Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
János Farkas <janos.farkas@ericsson.com> Mon, 25 March 2019 21:54 UTC
Return-Path: <Janos.Farkas@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3841120115 for <detnet@ietfa.amsl.com>; Mon, 25 Mar 2019 14:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.041
X-Spam-Level:
X-Spam-Status: No, score=-4.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yc81P1ZmdaMT for <detnet@ietfa.amsl.com>; Mon, 25 Mar 2019 14:54:34 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 627B7120118 for <detnet@ietf.org>; Mon, 25 Mar 2019 14:54:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1553550866; x=1556142866; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=KIOiIzQkAfDe/kqEQI835+P8UlL0x8OqduPgj+BdJp8=; b=VmGubeRJrWoXlaPi0D7jVlyiqymSNLkThYGDFvpjCX+sS8C2PtfyF4+PIVxbtL6o XpV24Vbx1ya38SsdtFMETp0apZ48bMRGgUKI7LuvxJu4F+QzyY9w89FpUQ4EQPf2 pENuoqqmpo/T/PrXGXeoo4J6c6Pgsrw1DnKPoILSD+g=;
X-AuditID: c1b4fb30-307ff70000007fec-72-5c994e123eb4
Received: from ESESBMB505.ericsson.se (Unknown_Domain [153.88.183.118]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 3D.4D.32748.21E499C5; Mon, 25 Mar 2019 22:54:26 +0100 (CET)
Received: from ESESSMB505.ericsson.se (153.88.183.166) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Mon, 25 Mar 2019 22:54:26 +0100
Received: from [100.94.33.129] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.193) with Microsoft SMTP Server id 15.1.1713.5 via Frontend Transport; Mon, 25 Mar 2019 22:54:25 +0100
To: Alvaro Retana <aretana.ietf@gmail.com>
CC: draft-ietf-detnet-architecture@ietf.org, Lou Berger <lberger@labn.net>, The IESG <iesg@ietf.org>, detnet-chairs@ietf.org, detnet@ietf.org
References: <155067820715.31361.3746519237969586434.idtracker@ietfa.amsl.com> <108f9294-fb9d-557a-011a-6a53156bcb37@labn.net> <CAMMESsx4juKOjPNPQW2iLDYRC6REr8jKWLJLBDUt-AsmC-eFmA@mail.gmail.com> <7056c886-3aa9-2d85-7824-ee5f1ac9bb33@labn.net> <CAMMESszvQ-QgZLNfPF2MMq6UNtCR5DLzhMvzuFF_eCiyUiu5qg@mail.gmail.com> <f647a19c-584f-6a34-77d5-702d26d31013@labn.net> <150fb3c5-0f60-8426-0345-a17d9be984b9@ericsson.com> <06a42687-5942-2591-4c71-5a5ff5090474@ericsson.com> <CAMMESszuOLAWrAB2wTo-CNqcos2X1WD3KbNz6zq3SGpxvCiQOQ@mail.gmail.com>
From: János Farkas <janos.farkas@ericsson.com>
Message-ID: <a2767783-49fd-a744-64ed-45a3fe6b6628@ericsson.com>
Date: Mon, 25 Mar 2019 22:54:25 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <CAMMESszuOLAWrAB2wTo-CNqcos2X1WD3KbNz6zq3SGpxvCiQOQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DD7402E23A5BAE782928CC37"
Content-Language: en-US
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuphkeLIzCtJLcpLzFFi42KZGbG9TFfIb2aMwds7whY3Dm1gsrjW/4PF 4ven2SwWH77NZLGY8Wcis0VH81sWBzaPnbPusnssWfKTyePDpma2AOYoLpuU1JzMstQifbsE roxla0+zFNztYK64vJO9gfHPW8YuRg4OCQETibv3dLoYuTiEBI4wSlw7uJgZwvnGKPHv7E9m uMymFztZuhg5OYQFCiS+Hm1gB7FFBLQkbu/cyQ5SxCwwlVFi/sfjbBAdS1gkLr9+yAxSxSZg L3H30gYwmxfIbmvezAKym0VAVeLrgxqQsKhArMSnK4uhSgQlTs58AraMUyBQ4szrb2BxZoEw icd/JrBA2OISt57MZwKxhQTUJD69fcg+gVFwFpL2WUhaZiFpgbAtJGbOP88IYctLNG+dzQxh a0i0zpnLjiy+gJF9FaNocWpxUm66kZFealFmcnFxfp5eXmrJJkZgHB3c8ttgB+PL546HGAU4 GJV4eE1dZ8YIsSaWFVfmHmKU4GBWEuF9IjojRog3JbGyKrUoP76oNCe1+BCjNAeLkjjvHyHB GCGB9MSS1OzU1ILUIpgsEwenVAOjV6H9HKmVqVoF0Ze3/mZ4yrlUxSHX2PucU8SEV7eTFSYs rij40huy77nDrEXC7fnHP5Udr4jWFBOXXr91zdrpK76VPor+dGZisoXy55My+556ajednRdV JFRwf9GGz8usGBdH88fJ/epYxpu7Syd47flDh5Jm/q9J8uZ5+Lh20YTZuxVFEv+9UWIpzkg0 1GIuKk4EAHFIPumfAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/PaSX3S0H1gXZiE_1IctW6irTzGA>
Subject: Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 21:54:38 -0000
Thank you Alvaro! Janos On 3/25/2019 7:37 PM, Alvaro Retana wrote: > János: > > Hi! > > Yes…I’m happy with the changes. I’m clearing my DISCUSS. > > Thanks! > > Alvaro. > > On March 25, 2019 at 5:20:37 PM, János Farkas > (janos.farkas@ericsson.com <mailto:janos.farkas@ericsson.com>) wrote: > >> Hi Alvaro, >> >> We believe that we have addressed your comments in the most recent >> revision: >> https://tools.ietf.org/html/draft-ietf-detnet-architecture-12. >> (https://mailarchive.ietf.org/arch/msg/detnet/utVL9ZVGcOeGtRIASRFx5WT_ErM) >> >> Please let us know what else you would like to see done before you >> clear your DISCUSS. >> >> I/we would be happy to meet with you this week if there is anything >> you would like to discuss. >> >> Regards, >> Janos >> >> >> On 3/6/2019 6:56 AM, János Farkas wrote: >>> Hi Alvaro, >>> >>> Do the updates we are making the security section resolve your comments: >>> https://mailarchive.ietf.org/arch/msg/detnet/btWvDFtp4F3JY2rY3wZEYdNn42o >>> >>> The current proposed text: >>> >>> 5. Security Considerations >>> >>> Security considerations for DetNet are described in detail in >>> [I-D.ietf-detnet-security]. This section considers exclusively >>> security considerations which are specific to the DetNet >>> Architecture. >>> >>> Security aspects which are unique to DetNet are those whose aim is to >>> provide the specific quality of service aspects of DetNet, which are >>> primarily to deliver data flows with extremely low packet loss rates >>> and bounded end-to-end delivery latency. A DetNet may be implemented >>> using MPLS and/or IP (including both v4 and v6) technologies, and >>> thus inherits the security properties of those technologies at both >>> the control plane and the data plane. >>> >>> Security considerations for DetNet are constrained (compared to, for >>> example, the open Internet) because DetNet is defined to operate only >>> within a single administrative domain (see Section 1). The primary >>> considerations are to secure the request and control of DetNet >>> resources, maintain confidentiality of data traversing the DetNet, >>> and provide the availability of the DetNet quality of service. >>> >>> To secure the request and control of DetNet resources, authentication >>> and authorization can be used for each device connected to a DetNet >>> domain, most importantly to network controller devices. Control of a >>> DetNet network may be centralized or distributed (within a single >>> administrative domain). In the case of centralized control, >>> precedent for security considerations as defined for Abstraction and >>> Control of Traffic Engineered Networks (ACTN) can be found in >>> [RFC8453], Section 9. In the case of a distributed control >>> protocols, DetNet security is expected to be provided by the security >>> properties of the protocols in use. In any case, the result is that >>> manipulation of administratively configurable parameters is limited >>> to authorized entities. >>> >>> To maintain confidentiality of data traversing the DetNet, >>> application flows can be protected through whatever means is provided >>> by the underlying technology. For example, encryption may be used, >>> such as that provided by IPSec [RFC4301] for IP (Layer 3) flows and >>> by MACSec [IEEE802.1AE-2018] for Ethernet (Layer 2) flows. >>> >>> DetNet flows are identified on a per-flow basis, which may provide >>> attackers with additional information about the data flows (when >>> compared to networks that do not include per-flow identification). >>> This is an inherent property of DetNet which has security >>> implications which should be considered when determining if DetNet is >>> a suitable technology for any given use case. >>> >>> To provide uninterrupted availability of the DetNet quality of >>> service, provisions can be made against DOS attacks and delay >>> attacks. To protect against DOS attacks, excess traffic due to >>> malicious or malfunctioning devices can be prevented or mitigated, >>> for example through the use of traffic admission control applied at >>> the input of a DetNet domain, as described in Section 3.2.1, and >>> through the fault mitigation methods described in Section 3.3.2. To >>> prevent DetNet packets from being delayed by an entity external to a >>> DetNet domain, DetNet technology definition can allow for the >>> mitigation of Man-In-The-Middle attacks, for example through use of >>> authentication and authorization of devices within the DetNet domain. >>> >>> Because DetNet mechanisms or applications that rely on DetNet can >>> make heavy use of methods that require precise time synchronization, >>> the accuracy, availability, and integrity of time synchronization is >>> of critical importance. Extensive discussion of this topic can be >>> found in [RFC7384]. >>> >>> DetNet use cases are known to have widely divergent security >>> requirements. The intent of this section is to provide a baseline >>> for security considerations which are common to all DetNet designs >>> and implementations, without burdening individual designs with >>> specifics of security infrastructure which may not be germane to the >>> given use case. Designers and Implementers of DetNet systems are >>> expected to take use case specific considerations into account in >>> their DetNet designs and implementations. >>> >>> >>> Please let us know if you have any remaining comments and what they are. >>> >>> Thank you! >>> Janos >>> >>> >>> On 2/23/2019 9:39 PM, Lou Berger wrote: >>>> >>>> Hi *Alvaro*, >>>> >>>> see below. >>>> >>>> On 2/22/2019 6:02 AM, Alvaro Retana wrote: >>>>> On February 21, 2019 at 7:35:32 PM, Lou Berger (lberger@labn.net >>>>> <mailto:lberger@labn.net>) wrote: >>>>> >>>>> Hi! >>>>> >>>>>> >>> ---------------------------------------------------------------------- >>>>>> >>> DISCUSS: >>>>>> >>> >>>>>> ---------------------------------------------------------------------- >>>>>> >>> >>>>>> >>> I support Mirja's and Alissa's DISCUSSes...and have a related >>>>>> set of concerns >>>>>> >>> about the coexistence with non-DetNet traffic and privacy: >>>>>> >>> >>>>>> >>> §3.3.1 talks about what I think is a hard to achieve balance >>>>>> between coexisting >>>>>> >>> with non-DetNet traffic and keeping that traffic from >>>>>> disrupting DetNet flows. >>>>>> >>> Because of the constraints, the intent of prioritizing DetNet >>>>>> flows is clear >>>>>> >>> (and that is ok), but that may result in starvation of non-DetNet >>>>>> >>> traffic...even if the text does explicitly say that it "must >>>>>> be avoided". >>>>>> >>> >>>>>> >>> I would like to see the potential case of starving non-DetNet >>>>>> traffic called >>>>>> >>> out somewhere. >>>>>> >> >>>>>> >> This is the objective of section 3.3.1.. >>>>>> >> >>>>>> >> >>>>>> >>> I'm looking for something similar to the first paragraph in §5, >>>>>> >>> but focused on the non-DetNet traffic. >>>>>> >> >>>>>> >> The current text reads: >>>>>> >> >>>>>> >> 3.3.1. Coexistence with normal traffic >>>>>> >> >>>>>> >> A DetNet network supports the dedication of a high proportion >>>>>> of the >>>>>> >> network bandwidth to DetNet flows. But, no matter how much is >>>>>> >> dedicated for DetNet flows, it is a goal of DetNet to coexist with >>>>>> >> existing Class of Service schemes (e.g., DiffServ). It is also >>>>>> >> important that non-DetNet traffic not disrupt the DetNet flow, of >>>>>> >> course (see Section 3.3.2 and Section 5). For these reasons: >>>>>> >> >>>>>> >> o Bandwidth (transmission opportunities) not utilized by a DetNet >>>>>> >> flow is available to non-DetNet packets (though not to other >>>>>> >> DetNet flows). >>>>>> >> >>>>>> >> o DetNet flows can be shaped or scheduled, in order to ensure that >>>>>> >> the highest-priority non-DetNet packet is also ensured a worst- >>>>>> >> case latency. >>>>>> >> >>>>>> >> o When transmission opportunities for DetNet flows are >>>>>> scheduled in >>>>>> >> detail, then the algorithm constructing the schedule should leave >>>>>> >> sufficient opportunities for non-DetNet packets to satisfy the >>>>>> >> needs of the users of the network. Detailed scheduling can also >>>>>> >> permit the time-shared use of buffer resources by different DetNet >>>>>> >> flows. >>>>>> >> >>>>>> >> Starvation of non-DetNet traffic must be avoided, e.g., by traffic >>>>>> >> policing functions (e.g., [RFC2475]). Thus, the net effect of the >>>>>> >> presence of DetNet flows in a network on the non-DetNet flows is >>>>>> >> primarily a reduction in the available bandwidth. >>>>>> >> >>>>>> >> >>>>>> >> I think we need a little bit more to understand what you'd >>>>>> like to see changed or added. Can you suggest text or what >>>>>> specific topic you'd like to see added/addressed? >>>>>> > >>>>>> > Yes, let me try to explain better…while comparing with the current >>>>>> > text in §5, which basically says that even though the objective of >>>>>> > DetNet is to provide bounded latency, a MIIM may delay the >>>>>> traffic and >>>>>> > the objective may not be achieved. >>>>>> > >>>>>> > For non-DetNet traffic, the objective is to not starve it, while >>>>>> > providing specific guarantees to the DetNet flows — said other way >>>>>> > (from the Introduction): "Unused reserved resources are >>>>>> available to >>>>>> > non-DetNet packets as long as all guarantees are fulfilled.” >>>>>> However, >>>>>> > the algorithms (maybe error, misconfiguration…or even >>>>>> maliciously) may >>>>>> > end up*not* constructing the schedule to leave sufficient >>>>>> > opportunities for non-DetNet packets (as suggested in the text >>>>>> above >>>>>> > from §3.3.1). >>>>>> > >>>>>> > I see a parallel in how there is a risk of the intention for DetNet >>>>>> > flows not being met (because of an attack) and how the >>>>>> intention for >>>>>> > non-DetNet traffic may also not be met. >>>>>> > >>>>>> Okay, this sounds like basically the same point that Benjamin was >>>>>> making, i.e., there must be mechanisms preventing non-detnet traffic >>>>>> from impacting detnet traffic, and detnet traffic trying to use more >>>>>> than its allocation and impacting non-detnet traffic. Is this >>>>>> correct or >>>>>> are you asking for something different/additional? >>>>> >>>>> Yes. I’m not asking so much for a mechanism, but for at least the >>>>> recognition that it is a risk. >>>>> >>>> Fair enough- I expect the response a response for the architecture >>>> and security draft authors to address this. I'm sure you will >>>> confirm that it does! >>>> >>>> >>>>>> >>>>>> >>>>>> >>>>>> > >>>>>> >>> Related to the above is the fact that the identification of >>>>>> flows could be used >>>>>> >>> to specifically *not* include some of them as DetNet flows. >>>>>> This is a >>>>>> >>> variation of the concern outlined in §6, but applied to >>>>>> non-DetNet flows, with >>>>>> >>> the potential starvation mentioned above. Again, I would like >>>>>> to at least see >>>>>> >>> some discussion of this risk. >>>>>> >> >>>>>> >> I don't follow - what is the risk that should be addressed? >>>>>> >> >>>>>> > §6 talks about potential privacy concerns due to the >>>>>> identification of >>>>>> > flows. I interpret that as potentially being able to identify the >>>>>> > user (application, or both maybe). >>>>>> > >>>>>> Currently flow identification is based on IP headers (6 tuple) and/or >>>>>> MPLS labels. So DetNet has the same privacy concerns as standard >>>>>> IP/MPLS. >>>>>> >>>>>> >>>>>> > As far as I understand the architecture, DetNet flows are >>>>>> identified >>>>>> > at the edge and then assigned to specific paths. If the >>>>>> > identification of flows can be used to identify the user (for >>>>>> > example), then it can be used to not only attack specific >>>>>> DetNet flow, >>>>>> > but also to decide to not provide guarantees to a specific flow >>>>>> based >>>>>> > on who the user or the application may be. >>>>>> > >>>>>> Given DetNet flow identification, is this any different than >>>>>> standard PBR? >>>>> >>>>> Right, it is not really different. It is just not mentioned >>>>> anywhere that identification (or misidentification as it may be, >>>>> maybe maliciously) can lead to not providing guarantees, potential >>>>> starving, etc.. >>>>> >>>> I thought the quotes capture in the various mails on the topic >>>> showed how it was -- but let's wait for the updated text and see if >>>> it sufficiently addresses your concern/point, and then go from there. >>>> >>>> Thanks again for the feedback. >>>> >>>> Lou >>>> >>>> >>>>> Thanks! >>>>> >>>>> Alvaro. >>>>> >>>>> >>>>> _______________________________________________ >>>>> detnet mailing list >>>>> detnet@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/detnet >>> >>
- [Detnet] Alvaro Retana's Discuss on draft-ietf-de… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Lou Berger
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… János Farkas
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… János Farkas
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… Alvaro Retana
- Re: [Detnet] Alvaro Retana's Discuss on draft-iet… János Farkas