Re: [Detnet] DetNet Security draft update strategy for tomorrow's update (3rd try, plain text format)
Henrik Austad <henrik@austad.us> Mon, 13 January 2020 22:18 UTC
Return-Path: <henrik@austad.us>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D46C0120A56 for <detnet@ietfa.amsl.com>; Mon, 13 Jan 2020 14:18:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=austad-us.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWHfjTega-op for <detnet@ietfa.amsl.com>; Mon, 13 Jan 2020 14:18:42 -0800 (PST)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1645212006D for <detnet@ietf.org>; Mon, 13 Jan 2020 14:18:42 -0800 (PST)
Received: by mail-lf1-x12f.google.com with SMTP id r14so8151521lfm.5 for <detnet@ietf.org>; Mon, 13 Jan 2020 14:18:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=austad-us.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=aEc6SODlQI8BIXGw8Nj88Hsisy8Gb8/jdmx+BReAEyk=; b=owPapwvwBOpm2RpXhbdrSN15hML7e8x3b5qGvJXRc0359dEIfHSzPkgDbYq/wY42GE 5Hw00ZQJ9K1ngDaRqotK041U/0FDkLExfp4LyZv+nvH9Pr9+mGQ11Xu9tzA9E6WzRl49 KTXx0V80t27M1tAEp5DbFh6fUPW9iVODzmwbYXmF6+8c1h9RJUf2/yR0IVcgZVhhsr7a J4U0nlWPVwAxf0DJ8Mj/75yB1Fmalo3glUDKYvyNSGcYnDfkfy6H8tQ0qgKuRpS8m88x TdIHUY/Z7eeEQTVmROLIikP4/BBN109HUC80sEcslNvaWxwBAomeuQiOkzrX1asSxAKk ieyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=aEc6SODlQI8BIXGw8Nj88Hsisy8Gb8/jdmx+BReAEyk=; b=qYW1Q3JhfMLYbncBM8uKrzYCU0hdpG+mw7oVbcWJlUXwIj3GvbmA0USRQujew6oIO9 nagVnQckQjpA5TJ56wtLBZKsSz9uNgzMmsXB0Y4pJkHhLd7Q6UJ2RyretqVs6bPWRP84 7QRZfERX/tiP3bE+xlTShsvodTkTBDXyfFS0RHwtFernovIGTVH/XZTbULS2oY+6qfVs S+IQAp9mR+6O0/ywFyJ1NWPONFJOKnfW0Pd9GspsXQrKNJLpR3mJjjD1wfXtR7INBCPz Hj/4J5+EIVXDgs68B1Ug5scLC8bFcsfkTlqU0/vid71seNutPVjw3TEo5gVhITGQKBvH Eq8Q==
X-Gm-Message-State: APjAAAUK1AnyS5BmF7ZkWTna7UhA5uEir7+LPJSIMr2SY7aMyzqwoQrT jaxRCw6rG+kd8g/0iB6Ys7Q+LQ==
X-Google-Smtp-Source: APXvYqyZT5uNP/qLWV9H2FE34oqWcFJhgrshEXJkqdKRVobhC8DhTQbWVZMi/REqjYposerpsXo6Pw==
X-Received: by 2002:a19:ca59:: with SMTP id h25mr11587186lfj.27.1578953919850; Mon, 13 Jan 2020 14:18:39 -0800 (PST)
Received: from icarus.home.austad.us ([188.113.66.217]) by smtp.gmail.com with ESMTPSA id z13sm6571488ljh.21.2020.01.13.14.18.37 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 13 Jan 2020 14:18:38 -0800 (PST)
Date: Mon, 13 Jan 2020 23:18:36 +0100
From: Henrik Austad <henrik@austad.us>
To: "Black, David" <David.Black@dell.com>
Cc: "Grossman, Ethan A." <eagros@dolby.com>, "detnet@ietf.org" <detnet@ietf.org>, "Le Boudec Jean-Yves (jean-yves.leboudec@epfl.ch)" <jean-yves.leboudec@epfl.ch>, "draft-ietf-detnet-security@ietf.org" <draft-ietf-detnet-security@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>
Message-ID: <20200113221836.bhrlyhcqtxwjzfp4@icarus.home.austad.us>
References: <BYAPR06MB4325A49BA29805B949F04F7DC4390@BYAPR06MB4325.namprd06.prod.outlook.com> <CAM6o_m1S7Qa1GuOWr81Y378H7iYkY7E_TPF2bJH0SrMS1mUxCQ@mail.gmail.com> <MN2PR19MB4045B65981BC8CA7EB5BDF4483380@MN2PR19MB4045.namprd19.prod.outlook.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="soi5p5s4eugcrrke"
Content-Disposition: inline
In-Reply-To: <MN2PR19MB4045B65981BC8CA7EB5BDF4483380@MN2PR19MB4045.namprd19.prod.outlook.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/XhcuG6riG-e1QoM6HoDh34dvUxs>
Subject: Re: [Detnet] DetNet Security draft update strategy for tomorrow's update (3rd try, plain text format)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2020 22:18:52 -0000
On Fri, Jan 10, 2020 at 11:53:24PM +0000, Black, David wrote: > Hi Henrik, > > Comments inline on some of your points/thoughts ... Hi David, Thanks for the reply! I replied inline below, but tl;dr; I got my concerns answered. -Henrik > > -----Original Message----- > > From: detnet <detnet-bounces@ietf.org> On Behalf Of Henrik Austad > > Sent: Friday, January 10, 2020 4:08 AM > > To: Grossman, Ethan A. > > Cc: detnet@ietf.org; Le Boudec Jean-Yves (jean-yves.leboudec@epfl.ch); > > draft-ietf-detnet-security@ietf.org; detnet-chairs@ietf.org > > Subject: Re: [Detnet] DetNet Security draft update strategy for tomorrow's > > update (3rd try, plain text format) > > > > > > [EXTERNAL EMAIL] > > > > Hi all, > > > > Some points/thoughts on the summary of last confcall. I added a number > > to each point from Ethans mail (in an attempt) to appear more coherent. > > > > tl;dr: I agree with the sentiment, but I'm not fully on board with > > stripping out as much as what I understood the proposal wanted. > > > > Detailed comments below. > > > > 1. "On recommendation for using IPSec for DetNet IP - problem: Can't see > > enough of the flow to do flow differentiation; e.g. need 6tuple but is > > always hidden in IPSec. Lou wrote that section, need to check with him." > > > > I think I missed this discussion. AFAIK, the only parts where we discuss > > IPSec is potentional ways an end-user can protect the content of its > > stream. Is the concern here that IPSec will hide too much of the header > > for DetNet bridges to be able to properly prioritize them? I must > > confess I am not familiar with exactly how the headers of IPSec is > > constructed. > > [David>] And the IPsec headers is where the problems are to be found. > The DetNet IP data plane identifies flows via a 6-tuple that consists of > two IP addresses, the transport protocol ID, two transport protocol port > numbers and the DSCP in the IP header. When IPsec is used, the transport > header is encrypted and the next protocol ID is an IPsec protocol, > usually ESP, and not a transport protocol (e.g., neither TCP nor UDP nor > ...), leaving only three components of the 6-tuple, the two IP addresses > and the DSCP. This assumes that DetNet nodes cannot decrypt IPsec > traffic. Ah, yes. Having each node decrypt the IPSec stream is not a valid approach! I see Ethan added the clarification in 2dbbf18d, so I have no further argument here. > > 2. "We want to set the initial expectation that the DetNet network to be > > secured is already a well-designed and well-managed network (other > > possible phrasing: "a traffic-managed, controlled environment" or "a > > traffic-engineered network") following existing best practices. We > > assume that all such relevant characteristics are in place as a > > starting place for this DetNet Security Considerations > > draft/discussion. We can thus simplify our draft by setting this > > assumption. Having the draft be shorter is a positive step. > > > > If we assume that the network is already well designed and well managed, > > then what does this document really provide? I.e. if I were to set up a > > DetNet network, I would come to *this* document to see what is relevant > > security-wise. I understand that this document should try to not dictate > > specific steps, but painting a threat landscape with a broad brush is > > not something I think we should leave out. > > [David>] Well-designed and well-managed is primarily about denial-of > service prevention by ensuring that DetNet traffic goes where it's > supposed to and that an external attacker can't inject traffic that > disrupts DetNet's delivery timing assurance. Security involves a *LOT* > more ... Ok, I think I misunderstood your point there then, my bad, or perhaps I did not make my opinions clear. I do not disagree with this. > > 3. "Regarding control plane - we can state that every Control Plane has > > to be well managed and secured by industry standard practice - this > > removes the need to say a lot of the specific things we say in the > > draft." > > > > But this does not make sense, industry standard practice, would this not > > vary depending on what type of network you are setting up? I am > > reluctant to cut out things just because we can hide behind "industry > > standard practice", *this* document is supposed to help guide what is > > industry best practice wrt to DetNet. > > [David>] Actually it does, see RFC 7510 (MPLS/UDP) and the TMCE (Traffic > Managed Controlled Environment) scenario in RFC 8086 (GRE/UDP) for a > couple of worked examples of this sort of approach. RFC 8086 is also a > good place to understand what differs between a scenario that makes this > sort of assumption and a scenario that does not. Ok, I have some reading to do it seems :) > > 4. "We want to the initial expectation that the reader will be familiar > > with the DetNet Use Cases draft, because that is where the > > "expectations" (not saying "requirements") regarding security are > > stated, since there is no DetNet Security Requirements > > ("Expectations") draft. (As a result, our intention is to remove Sec > > 8. Appendix A: DetNet Draft Security-Related Statements from the > > draft - any objections to that?) In review if someone says something > > about lack of specific security "requirements" to review the draft > > against, we can point to the Use Cases drafts. (This is normal in > > IETF specs - each RFC is a chapter in the book, assumed reader will > > read all of chapters. Contrast with other organization > > specifications which are more self-contained)." > > > > I agree that we should expect a reader to be familiar with RFC 8578 > > Determinic Networking Use Cases. > > > > *However*, in the Abstract of detnet-security we state that > > determinsitic networks have been running "real-time operational > > technology (OT) applications", and as of now, the only part of > > detnet-security where we actually raise the concern for the impact a > > disrupted DetNet service will have for RT-apps, is in appendix > > A. Before dropping this, I would like to go through sec. 4 and see if > > we stress this point enough. > > > > 5. "An MPLS network is inherently more secure than an IP network, > > because with MPLS it is difficult to introduce a rogue LSR or PE > > into the network, compared with IP, in which a random device is less > > difficult to introduce onto the network (and from there send packets > > into the network). An MPLS network is highly managed by its > > provider, e.g. BT, ATT, etc. Nothing gets in there." > > > > Not very familiar with MPLS, but I assume this comment is aimed at Sec > > 7.2 "MPLS"? > > > > 6. "In contrast to a PW model for MPLS, an IP model can be thought of as > > an overlay model, so the goal is to protect the overlay forwarding > > resources. To do that, we need to manage the network as tightly as > > an MPLS network, equivalent to MPLS-TE. Need to have that as a > > starting point - should be "this is a mega tight network, nothing > > gets in that we don't allow in". > > > > Yes, agree. But does this not conflict with the desire to leave more out > > from #2 (industry standard practice)? Or did I misunderstand the > > intention behind the cleanup in #2? > > [David>] This may be somewhat overstated, as many IP networks are not > managed exactly as tightly as an MPLS network, but also see my comment on > #2 above. Ok > > 7. "Another way to phrase this is like "with a standard IT network, we > > manage it at least as well as a VPN". We have a lot of experience > > with VPNs running through networks with other VPNs, we know how to > > do that. Perhaps this could be pointed out somewhere near the text > > that says that legacy OT networks are "isolated" (meaning "air > > gapped") (from e.g. the IT network) and are thus less susceptible to > > attack. Assume VPN characteristics, but note that any "bumping > > into" (interference) of one packet with another can have an effect. > > > > What part of the document does this apply to? Not sure if I fully grok > > this section. > > [David>] VPN seems to be a better way to think about this than matching > MPLS, and again, see my comment on #2 above. Ok > > 8. "Network slicing - could this be used for DetNet? Or is it that > > DetNet could be used to implement slicing? This is a meta-problem at > > architecture level; Perhaps the world has changed since Arch doc was > > written. Lots of people working on slicing now, e.g. for > > 3GPP. Perhaps Lou's work in TEAS on TE'd VPN is relevant? Two > > strategies for this: Classical MPLS model vs SR model.. Issue of > > stealing resources - we could describe this as an issue, or maybe > > could even refer to slice drafts, but we don't want to be held up by > > those drafts. Point is that others are thinking about this. > > > > If a bridge allows an actor to inject so much traffic that it > > affects DetNet flows, it is an issue, so a bridge must adequately handle > > flooding. This also goes for control-traffic, the network must be > > configured to handle sudden floods without loosing DetNet flows *or* > > control frames as that is a pretty likely attack scenario. > > > > 9. "Draft needs to set out principles, good quality abstract models, > > rather than details; currently the draft has too many details. Not > > enough focus on delay and packet loss considerations, which are the > > core. Current draft focus is explicit on "now" technologies, as > > opposed to setting considerations for any technology. Need to > > establish what they need to do to conform to security > > considerations. Current draft is drilled down into classical > > existing world, perhaps not the world we will find in the > > future. Need to review what we can assume is known, and what we have > > to do to encompass various technologies. > > > > Yes, I agree to this. I think we discussed this way back, we had a > > pretty lengthy discussion about likely threat vectors to a DetNet setup, > > some of them are a bit heavy on the details in an effort to explain the > > gist of them. > > > > 10. "Section 3 - seems like a basic tutorial on security threats? Is > > that level of tutorial needed, given the expectations set above? > > For example Internal vs external, access to segments, all standard > > in secured traffic engineered MPLS networks. Can assume that is > > taken care of. But delaying a packet is more significant, can be > > very subtle, need to focus more on that. > > > > I'd like to keep a point about the significance of a successful > > injection attack. For an IT network, a replay-attack can do bad things > > to your RDBS, for DetNet you could harm physical things, physically > > harming humans. > > > > I agree that we could focus more on delay-attacks, but we *should* keep > > some points about the other attacks simply to ensure that they are > > taken into consideration. > > > > 11. "Regarding DetNet to transfer clocking - could be beneficial to > > clock distribution, however if using PREOF then it could be > > detrimental to clock sync and ranging. Need to teach people that > > there are limitations - is this the place for that? We are clear > > that we are not addressing how time is to be distributed in a > > DetNet network, but maybe a caveat is in order? Clock xfer is > > subtle, few understand it. > > > > Perhaps this could be used as an example for why delay-attacks can be > > detrimental, help elaborate in #10? Apart from that, the finer details > > of clock distribution is best done elsewhere. I was not under the > > impression that we discussed clock distribution much though. > > > > 12. "Not discussing what a data plane needs to do or how it would do it, > > but describe properties it needs to have in order to conform to > > security properties or expectations or needs. That is, we need to > > state expectations of DP, how it would meet requirements, but if it > > can't, how it would mitigate them. For example, consider a > > requirement for "IT traffic must not affect DetNet traffic". So a > > possible implementation, as one would do in a non-time-sensitive > > network is to put them in their own VPNs or MPLS tunnels to ensure > > they run independently. However DetNet special since packets > > "bumping into" other packets can be a problem. We need to say that > > they have to provide this isolation, but not how to provide it. So > > we can say something like "forwarding bandwidth (and related > > resources) must be protected so that they are available to detnet > > traffic". How they do it is up to the dataplane > > designers. Otherwise we end up committing to solve an infinite > > number of problems, and possibly limit options of designers to > > innovate or otherwise solve problems. > > > > Yes, we've discussed this and I was under the impression that that is > > what we were aiming at. > > > > I read this as a summary of all the above points and infer that we need > > to clean up and strip down a bit in order to meet this goal. Was that > > the intention of #12, or did I read that wrong? > > > > -- > > Best regards, > > Henrik Austad > > > > _______________________________________________ > > detnet mailing list > > detnet@ietf.org > > https://www.ietf.org/mailman/listinfo/detnet -- Henrik Austad
- [Detnet] DetNet Security draft update strategy fo… Grossman, Ethan A.
- Re: [Detnet] DetNet Security draft update strateg… Henrik Austad
- Re: [Detnet] DetNet Security draft update strateg… Black, David
- Re: [Detnet] DetNet Security draft update strateg… Henrik Austad