Re: [Detnet] I-D Action: draft-ietf-detnet-security-06.txt
"Grossman, Ethan A." <eagros@dolby.com> Sun, 03 November 2019 04:19 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/ZDFLcWh6Ev2pr_80puBcqLpFOvU>
Hi All,

The main purpose of this update is to add new (albeit "placeholder") text for security issues specific to DetNet over MPLS, kindly contributed by Stewart. The IP-specific text was already in place, although it doesn't say much more than "nothing to see here, keep moving". The new MPLS text says pretty much the same thing but in many more words ;-)

A few other minor changes crept in along the way, which I characterize in total as:

v06 2019-11-02 EAG
- Add placeholder text from Stewart for MPLS dataplane-specific considerations.
- Removed Kevin Stanton as author.
- Added "dummy traffic insertion" based on Norm's comment.
- Clarified that authentication (not encryption) is used for traffic origin verification, per Henrik.
- Added "Packet Sequence Number Integrity Considerations" section, per Norm comment.
- Occasional auto-reformat changes.

There is still work identified to do on this draft. Below is my current ToDo list, in no particular order:

ToDo list:
- Update Appendix A security text for various drafts including Architecture and new dataplane drafts.
- Validate use of words "attack" and "threat" is correct - prefer use of "attack" unless necessary.
- Add a new attack type for internal knowledge of drivers/firmware (as noted in the existing Multiple Hops section) per Pascal - Is this in scope?
- Fill in ToDo sections.
- ?? Should control plane references be moved to an appendix since currently out of scope for DetNet?
- ?? Is the Security draft going to hold up publication of the DP drafts? It is referenced as Informational in DP drafts.
- ?? What to do with use case text from appendix? "We believe it would be helpful to establish solid requirements before we can expect external reviewers to review this draft, so our intent is to take the various use case statements in the appendix and turn them into more formal statement of requirements that a reviewer could measure our draft against."
- ?? Pascal pointed out that we could discuss attacks on the UNI, e.g. buffering
- Flesh out MPLS-specific considerations, e.g. "dynamic aspects".

If anyone has any interest in contributing to any of these items, or any of your own observations on the subject, or any corrections to the above work, that would be much appreciated; please send me raw text or xml or just random notes and I can flesh them out into sentences.

Thanks,
Ethan (as DetNet Security draft editor)

-----Original Message-----
From: detnet <detnet-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Saturday, November 2, 2019 9:00 PM
To: i-d-announce@ietf.org
Cc: detnet@ietf.org
Subject: [Detnet] I-D Action: draft-ietf-detnet-security-06.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Deterministic Networking WG of the IETF.

        Title    : Deterministic Networking (DetNet) Security Considerations
        Authors  : Tal Mizrahi, Ethan Grossman, Andrew J. Hacker, Subir Das, John Dowdell, Henrik Austad, Norman Finn
        Filename : draft-ietf-detnet-security-06.txt
        Pages    : 46
        Date     : 2019-11-02

Abstract:
   A deterministic network is one that can carry data flows for real-time applications with extremely low data loss rates and bounded latency. Deterministic networks have been successfully deployed in real-time operational technology (OT) applications for some years. However, such networks are typically isolated from external access, and thus the security threat from external attackers is low. IETF Deterministic Networking (DetNet) specifies a set of technologies that enable creation of deterministic networks on IP-based networks of potentially wide area (on the scale of a corporate network), potentially bringing the OT network into contact with Information Technology (IT) traffic and security threats that lie outside of a tightly controlled and bounded area (such as the internals of an aircraft). These DetNet technologies have not previously been deployed together on a wide area IP-based network, and thus can present security considerations that may be new to IP-based wide area network designers. This draft, intended for use by DetNet network designers, provides insight into these security considerations. In addition, this draft collects all security-related statements from the various DetNet drafts (Architecture, Use Cases, etc) into a single location, Section 8.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-detnet-security/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-detnet-security-06
https://datatracker.ietf.org/doc/html/draft-ietf-detnet-security-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-detnet-security-06

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/