IETF Logo Mail Archive

Re: [Detnet] I-D Action: draft-ietf-detnet-security-06.txt

"Grossman, Ethan A." <eagros@dolby.com> Sun, 03 November 2019 04:19 UTC

Return-Path: <eagros@dolby.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53722120096 for <detnet@ietfa.amsl.com>; Sat, 2 Nov 2019 21:19:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dolby.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65rD8cqLW8yH for <detnet@ietfa.amsl.com>; Sat, 2 Nov 2019 21:19:33 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680137.outbound.protection.outlook.com [40.107.68.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71A04120013 for <detnet@ietf.org>; Sat, 2 Nov 2019 21:19:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CDrSbEz9T3dC/RKhjEMpRZQxPc9Uddpr4RSjLlpuGF03z3vl/UGAEZoyL999EhyJzPSEij3ZZHKimEMD9nCwskwZplZTuoa8wkFI0QwvIMaViRB3nhjfdNs+/lRjkROH3IZNSRPgBBJzfeVw5GI9oTGXWKAN0eTOIQkyP+7bfuE2EM0T5XnF+3Mi0alv89ciZPsdKBkvTJxYd3O03te8+cFAbwQqSxfVC9qk0APd3GcunH6n9wUvPxIX34e3STjXQEsE7Kpu+WgT8jdlfeQDNt5sqDyVuisg/7R6TL6+S8CfpEKLo7lvRKMsjaKoCpidIHylZ7GKRFfqfdVaV1FAUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BdnoVSxDYEMKvnYHxMIJhjzvUUnv9OrdjHYTmgdb49k=; b=kqc48SHIzzOuvN5HpdX35RaKjojUYNFFytYy7IrbYH4KJ4xwIxSF28Er4VN00WFVJ9Bqye2rMap7+NjnzFJIlCZpfxunZKWRH4e7Vltg9IJHlZIhYW089at1lLu3sqhGFg7lx74S58zc2c3psfi4XbrNJ8S6SOH8EWC9kak3v2vmN+BUrxMMroyjE3GEuFGjQtPL7+kdUqW4nUihmKa2hvFCHIi8g88a6mXWvGjxajC8Ssd6B/8SLfmcMXKsx3ViqzHslBtP9gg68wBRpF1mrJqQWo1JLXZ5wXSP/gkTogwOoOIb6KbDIs1XeJvvEc5OsSE+RFWgXTbi7k7fUivAfA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dolby.com; dmarc=pass action=none header.from=dolby.com; dkim=pass header.d=dolby.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolby.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BdnoVSxDYEMKvnYHxMIJhjzvUUnv9OrdjHYTmgdb49k=; b=mt/3HT4+w8C9vcJeKXpHZcxo09Yizw1yLPYVrWZQpLtJWscHJ3rEYktI+w+sqE3XNlxHBCr3KcZpwQLqzd+sgNnVrkLP3qfOccue/UX8M7jzNEEmQ5godaoYcMqwyk5U2IZvkd/IQFNBNGBvIccsSIdx9/cg7TQ2zzj5DLG1ERE=
Received: from BYAPR06MB4325.namprd06.prod.outlook.com (52.135.240.140) by BYAPR06MB5239.namprd06.prod.outlook.com (20.178.50.205) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2408.24; Sun, 3 Nov 2019 04:19:28 +0000
Received: from BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::f8b9:b2ac:1956:c9ba]) by BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::f8b9:b2ac:1956:c9ba%5]) with mapi id 15.20.2387.028; Sun, 3 Nov 2019 04:19:27 +0000
From: "Grossman, Ethan A." <eagros@dolby.com>
To: "detnet@ietf.org" <detnet@ietf.org>
Thread-Topic: [Detnet] I-D Action: draft-ietf-detnet-security-06.txt
Thread-Index: AQHVkfsjBU9EZcfhmE6wLuTco5+nmqd40vtA
Date: Sun, 03 Nov 2019 04:19:27 +0000
Message-ID: <BYAPR06MB43250A6348891C54D091D3F7C47C0@BYAPR06MB4325.namprd06.prod.outlook.com>
References: <157275357735.5994.10091484075877660890@ietfa.amsl.com>
In-Reply-To: <157275357735.5994.10091484075877660890@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-dg-ref: PG1ldGE+PGF0IG5tPSJib2R5LnR4dCIgcD0iYzpcdXNlcnNcZWFncm9zXGFwcGRhdGFccm9hbWluZ1wwOWQ4NDliNi0zMmQzLTRhNDAtODVlZS02Yjg0YmEyOWUzNWJcbXNnc1xtc2ctMWViMTFlZGUtZmRmMS0xMWU5LWI5MTAtODRmZGQxM2NkNGNmXGFtZS10ZXN0XDFlYjExZWRmLWZkZjEtMTFlOS1iOTEwLTg0ZmRkMTNjZDRjZmJvZHkudHh0IiBzej0iNTgzOSIgdD0iMTMyMTcyMjgzNjY2NjI0MTIxIiBoPSIwSTNZOFRveE1mY1lyRWxoSm1OcVBWdndkQzA9IiBpZD0iIiBibD0iMCIgYm89IjEiLz48L21ldGE+
x-dg-rorf:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=eagros@dolby.com;
x-originating-ip: [73.70.15.21]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b322b6cf-4f10-406f-221a-08d760150456
x-ms-traffictypediagnostic: BYAPR06MB5239:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <BYAPR06MB5239FC7FF36A8307C6A58FBCC47C0@BYAPR06MB5239.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0210479ED8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(39830400003)(136003)(346002)(376002)(189003)(53754006)(199004)(13464003)(52536014)(186003)(99286004)(66556008)(5640700003)(64756008)(2906002)(6306002)(66066001)(476003)(3846002)(966005)(229853002)(9686003)(66574012)(6116002)(66946007)(25786009)(316002)(2501003)(53546011)(76116006)(11346002)(446003)(81156014)(1730700003)(486006)(7696005)(74316002)(6916009)(76176011)(305945005)(33656002)(7736002)(55016002)(14454004)(26005)(66446008)(66476007)(15650500001)(71200400001)(478600001)(71190400001)(6246003)(81166006)(6436002)(14444005)(2351001)(8936002)(8676002)(256004)(5660300002)(102836004)(6506007)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR06MB5239; H:BYAPR06MB4325.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:3; A:1;
received-spf: None (protection.outlook.com: dolby.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: oSTx3Yxm958dIiiqorUWg4K3cpYJlEEWYpaCOozABA13QEPLVwl9/i0JQCtolCrbsDIUFBpEekZdpmR/Cnw7eDbgTGaJLJQxycerMHhyCvxSXk4vc4GVo+Ha0zP7oSSUvZxQp+VETVwIFHeM5k2lm26Nc2zSHkP1LMogMiwhFIvCmpTZQ7jf+2rTUV15UJi/Vt9ovowOVu0B7duV67GBDHNi9AIztPpD/tUHGOni4L5R/WPqKOsjNMYwvJH+UiDepKrJ/QX2SXEMsU3z7qSgW+9zDmRjRiqWtbY8rAtXnJM707Xo35YJhw3ZZmDVz6HiBJCiBEwLICibt4N/DHWp9gdyLu+3/MaA92yVDZwvlQr+VaVMkSx+sRB039myZxsFaKg5Bery9YuwEeioxk9qL5xMHm2E8IGzJAx0rt5BJBxsBifqWGUYxQq2RDRKA2Vp6AtEVDxAvIeH93BsIrcU1KABTsJ3PvID0FkKhSndXh0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: dolby.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b322b6cf-4f10-406f-221a-08d760150456
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2019 04:19:27.8168 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 05408d25-cd0d-40c8-8962-5462de64a318
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: aojLoBCHw9Emr+mDjZQh+PykOgI79NNhuWRIJRlMSqdgr0p7CK4crcsFNIM5/m4pjv3v0z4ohAsvRxDzqTSFzQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR06MB5239
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/ZDFLcWh6Ev2pr_80puBcqLpFOvU>
Subject: Re: [Detnet] I-D Action: draft-ietf-detnet-security-06.txt
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2019 04:19:36 -0000

Hi All,
The main purpose of this update is to add new (albeit "placeholder") text for security issues specific to DetNet over MPLS, kindly contributed by Stewart. The IP-specific text was already in place, although it doesn't say much more than "nothing to see here, keep moving". The new MPLS text says pretty much the same thing but in many more words ;- ) 
A few other minor changes crept in along the way, which I characterize in total as: 

v06 2019-11-02 EAG   
	Add placeholder text from Stewart for MPLS dataplane-specific considerations.
              Removed Kevin Stanton as author. 
              Added "dummy traffic insertion" based on Norm's comment.
              Clarified that authentication (not encryption) is used for traffic origin verification, per Henrik.
              Added "Packet Sequence Number Integrity Considerations" section, per Norm comment.
              Occasional auto-reformat changes.

There is still work identified to do on this draft. Below is my current ToDo list, in no particular order: 

ToDo list:
              Update Appendix A security text for various drafts including Architecture and new dataplane drafts.
              Validate use of words "attack" and "threat" is correct - prefer use of "attack" unless necessary.
              Add a new attack type for internal knowledge of drivers/firmware (as noted in the existing Multiple Hops section) per Pascal - Is this in scope?
              Fill in ToDo sections.
              ?? Should control plane references be moved to an appendix since currently out of scope for DetNet?
              ?? Is the Security draft going to hold up publication of the DP drafts? It is referenced as 
               Informational in DP drafts.
              ?? What to do with use case text from appendix? "We believe it would be helpful to establish 
                solid requirements before we can expect external reviewers 
                to review this draft, so our intent is to take the various use case statements in the appendix and 
                turn them into more formal statement of requirements that a reviewer could measure our draft against."
              ?? Pascal pointed out that we could discuss attacks on the UNI, e.g. buffering
	Flesh out MPLS-specific considerations, e.g. "dynamic aspects". 

If anyone has any interest in contributing to any of these items, or any of your own observations on the subject, or any corrections to the above work, that would be much appreciated, please send me raw text or xml or just random notes and I can flesh them out into sentences. 

Thanks,
Ethan (as DetNet Security draft editor) 


-----Original Message-----
From: detnet <detnet-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Saturday, November 2, 2019 9:00 PM
To: i-d-announce@ietf.org
Cc: detnet@ietf.org
Subject: [Detnet] I-D Action: draft-ietf-detnet-security-06.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Deterministic Networking WG of the IETF.

        Title           : Deterministic Networking (DetNet) Security Considerations
        Authors         : Tal Mizrahi
                          Ethan Grossman
                          Andrew J. Hacker
                          Subir Das
                          John Dowdell
                          Henrik Austad
                          Norman Finn
	Filename        : draft-ietf-detnet-security-06.txt
	Pages           : 46
	Date            : 2019-11-02

Abstract:
   A deterministic network is one that can carry data flows for real-
   time applications with extremely low data loss rates and bounded
   latency.  Deterministic networks have been successfully deployed in
   real-time operational technology (OT) applications for some years.
   However, such networks are typically isolated from external access,
   and thus the security threat from external attackers is low.  IETF
   Deterministic Networking (DetNet) specifies a set of technologies
   that enable creation of deterministic networks on IP-based networks
   of potentially wide area (on the scale of a corporate network)
   potentially bringing the OT network into contact with Information
   Technology (IT) traffic and security threats that lie outside of a
   tightly controlled and bounded area (such as the internals of an
   aircraft).  These DetNet technologies have not previously been
   deployed together on a wide area IP-based network, and thus can
   present security considerations that may be new to IP-based wide area
   network designers.  This draft, intended for use by DetNet network
   designers, provides insight into these security considerations.  In
   addition, this draft collects all security-related statements from
   the various DetNet drafts (Architecture, Use Cases, etc) into a
   single location Section 8.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-detnet-security/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-detnet-security-06
https://datatracker.ietf.org/doc/html/draft-ietf-detnet-security-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-detnet-security-06


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
detnet mailing list
detnet@ietf.org
https://www.ietf.org/mailman/listinfo/detnet

v2.23.0 | Report a Bug | By Email