[Detnet] DetNet Security - Items for Work Session 11Sep20
"Grossman, Ethan A." <eagros@dolby.com> Wed, 09 September 2020 02:15 UTC
Return-Path: <eagros@dolby.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB7D3A0D0F for <detnet@ietfa.amsl.com>; Tue, 8 Sep 2020 19:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dolby.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ka1thpSIZkqd for <detnet@ietfa.amsl.com>; Tue, 8 Sep 2020 19:15:12 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-eopbgr750120.outbound.protection.outlook.com [40.107.75.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E13DC3A0D03 for <detnet@ietf.org>; Tue, 8 Sep 2020 19:15:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YLUHD1pTjWOv0sLsJzEtjIW/4ddcOvQBgkvVLLKusQMXRxPdA49TT3d5IpxuJHYszYJjPq/GY/B7zm7nwkAfYSLWjV8Rv9G3l8vWZegaX4p4/iFqwhmU3y6WzShzY6mISZi++242DQ5amDA37fjVmLYM9Oz/kko9UXnuAsmdHYuUPHORXeYpN/ArezjcbzUWSTAzA2J3RCufSCkezAH964aAYeQ8MMrtZmDBCNa6+JEc7O574rzH/ZrsV6Kizj+e2RqLKe7fZhCX48RMKPXktLkasOW0Sp1GMJfxb85pw4onDgJDul1Lj4QCz95uWpH8QycYq5J6vadQGFQ5t1vO6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8EAoTyuCdv2/qq7inersPSpahPELoJxLh3cBG/Yf/4k=; b=eYVIzAFFLHe/P0kAPN9fps28J2fx0gCXs2W6TkfZTkBRMbQy0kXzkUNOZCoLdjEbdD/4IbJ/6+S/LvjM3Gk4sG+wuU4orbJOeOuTuDCU609TJmLFvx1OrHI9qrTFBjmDimKaGH475S2T5mzIFXRViwDGSNief4eBFqW4ef3DMUdXFD2AFrF6or7xSHbTpfnjM8YZrbCV3NqLNRmdcSUlA7QIRYjbGCDZdFMUeCHIYrPYel175rQrHnXu2nKYRxQu20gw66f16/Fx8wbhYJrNS0ZJzNtdSJrLuErOpEABhIoy14bYAWDmyHufKCXCHLmJizgNoPeuspPfUFKHIMFQHA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dolby.com; dmarc=pass action=none header.from=dolby.com; dkim=pass header.d=dolby.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolby.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8EAoTyuCdv2/qq7inersPSpahPELoJxLh3cBG/Yf/4k=; b=pCrTOZdDfGsTY7PeAQoctrh7JpDSOimOI8Do3NmgC05RcbNaGEhUNWJGi0Ez4iutO++WmAq2n/38BfkvLfd9WeTU7MYzPAxL7JeihfaIr7gIsSC7ecisxx13rQHNipACECe7s+PWc82z6vZzp1QeLQsUj6YQZs+18p2dzVf31J8=
Received: from BY5PR06MB6611.namprd06.prod.outlook.com (2603:10b6:a03:23d::20) by SJ0PR06MB6893.namprd06.prod.outlook.com (2603:10b6:a03:285::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3348.15; Wed, 9 Sep 2020 02:15:04 +0000
Received: from BY5PR06MB6611.namprd06.prod.outlook.com ([fe80::59d0:9610:aeb8:ca84]) by BY5PR06MB6611.namprd06.prod.outlook.com ([fe80::59d0:9610:aeb8:ca84%5]) with mapi id 15.20.3348.019; Wed, 9 Sep 2020 02:15:04 +0000
From: "Grossman, Ethan A." <eagros@dolby.com>
To: "detnet@ietf.org" <detnet@ietf.org>, Stewart Bryant <stewart.bryant@gmail.com>, Lou Berger <lberger@labn.net>, Janos Farkas <Janos.Farkas@ericsson.com>, "Black, David" <David.Black@dell.com>, "Dr A. Paventhan" <paventhan@eis.ernet.in>
CC: Deborah Brungard <db3546@att.com>
Thread-Topic: DetNet Security - Items for Work Session 11Sep20
Thread-Index: AdaGS3K2v07Ha/cNQMazuFKFxqfnlQ==
Date: Wed, 09 Sep 2020 02:15:04 +0000
Message-ID: <BY5PR06MB6611E7A1E182BB0427CD4003C4260@BY5PR06MB6611.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=dolby.com;
x-originating-ip: [104.129.202.58]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3ab3bc8d-8db7-46f8-7f9b-08d854662a4d
x-ms-traffictypediagnostic: SJ0PR06MB6893:
x-microsoft-antispam-prvs: <SJ0PR06MB6893EBF069F047997B949BE1C4260@SJ0PR06MB6893.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: zBAOKCxF00JrGO4tA+CnVdDMQObs73oWwJ4wuxq7gY3fjJ2dmE4HVb6lI8iwdNMBNFXvKOh7q0jDIUMGBOMTCHBOZo9k5V6wgW67WwQGQfRqUlfASRC8K3Tz2sucI3c5154OwuaAlvnGv0kd0UrHzYTeayDnRoe6czvF/tA+ZDQxUrkgnT9DdXNhTmqrmEKIo6OF7Hs6eyRxsPQ+s3cEsn5Z24xbm1QKHFNtrqsJgFIaiLa7BH2MM5b7zH1C8Zk9ez9Vqczkd23Xq4xcKnMacIH3oM9DxONPOs0c1VlgH+7mPZCkIEIVdp11ZKZ7MtxW5VGIx0kwGlhC/J1Ed6qa/Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR06MB6611.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(366004)(346002)(396003)(39850400004)(136003)(2906002)(86362001)(8936002)(110136005)(7696005)(8676002)(316002)(33656002)(4326008)(9686003)(71200400001)(478600001)(66476007)(76116006)(66946007)(66446008)(66556008)(64756008)(15650500001)(55016002)(52536014)(186003)(55236004)(26005)(6506007)(5660300002)(83380400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: i4TfIsWZusqW+cXs19+vb6FZ1BcpKqRTQVP4NiUoJDiapuECsxnUNl1u/UeVq1uy4t7VTXasi8Y+scT9FL6KKuKTr8aC7X9s1S9bfO/twIBNmOQfFBBn8ZjBC3gIhT/GYsPt4GucI/lhrfAQK9mtDnrOUA3L/gkGawJ8Bacu18OZQBqLpOYSGWQY7R3uo6Qbyopz3bVqO0Tv32qVBuxo/4lFptDDeYTQgFZ9UxuB289PRn3CXa2NsQzNMDx66NZYqd5FtqvOfJ96ys9kYWkgwIFOsGt2YJK1Hd2S6onrwSkWdSHwIL8nUMeKOJkEGk0hU0W1pCZTRWhDXUnFEUuwbZWyLeqO4G4jMgozbtBa0JyqugZzRYeJDufHnaL1IPGl637VK+ZVOqAWIxc9dla0RQhkWhAAzKEnUphlwFudwiY5vEO8pjzBrlW+94n93G7fX/Rcdw1D0nEa25nLgR7/6K5ybjMdW9k0m6YBq0P7iE2pUzgaS3RXLceXTrR6P2B0CfpzzizkYgm3GkHAzbnXQsOIsVhgRixo+pQCh8pixD7XvtTbTYGlAL5YWNGVb5T+Algv56cJGlvGBqEDQ3W1j3/Pvak3UogFMa22Hq1tPGRyegTykJecVmBKh3Gj4bSgHNI0WoVoQ4aLkaRS52Xlkg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: dolby.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR06MB6611.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3ab3bc8d-8db7-46f8-7f9b-08d854662a4d
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2020 02:15:04.4302 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 05408d25-cd0d-40c8-8962-5462de64a318
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: UCksnTc3TVO1rignqWrBq5rOy8SCvPjOj88Qv1EmqUNFZuqbK6BjU5PhwmPdco7msPjEevaFCxH1NqIKYLIj9A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR06MB6893
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/MHPPcL1AmSsXVn7yTE45kyjcV3w>
Subject: [Detnet] DetNet Security - Items for Work Session 11Sep20
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 02:15:14 -0000
Hi All (read: anyone interested in helping resolve review comments on the DetNet Security draft), Here are the last few remaining items that are on my radar that we would like to resolve at this Friday's work session (11Sep20, 9am PDT). If you know of any other items I may have missed, please let me know. Thanks, Ethan (as Editor, DetNet Security draft) +++++++++++++++++++++ Start ++++++++++++++++++++++++++++++++ I3) I looked for, but didn't find issues of bogus or compromised central controllers. This ranges from a node falsely representing itself as a controller so that the network nodes believe it to be authorised to instruct them (and that includes both being discovered as a controller and impersonating a real controller), to software subversion of the real controller. It might even include malicious acts by a network operator. Much, but not all, of this is hard to protect against. Some of it can be mitigated by monitoring and logging. --- S5) I didn't understand the practicality of node authenticaiton as described in 7.3. Is this intended as a check on entry into the network (only authenticated sources can introduce traffic to the network), a check at the destiantion (only authenticated sources can send to this destination), or a per-hop check (is this traffic authenticated to be in the network? Furthermore, are the checks per packet or per flow? There are obvious scaling and and key exchange issues involved. EAG HOLD --- From Ben Kaduk: 1) "security considerations for when flow aggregation is in play, namely that misbehavior from one component flow can affect sibling flows as collateral damage." 2) "the use of HMAC without a co-located discussion of the need for key distribution " 3) "having a taxonomy of threats titled "threat model"". Additional comments from Ben that were forwarded by Deborah on 27aug20: > > I don't know of a recent document that has a dedicated/generic > > threat model written out. In my opinion the model in (Section 3 of) > > RFC 3552 still does a reasonable job of listing out the common > > threats (though the language is a bit dated, and it includes some > > topics that are not very relevant for the detnet cases). I agree > > with you that 7835 is a better fit for detnet's case than 7384 is > > (not least because, being concerned only with time protocols, 7384 > > skips one or two classes of threat that are not relevant for timekeeping). > > > > If I was writing a threat model for detnet, I'd probably keep the > > internal/external distinction but pair that with off-path/on-path, > > and then further characterize the specific capabilities (some of > > which are only possible when on-path): reading valid packets (an > > attacker that only does this is "passive on-path"; doing anything > > more makes it "active", which is not necessarily on-path), dropping > > valid packets, modifying initially-valid packets, injecting packets, > > etc. Some of these capabilities can be combined to provide other > > behaviors, which may be worth considering as first-class > > capabilities for conveince in the threat model: delaying valid > > packets can be achieved by reading, dropping, and later injecting; > > replaying valid packets can be achieved by reading and later > > injecting; reordering valid packets can be achieved by reading (and storing) and injecting, etc. RFC 7835 covers most of that but doesn't mention delay, at least. > > > > (FWIW, my present thinking is that a MITM is a special-case of an > > active on-path attacker that is doing "connection splicing" and > > impersonating both parties on the connections in question.) Also Deborah wrote: Recently, I helped with RFC7835, it was organized with internal/external and on-path/off-path. They used both together, so you may want to look how they defined. It may help also as it does data plane and control plane. 4) Re: "The primary considerations for the data plane is to maintain integrity of data and delivery of the associated DetNet service traversing the DetNet network. Application flows can be protected" - "I'd suggest leading in to this with "As for all communications protocols," to be clear that this paragraph is not trying to cover the bits that are "unique to DetNet" as much as remind the reader of general best practices." These I don't know what to do with: 5) "This might also be a good place to note that correct operation of the PREOF functions is pretty critical, and failures there could lead to pretty catastrophic situations for the operational technology relying on them. I don't think there are ways for an attacker to try to attack them directly, but Murphy's Law can be a pretty effective attacker, too." Stewart commented: The incorrect operation of many elements of a routed network can be pretty catastrophic. An incorrectly operating routing system supporting multicast would have very similar failure modes to PREOF. So I don’t think we are dealing with anything unusual here. 6) Re: "At the management and control level DetNet flows are identified on a per-flow basis, which may provide controller plane attackers with additional information about the data flows (when compared to controller planes that do not include per-flow identification). This is an inherent property of DetNet which has security implications that should be considered when determining if DetNet is a suitable technology for any given use case." - "I might also note that attackers with access to the controller plan already have pretty significant attacks available to them." +++++++++++++++++ End ++++++++++++++++++++++++
- [Detnet] DetNet Security - Items for Work Session… Grossman, Ethan A.
- Re: [Detnet] DetNet Security - Items for Work Ses… Grossman, Ethan A.