IETF Logo Mail Archive

Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

János Farkas <janos.farkas@ericsson.com> Mon, 25 March 2019 21:54 UTC

Return-Path: <Janos.Farkas@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3841120115 for <detnet@ietfa.amsl.com>; Mon, 25 Mar 2019 14:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.041
X-Spam-Level:
X-Spam-Status: No, score=-4.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yc81P1ZmdaMT for <detnet@ietfa.amsl.com>; Mon, 25 Mar 2019 14:54:34 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 627B7120118 for <detnet@ietf.org>; Mon, 25 Mar 2019 14:54:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1553550866; x=1556142866; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=KIOiIzQkAfDe/kqEQI835+P8UlL0x8OqduPgj+BdJp8=; b=VmGubeRJrWoXlaPi0D7jVlyiqymSNLkThYGDFvpjCX+sS8C2PtfyF4+PIVxbtL6o XpV24Vbx1ya38SsdtFMETp0apZ48bMRGgUKI7LuvxJu4F+QzyY9w89FpUQ4EQPf2 pENuoqqmpo/T/PrXGXeoo4J6c6Pgsrw1DnKPoILSD+g=;
X-AuditID: c1b4fb30-307ff70000007fec-72-5c994e123eb4
Received: from ESESBMB505.ericsson.se (Unknown_Domain [153.88.183.118]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 3D.4D.32748.21E499C5; Mon, 25 Mar 2019 22:54:26 +0100 (CET)
Received: from ESESSMB505.ericsson.se (153.88.183.166) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Mon, 25 Mar 2019 22:54:26 +0100
Received: from [100.94.33.129] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.193) with Microsoft SMTP Server id 15.1.1713.5 via Frontend Transport; Mon, 25 Mar 2019 22:54:25 +0100
To: Alvaro Retana <aretana.ietf@gmail.com>
CC: draft-ietf-detnet-architecture@ietf.org, Lou Berger <lberger@labn.net>, The IESG <iesg@ietf.org>, detnet-chairs@ietf.org, detnet@ietf.org
References: <155067820715.31361.3746519237969586434.idtracker@ietfa.amsl.com> <108f9294-fb9d-557a-011a-6a53156bcb37@labn.net> <CAMMESsx4juKOjPNPQW2iLDYRC6REr8jKWLJLBDUt-AsmC-eFmA@mail.gmail.com> <7056c886-3aa9-2d85-7824-ee5f1ac9bb33@labn.net> <CAMMESszvQ-QgZLNfPF2MMq6UNtCR5DLzhMvzuFF_eCiyUiu5qg@mail.gmail.com> <f647a19c-584f-6a34-77d5-702d26d31013@labn.net> <150fb3c5-0f60-8426-0345-a17d9be984b9@ericsson.com> <06a42687-5942-2591-4c71-5a5ff5090474@ericsson.com> <CAMMESszuOLAWrAB2wTo-CNqcos2X1WD3KbNz6zq3SGpxvCiQOQ@mail.gmail.com>
From: János Farkas <janos.farkas@ericsson.com>
Message-ID: <a2767783-49fd-a744-64ed-45a3fe6b6628@ericsson.com>
Date: Mon, 25 Mar 2019 22:54:25 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <CAMMESszuOLAWrAB2wTo-CNqcos2X1WD3KbNz6zq3SGpxvCiQOQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DD7402E23A5BAE782928CC37"
Content-Language: en-US
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuphkeLIzCtJLcpLzFFi42KZGbG9TFfIb2aMwds7whY3Dm1gsrjW/4PF 4ven2SwWH77NZLGY8Wcis0VH81sWBzaPnbPusnssWfKTyePDpma2AOYoLpuU1JzMstQifbsE roxla0+zFNztYK64vJO9gfHPW8YuRg4OCQETibv3dLoYuTiEBI4wSlw7uJgZwvnGKPHv7E9m uMymFztZuhg5OYQFCiS+Hm1gB7FFBLQkbu/cyQ5SxCwwlVFi/sfjbBAdS1gkLr9+yAxSxSZg L3H30gYwmxfIbmvezAKym0VAVeLrgxqQsKhArMSnK4uhSgQlTs58AraMUyBQ4szrb2BxZoEw icd/JrBA2OISt57MZwKxhQTUJD69fcg+gVFwFpL2WUhaZiFpgbAtJGbOP88IYctLNG+dzQxh a0i0zpnLjiy+gJF9FaNocWpxUm66kZFealFmcnFxfp5eXmrJJkZgHB3c8ttgB+PL546HGAU4 GJV4eE1dZ8YIsSaWFVfmHmKU4GBWEuF9IjojRog3JbGyKrUoP76oNCe1+BCjNAeLkjjvHyHB GCGB9MSS1OzU1ILUIpgsEwenVAOjV6H9HKmVqVoF0Ze3/mZ4yrlUxSHX2PucU8SEV7eTFSYs rij40huy77nDrEXC7fnHP5Udr4jWFBOXXr91zdrpK76VPor+dGZisoXy55My+556ajednRdV JFRwf9GGz8usGBdH88fJ/epYxpu7Syd47flDh5Jm/q9J8uZ5+Lh20YTZuxVFEv+9UWIpzkg0 1GIuKk4EAHFIPumfAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/PaSX3S0H1gXZiE_1IctW6irTzGA>
Subject: Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 21:54:38 -0000

Thank you Alvaro!
Janos


On 3/25/2019 7:37 PM, Alvaro Retana wrote:
> János:
>
> Hi!
>
> Yes…I’m happy with the changes.  I’m clearing my DISCUSS.
>
> Thanks!
>
> Alvaro.
>
> On March 25, 2019 at 5:20:37 PM, János Farkas 
> (janos.farkas@ericsson.com <mailto:janos.farkas@ericsson.com>) wrote:
>
>> Hi Alvaro,
>>
>> We believe that we have addressed your comments in the most recent 
>> revision: 
>> https://tools.ietf.org/html/draft-ietf-detnet-architecture-12. 
>> (https://mailarchive.ietf.org/arch/msg/detnet/utVL9ZVGcOeGtRIASRFx5WT_ErM)
>>
>> Please let us know what else you would like to see done before you 
>> clear your DISCUSS.
>>
>> I/we would be happy to meet with you this week if there is anything 
>> you would like to discuss.
>>
>> Regards,
>> Janos
>>
>>
>> On 3/6/2019 6:56 AM, János Farkas wrote:
>>> Hi Alvaro,
>>>
>>> Do the updates we are making the security section resolve your comments:
>>> https://mailarchive.ietf.org/arch/msg/detnet/btWvDFtp4F3JY2rY3wZEYdNn42o
>>>
>>> The current proposed text:
>>>
>>> 5.  Security Considerations
>>>
>>>    Security considerations for DetNet are described in detail in
>>>    [I-D.ietf-detnet-security].  This section considers exclusively
>>>    security considerations which are specific to the DetNet
>>>    Architecture.
>>>
>>>    Security aspects which are unique to DetNet are those whose aim is to
>>>    provide the specific quality of service aspects of DetNet, which are
>>>    primarily to deliver data flows with extremely low packet loss rates
>>>    and bounded end-to-end delivery latency.  A DetNet may be implemented
>>>    using MPLS and/or IP (including both v4 and v6) technologies, and
>>>    thus inherits the security properties of those technologies at both
>>>    the control plane and the data plane.
>>>
>>>    Security considerations for DetNet are constrained (compared to, for
>>>    example, the open Internet) because DetNet is defined to operate only
>>>    within a single administrative domain (see Section 1).  The primary
>>>    considerations are to secure the request and control of DetNet
>>>    resources, maintain confidentiality of data traversing the DetNet,
>>>    and provide the availability of the DetNet quality of service.
>>>
>>>    To secure the request and control of DetNet resources, authentication
>>>    and authorization can be used for each device connected to a DetNet
>>>    domain, most importantly to network controller devices.  Control of a
>>>    DetNet network may be centralized or distributed (within a single
>>>    administrative domain).  In the case of centralized control,
>>>    precedent for security considerations as defined for Abstraction and
>>>    Control of Traffic Engineered Networks (ACTN) can be found in
>>>    [RFC8453], Section 9.  In the case of a distributed control
>>>    protocols, DetNet security is expected to be provided by the security
>>>    properties of the protocols in use.  In any case, the result is that
>>>    manipulation of administratively configurable parameters is limited
>>>    to authorized entities.
>>>
>>>    To maintain confidentiality of data traversing the DetNet,
>>>    application flows can be protected through whatever means is provided
>>>    by the underlying technology.  For example, encryption may be used,
>>>    such as that provided by IPSec [RFC4301] for IP (Layer 3) flows and
>>>    by MACSec [IEEE802.1AE-2018] for Ethernet (Layer 2) flows.
>>>
>>>    DetNet flows are identified on a per-flow basis, which may provide
>>>    attackers with additional information about the data flows (when
>>>    compared to networks that do not include per-flow identification).
>>>    This is an inherent property of DetNet which has security
>>>    implications which should be considered when determining if DetNet is
>>>    a suitable technology for any given use case.
>>>
>>>    To provide uninterrupted availability of the DetNet quality of
>>>    service, provisions can be made against DOS attacks and delay
>>>    attacks.  To protect against DOS attacks, excess traffic due to
>>>    malicious or malfunctioning devices can be prevented or mitigated,
>>>    for example through the use of traffic admission control applied at
>>>    the input of a DetNet domain, as described in Section 3.2.1, and
>>>    through the fault mitigation methods described in Section 3.3.2.  To
>>>    prevent DetNet packets from being delayed by an entity external to a
>>>    DetNet domain, DetNet technology definition can allow for the
>>>    mitigation of Man-In-The-Middle attacks, for example through use of
>>>    authentication and authorization of devices within the DetNet domain.
>>>
>>>    Because DetNet mechanisms or applications that rely on DetNet can
>>>    make heavy use of methods that require precise time synchronization,
>>>    the accuracy, availability, and integrity of time synchronization is
>>>    of critical importance.  Extensive discussion of this topic can be
>>>    found in [RFC7384].
>>>
>>>    DetNet use cases are known to have widely divergent security
>>>    requirements.  The intent of this section is to provide a baseline
>>>    for security considerations which are common to all DetNet designs
>>>    and implementations, without burdening individual designs with
>>>    specifics of security infrastructure which may not be germane to the
>>>    given use case.  Designers and Implementers of DetNet systems are
>>>    expected to take use case specific considerations into account in
>>>    their DetNet designs and implementations.
>>>
>>>
>>> Please let us know if you have any remaining comments and what they are.
>>>
>>> Thank you!
>>> Janos
>>>
>>>
>>> On 2/23/2019 9:39 PM, Lou Berger wrote:
>>>>
>>>> Hi *Alvaro*,
>>>>
>>>> see below.
>>>>
>>>> On 2/22/2019 6:02 AM, Alvaro Retana wrote:
>>>>> On February 21, 2019 at 7:35:32 PM, Lou Berger (lberger@labn.net 
>>>>> <mailto:lberger@labn.net>) wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>>> >>> ----------------------------------------------------------------------
>>>>>> >>> DISCUSS:
>>>>>> >>> 
>>>>>> ----------------------------------------------------------------------
>>>>>> >>>
>>>>>> >>> I support Mirja's and Alissa's DISCUSSes...and have a related 
>>>>>> set of concerns
>>>>>> >>> about the coexistence with non-DetNet traffic and privacy:
>>>>>> >>>
>>>>>> >>> §3.3.1 talks about what I think is a hard to achieve balance 
>>>>>> between coexisting
>>>>>> >>> with non-DetNet traffic and keeping that traffic from 
>>>>>> disrupting DetNet flows.
>>>>>> >>> Because of the constraints, the intent of prioritizing DetNet 
>>>>>> flows is clear
>>>>>> >>> (and that is ok), but that may result in starvation of non-DetNet
>>>>>> >>> traffic...even if the text does explicitly say that it "must 
>>>>>> be avoided".
>>>>>> >>>
>>>>>> >>> I would like to see the potential case of starving non-DetNet 
>>>>>> traffic called
>>>>>> >>> out somewhere.
>>>>>> >>
>>>>>> >> This is the objective of section 3.3.1..
>>>>>> >>
>>>>>> >>
>>>>>> >>> I'm looking for something similar to the first paragraph in §5,
>>>>>> >>> but focused on the non-DetNet traffic.
>>>>>> >>
>>>>>> >> The current text reads:
>>>>>> >>
>>>>>> >> 3.3.1. Coexistence with normal traffic
>>>>>> >>
>>>>>> >> A DetNet network supports the dedication of a high proportion 
>>>>>> of the
>>>>>> >> network bandwidth to DetNet flows. But, no matter how much is
>>>>>> >> dedicated for DetNet flows, it is a goal of DetNet to coexist with
>>>>>> >> existing Class of Service schemes (e.g., DiffServ). It is also
>>>>>> >> important that non-DetNet traffic not disrupt the DetNet flow, of
>>>>>> >> course (see Section 3.3.2 and Section 5). For these reasons:
>>>>>> >>
>>>>>> >> o Bandwidth (transmission opportunities) not utilized by a DetNet
>>>>>> >> flow is available to non-DetNet packets (though not to other
>>>>>> >> DetNet flows).
>>>>>> >>
>>>>>> >> o DetNet flows can be shaped or scheduled, in order to ensure that
>>>>>> >> the highest-priority non-DetNet packet is also ensured a worst-
>>>>>> >> case latency.
>>>>>> >>
>>>>>> >> o When transmission opportunities for DetNet flows are 
>>>>>> scheduled in
>>>>>> >> detail, then the algorithm constructing the schedule should leave
>>>>>> >> sufficient opportunities for non-DetNet packets to satisfy the
>>>>>> >> needs of the users of the network. Detailed scheduling can also
>>>>>> >> permit the time-shared use of buffer resources by different DetNet
>>>>>> >> flows.
>>>>>> >>
>>>>>> >> Starvation of non-DetNet traffic must be avoided, e.g., by traffic
>>>>>> >> policing functions (e.g., [RFC2475]). Thus, the net effect of the
>>>>>> >> presence of DetNet flows in a network on the non-DetNet flows is
>>>>>> >> primarily a reduction in the available bandwidth.
>>>>>> >>
>>>>>> >>
>>>>>> >> I think we need a little bit more to understand what you'd 
>>>>>> like to see changed or added. Can you suggest text or what 
>>>>>> specific topic you'd like to see added/addressed?
>>>>>> >
>>>>>> > Yes, let me try to explain better…while comparing with the current
>>>>>> > text in §5, which basically says that even though the objective of
>>>>>> > DetNet is to provide bounded latency, a MIIM may delay the 
>>>>>> traffic and
>>>>>> > the objective may not be achieved.
>>>>>> >
>>>>>> > For non-DetNet traffic, the objective is to not starve it, while
>>>>>> > providing specific guarantees to the DetNet flows — said other way
>>>>>> > (from the Introduction): "Unused reserved resources are 
>>>>>> available to
>>>>>> > non-DetNet packets as long as all guarantees are fulfilled.” 
>>>>>>  However,
>>>>>> > the algorithms (maybe error, misconfiguration…or even 
>>>>>> maliciously) may
>>>>>> > end up*not* constructing the schedule to leave sufficient
>>>>>> > opportunities for non-DetNet packets (as suggested in the text 
>>>>>> above
>>>>>> > from §3.3.1).
>>>>>> >
>>>>>> > I see a parallel in how there is a risk of the intention for DetNet
>>>>>> > flows not being met (because of an attack) and how the 
>>>>>> intention for
>>>>>> > non-DetNet traffic may also not be met.
>>>>>> >
>>>>>> Okay, this sounds like basically the same point that Benjamin was
>>>>>> making, i.e., there must be mechanisms preventing non-detnet traffic
>>>>>> from impacting detnet traffic, and detnet traffic trying to use more
>>>>>> than its allocation and impacting non-detnet traffic. Is this 
>>>>>> correct or
>>>>>> are you asking for something different/additional?
>>>>>
>>>>> Yes.  I’m not asking so much for a mechanism, but for at least the 
>>>>> recognition that it is a risk.
>>>>>
>>>> Fair enough- I expect the response a response for the architecture 
>>>> and security draft authors to address this.  I'm sure you will 
>>>> confirm that it does!
>>>>
>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> >
>>>>>> >>> Related to the above is the fact that the identification of 
>>>>>> flows could be used
>>>>>> >>> to specifically *not* include some of them as DetNet flows. 
>>>>>> This is a
>>>>>> >>> variation of the concern outlined in §6, but applied to 
>>>>>> non-DetNet flows, with
>>>>>> >>> the potential starvation mentioned above. Again, I would like 
>>>>>> to at least see
>>>>>> >>> some discussion of this risk.
>>>>>> >>
>>>>>> >> I don't follow - what is the risk that should be addressed?
>>>>>> >>
>>>>>> > §6 talks about potential privacy concerns due to the 
>>>>>> identification of
>>>>>> > flows.  I interpret that as potentially being able to identify the
>>>>>> > user (application, or both maybe).
>>>>>> >
>>>>>> Currently flow identification is based on IP headers (6 tuple) and/or
>>>>>> MPLS labels.  So DetNet has the same privacy concerns as standard 
>>>>>> IP/MPLS.
>>>>>>
>>>>>>
>>>>>> > As far as I understand the architecture, DetNet flows are 
>>>>>> identified
>>>>>> > at the edge and then assigned to specific paths.  If the
>>>>>> > identification of flows can be used to identify the user (for
>>>>>> > example), then it can be used to not only attack specific 
>>>>>> DetNet flow,
>>>>>> > but also to decide to not provide guarantees to a specific flow 
>>>>>> based
>>>>>> > on who the user or the application may be.
>>>>>> >
>>>>>> Given DetNet flow identification, is this any different than 
>>>>>> standard PBR?
>>>>>
>>>>> Right, it is not really different.  It is just not mentioned 
>>>>> anywhere that identification (or misidentification as it may be, 
>>>>> maybe maliciously) can lead to not providing guarantees, potential 
>>>>> starving, etc..
>>>>>
>>>> I thought the quotes capture in the various mails on the topic 
>>>> showed how it was -- but let's wait for the updated text and see if 
>>>> it sufficiently addresses your concern/point, and then go from there.
>>>>
>>>> Thanks again for the feedback.
>>>>
>>>> Lou
>>>>
>>>>
>>>>> Thanks!
>>>>>
>>>>> Alvaro.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> detnet mailing list
>>>>> detnet@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/detnet
>>>
>>

v2.23.0 | Report a Bug | By Email