Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
Alvaro Retana <aretana.ietf@gmail.com> Mon, 25 March 2019 18:37 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18EB712074B; Mon, 25 Mar 2019 11:37:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xGdKI78HOg20; Mon, 25 Mar 2019 11:37:03 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7213F120700; Mon, 25 Mar 2019 11:37:03 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id 103so9008073otd.9; Mon, 25 Mar 2019 11:37:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=vtUZ/jFAoAYLsUr/EJqQTjeyIek9IdTvP+7qoUpDnlg=; b=lxWMcqUERYMNQbs7Snsr66HK3SCq3a41dMiHu8hwFjjz7a6R0opGyuN/wNTGvo1IhI SmW3TM85bM/yWRXTOxDdHx/org0nPmKqGrAC2cPxgumpFSSIs7WGrKa6AHp3XUXcAUpU odd5YcTIg1HuTxZ3zsUQOMCWRLmTb7+yBogZMqch6aOBb2DaySra/tZlaj4k2mDypiPN Nr3PB4bvMzGWz8iBZLgvmBTAmBJ3rS7K8hDhzfEsxv7v6A1lk2ka7+UAZjS+yrFRvP62 exAKqaxmVOEDLuZOERhGJE2SmsCodGPjZQ6q4WM3rHkiRKqUVWZuFV7zxI6J415mXaI3 +qAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=vtUZ/jFAoAYLsUr/EJqQTjeyIek9IdTvP+7qoUpDnlg=; b=eIxV5FwgqYbZ64SlphXKv563GVg18UFN6HxPv3yM0rVtNdvqkxTXVlUYOGEpSe6G/E crNbdKhav9fT8DJ2dQvvVrOY/TyJIB4sim7BiJA0KRqtFAhxZJG89SJ28n7rp22F4A/7 LbWtxgAi7tYH/UaMeY65w8gwSm4zKjCus3Z3TwKValSs7i0KE1EdMt2oKeixROzxDBNH BS+IcijNVC8fN2xhTmr6l4jBFxFfgsxrxQtthuWPdOCmyScgQVXyPBjPLWZjnJuymPUi rE/lmolXh26imZSgNBnlT8dd+fn7iSHyEPaMuoc85m6w8DrWQ4xGjP6QY7C9zZ290/da Nycg==
X-Gm-Message-State: APjAAAUANj1CKy3QjladPlGz2ilyFKiHLaJxsc5DwjdeUW1ljvxYvatr XPzVfsriSitRIEBUVFsx/fSPlTtk2SVdYvHW9hQ=
X-Google-Smtp-Source: APXvYqx0WvFifSVm6e2VWvVwRF5R5VNF+fDy43dMZpHKGnIp3X+k8EZnJ8nQfdqm3k3mrtLFs2iDqrjKavZvFYo1lKQ=
X-Received: by 2002:a9d:63d1:: with SMTP id e17mr19432886otl.239.1553539022637; Mon, 25 Mar 2019 11:37:02 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Mon, 25 Mar 2019 19:37:02 +0100
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <06a42687-5942-2591-4c71-5a5ff5090474@ericsson.com>
References: <155067820715.31361.3746519237969586434.idtracker@ietfa.amsl.com> <108f9294-fb9d-557a-011a-6a53156bcb37@labn.net> <CAMMESsx4juKOjPNPQW2iLDYRC6REr8jKWLJLBDUt-AsmC-eFmA@mail.gmail.com> <7056c886-3aa9-2d85-7824-ee5f1ac9bb33@labn.net> <CAMMESszvQ-QgZLNfPF2MMq6UNtCR5DLzhMvzuFF_eCiyUiu5qg@mail.gmail.com> <f647a19c-584f-6a34-77d5-702d26d31013@labn.net> <150fb3c5-0f60-8426-0345-a17d9be984b9@ericsson.com> <06a42687-5942-2591-4c71-5a5ff5090474@ericsson.com>
MIME-Version: 1.0
Date: Mon, 25 Mar 2019 19:37:02 +0100
Message-ID: <CAMMESszuOLAWrAB2wTo-CNqcos2X1WD3KbNz6zq3SGpxvCiQOQ@mail.gmail.com>
To: János Farkas <janos.farkas@ericsson.com>
Cc: draft-ietf-detnet-architecture@ietf.org, Lou Berger <lberger@labn.net>, The IESG <iesg@ietf.org>, detnet-chairs@ietf.org, detnet@ietf.org
Content-Type: multipart/alternative; boundary="00000000000096cfcb0584ef7d8f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/N7NLWlbEAn83lkSyfUUYTEFC7FI>
Subject: Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 18:37:07 -0000
János: Hi! Yes…I’m happy with the changes. I’m clearing my DISCUSS. Thanks! Alvaro. On March 25, 2019 at 5:20:37 PM, János Farkas (janos.farkas@ericsson.com) wrote: Hi Alvaro, We believe that we have addressed your comments in the most recent revision: https://tools.ietf.org/html/draft-ietf-detnet-architecture-12. ( https://mailarchive.ietf.org/arch/msg/detnet/utVL9ZVGcOeGtRIASRFx5WT_ErM) Please let us know what else you would like to see done before you clear your DISCUSS. I/we would be happy to meet with you this week if there is anything you would like to discuss. Regards, Janos On 3/6/2019 6:56 AM, János Farkas wrote: Hi Alvaro, Do the updates we are making the security section resolve your comments: https://mailarchive.ietf.org/arch/msg/detnet/btWvDFtp4F3JY2rY3wZEYdNn42o The current proposed text: 5. Security Considerations Security considerations for DetNet are described in detail in [I-D.ietf-detnet-security]. This section considers exclusively security considerations which are specific to the DetNet Architecture. Security aspects which are unique to DetNet are those whose aim is to provide the specific quality of service aspects of DetNet, which are primarily to deliver data flows with extremely low packet loss rates and bounded end-to-end delivery latency. A DetNet may be implemented using MPLS and/or IP (including both v4 and v6) technologies, and thus inherits the security properties of those technologies at both the control plane and the data plane. Security considerations for DetNet are constrained (compared to, for example, the open Internet) because DetNet is defined to operate only within a single administrative domain (see Section 1). The primary considerations are to secure the request and control of DetNet resources, maintain confidentiality of data traversing the DetNet, and provide the availability of the DetNet quality of service. To secure the request and control of DetNet resources, authentication and authorization can be used for each device connected to a DetNet domain, most importantly to network controller devices. Control of a DetNet network may be centralized or distributed (within a single administrative domain). In the case of centralized control, precedent for security considerations as defined for Abstraction and Control of Traffic Engineered Networks (ACTN) can be found in [RFC8453], Section 9. In the case of a distributed control protocols, DetNet security is expected to be provided by the security properties of the protocols in use. In any case, the result is that manipulation of administratively configurable parameters is limited to authorized entities. To maintain confidentiality of data traversing the DetNet, application flows can be protected through whatever means is provided by the underlying technology. For example, encryption may be used, such as that provided by IPSec [RFC4301] for IP (Layer 3) flows and by MACSec [IEEE802.1AE-2018] for Ethernet (Layer 2) flows. DetNet flows are identified on a per-flow basis, which may provide attackers with additional information about the data flows (when compared to networks that do not include per-flow identification). This is an inherent property of DetNet which has security implications which should be considered when determining if DetNet is a suitable technology for any given use case. To provide uninterrupted availability of the DetNet quality of service, provisions can be made against DOS attacks and delay attacks. To protect against DOS attacks, excess traffic due to malicious or malfunctioning devices can be prevented or mitigated, for example through the use of traffic admission control applied at the input of a DetNet domain, as described in Section 3.2.1, and through the fault mitigation methods described in Section 3.3.2. To prevent DetNet packets from being delayed by an entity external to a DetNet domain, DetNet technology definition can allow for the mitigation of Man-In-The-Middle attacks, for example through use of authentication and authorization of devices within the DetNet domain. Because DetNet mechanisms or applications that rely on DetNet can make heavy use of methods that require precise time synchronization, the accuracy, availability, and integrity of time synchronization is of critical importance. Extensive discussion of this topic can be found in [RFC7384]. DetNet use cases are known to have widely divergent security requirements. The intent of this section is to provide a baseline for security considerations which are common to all DetNet designs and implementations, without burdening individual designs with specifics of security infrastructure which may not be germane to the given use case. Designers and Implementers of DetNet systems are expected to take use case specific considerations into account in their DetNet designs and implementations. Please let us know if you have any remaining comments and what they are. Thank you! Janos On 2/23/2019 9:39 PM, Lou Berger wrote: Hi *Alvaro*, see below. On 2/22/2019 6:02 AM, Alvaro Retana wrote: On February 21, 2019 at 7:35:32 PM, Lou Berger (lberger@labn.net) wrote: Hi! >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> I support Mirja's and Alissa's DISCUSSes...and have a related set of concerns >>> about the coexistence with non-DetNet traffic and privacy: >>> >>> §3.3.1 talks about what I think is a hard to achieve balance between coexisting >>> with non-DetNet traffic and keeping that traffic from disrupting DetNet flows. >>> Because of the constraints, the intent of prioritizing DetNet flows is clear >>> (and that is ok), but that may result in starvation of non-DetNet >>> traffic...even if the text does explicitly say that it "must be avoided". >>> >>> I would like to see the potential case of starving non-DetNet traffic called >>> out somewhere. >> >> This is the objective of section 3.3.1.. >> >> >>> I'm looking for something similar to the first paragraph in §5, >>> but focused on the non-DetNet traffic. >> >> The current text reads: >> >> 3.3.1. Coexistence with normal traffic >> >> A DetNet network supports the dedication of a high proportion of the >> network bandwidth to DetNet flows. But, no matter how much is >> dedicated for DetNet flows, it is a goal of DetNet to coexist with >> existing Class of Service schemes (e.g., DiffServ). It is also >> important that non-DetNet traffic not disrupt the DetNet flow, of >> course (see Section 3.3.2 and Section 5). For these reasons: >> >> o Bandwidth (transmission opportunities) not utilized by a DetNet >> flow is available to non-DetNet packets (though not to other >> DetNet flows). >> >> o DetNet flows can be shaped or scheduled, in order to ensure that >> the highest-priority non-DetNet packet is also ensured a worst- >> case latency. >> >> o When transmission opportunities for DetNet flows are scheduled in >> detail, then the algorithm constructing the schedule should leave >> sufficient opportunities for non-DetNet packets to satisfy the >> needs of the users of the network. Detailed scheduling can also >> permit the time-shared use of buffer resources by different DetNet >> flows. >> >> Starvation of non-DetNet traffic must be avoided, e.g., by traffic >> policing functions (e.g., [RFC2475]). Thus, the net effect of the >> presence of DetNet flows in a network on the non-DetNet flows is >> primarily a reduction in the available bandwidth. >> >> >> I think we need a little bit more to understand what you'd like to see changed or added. Can you suggest text or what specific topic you'd like to see added/addressed? > > Yes, let me try to explain better…while comparing with the current > text in §5, which basically says that even though the objective of > DetNet is to provide bounded latency, a MIIM may delay the traffic and > the objective may not be achieved. > > For non-DetNet traffic, the objective is to not starve it, while > providing specific guarantees to the DetNet flows — said other way > (from the Introduction): "Unused reserved resources are available to > non-DetNet packets as long as all guarantees are fulfilled.” However, > the algorithms (maybe error, misconfiguration…or even maliciously) may > end up*not* constructing the schedule to leave sufficient > opportunities for non-DetNet packets (as suggested in the text above > from §3.3.1). > > I see a parallel in how there is a risk of the intention for DetNet > flows not being met (because of an attack) and how the intention for > non-DetNet traffic may also not be met. > Okay, this sounds like basically the same point that Benjamin was making, i.e., there must be mechanisms preventing non-detnet traffic from impacting detnet traffic, and detnet traffic trying to use more than its allocation and impacting non-detnet traffic. Is this correct or are you asking for something different/additional? Yes. I’m not asking so much for a mechanism, but for at least the recognition that it is a risk. Fair enough- I expect the response a response for the architecture and security draft authors to address this. I'm sure you will confirm that it does! > >>> Related to the above is the fact that the identification of flows could be used >>> to specifically *not* include some of them as DetNet flows. This is a >>> variation of the concern outlined in §6, but applied to non-DetNet flows, with >>> the potential starvation mentioned above. Again, I would like to at least see >>> some discussion of this risk. >> >> I don't follow - what is the risk that should be addressed? >> > §6 talks about potential privacy concerns due to the identification of > flows. I interpret that as potentially being able to identify the > user (application, or both maybe). > Currently flow identification is based on IP headers (6 tuple) and/or MPLS labels. So DetNet has the same privacy concerns as standard IP/MPLS. > As far as I understand the architecture, DetNet flows are identified > at the edge and then assigned to specific paths. If the > identification of flows can be used to identify the user (for > example), then it can be used to not only attack specific DetNet flow, > but also to decide to not provide guarantees to a specific flow based > on who the user or the application may be. > Given DetNet flow identification, is this any different than standard PBR? Right, it is not really different. It is just not mentioned anywhere that identification (or misidentification as it may be, maybe maliciously) can lead to not providing guarantees, potential starving, etc.. I thought the quotes capture in the various mails on the topic showed how it was -- but let's wait for the updated text and see if it sufficiently addresses your concern/point, and then go from there. Thanks again for the feedback. Lou Thanks! Alvaro. _______________________________________________ detnet mailing listdetnet@ietf.orghttps://www.ietf.org/mailman/listinfo/detnet
- [Detnet] Alvaro Retana's Discuss on draft-ietf-de… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… János Farkas
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… János Farkas
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… János Farkas