Re: [Detnet] WG Last Call: draft-ietf-detnet-security-09 - David Black's initial comments

"Black, David" <David.Black@dell.com> Wed, 22 April 2020 14:48 UTC

From: "Black, David" <David.Black@dell.com>
To: "Grossman, Ethan A." <eagros@dolby.com>, Lou Berger <lberger@labn.net>, DetNet WG <detnet@ietf.org>
CC: "Black, David" <David.Black@dell.com>
Date: Wed, 22 Apr 2020 14:48:27 +0000
Message-ID: <MN2PR19MB404530F9AFE1D7894B91DB8383D20@MN2PR19MB4045.namprd19.prod.outlook.com>

Hi Ethan,

-- #2 [Minor] -- (Remove Effects text from section 4)

> Regarding #2, I personally agree that the "Effects" text is on the abstract side
> compared to the rest of the draft.

That captures my impression of the text.  If others feel that it's useful and want to keep it, I'd like to better understand why, but can live with it remaining.

-- #5 [Major] -- (absence of implementation recommendations in 5.8)

> Regarding #5, this is an informative draft - should we really be saying MUST for
> anything in this draft? If you think so, I would be very happy to have a brief call
> with you so that I can understand the specifics of your proposal and get them in
> there.

This may be an informative draft, but other DetNet drafts are effectively outsourcing their security considerations and requirements to this draft (or at least trying to).  For that reason, independent of whether IETF 2119/8174 key words (e.g., MUST, SHOULD, MAY) are used in this draft, the draft does need to provide concise recommendations to implementers on what to do.

-- #6 [Major] -- (weak IP data plane security considerations)

> Regarding #6, as an Editor of Very Little Experience (an attempt at a Winnie
> the Pooh homage there) I have tried very hard to get someone more
> knowledgeable than I about the IP security issues to contribute text for this, but
> so far there just have not been any takers.
[... snip ...]
> And on behalf of Stewart I humbly accept your compliment on the MPLS section ;- )

There's a WG call on the progressing data plane drafts coming up almost immediately - I will surface this concern in that call.  I believe that the security draft has to progress in order to progress the data plane drafts, hence the WG as a whole needs to find Stewart's IP-security-knowledgeable counterpart.  Perhaps the WG chairs or Deb (Routing AD for DetNet) could talk to the Security ADs about convincing someone from the Security Directorate to help out?

Thanks, --David

> -----Original Message-----
> From: detnet <detnet-bounces@ietf.org> On Behalf Of Grossman, Ethan A.
> Sent: Tuesday, April 21, 2020 11:58 PM
> To: Black, David; Lou Berger; DetNet WG
> Subject: Re: [Detnet] WG Last Call: draft-ietf-detnet-security-09 - David Black's
> initial comments
> 
> 
> [EXTERNAL EMAIL]
> 
> Hi David,
> Thank you for your comments.
> 
> As Editor I claim your items #1, #3 and #4 are valid, and I propose to make
> those minor editorial changes unless I hear any objection.
> 
> Regarding #2, I personally agree that the "Effects" text is on the abstract side
> compared to the rest of the draft. Having said that, this was part of a
> contributed section, and the Effects portion of the section is a part of the
> overall organization of the section, and I have some concern that eviscerating
> one leg of the stool may make the whole thing unstable. FWIW, another
> purpose of that section is to get people thinking about these kinds of effects,
> and how such effects might have analogies in their implementation - not
> necessarily to have the examples given be particularly salient in and of
> themselves. My feeling about the whole section is that it might appeal to a
> certain audience (e.g. perhaps the more corporate crowd) but not every
> audience (e.g. perhaps not the deep techie crowd). Does that make any sense?
> Of course I'd love to have more opinions on this from the WG.
> 
> Regarding #5, this is an informative draft - should we really be saying MUST for
> anything in this draft? If you think so, I would be very happy to have a brief call
> with you so that I can understand the specifics of your proposal and get them in
> there.
> 
> Regarding #6, as an Editor of Very Little Experience (an attempt at a Winnie
> the Pooh homage there) I have tried very hard to get someone more
> knowledgeable than I about the IP security issues to contribute text for this, but
> so far there just have not been any takers. Again if you would be willing to sit
> down with me and discuss or brainstorm on this I would be more than happy to
> make time for that, just let me know. Failing that, I don't know what to tell you.
> And on behalf of Stewart I humbly accept your compliment on the MPLS section
> ;- )
> 
> Best,
> Ethan (as DetNet Security Draft editor/co-author).
> 
> -----Original Message-----
> From: detnet <detnet-bounces@ietf.org> On Behalf Of Black, David
> Sent: Tuesday, April 21, 2020 4:05 PM
> To: Lou Berger <lberger@labn.net>; DetNet WG <detnet@ietf.org>
> Cc: Black, David <David.Black@dell.com>
> Subject: [Detnet] WG Last Call: draft-ietf-detnet-security-09 - David Black's
> initial comments
> 
> Hi Lou,
> 
> > The working group last call ends on April 4.
> > Please send your comments to the working group mailing list.
> 
> Surely May 4 was intended ... as a WG chair, I've been there ... and been off by
> much more than one month :-).
> 
> Here are some initial relatively high-level comments (I may have more to add
> after a detailed read):
> 
> [1-Editorial] The relationship to RFC 7384 deserves more mention.   A
> statement towards the end of the introduction to indicate that the threat model
> and the structure of at least the threat analysis are similar because of the
> importance of time to the security of both time protocols and DetNet would be
> good to add.
> 
> [2-Minor] In section 4, I suggest removing the discussion of Effects and the
> Effects rows in the table, as they don't appear to play much of a role in the
> draft.
> 
> [3-Editorial] This draft uses a lot of internal cross references to other sections,
> e.g., in the Related Attacks discussions in section 5.  It would be helpful to the
> reader to include section names and/or short description of the contents of the
> referenced section with each cross reference.
> 
> [4-Minor] Sections 5.1 and 5.2 should state that path replication and
> elimination are not available in the IP data plane
> 
> [5-Major] Section 5.8 seems incomplete.   It contains a sizeable summary table
> of attacks, impacts and mitigations, but doesn't provide recommendations on
> what to do.  Scanning the mitigations column, a good start would be to
> characterize control message protection and performance analytics as [MUST
> implement, SHOULD use] and the combination of DetNet authentication and
> integrity protection as [MUST implement, MAY use].   Both "MUST"
> requirements are my initial take that I'd be happy to discuss further.
> 
> [6-Major] Section 7.1 on the IP data plane seems rather weak - I'm not sure
> whether it says anything that's seriously useful.  Section 7.2 on the MPLS data
> plane is much better in directing the reader to relevant security considerations
> in other documents.
> 
> Thanks, --David
> 
> > -----Original Message-----
> > From: detnet <detnet-bounces@ietf.org> On Behalf Of Lou Berger
> > Sent: Monday, April 20, 2020 11:01 AM
> > To: DetNet WG
> > Subject: [Detnet] WG Last Call: draft-ietf-detnet-security-09
> >
> >
> > [EXTERNAL EMAIL]
> >
> > All,
> >
> > This starts a two-week working group last call for
> > draft-ietf-detnet-security-09
> >
> > The working group last call ends on April 4.
> > Please send your comments to the working group mailing list.
> >
> > Positive comments, e.g., "I've reviewed this document and believe it
> > is ready for publication", are welcome!
> > This is useful and important, even from authors.
> >
> > Thank you,
> > Lou (DetNet Co-Chair & doc Shepherd)
> >
> > _______________________________________________
> > detnet mailing list
> > detnet@ietf.org
> > https://www.ietf.org/mailman/listinfo/detnet