Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
Lou Berger <lberger@labn.net> Thu, 21 February 2019 20:32 UTC
Return-Path: <lberger@labn.net>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBA99130E83 for <detnet@ietfa.amsl.com>; Thu, 21 Feb 2019 12:32:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUKHSuF6oOBp for <detnet@ietfa.amsl.com>; Thu, 21 Feb 2019 12:32:20 -0800 (PST)
Received: from alt-proxy16.mail.unifiedlayer.com (alt-proxy16.mail.unifiedlayer.com [70.40.197.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A560130E7F for <detnet@ietf.org>; Thu, 21 Feb 2019 12:32:20 -0800 (PST)
Received: from CMGW (unknown [10.9.0.13]) by gproxy9.mail.unifiedlayer.com (Postfix) with ESMTP id 80B831E076D for <detnet@ietf.org>; Thu, 21 Feb 2019 13:32:17 -0700 (MST)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id wv0zgT7SZeyBxwv0zg1vqn; Thu, 21 Feb 2019 13:32:17 -0700
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=WEJ1w0REHCzPyujUKH+cecrupFsAHyKbRlYh9VAEkwI=; b=dcVkoS7f67G6wy6DDg4sZ6XGZ+ dt6VVIYK7d9z0XkG2tBzB6MsOviuOU7KLQVGqoKjHV2dpLoA9O6BWVYpcCcWo8Jtr8IqOo2ny2Uhj bYucTPOcRYa2GgdOIaUntJ1GT;
Received: from pool-72-66-11-201.washdc.fios.verizon.net ([72.66.11.201]:59514 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <lberger@labn.net>) id 1gwv0z-004E5w-3T; Thu, 21 Feb 2019 13:32:17 -0700
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-detnet-architecture@ietf.org, detnet@ietf.org, The IESG <iesg@ietf.org>, detnet-chairs@ietf.org
References: <155063426136.20704.6779201119170972943.idtracker@ietfa.amsl.com> <cb52062a-b4fb-b51a-2dc3-ca7f161c8f89@labn.net> <20190220160743.GD69562@kduck.mit.edu> <36c4ce97-5c4a-89ab-d648-3e7705a6acd3@labn.net> <20190220212104.GK69562@kduck.mit.edu>
From: Lou Berger <lberger@labn.net>
Message-ID: <30e27625-da32-7e67-6e3a-a923830b9e5c@labn.net>
Date: Thu, 21 Feb 2019 15:32:15 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <20190220212104.GK69562@kduck.mit.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 72.66.11.201
X-Source-L: No
X-Exim-ID: 1gwv0z-004E5w-3T
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-72-66-11-201.washdc.fios.verizon.net ([IPv6:::1]) [72.66.11.201]:59514
X-Source-Auth: lberger@labn.net
X-Email-Count: 3
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/eq6TgVWUMmFCF79OftR7Ip8BMBA>
Subject: Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 20:32:23 -0000
Hi Benjamin, On 2/20/2019 4:21 PM, Benjamin Kaduk wrote: > Hi Lou, > > On Wed, Feb 20, 2019 at 11:34:11AM -0500, Lou Berger wrote: >> On 2/20/2019 11:07 AM, Benjamin Kaduk wrote: >>> On Wed, Feb 20, 2019 at 09:33:34AM -0500, Lou Berger wrote: >>>> On 2/19/2019 10:44 PM, Benjamin Kaduk wrote: >>>>> I note that the DETNET WG is explicitly chartered with a work item for the >>>>> "overall architecture: This work encompasses ... and security aspects". >>>>> It seems incomplete to specify an architecture for a topic such as >>>>> deterministic networking without specifically considering what threats are >>>>> and are not in scope to be protected against. >>>> The working group certainly recognizes that security is an important >>>> topic and necessary part of the work. The WG's approach to ensure that >>>> this significant topic is sufficiently covered is to have a document >>>> dedicated to the topic. As you note below this work, >>>> draft-ietf-detnet-security, is not at the same level maturity - so >>>> please stay tuned. Of course, the WG would welcome any input on this >>>> security draft now or even a full early-review or security area advisor. >>> I do appreciate that the WG has taken the time to work on a dedicated >>> security document, that goes through the (tedious!) effort to tabulate the >>> various known attacker capabilities, threats, and their interactions. >>> >>> What I think is missing from the high-level architecture document is a >>> sense for what security goals the architecture intends to achieve. It's >>> fine to have this be separate from the nitty-gritty stuff in the separate >>> document, but these high-level questions can have an impact on the >>> high-level design of the protocol ecosystem as a whole. We have mounds of >>> examples of "come up with a design; bolt security on as an afterthought" >>> working poorly or being nigh-impossible, and I haven't seen any attempt at >>> justification for why doing so here is likely to be any different. >>> Including the security concepts from the start and wholly integrating them >>> into the system tends to produce a much more elegant design and smoother >>> outcomes all around. >> We went back and forth on how much of the security topic to include in >> the architecture document and settled on the current text of section 5 >> where just high level security requirements are identified. From your >> list below, the architecture covers the points you raise (non-detnet >> traffic impacting detnet traffic, and detnet traffic trying to use more >> than its allocation) mainly from a service delivery perspective. It >> does mention "shaping" as a security concern, the document could expand >> these if helpful. But I think the real discussion point is how much of >> the security details should be in the base (vs dedicated) document -- >> and that you disagree with where the WG has drawn the line. Is this >> correct? > Well, it's not as much that I disagree about where the line is drawn, as > that I disagree with the characterization as "high level security > requirements". > > The first paragraph covers topics worth including here, certainly -- an > attacker that can introduce delay can inherently break the DetNet > guarantees, and there is no further defense. But the text could probably > go further than its current version and explicitly call out that no > technical measures can defend against such delay, other than by > rerouting/avoiding the compromised position. > > The second paragraph also covers a topic worth noting, that entropy and > Murphy as as important of risks to consider as active attacks. > > The rest of the section/list don't seem to match up with the high-level > view, though -- "protection of the signaling protocol", but protection > against what? Authentication and authorization are important parts of > security, but authorization is tied to actions and entities, not just > entities in vacuo. For "identification and shaping of DetNet flows", if > security must cover them, what security properties are needed. Do we need > to provide integrity protection for the marking, or confidentiality > protection, too? Does authentication/integrity need to be provided for > in-line or are out-of-band considerations in play? > > The rest of the document presents a good high level picture of what pieces > will be involved in a system, and how they fit together. I'm hoping to see > a high-level picture of what attacks/failures the architecture does and > does not aim to protect against. It's somewhat implied that we need to > protect against the failure of any single node or link (except at the > boundary) due to random faults; explicitly saying this would be a perfect > hting to include in the security considerations here! Once we get beyond > entropy as an attack, into more active attack scenarios, though, we need to > consider what capabilities an attacker might have. Do we protect against > an entity with the ability to inject various forms of traffic? Modify or > drop valid traffic? Are there any (classes of) credentials that we assume > must be securely held, or will we attempt to protect against attackers that > have some privilege within the system? (Note that misbehaving hardware can > sometimes present as similar or identical to such an attacker.) > > Does this give a better picture of what I'm thinking of as "high-level > security requirements"? I don't necessarily need details of specific > hardware or credentials at play, and certainly not for the solutions, but I > want to have a clear picture of what the scope of future security analysis > will be. "How will I be able to tell if the actual protocols meet the > security requirements of the architecture?" I'll get with authors (of both the architecture and security docs) and see how much they think can be reasonably be added to this document -- to be clear you *are* asking for a change in how the WG decide to address this topic and what would go in which document. Lou > -Benjamin > > _______________________________________________ > detnet mailing list > detnet@ietf.org > https://www.ietf.org/mailman/listinfo/detnet >
- [Detnet] Benjamin Kaduk's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Lou Berger
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Lou Berger
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Lou Berger
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Grossman, Ethan A.
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas
- Re: [Detnet] Benjamin Kaduk's Discuss on draft-ie… János Farkas