[Detnet] DetNet Security Considerations 17Dec19 call notes
"Grossman, Ethan A." <eagros@dolby.com> Wed, 18 December 2019 23:12 UTC
Return-Path: <eagros@dolby.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAC69120013 for <detnet@ietfa.amsl.com>; Wed, 18 Dec 2019 15:12:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dolby.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SFInWHpXExrD for <detnet@ietfa.amsl.com>; Wed, 18 Dec 2019 15:12:10 -0800 (PST)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2119.outbound.protection.outlook.com [40.107.244.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C210112008C for <detnet@ietf.org>; Wed, 18 Dec 2019 15:12:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J25SF0z4nxYURlTLgsJbGKlKE6aNI1MSo4OvBnLrGOi2RISMSMXMUrLWvNBpuOchs4L1ldbQMNW8cFWjx1Iyzkzcikti7g3/nxAoHAleGotgHNhTU9cIa9B9oS+hM5fsfHnysxMzDKXp5U5BOs/fztIigFtrA7gwznIqCp1+q35j9JjcdJVEn3aIk2FjQZj4z2U3bbc9SGtE8FIy+gJE/8q/CTtchyaep/ZJA/s3uAmKOF26q2KnJpfz/BR8fWkSiwiiCu3Uio/Y0HNcrf/TEv6/qwpvDAipAWUnsyYcKCdeXpyc3tnfrlvoF3Ahbc8Lmj/rtEF5DR07Kjn67jEugw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SDYC5TakPVEFx6f/6inSzEnmWMs63yyQe4zVWEGUeaQ=; b=alYgig29yNNo4TGv2o9LzEnhcVqTF4EwLyuHjXH4MaAaF0jcjVZb/LRpSeeJUQxCHgpzQv4xpn1ZWCrsmpwM4CBlyZsnoqmE8z+0vYEFfpa6P8YG9BSC9ANFkHrm/3sihDIvXPmjjpwP7qf+EFPDrSVkBi+i4tJ7iz7mWIKe+pihqms+9VWUveXdS/LMnzKBYgpZ5+ft3go0vysSsrRHffp5BWlvu/TQwISuVbHIW8cyxsumg2XY1LcEDO8z+xunBaOQx/sCqmZedwPakN6E+KXBi27Z98W6tuDocsPUK9PS+2SKf/ChmLtzJwqvKXRK3Ub6fi/tyoergiOzJUqmbQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dolby.com; dmarc=pass action=none header.from=dolby.com; dkim=pass header.d=dolby.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolby.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SDYC5TakPVEFx6f/6inSzEnmWMs63yyQe4zVWEGUeaQ=; b=lm1EHS8toPte2UHh5/V7lhB0ehv4VLjLNXepjA9vGEBt4WZSIYFOIwd9a/1i8dHQJIZUKoT/iZJLAsS1qOXyxR1jJesWqvfCoEdzxNVF6C/4Wz0S0PMnLdTk5TeRstOr6IXurqs8Cl86l8Ml1PmQpfPZzKO1daRKXcKJ9229ldM=
Received: from BYAPR06MB4325.namprd06.prod.outlook.com (52.135.240.140) by BYAPR06MB4342.namprd06.prod.outlook.com (52.135.239.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2538.19; Wed, 18 Dec 2019 23:12:09 +0000
Received: from BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::d4d3:b053:f4cd:48ce]) by BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::d4d3:b053:f4cd:48ce%7]) with mapi id 15.20.2538.019; Wed, 18 Dec 2019 23:12:09 +0000
From: "Grossman, Ethan A." <eagros@dolby.com>
To: "detnet@ietf.org" <detnet@ietf.org>, "Le Boudec Jean-Yves (jean-yves.leboudec@epfl.ch)" <jean-yves.leboudec@epfl.ch>
Thread-Topic: DetNet Security Considerations 17Dec19 call notes
Thread-Index: AdW1+D5h3czPQaBOTtqNxVCaHTizuQ==
Date: Wed, 18 Dec 2019 23:12:09 +0000
Message-ID: <BYAPR06MB4325B8B7A61DB7A73F6ACB77C4530@BYAPR06MB4325.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-dg-ref: PG1ldGE+PGF0IG5tPSJib2R5Lmh0bWwiIHA9ImM6XHVzZXJzXGVhZ3Jvc1xhcHBkYXRhXHJvYW1pbmdcMDlkODQ5YjYtMzJkMy00YTQwLTg1ZWUtNmI4NGJhMjllMzViXG1zZ3NcbXNnLWNmOGM3YjZhLTIxZWItMTFlYS1iOTEyLTg0ZmRkMTNjZDRjZlxhbWUtdGVzdFxjZjhjN2I2Yi0yMWViLTExZWEtYjkxMi04NGZkZDEzY2Q0Y2Zib2R5Lmh0bWwiIHN6PSIxMjQzOSIgdD0iMTMyMjExODQzMjgzMjU3MzI0IiBoPSJPTHhZZnpmYXRrV3EwSHRXUk8wNVg5dUt0Rk09IiBpZD0iIiBibD0iMCIgYm89IjEiLz48L21ldGE+
authentication-results: spf=none (sender IP is ) smtp.mailfrom=eagros@dolby.com;
x-originating-ip: [8.39.141.5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cb239e27-5c33-4a85-fb10-08d7840fb538
x-ms-traffictypediagnostic: BYAPR06MB4342:
x-microsoft-antispam-prvs: <BYAPR06MB434209749298F10BEE95D5E4C4530@BYAPR06MB4342.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0255DF69B9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(346002)(39850400004)(136003)(396003)(53754006)(199004)(189003)(81156014)(2906002)(5660300002)(86362001)(9326002)(8936002)(26005)(4743002)(7696005)(478600001)(81166006)(15650500001)(6506007)(9686003)(33656002)(66556008)(66446008)(55016002)(66946007)(66476007)(110136005)(76116006)(71200400001)(316002)(64756008)(186003)(52536014)(8676002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR06MB4342; H:BYAPR06MB4325.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: dolby.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Re9AktmWoLTIpbyEDYhJtYWljJZa00PzHVDcRAduAWm5CgO4sHVpWXuhRA35caIXSnDyyWInqsQgLaILHudySWrR30U//bPZ1g93V3ufHmg3iqj9zXin3vJhQs4kXHVHRZlb9dLHAz5QiSssiF7VM+1VbUXcza+HQE9kyspODAkh9bg2VtkMZvkVYcGlUIjF5dqLQ6gsfmX9hVUpCHdQD2yK18ms3Ipcrder6IU5+isSGNUDHBVUdmVCxm0VojzhtDL4PLDVCVcTFn30naJ70qQVuaw+jzc43Ayy23ROqnlWx2oilVkfwftbDOuscXdDIHvvLdU0kvr7CqgtVNFAe2zsBoYXQL/gEIKIfXHsu2Kv4S+cKSg+IzpbRjuGIr/iyYWQGqjbzOlM5D9d6BG1UtPVoqEFb79tx6o2k/IFegk8EmIRAVxjF3+z1MhVhnjwFN1moVF/Q6vVfFNpkOEEqO9LQkJoSHAoSyD47SUbcZAO7PEhFGyI02vqTxYkYfR6
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BYAPR06MB4325B8B7A61DB7A73F6ACB77C4530BYAPR06MB4325namp_"
MIME-Version: 1.0
X-OriginatorOrg: dolby.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cb239e27-5c33-4a85-fb10-08d7840fb538
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Dec 2019 23:12:09.4801 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 05408d25-cd0d-40c8-8962-5462de64a318
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KIg4AlSyvMZj1eQ52L1yW0TkyGBJ5Uj4W6XQonCIOyFM5ehqLfljCMlCKkuKiqbrnRSyvzx6CNMM7zYoraFYag==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR06MB4342
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/YnPHVxp_R-58Ot09plJ_yutNHmA>
Subject: [Detnet] DetNet Security Considerations 17Dec19 call notes
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 23:12:14 -0000
Hi All,
Here are my notes on the DetNet Security call we had last week (attendees: Stewart Bryant, David Black and me). Thus far I have not made any changes to the draft, because the implications of the discussions below, if implemented, could result in a significant revision of the draft, and I would like to hear what y'all think about the proposed direction. So please put in your $0.02.
Jean-Yves, if you're out there, I would be particularly interested in your input since I know you have experience with observing non-DetNet-WG peoples' reactions to the draft in its current form.
Reminder that we have scheduled another call for Tuesday Jan 21, 2020, 10am.
Thanks,
Ethan (as DetNet Security Draft editor)
-----------------------------------------------------------------------
* On recommendation for using IPSec for DetNet IP - problem: Can't see enough of the flow to do flow differentiation; e.g. need 6tuple but is always hidden in IPSec. Lou wrote that section, need to check with him.
* We want to set the initial expectation that the DetNet network to be secured is already a well-designed and well-managed network (other possible phrasing: "a traffic-managed, controlled environment" or "a traffic-engineered network") following existing best practices. We assume that all such relevant characteristics are in place as a starting place for this DetNet Security Considerations draft/discussion. We can thus simplify our draft by setting this assumption. Having the draft be shorter is a positive step.
* Regarding control plane - we can state that every Control Plane has to be well managed and secured by industry standard practice - this removes the need to say a lot of the specific things we say in the draft.
* We want to the initial expectation that the reader will be familiar with the DetNet Use Cases draft, because that is where the "expectations" (not saying "requirements") regarding security are stated, since there is no DetNet Security Requirements ("Expectations") draft. (As a result, our intention is to remove Sec 8. Appendix A: DetNet Draft Security-Related Statements from the draft - any objections to that?) In review if someone says something about lack of specific security "requirements" to review the draft against, we can point to the Use Cases drafts. (This is normal in IETF specs - each RFC is a chapter in the book, assumed reader will read all of chapters. Contrast with other organization specifications which are more self-contained).
* An MPLS network is inherently more secure than an IP network, because with MPLS it is difficult to introduce a rogue LSR or PE into the network, compared with IP, in which a random device is less difficult to introduce onto the network (and from there send packets into the network). An MPLS network is highly managed by its provider, e.g. BT, ATT, etc. Nothing gets in there.
* In contrast to a PW model for MPLS, an IP model can be thought of as an overlay model, so the goal is to protect the overlay forwarding resources. To do that, we need to manage the network as tightly as an MPLS network, equivalent to MPLS-TE. Need to have that as a starting point - should be "this is a mega tight network, nothing gets in that we don't allow in".
* Another way to phrase this is like "with a standard IT network, we manage it at least as well as a VPN". We have a lot of experience with VPNs running through networks with other VPNs, we know how to do that. Perhaps this could be pointed out somewhere near the text that says that legacy OT networks are "isolated" (meaning "air gapped") (from e.g. the IT network) and are thus less susceptible to attack. Assume VPN characteristics, but note that any "bumping into" (interference) of one packet with another can have an effect.
* Network slicing - could this be used for DetNet? Or is it that DetNet could be used to implement slicing? This is a meta-problem at architecture level; Perhaps the world has changed since Arch doc was written. Lots of people working on slicing now, e.g. for 3GPP. Perhaps Lou's work in TEAS on TE'd VPN is relevant? Two strategies for this: Classical MPLS model vs SR model. Issue of stealing resources - we could describe this as an issue, or maybe could even refer to slice drafts, but we don't want to be held up by those drafts. Point is that others are thinking about this.
* Draft needs to set out principles, good quality abstract models, rather than details; currently the draft has too many details. Not enough focus on delay and packet loss considerations, which are the core. Current draft focus is explicit on "now" technologies, as opposed to setting considerations for any technology. Need to establish what they need to do to conform to security considerations. Current draft is drilled down into classical existing world, perhaps not the world we will find in the future. Need to review what we can assume is known, and what we have to do to encompass various technologies.
* Section 3 - seems like a basic tutorial on security threats? Is that level of tutorial needed, given the expectations set above? For example Internal vs external, access to segments, all standard in secured traffic engineered MPLS networks. Can assume that is taken care of. But delaying a packet is more significant, can be very subtle, need to focus more on that.
* Regarding DetNet to transfer clocking - could be beneficial to clock distribution, however if using PREOF then it could be detrimental to clock sync and ranging. Need to teach people that there are limitations - is this the place for that? We are clear that we are not addressing how time is to be distributed in a DetNet network, but maybe a caveat is in order? Clock xfer is subtle, few understand it.
* Not discussing what a data plane needs to do or how it would do it, but describe properties it needs to have in order to conform to security properties or expectations or needs. That is, we need to state expectations of DP, how it would meet requirements, but if it can't, how it would mitigate them. For example, consider a requirement for "IT traffic must not affect DetNet traffic". So a possible implementation, as one would do in a non-time-sensitive network is to put them in their own VPNs or MPLS tunnels to ensure they run independently. However DetNet special since packets "bumping into" other packets can be a problem. We need to say that they have to provide this isolation, but not how to provide it. So we can say something like "forwarding bandwidth (and related resources) must be protected so that they are available to detnet traffic". How they do it is up to the dataplane designers. Otherwise we end up committing to solve an infinite number of problems, and possibly limit options of designers to innovate or otherwise solve problems.
-----------------------------------------------------------------------
- [Detnet] DetNet Security Considerations 17Dec19 c… Grossman, Ethan A.