
>>>> > text in §5, which basically says that even though the objective of
>>>> > DetNet is to provide bounded latency, a MIIM may delay the 
>>>> traffic and
>>>> > the objective may not be achieved.
>>>> >
>>>> > For non-DetNet traffic, the objective is to not starve it, while
>>>> > providing specific guarantees to the DetNet flows — said other way
>>>> > (from the Introduction): "Unused reserved resources are available to
>>>> > non-DetNet packets as long as all guarantees are fulfilled.” 
>>>>  However,
>>>> > the algorithms (maybe error, misconfiguration…or even 
>>>> maliciously) may
>>>> > end up*not* constructing the schedule to leave sufficient
>>>> > opportunities for non-DetNet packets (as suggested in the text above
>>>> > from §3.3.1).
>>>> >
>>>> > I see a parallel in how there is a risk of the intention for DetNet
>>>> > flows not being met (because of an attack) and how the intention for
>>>> > non-DetNet traffic may also not be met.
>>>> >
>>>> Okay, this sounds like basically the same point that Benjamin was
>>>> making, i.e., there must be mechanisms preventing non-detnet traffic
>>>> from impacting detnet traffic, and detnet traffic trying to use more
>>>> than its allocation and impacting non-detnet traffic. Is this 
>>>> correct or
>>>> are you asking for something different/additional?
>>>
>>> Yes.  I’m not asking so much for a mechanism, but for at least the 
>>> recognition that it is a risk.
>>>
>> Fair enough- I expect the response a response for the architecture 
>> and security draft authors to address this.  I'm sure you will 
>> confirm that it does!
>>
>>
>>>>
>>>>
>>>>
>>>> >
>>>> >>> Related to the above is the fact that the identification of 
>>>> flows could be used
>>>> >>> to specifically *not* include some of them as DetNet flows. 
>>>> This is a
>>>> >>> variation of the concern outlined in §6, but applied to 
>>>> non-DetNet flows, with
>>>> >>> the potential starvation mentioned above. Again, I would like 
>>>> to at least see
>>>> >>> some discussion of this risk.
>>>> >>
>>>> >> I don't follow - what is the risk that should be addressed?
>>>> >>
>>>> > §6 talks about potential privacy concerns due to the 
>>>> identification of
>>>> > flows.  I interpret that as potentially being able to identify the
>>>> > user (application, or both maybe).
>>>> >
>>>> Currently flow identification is based on IP headers (6 tuple) and/or
>>>> MPLS labels.  So DetNet has the same privacy concerns as standard 
>>>> IP/MPLS.
>>>>
>>>>
>>>> > As far as I understand the architecture, DetNet flows are identified
>>>> > at the edge and then assigned to specific paths.  If the
>>>> > identification of flows can be used to identify the user (for
>>>> > example), then it can be used to not only attack specific DetNet 
>>>> flow,
>>>> > but also to decide to not provide guarantees to a specific flow based
>>>> > on who the user or the application may be.
>>>> >
>>>> Given DetNet flow identification, is this any different than 
>>>> standard PBR?
>>>
>>> Right, it is not really different.  It is just not mentioned 
>>> anywhere that identification (or misidentification as it may be, 
>>> maybe maliciously) can lead to not providing guarantees, potential 
>>> starving, etc..
>>>
>> I thought the quotes capture in the various mails on the topic showed 
>> how it was -- but let's wait for the updated text and see if it 
>> sufficiently addresses your concern/point, and then go from there.
>>
>> Thanks again for the feedback.
>>
>> Lou
>>
>>
>>> Thanks!
>>>
>>> Alvaro.
>>>
>>>
>>> _______________________________________________
>>> detnet mailing list
>>> detnet@ietf.org
>>> https://www.ietf.org/mailman/listinfo/detnet
>

v2.23.0 | Report a Bug | By Email