Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
Lou Berger <lberger@labn.net> Wed, 20 February 2019 16:43 UTC
Return-Path: <lberger@labn.net>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D66712870E for <detnet@ietfa.amsl.com>; Wed, 20 Feb 2019 08:43:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iz1Re8nnS2aA for <detnet@ietfa.amsl.com>; Wed, 20 Feb 2019 08:43:39 -0800 (PST)
Received: from gproxy4-pub.mail.unifiedlayer.com (gproxy4-pub.mail.unifiedlayer.com [69.89.23.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 150461277D2 for <detnet@ietf.org>; Wed, 20 Feb 2019 08:43:39 -0800 (PST)
Received: from cmgw12.unifiedlayer.com (unknown [10.9.0.12]) by gproxy4.mail.unifiedlayer.com (Postfix) with ESMTP id C0BAD1795C5 for <detnet@ietf.org>; Wed, 20 Feb 2019 09:34:12 -0700 (MST)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id wUp2ghw1Cmds9wUp2gUXnN; Wed, 20 Feb 2019 09:34:12 -0700
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=+pVaXKNUgDlYg56bKXiMiolurTazy2ds1IkW6NwyPwk=; b=G8mLRtld9nkPIV4rdolWjpNuhB ZOhyAxAlfJs0Ka9uNIZTVSfd//eR9gQ2HVirPsuj8gACU3d888rDEkZgWKNGbwt5jywodmYzBMvis JB5KSZ2x5lA6PhXvVJCsmSlS0;
Received: from pool-72-66-11-201.washdc.fios.verizon.net ([72.66.11.201]:35608 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <lberger@labn.net>) id 1gwUp2-000jUG-6s; Wed, 20 Feb 2019 09:34:12 -0700
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-detnet-architecture@ietf.org, detnet@ietf.org, The IESG <iesg@ietf.org>, detnet-chairs@ietf.org
References: <155063426136.20704.6779201119170972943.idtracker@ietfa.amsl.com> <cb52062a-b4fb-b51a-2dc3-ca7f161c8f89@labn.net> <20190220160743.GD69562@kduck.mit.edu>
From: Lou Berger <lberger@labn.net>
Message-ID: <36c4ce97-5c4a-89ab-d648-3e7705a6acd3@labn.net>
Date: Wed, 20 Feb 2019 11:34:11 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <20190220160743.GD69562@kduck.mit.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 72.66.11.201
X-Source-L: No
X-Exim-ID: 1gwUp2-000jUG-6s
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-72-66-11-201.washdc.fios.verizon.net ([IPv6:::1]) [72.66.11.201]:35608
X-Source-Auth: lberger@labn.net
X-Email-Count: 13
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/duKa7ZVTNgA2RjLcnnJjb2kqBn8>
Subject: Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 16:43:40 -0000
Hi Benjamin, Please see below. On 2/20/2019 11:07 AM, Benjamin Kaduk wrote: > Hi Lou, > > On Wed, Feb 20, 2019 at 09:33:34AM -0500, Lou Berger wrote: >> Hi Benjamin, >> >> I'm responding as doc shepherd (and chair). Thank you for your >> comments. Please see below for specific responses. >> >> On 2/19/2019 10:44 PM, Benjamin Kaduk wrote: >>> Benjamin Kaduk has entered the following ballot position for >>> draft-ietf-detnet-architecture-11: Discuss >>> >>> When responding, please keep the subject line intact and reply to all >>> email addresses included in the To and CC lines. (Feel free to cut this >>> introductory paragraph, however.) >>> >>> >>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >>> for more information about IESG DISCUSS and COMMENT positions. >>> >>> >>> The document, along with other ballot positions, can be found here: >>> https://datatracker.ietf.org/doc/draft-ietf-detnet-architecture/ >>> >>> >>> >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> I note that the DETNET WG is explicitly chartered with a work item for the >>> "overall architecture: This work encompasses ... and security aspects". >>> It seems incomplete to specify an architecture for a topic such as >>> deterministic networking without specifically considering what threats are >>> and are not in scope to be protected against. >> The working group certainly recognizes that security is an important >> topic and necessary part of the work. The WG's approach to ensure that >> this significant topic is sufficiently covered is to have a document >> dedicated to the topic. As you note below this work, >> draft-ietf-detnet-security, is not at the same level maturity - so >> please stay tuned. Of course, the WG would welcome any input on this >> security draft now or even a full early-review or security area advisor. > I do appreciate that the WG has taken the time to work on a dedicated > security document, that goes through the (tedious!) effort to tabulate the > various known attacker capabilities, threats, and their interactions. > > What I think is missing from the high-level architecture document is a > sense for what security goals the architecture intends to achieve. It's > fine to have this be separate from the nitty-gritty stuff in the separate > document, but these high-level questions can have an impact on the > high-level design of the protocol ecosystem as a whole. We have mounds of > examples of "come up with a design; bolt security on as an afterthought" > working poorly or being nigh-impossible, and I haven't seen any attempt at > justification for why doing so here is likely to be any different. > Including the security concepts from the start and wholly integrating them > into the system tends to produce a much more elegant design and smoother > outcomes all around. We went back and forth on how much of the security topic to include in the architecture document and settled on the current text of section 5 where just high level security requirements are identified. From your list below, the architecture covers the points you raise (non-detnet traffic impacting detnet traffic, and detnet traffic trying to use more than its allocation) mainly from a service delivery perspective. It does mention "shaping" as a security concern, the document could expand these if helpful. But I think the real discussion point is how much of the security details should be in the base (vs dedicated) document -- and that you disagree with where the WG has drawn the line. Is this correct? Thanks, Lou >> (We have one from the transport area.) >> >>> Some easy questions should >>> be whether the system is expected to be robust in the face of an attacker >>> that generates non-DetNet traffic? Or an attacker that generates DetNet >>> traffic in excess of reservations? It can even be a fine engineering goal >>> to produce a solution that only protects against media corruption and >>> hardware crashes and leaves active attacks out of scope, but the actual >>> intended scope of the work needs to be clear. At the other end of the >>> spectrum, protecting against as potent an attacker as a malicious traffic >>> policer is probably a lost cause, especially if the policer is authorized >>> to direct remote nodes to take action to terminate "misbehaving" flows. >>> The referenced draft-ietf-detnet-security is not at a comparable maturity >>> level to this document and also fails to present a clear threat model for >>> the DetNet architecture. (The section entitled "Threat Model" reads as >>> more of a taxonomy of threats than a model for what threats are and are not >>> to be addressed.) It also presents the usage of cryptographic mechanisms >>> as mitigation techniques without provisioning for the prerequisties of such >>> mechanisms (e.g., using HMAC for message integrity protection without >>> mention of infrastructure for distributing the keys for keying the HMAC). >>> >> These are all great input for draft-ietf-detnet-security - I'll touch >> with authors to ensure that they are aware of your comments. > I noticed a few other things of note while skimming; I'll try to send those > over as well. > >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> I agree with Alexey that Informational would (also) be a fine status in >>> which to publish this document. >> I defer to the IESG and our AD. >> >> I think the authors can address/respond to the remaining comments. > Sounds good. > > -Benjamin > > _______________________________________________ > detnet mailing list > detnet@ietf.org > https://www.ietf.org/mailman/listinfo/detnet >
- [Detnet] Benjamin Kaduk's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Lou Berger
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Lou Berger
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Lou Berger
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Grossman, Ethan A.
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas