IETF Logo Mail Archive

Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

Lou Berger <lberger@labn.net> Thu, 21 February 2019 20:32 UTC

Return-Path: <lberger@labn.net>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBA99130E83 for <detnet@ietfa.amsl.com>; Thu, 21 Feb 2019 12:32:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUKHSuF6oOBp for <detnet@ietfa.amsl.com>; Thu, 21 Feb 2019 12:32:20 -0800 (PST)
Received: from alt-proxy16.mail.unifiedlayer.com (alt-proxy16.mail.unifiedlayer.com [70.40.197.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A560130E7F for <detnet@ietf.org>; Thu, 21 Feb 2019 12:32:20 -0800 (PST)
Received: from CMGW (unknown [10.9.0.13]) by gproxy9.mail.unifiedlayer.com (Postfix) with ESMTP id 80B831E076D for <detnet@ietf.org>; Thu, 21 Feb 2019 13:32:17 -0700 (MST)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id wv0zgT7SZeyBxwv0zg1vqn; Thu, 21 Feb 2019 13:32:17 -0700
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=WEJ1w0REHCzPyujUKH+cecrupFsAHyKbRlYh9VAEkwI=; b=dcVkoS7f67G6wy6DDg4sZ6XGZ+ dt6VVIYK7d9z0XkG2tBzB6MsOviuOU7KLQVGqoKjHV2dpLoA9O6BWVYpcCcWo8Jtr8IqOo2ny2Uhj bYucTPOcRYa2GgdOIaUntJ1GT;
Received: from pool-72-66-11-201.washdc.fios.verizon.net ([72.66.11.201]:59514 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <lberger@labn.net>) id 1gwv0z-004E5w-3T; Thu, 21 Feb 2019 13:32:17 -0700
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-detnet-architecture@ietf.org, detnet@ietf.org, The IESG <iesg@ietf.org>, detnet-chairs@ietf.org
References: <155063426136.20704.6779201119170972943.idtracker@ietfa.amsl.com> <cb52062a-b4fb-b51a-2dc3-ca7f161c8f89@labn.net> <20190220160743.GD69562@kduck.mit.edu> <36c4ce97-5c4a-89ab-d648-3e7705a6acd3@labn.net> <20190220212104.GK69562@kduck.mit.edu>
From: Lou Berger <lberger@labn.net>
Message-ID: <30e27625-da32-7e67-6e3a-a923830b9e5c@labn.net>
Date: Thu, 21 Feb 2019 15:32:15 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <20190220212104.GK69562@kduck.mit.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 72.66.11.201
X-Source-L: No
X-Exim-ID: 1gwv0z-004E5w-3T
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-72-66-11-201.washdc.fios.verizon.net ([IPv6:::1]) [72.66.11.201]:59514
X-Source-Auth: lberger@labn.net
X-Email-Count: 3
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/eq6TgVWUMmFCF79OftR7Ip8BMBA>
Subject: Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 20:32:23 -0000

Hi Benjamin,

On 2/20/2019 4:21 PM, Benjamin Kaduk wrote:
> Hi Lou,
>
> On Wed, Feb 20, 2019 at 11:34:11AM -0500, Lou Berger wrote:
>> On 2/20/2019 11:07 AM, Benjamin Kaduk wrote:
>>> On Wed, Feb 20, 2019 at 09:33:34AM -0500, Lou Berger wrote:
>>>> On 2/19/2019 10:44 PM, Benjamin Kaduk wrote:
>>>>> I note that the DETNET WG is explicitly chartered with a work item for the
>>>>> "overall architecture: This work encompasses ... and security aspects".
>>>>> It seems incomplete to specify an architecture for a topic such as
>>>>> deterministic networking without specifically considering what threats are
>>>>> and are not in scope to be protected against.
>>>> The working group certainly recognizes that security is an important
>>>> topic and necessary part of the work. The WG's  approach to ensure that
>>>> this significant topic is sufficiently covered is to have a  document
>>>> dedicated to the topic.  As you note below this work,
>>>> draft-ietf-detnet-security, is not at the same level maturity - so
>>>> please stay tuned.  Of course, the WG would welcome any input on this
>>>> security draft now or even a full early-review or security area advisor.
>>> I do appreciate that the WG has taken the time to work on a dedicated
>>> security document, that goes through the (tedious!) effort to tabulate the
>>> various known attacker capabilities, threats, and their interactions.
>>>
>>> What I think is missing from the high-level architecture document is a
>>> sense for what security goals the architecture intends to achieve.  It's
>>> fine to have this be separate from the nitty-gritty stuff in the separate
>>> document, but these high-level questions can have an impact on the
>>> high-level design of the protocol ecosystem as a whole.  We have mounds of
>>> examples of "come up with a design; bolt security on as an afterthought"
>>> working poorly or being nigh-impossible, and I haven't seen any attempt at
>>> justification for why doing so here is likely to be any different.
>>> Including the security concepts from the start and wholly integrating them
>>> into the system tends to produce a much more elegant design and smoother
>>> outcomes all around.
>> We went back and forth on how much of the security topic to include in
>> the architecture document and settled on the current text of section 5
>> where just high level security requirements are identified.  From your
>> list below, the architecture covers the points you raise (non-detnet
>> traffic impacting detnet traffic, and detnet traffic trying to use more
>> than its allocation) mainly from a service delivery perspective.  It
>> does mention "shaping" as a security concern, the document could expand
>> these if helpful. But I think the real discussion point is how much of
>> the security details should be in the base (vs dedicated) document  --
>> and that you disagree with where the WG has drawn the line.  Is this
>> correct?
> Well, it's not as much that I disagree about where the line is drawn, as
> that I disagree with the characterization as "high level security
> requirements".
>
> The first paragraph covers topics worth including here, certainly -- an
> attacker that can introduce delay can inherently break the DetNet
> guarantees, and there is no further defense.  But the text could probably
> go further than its current version and explicitly call out that no
> technical measures can defend against such delay, other than by
> rerouting/avoiding the compromised position.
>
> The second paragraph also covers a topic worth noting, that entropy and
> Murphy as as important of risks to consider as active attacks.
>
> The rest of the section/list don't seem to match up with the high-level
> view, though -- "protection of the signaling protocol", but protection
> against what?  Authentication and authorization are important parts of
> security, but authorization is tied to actions and entities, not just
> entities in vacuo.  For "identification and shaping of DetNet flows", if
> security must cover them, what security properties are needed.  Do we need
> to provide integrity protection for the marking, or confidentiality
> protection, too?  Does authentication/integrity need to be provided for
> in-line or are out-of-band considerations in play?
>
> The rest of the document presents a good high level picture of what pieces
> will be involved in a system, and how they fit together.  I'm hoping to see
> a high-level picture of what attacks/failures the architecture does and
> does not aim to protect against.  It's somewhat implied that we need to
> protect against the failure of any single node or link (except at the
> boundary) due to random faults; explicitly saying this would be a perfect
> hting to include in the security considerations here!  Once we get beyond
> entropy as an attack, into more active attack scenarios, though, we need to
> consider what capabilities an attacker might have.  Do we protect against
> an entity with the ability to inject various forms of traffic?  Modify or
> drop valid traffic?  Are there any (classes of) credentials that we assume
> must be securely held, or will we attempt to protect against attackers that
> have some privilege within the system?  (Note that misbehaving hardware can
> sometimes present as similar or identical to such an attacker.)
>
> Does this give a better picture of what I'm thinking of as "high-level
> security requirements"?  I don't necessarily need details of specific
> hardware or credentials at play, and certainly not for the solutions, but I
> want to have a clear picture of what the scope of future security analysis
> will be.  "How will I be able to tell if the actual protocols meet the
> security requirements of the architecture?"

I'll get with authors (of both the architecture and security docs) and 
see how much they think can be reasonably be added to this document -- 
to be clear you *are* asking for a change in how the WG decide to 
address this topic and what would go in which document.

Lou

> -Benjamin
>
> _______________________________________________
> detnet mailing list
> detnet@ietf.org
> https://www.ietf.org/mailman/listinfo/detnet
>

v2.23.0 | Report a Bug | By Email