Re: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic

[Norman Finn <norman.finn@mail01.huawei.com>]

Certainly, this is meat for the security draft.  Some comments --

The time required to perform crypto processing is either unbounded, in which case that method is not suitable for DetNet, or it is bounded, in which case we're OK.  Maybe slow, but still deterministic.

To give differentiated QoS on a flow-by-flow basis, you must be able to identify the flows.  This opens one up to traffic analysis.  That cost of DetNet.

Many encryption suites (e.g. MACsec) can be configured to provide message integrity without obscuring all of the data.  The IP/TCP headers, for example, can be left in the clear by MACsec.  That allows hop-by-hop deep inspection, if that's what you want to do.

Crypto considerations make it even more desirable to export the flow ID to lower layers (e.g., to the MPLS label or destination MAC address), rather than depending on deep packet inspection at every hop.

-- Norm

________________________________
From: detnet [detnet-bounces@ietf.org] on behalf of Grossman, Ethan A. [eagros@dolby.com]
Sent: Tuesday, January 08, 2019 10:38 AM
To: Pascal Thubert (pthubert); Black, David
Cc: ekr@rtfm.com; detnet@ietf.org
Subject: Re: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic

Thanks David and Pascal for these thoughts; it looks like there is enough specific information here for me to spin up a section for the DetNet Security draft, something like “Encryption Considerations for DetNet”. At this point it looks like it would be in the form of describing the situation, then describing the pros and cons of the use of symmetric vs asymmetric crypto in this context (as noted below).

If y’all or anyone else on the list (DetNet Security draft co-authors??) has any further input on this topic I would love to incorporate it.
Thanks,
Ethan (as DetNet Security draft editor).

From: Pascal Thubert (pthubert) <pthubert@cisco.com>
Sent: Saturday, December 22, 2018 12:30 AM
To: Black, David <David.Black@dell.com>
Cc: Grossman, Ethan A. <eagros@dolby.com>; detnet@ietf.org; ekr@rtfm.com
Subject: Re: DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic

Hello David

We want every intermediate node to be able to detect bad packets as part of ingress filtering. If we use symmetrical keys then the key must be given to all relays which augments the risk of a leak. And if any relay is compromised or misbehaving it may inject traffic in the flow.
This is why if we could afford it an asymmetrical crypto would be preferable.

Merry Christmas!

Pascal

Le 21 déc. 2018 à 23:53, Black, David <David.Black@dell.com<mailto:David.Black@dell.com>> a écrit :
Hi Pascal,

I would not preclude that, but I would discourage it, as, if I understand what is proposed, it involves checking a digital signature on each packet at arbitrary intermediate points along the flow, which is indeed rather expensive.

If only endpoint checks or checks at a small number of intermediate points are required, a more effective approach is to use asymmetric crypto to authenticate distribution or exchange of a secret key for symmetric crypto – a successful check based on that key provides traffic origin verification as long as the key is kept secret by the participants.  Both TLS and IKE (for IPsec) are examples of this for endpoint checks.

In both cases, origin verification also requires replay detection mechanism as part of the security protocol to prevent an attacker from recording and resending traffic, e.g., as a denial of service attack on flow forwarding resources.

Thanks, --David

From: detnet [mailto:detnet-bounces@ietf.org] On Behalf Of Pascal Thubert (pthubert)
Sent: Thursday, December 20, 2018 2:34 AM
To: Black, David; Grossman, Ethan A.; detnet@ietf.org<mailto:detnet@ietf.org>
Cc: ekr@rtfm.com<mailto:ekr@rtfm.com>
Subject: Re: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic


[EXTERNAL EMAIL]
Hello David :

Asymmetric is a lot more expensive, I’m hearing, but could be very useful to ensure that the packets in a DetNet flow are from the proper source.
Say that the DetNet flow is associated with a keypair, and that the private key is available to the source of the flow whereas the public key is distributed with the flow information.
We should not preclude that should we? As long as the crypto time is bounded we should be OK.

All the best

pascal

From: detnet <detnet-bounces@ietf.org<mailto:detnet-bounces@ietf.org>> On Behalf Of Black, David
Sent: jeudi 20 décembre 2018 03:47
To: Grossman, Ethan A. <eagros@dolby.com<mailto:eagros@dolby.com>>; detnet@ietf.org<mailto:detnet@ietf.org>
Cc: ekr@rtfm.com<mailto:ekr@rtfm.com>
Subject: Re: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic

> Good question, for example do such algorithms have deterministic execution times?

Generally, yes, to a first approximation, as the algorithms used to encrypt and verify traffic are usually symmetric crypto algorithms such as AES and SHA-2 which perform the same computation regardless of input.   Non-deterministic execution times are associated with asymmetric crypto algorithms (e.g., public key algorithms), which are not typically used on a packet-by-packet basis - they’re used for session setup, including key exchange, from which keys are derived for the symmetric algorithms.

Thanks, --David

From: detnet [mailto:detnet-bounces@ietf.org] On Behalf Of Grossman, Ethan A.
Sent: Wednesday, December 19, 2018 7:42 PM
To: detnet@ietf.org<mailto:detnet@ietf.org>
Cc: ekr@rtfm.com<mailto:ekr@rtfm.com>
Subject: [Detnet] DetNet Use Cases comment - time properties of cryptographic algorithms used to verify traffic


[EXTERNAL EMAIL]

Hi All,

In going over the remaining IESG review comments, there is this question on Sec 11.5 (Security). I don’t think it is worth holding up the Use Cases draft for, but it seems worth a conversation on the list.



Text from Section 11.5:

>      addition to arriving with the data content as intended, the data must

>      also arrive at the expected time.  This may present "new" security

>      challenges to implementers, and must be addressed accordingly.  There

>      are other security implications, including (but not limited to) the

>      change in attack surface presented by packet replication and

>      elimination.



Reviewer’s Comment:

Do these requirements impose new requirements on the cryptographic algorithms used to verify traffic?



Ethan’s thoughts:

Good question, for example do such algorithms have deterministic execution times? Is there a large spread between best- and worst-case execution times? Is this a topic for the Security draft? The Architecture draft? Or is this a more general matter of network (or network silicon) design/implementation/performance, and thus doesn’t get covered in DetNet drafts?
--------------------------------------------------