Re: [Detnet] Alissa Cooper's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

Alisa

At the moment we only have an MPLS data-plane that supports PREOF 
although an IPv6 one may perhaps follow one day.

In the case of MPLS the usual security model applies, in that the
network is well managed, and the only way to get a packet into or out of 
the the network is via an trusted router that immediately encapsulates 
the packet or removes any internal encapsulation/metadata.

If we manage to develop an IP version, my expectation is that
it would need an enhancement to the IPv6 data plane, in which case
the design should use the security features that will inevitably 
required to make SRv6 secure.

The other data-plane that we have uses MPLS over UDP encapsulation
and needs to inherit the security model from draft-ietf-mpls-sr-over-ip,
but that needs to called up the specific data plane specification.

I do not see any privacy concerns that are specific to DetNet in the
operation of the network.

If you are thinking about external tags needed on entry to the network
there are none currently specified in the data-plane design. If we
introduced any such tags they would raise a huge security issue and the 
design would inevitably be subjected to a tough security analysis.

- Stewart

On 17/04/2019 02:29, Greg Mirsky wrote:
> Hi Alisa,
> I agree with your observation that the reporting of the location of 
> replication, duplicate elimination and the order preservation functions 
> within a DetNet domain presents the new security concern and may be the 
> threat to the privacy of data. To address your concern, may I propose 
> the following text:
>     To protect against unauthorized sources trying to obtain DetNet 
> network information,
>     e.g., location of replication, elimination, or packet order 
> preservation functions,
>     it is RECOMMENDED that DetNet implementations provide a means
>     of checking the source addresses of queries against an access list 
> before accepting
>     them.
> 
> We'll have a more detailed analysis of the new security threats possible 
> resulting from specific to DetNet OAM functions in theDetNet OAM draft 
> <https://datatracker.ietf.org/doc/draft-mirsky-detnet-oam/>.
> 
> Best regards,
> Greg
> 
> On Fri, Apr 12, 2019 at 10:08 AM Alissa Cooper <alissa@cooperw.in 
> <mailto:alissa@cooperw.in>> wrote:
> 
>     Hi János,
> 
> 
>>     On Mar 25, 2019, at 12:16 PM, János Farkas
>>     <janos.farkas@ericsson.com <mailto:janos.farkas@ericsson.com>> wrote:
>>
>>     Hi Alissa,
>>
>>     We believe that we have addressed your comments in the most recent
>>     revision:
>>     https://tools.ietf.org/html/draft-ietf-detnet-architecture-12.
>>     (https://mailarchive.ietf.org/arch/msg/detnet/utVL9ZVGcOeGtRIASRFx5WT_ErM)
>>
>>     Please let us know what else you would like to see done before you
>>     clear your DISCUSS.
>>
>>     I/we would be happy to meet with you this week if there is
>>     anything you would like to discuss.
>>
>>     Regards,
>>     Janos
>>
>>
>>     On 2/26/2019 2:20 PM, János Farkas wrote:
>>>     Hi Alissa,
>>>
>>>     Thank you for your review!
>>>
>>>     We can replace
>>>     "DetNet is provides a Quality of Service (QoS), and as such, does not
>>>        directly raise any new privacy considerations."
>>>     with
>>>     "DetNet provides a Quality of Service (QoS), and as such, is not
>>>     expected to
>>>        directly raise any new privacy considerations.”
> 
>     I don’t understand why this is not expected. From what I can tell,
>     the architecture allows for the use off domain- or app-flow-specific
>     IDs.. These seem like a new potential vector for tracking, and one
>     that not every QoS architecture requires.
> 
>     This edit also doesn’t seem to cover the potential for additional
>     privacy exposure implied by the discussion of OAM in Section 4.1.1:
> 
>     "OAM can involve specific tagging added in the packets for tracing
>     implementation or
> 
>     network configuration errors; traceability enables to find whether a
>     packet is a replica, which DetNet relay node performed the
>     replication, and which segment was intended for the replica. Active
>     and hybrid OAM methods require additional bandwidth to perform fault
>     management and performance monitoring of the DetNet domain. OAM may,
>     for instance, generate special test probes or add OAM information
>     into the data packet.”
> 
> 
>     Thanks,
> 
>     Alissa
> 
> 
> 
>>>
>>>     I'm not sure what "references to new flow IDs and OAM tags should
>>>     be removed"?
>>>
>>>     Could you point to the text that should be changed?
>>>
>>>     Thank you!
>>>     Janos
>>>
>>>
>>>     On 2/20/2019 4:39 PM, Lou Berger wrote:
>>>>
>>>>
>>>>     On 2/20/2019 10:25 AM, Alissa Cooper wrote:
>>>>>
>>>>>
>>>>>>     On Feb 20, 2019, at 7:17 AM, Lou Berger <lberger@labn.net
>>>>>>     <mailto:lberger@labn.net>> wrote:
>>>>>>
>>>>>>     Hi Alissa,
>>>>>>
>>>>>>     Thanks for the comments - see below.
>>>>>>
>>>>>>     On 2/20/2019 9:54 AM, Alissa Cooper wrote:
>>>>>>>     Alissa Cooper has entered the following ballot position for
>>>>>>>     draft-ietf-detnet-architecture-11: Discuss
>>>>>>>
>>>>>>>     When responding, please keep the subject line intact and
>>>>>>>     reply to all
>>>>>>>     email addresses included in the To and CC lines. (Feel free
>>>>>>>     to cut this
>>>>>>>     introductory paragraph, however.)
>>>>>>>
>>>>>>>
>>>>>>>     Please refer to
>>>>>>>     https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>>>     for more information about IESG DISCUSS and COMMENT positions.
>>>>>>>
>>>>>>>
>>>>>>>     The document, along with other ballot positions, can be found
>>>>>>>     here:
>>>>>>>     https://datatracker.ietf.org/doc/draft-ietf-detnet-architecture/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>     ----------------------------------------------------------------------
>>>>>>>     DISCUSS:
>>>>>>>     ----------------------------------------------------------------------
>>>>>>>
>>>>>>>     = Section 6 =
>>>>>>>
>>>>>>>     "DetNet is provides a Quality of Service (QoS), and as such,
>>>>>>>     does not
>>>>>>>        directly raise any new privacy considerations."
>>>>>>>
>>>>>>>     This seems like a false statement given the possibility that
>>>>>>>     DetNet may require
>>>>>>>     novel flow IDs and OAM tags that create additional
>>>>>>>     identification and
>>>>>>>     correlation risk beyond existing fields used to support QoS
>>>>>>>     today.
>>>>>>
>>>>>>     Based on the other work in the WG, I think "is not expected"
>>>>>>     is more accurate than "does not". This is based on the WG
>>>>>>     solutions for the DetNet data plane using existing IP (v4 or
>>>>>>     6) headers or MPLS labels for flow identification.
>>>>>
>>>>>     If that is the case then the references to new flow IDs and OAM
>>>>>     tags should be removed from the architecture.
>>>>
>>>>     sounds reasonable.  Can you point to the specific offending text?
>>>>
>>>>     Thanks,
>>>>
>>>>     Lou
>>>>
>>>>>
>>>>>>
>>>>>>     Would changing to "is not expected" address your concern?
>>>>>
>>>>>     Combined with the above removals, that would work for me.
>>>>>
>>>>>     Thanks,
>>>>>     Alissa
>>>>>
>>>>>>
>>>>>>     Thanks,
>>>>>>
>>>>>>     Lou
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     detnet mailing list
>>>>>     detnet@ietf.org  <mailto:detnet@ietf.org>
>>>>>     https://www.ietf..org/mailman/listinfo/detnet  <https://www.ietf.org/mailman/listinfo/detnet>
>>>
>>
> 
>     _______________________________________________
>     detnet mailing list
>     detnet@ietf.org <mailto:detnet@ietf.org>
>     https://www.ietf.org/mailman/listinfo/detnet
> 
> 
> _______________________________________________
> detnet mailing list
> detnet@ietf.org
> https://www.ietf.org/mailman/listinfo/detnet
> 