Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-security-13: (with DISCUSS and COMMENT)

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 07 January 2021 10:23 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E74003A0E88; Thu, 7 Jan 2021 02:23:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.351
X-Spam-Level:
X-Spam-Status: No, score=-2.351 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P7UQbC9n3Tdq; Thu, 7 Jan 2021 02:23:00 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2072.outbound.protection.outlook.com [40.107.22.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BE543A0E8D; Thu, 7 Jan 2021 02:23:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BxCsr/v4xRAtM+WlD0WP7ESHeMovABuTWdKCIblxVtRIsPxrzjhFioiz1Mir6Xe9tZheBXfwBYsS87DsbrqGbvsHSR9uTfa7hpALOwPvWcJhTGjZHRMBO2KtVrX3nDD7yZTUbL7KDiYeQfn/1sTOrPoExuklEu8xLESiZs22W0uUw5hK13goHdJc6z5kiTQtQz/DcjNdb4xTUE14MFJEIULY/rCrZHO+ZJPiL1v54S2H3Q/8TpLg77BUnN4O05xIt2CmNubIBh7aWiu6vEDFVUm0pgRQzZPEeachYdSqWfZTxdyzcHFY3wsL5xg+lBhTZgMDuhvOAXjhtRE2aU1fIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=imKmKtPnYkRFtILJrDrycQ4Wp+kyPkKDLsDC7koifWg=; b=PGDCReBXLFH5fShe6WQ18h+ocoVY24MBFdLAcp/cc9nhbz0U4lACYTkIxjJnxBKQ6jFVej4FWmfD1yrlMjPjP691t1gbqznkQlD3MzWsA9G6kQCmSmiywaai8H03W4PE9ZO5eQEqW9+bdZFo6OhfizCeLU+rW/5BKuhx+I2Ib35lCgkiaNAFMmkkaBk+8sVecWD/hFeouiQ8Mo8bb9/oEwc++yHqV5kXFUGFqLFX1q6I5HjnXHun9484jeQf17jRx+X8Ib5an1ktHG/ZthXus/Nyrw+NbnUD76ddjcPZYc1d9FEUyBtaDwGqN3Vk19ZQCqfmw4KJ8H9YSDWBG2hExQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=imKmKtPnYkRFtILJrDrycQ4Wp+kyPkKDLsDC7koifWg=; b=YuQMYdunJ5TwdX3QhdxxgXKTrqfxI4Q3tnerKrbo1LzAoC706e2XmgNUhs3yIUHQpgD9Uko20zojG3xE7/DMXpI0HAoKwnkgo4G4dJidThl6hINqnnB12WOyPb4oMebs1U6HhZERZQOTkCHsgMyfzYcBwQTdq8F9nbY+iEsMkLU=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR07MB4443.eurprd07.prod.outlook.com (2603:10a6:7:a1::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3763.2; Thu, 7 Jan 2021 10:22:57 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace%6]) with mapi id 15.20.3742.006; Thu, 7 Jan 2021 10:22:57 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "ethan@ieee.org" <ethan@ieee.org>
CC: "detnet@ietf.org" <detnet@ietf.org>, "draft-ietf-detnet-security@ietf.org" <draft-ietf-detnet-security@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>, "David.Black@dell.com" <David.Black@dell.com>
Thread-Topic: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-security-13: (with DISCUSS and COMMENT)
Thread-Index: AQHW2Gx8UD3yjueSTECZOXuaCTpEiqoDXCkAgBf7twCAALVmgA==
Date: Thu, 7 Jan 2021 10:22:56 +0000
Message-ID: <95c9bebe84acd87c157ae72420338e213c521ee6.camel@ericsson.com>
References: <160864632278.13800.15298127874258170906@ietfa.amsl.com> <MN2PR19MB40456E5376B115C147B7E08C83DF0@MN2PR19MB4045.namprd19.prod.outlook.com> <0a5e01d6e484$5dbdbca0$193935e0$@ieee.org>
In-Reply-To: <0a5e01d6e484$5dbdbca0$193935e0$@ieee.org>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: ieee.org; dkim=none (message not signed) header.d=none;ieee.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.130.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 21ba12fb-520d-4c5b-d8fb-08d8b2f633a2
x-ms-traffictypediagnostic: HE1PR07MB4443:
x-microsoft-antispam-prvs: <HE1PR07MB44438ECBBCF2085FA1FBFBD095AF0@HE1PR07MB4443.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bf4uqYhOiSTPO75omEJm51mt5JIdil+R1gQ2/9hrZkArYY5zYK4eNjH2ZJWUHvJ51bG3wd/mZAAAYfHbH+bP6t99xK6AHoSkK1toG3KgQSSb35MJcU74prrdUTCdeUAzVMLwGh/yNmppRMSLLIUVE/ynl5PJt+5wlG94xniuunUqXTTlTYV//cFVHRXj3ZPWttHn1PEgxeCpnJfdnOqlPpPpsj1e6QmalXO5SYT4B3NKj+NlZdPolQJI1yz0tAYvpepmmU7yeZS02ZFJ1d7iS4ECxFdPSCPP0cu2sYOXnDJpMLji+ZPYNNakQFLaEuly+KYsjI5BYp30UqDtBbfbOW99MpiucKz3hBpnVHiVa2UaayrYzkE+UjCn10XaE7FRERZpDl2EZVN3iTVp5SLt8PJ/BTP0IoDxqIQYOHwsJV9Ocs72s6Ew1Ts5UOqUBK1O1C1cfE+j6JkHUWTR7czJyDAoi2bPwVaAI2DhRLg9pJA1p+hKmRbHtK3f5vKUFEUqB8NrvntLpkJFcn8HcnTThA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(136003)(366004)(396003)(39860400002)(2616005)(4326008)(36756003)(6486002)(99936003)(8676002)(6512007)(8936002)(30864003)(5660300002)(316002)(186003)(86362001)(83380400001)(26005)(71200400001)(66556008)(44832011)(66616009)(76116006)(66476007)(6916009)(66946007)(66446008)(64756008)(2906002)(15650500001)(966005)(478600001)(54906003)(6506007)(66574015)(53546011)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?UzJocE9QSVo4ZHVmalUxOHRLendaMkZGYTRFK0w1bTNKMkV3aXJEZkNzeHRu?= =?utf-8?B?VkMzSWk2aTM4UmVxaUtRUFUwcmNPMkUxMzVTS0Q1VUJtc2l1NExSYkhyKzhq?= =?utf-8?B?SHoycXNLNUNFaTJCUXd6cGdBL2JiN3pZSUlweXlZVjNwak9aV3p6aWVEbHkr?= =?utf-8?B?czgvQTQ4Y3lrMHRBZHQwNVd0WU1jNnc1Qm1YSDY5SS9ZS3VjbVJQWUIwSzBM?= =?utf-8?B?K2NjOTNHTVllM3dLOEMwb3JuU0k5ZCs3Y2RZdzJJTm01WUpyR2dQL05LK0Fv?= =?utf-8?B?c0hvZHpPdWpRNjhtNXlJZ2lyc0swTjV1azgzTWdIbkc1b3JtbExaY0RqMkJ6?= =?utf-8?B?ZWlUVnlFU0hSWjE3TTNpWUtSd1FvOXFtamRXUzZMbHYyZEM3MkhRYS9IYU9p?= =?utf-8?B?U1BlOWNlZE9YMlJMY2dEaFBFaC8xY0hvYzdzYmZQU2JWRnBTU1hsblBmVGQz?= =?utf-8?B?N0ZCQ2JFSlZWUUN6ck9qUm80OHNlS2VJbUNQMjQzYlpVMDhLOUZVeGFBR1gr?= =?utf-8?B?NWRDOTMzTzlxdTJZNzlIMW9QMG1vQzZZRjcxdk54Mm0yclNpMHZCcndoNmxG?= =?utf-8?B?ZXFzWjQrL2JWdkk1K0JqZmdVaW91cHcyWmRTZlhRS28zaG5sVjd1a3NLV1VB?= =?utf-8?B?eGNaUTVKZkthaTdmTnB4eWo5WlFFTXMzU2NId3VmVEdZdzlTYUlCQ0V2eDVp?= =?utf-8?B?KytLVC8vTmNVVGtTMGc0b0s0S2czVTNKWDhiL21OZGl2c2kyNEZwenVxelRr?= =?utf-8?B?dnV4blpYeHlKUHpHRlFUT1hIeFJqQ2VXYzJTRi83WUMrbEdVRFlZVWdLKzFK?= =?utf-8?B?dGxMdWJ5bUR2cU0wcGpDcVJFRzJUdWVSZUxBRlFqSis5WHhtVFpZRHFEb09u?= =?utf-8?B?U2kwWVk5MUdyeW1jWVZDdFE2bFVpb1RYSS9OUmdUYmxvZjlLbTUvN3RaeFN2?= =?utf-8?B?eHR1ZThRNGlsZDF1d0tVNzE3YUFIMitXWmVVV1NELzFWU3M5MWgyY3dwb3hD?= =?utf-8?B?VGwvZTljTStoM3hQYlVIWlNweGc5U1FnSTF0T3BxRFFlVkY5ZUpHckhTTXZv?= =?utf-8?B?aFZCeGE3cWZrejliVmhReGpEVThQK0dFWmFBQjhxTExZU1R4UHJ6eE0ydmRr?= =?utf-8?B?SE1CZGh1STJ5Ukdmdmh4OGVScjB2eTdabk93ajVZS3JiRFBDVFQwcExjODMr?= =?utf-8?B?ODI2M3BOZlRvRG1TbzBySFNhWVNwaHBvZVQwd1hDNHpmMWkvQndnWlJvaW1K?= =?utf-8?B?OWpxeG5IMFRZY0lMd1g1Qkphc3FsZnVGT2RlT0FmWDdXZFdPbXA5WmNldFlN?= =?utf-8?Q?UUYi98y7NKlx1i1J8049uXzmoX1D6JBkOL?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-5ygyEO8+u4wivJE9WQ3V"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 21ba12fb-520d-4c5b-d8fb-08d8b2f633a2
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jan 2021 10:22:56.8385 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OjLsxlVDovV8TNcxrNr9kuIxGHrACu3RLi8FSsEUAdp46vo1VdzbvgEUa4E0lJ8py+in+P4UfzDJN8YEEBShd/bLwQrBC0JK2XdpuI+Tda8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4443
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/iwhW75WiEB6usLHrq3cB_Ut2BMU>
Subject: Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-security-13: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jan 2021 10:23:03 -0000

Hi,

So I think I did missinterpret the intention of the original sentence a bit.
This longer text do help me understand and it might be useful for others.
However, I do wonder if there are an even better description of this?

So to me there appear to be a design principle here that the resources for one
flow are inviolable. That way one can keep the different flows and resource
allocations independent. However, this design principle is only fulfilled if the
individual components and the setup of the chain of components ensures this
design priniciple. 

So with correctly designed components and security mechanisms one can prevent
malious acitvities from impacting other resources. And this might be the simpler
case at least on a theoreticall level as the malicous attacker can be limited in
where it can impact traffic flows or network control interfaces through security
mechanisms. 

For network internal malfunctions this design principle might not be as feasible
to achive the total goal, but the design principle should lead to that impact is
minimized to the diretly affected flows, i.e. avoid casade failures. For my case
of rewritten flow-id then only the original and target flow should be affected.
In addition this failure should rapidly be detected so the failure can be
addressed. 

As you discuss to attempt to ensure this inviolable resource allocation, to
detect my specific case, the system designer needs a component where each
individual flow is verified to be within resource allocation as each single
device where resource contention could occurr, i.e. in each router or switch on
the path through the network. 

So taking my specific case of network internal rewrite of the flow-ids. With
flow shapers in each forwarding instance one can prevent the flow to go beyond
its resource allocation and cause impact outside of the directly impacted flows.
However, the system and its protocols have not been built to prevent the
impacted flow from being harmed here as this internal failure is unlikely enough
that putting in the mechanism to verify each single packet belonging to each
flow is deemed to expensive. Instead it is trade-off that a flow shaper would
cause drops if over using the resources, raising an alarm that something is
malfunctioning as these drops occurs. While having security mechanism to
identify flows correctly at the ingress and prevent malicous attackers modified
packets to join a flow is likely a necessary mechanism. 

So the whole point with this text was to verify if I have correctly understood
what is attemtped to described here. And secondly maybe indicate that the
proposed text maybe can be further improved by more accurately describe the
principle and the fact that certain choices have been made on protocol level for
what support is required. In addtion the implementor of each component as well
as the system builder needs to consider how the set of chosen components
interact to reach the security goals related to different aspects, in this case
the resource allocation. 

Please consider if your text proposal can be further improved to more correctly
describe what is relevant here. As the section is intended to be a high level
requirement on individual components the hard question is how much requirement
is necessary to be explicit about. I think the aggregation example in Section
3.1 do point to the challenges here to fulfill this design principle. As the
goal of aggregating is to only need aggregate state in the middle which in its
turn can violate the principle of inviolable for each component, as adding one
flow to much to the aggregate through an error will potentially impact all the
other component flows. 

Cheers

Magnus Westerlund


On Wed, 2021-01-06 at 15:33 -0800, Ethan Grossman wrote:
> Hi Magnus,
> Thank you for your review comments, they are very helpful. We have
> incorporated David's comments into our proposed new text for the two
> sections referenced, as follows. Please let us know if this sufficiently
> addresses your comments. 
> Sincerely,
> Ethan (as DetNet Security draft editor) 
> 
> ----------------START --------------------------------------------
> OLD: 
> 3.1.  Resource Allocation
> A DetNet system security designer relies on the premise that any resources
> allocated to a resource-reserved (OT-type) flow are inviolable, in other
> words there is no physical possibility within a DetNet component that
> resources allocated to a given flow can be compromised by any type of
> traffic in the network; this includes both malicious traffic as well as
> inadvertent traffic such as might be produced by a malfunctioning component,
> for example one made by a different manufacturer.  From a security
> standpoint, this is a critical assumption, for example when designing
> against DOS attacks.
> It is the responsibility of the component designer to ensure that this
> condition is met; this implies protection against excess traffic from
> adjacent flows, and against compromises to the resource
> allocation/deallocation process, for example through the use of traffic
> shaping and policing.
> . . .
> NEW: 
> 3.1.  Resource Allocation
> A DetNet system security designer relies on the premise that any resources
> allocated to a resource-reserved (OT-type) flow are inviolable; in other
> words there is no physical possibility within a DetNet component that
> resources allocated to a given flow can be compromised by any type of
> traffic in the network; this includes malicious traffic as well as
> inadvertent traffic such as might be produced by a malfunctioning component,
> or due to interactions between components that were not sufficiently tested
> for interoperability. From a security standpoint, this is a critical
> assumption, for example when designing against DOS attacks.  
> It is the responsibility of the component designer to ensure that this
> condition is met; this implies protection against excess traffic from
> adjacent flows, and against compromises to the resource
> allocation/deallocation process, for example through the use of traffic
> shaping and policing.
> However, this assumption on the part of the DetNet system designer must be
> tempered by the fact that any given component is designed for some set of
> use cases and accordingly will have certain limitations on its security
> properties and vulnerabilities. For example, due to cost and complexity
> factors, the security properties of a component designed for low-cost
> systems may be quite different from a component with similar intended
> functionality, but designed for highly secure or otherwise critical
> applications, perhaps at substantially higher cost. Thus, a significant
> responsibility of the designer of any component intended for use with DetNet
> is that they clearly document the security properties of the component. For
> example, to address the case where a corrupted packet in which the flow
> identification information is compromised and thus may incidentally match
> the flow ID of another ("victim") DetNet flow, resulting in additional
> unauthorized traffic on the victim, the documentation might state that the
> component employs integrity protection on the flow identification fields. 
> Even in the case that the security properties of the component as designed
> are well specified and understood, if the component malfunctions, for
> example due to physical circumstances unpredicted by the component designer,
> it may be difficult or impossible to fully prevent malfunction of the
> network. However, all networks are subject to this level of uncertainty; it
> is not unique to DetNet. Having said that, DetNet raises the bar by changing
> many added latency scenarios from tolerable annoyances to unacceptable
> service violations.   That in turn underscores the importance of system
> integrity, as well as correct and stable configuration of the network and
> its nodes, as discussed in [reference to Introduction section].  
> . . .
> END
> 
> OLD: 
> 8.1.6.  End-to-End Delivery
> Packets sent over DetNet are not to be dropped by the network due to
> congestion.  (Packets may however intentionally be dropped for intended
> reasons, e.g. per security measures).
> . . .
> NEW: 
> 8.1.6.  End-to-End Delivery
> Packets that are part of a resource-reserved DetNet flow are not to be
> dropped by the DetNet due to congestion.  Packets may however be dropped for
> intended reasons, for example security measures. For example, consider the
> case in which a packet becomes corrupted (whether incidentally or
> maliciously) such that the resulting flow ID incidentally matches the flow
> ID of another DetNet flow, potentially resulting in additional unauthorized
> traffic on the latter. In such a case it may be a security requirement that
> the system report and/or take some defined action, perhaps when a packet
> drop count threshold has been reached (see also [reference to Dynamic
> Performance Analytics section]). 
> . . .
> END
> 
> -----------------------END-------------------------------------
> 
> -----Original Message-----
> From: Black, David <David.Black@dell.com> 
> Sent: Tuesday, December 22, 2020 9:19 AM
> To: Magnus Westerlund <magnus.westerlund@ericsson.com>om>; The IESG
> <iesg@ietf.org>
> Cc: detnet@ietf.org; draft-ietf-detnet-security@ietf.org; lberger@labn.net;
> detnet-chairs@ietf.org; Black, David <David.Black@dell.com>
> Subject: RE: [Detnet] Magnus Westerlund's Discuss on
> draft-ietf-detnet-security-13: (with DISCUSS and COMMENT)
> 
> Hi Magnus,
> 
> > Can we really ensure that a malfunctioning component can't compromise 
> > the resources of another one. The most simple example I would have is 
> > a router with a malfunction rewriting the destination address or flow 
> > label of a packet causing the packet to change the flow it is 
> > belonging too,
> 
> No, but ...
> 
> ... DetNet is fundamentally relying on system integrity and correct
> configuration of the DetNet implementations.  This is not a new concept -
> e.g., if an MPLS LSR fouls up the label switching, all manner of things can
> go very wrong very quickly ... which is something that generally doesn't
> happen in practice.  That said, DetNet raises the bar by changing many added
> latency scenarios from tolerable annoyances to unacceptable service
> violations.   That in turn increases the importance of system integrity and
> correct/stable configuration of the network and its nodes.  I would suggest
> a rewording along these lines if that's acceptable to you, as I don't think
> this area of concern justifies additional defense mechanisms in the data
> planes.
> 
> > I would also recommend that you don't indicate that a different 
> > manufacturer can be blamed. Isn't a malfunction going to occur where 
> > they occur, it is not like a single vendor network will be without 
> > malfunctions due to hardware issue, nor have its set of software bugs.
> 
> +1
> 
> Thanks, --David (as Transport Technical Advisor to the detnet WG)
> 
> > -----Original Message-----
> > From: detnet <detnet-bounces@ietf.org> On Behalf Of Magnus Westerlund 
> > via Datatracker
> > Sent: Tuesday, December 22, 2020 9:12 AM
> > To: The IESG
> > Cc: detnet@ietf.org; draft-ietf-detnet-security@ietf.org; 
> > lberger@labn.net; detnet- chairs@ietf.org
> > Subject: [Detnet] Magnus Westerlund's Discuss on
> 
> draft-ietf-detnet-security-13:
> > (with DISCUSS and COMMENT)
> > 
> > 
> > [EXTERNAL EMAIL]
> > 
> > Magnus Westerlund has entered the following ballot position for
> > draft-ietf-detnet-security-13: Discuss
> > 
> > When responding, please keep the subject line intact and reply to all 
> > email addresses included in the To and CC lines. (Feel free to cut 
> > this introductory paragraph, however.)
> > 
> > 
> > Please refer to 
> > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> > 
> > 
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-detnet-security/
> > 
> > 
> > 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > Section 3.1:
> > 
> >    A DetNet system security designer relies on the premise that any
> >    resources allocated to a resource-reserved (OT-type) flow are
> >    inviolable, in other words there is no physical possibility within a
> >    DetNet component that resources allocated to a given flow can be
> >    compromised by any type of traffic in the network; this includes both
> >    malicious traffic as well as inadvertent traffic such as might be
> >    produced by a malfunctioning component, for example one made by a
> >    different manufacturer.
> > 
> > Can we really ensure that a malfunctioning component can't compromise 
> > the resources of another one. The most simple example I would have is 
> > a router with a malfunction rewriting the destination address or flow 
> > label of a packet causing the packet to change the flow it is 
> > belonging too, thus if occurring for any significant amount of packets 
> > causing overflow in the next hop router when the original and the 
> > remarked flow compete for the same resources assigned. The only way to 
> > ensure that this happens is to verify a strong header integrity 
> > protection at each point a decision on how to forward, classify or 
> > remark the flow is done. So Section
> > 3.3 indicate that this is an issue, but only discusses how it can be 
> > solved over ethernet. This issue hasn't been well handled in either 
> > the MPLS or IP detnet data planes as no additional mechanism was required
> 
> to ensure this criteria is meet.
> > 
> > So I think the requirement that also malfunctions in equipment don't 
> > result in flow violations is hard, and will require that the already 
> > approved data plane specification needs additional mechanism that 
> > verify all data used on each occasion the data is used. Neither MPLS 
> > nor IP as currently specified fulfill this, not even against 
> > non-malicious malfunctions or corruption type malfunctions. Then we 
> > have those malfunction that breaks the network or where control plane
> 
> information provided is being corrupted.
> > 
> > I have only looked a bit deeply on one type of malfunction that I know 
> > that can occur. I convinced that this document will indicate a number 
> > of additional potential ways things can go wrong that can't be 
> > determined without additional mechanisms and likely additional per 
> > packet fields. Thus, I think we need to discuss if the security 
> > properties matches the actual approved data plane, or if the property is
> 
> so important that the data plane specification is moved back to the WG to be
> fixed?
> > 
> > I would also recommend that you don't indicate that a different 
> > manufacturer can be blamed. Isn't a malfunction going to occur where 
> > they occur, it is not like a single vendor network will be without 
> > malfunctions due to hardware issue, nor have its set of software bugs.
> > 
> > Section 9.1:
> > 
> >    The IP protocol has a long history of security considerations and
> >    architectural protection mechanisms.  From a data plane perspective
> >    DetNet does not add or modify any IP header information, so the
> >    carriage of DetNet traffic over an IP data plane does not introduce
> >    any new security issues that were not there before, apart from those
> >    already described in the data-plane-independent threats section
> >    Section 5, Security Threats.
> > 
> > The above requirement from Section 3.1 in regards to IP header fields 
> > used for flow classification are not automatically fulfilled without 
> > additional mechanisms. Thus, I would claim that DETNET unless Section 
> > 3.1 requirement is minimized will require support for a strong 
> > integrity mechanism over all headers. So if this needs to be keyed or 
> > not is totally dependent on if malicious modifications of packet headers
> 
> needs to be taken into account or not.
> > 
> > Section 9.2:
> > 
> > Same as previous issue but for integrity over the MPLS headers.
> > 
> > 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> > 
> > 8.1.6.  End-to-End Delivery
> > Packets sent over DetNet are not to be dropped by the network due to
> >    congestion.  (Packets may however intentionally be dropped for
> >    intended reasons, e.g. per security measures).
> > Maybe it need to be stated that packets for a flow that are within 
> > flow parameters are not to be dropped due to congestion.
> > 
> > The security aspects include packets being dropped due to corruption 
> > malicious or not.
> > 
> > 
> > 
> > _______________________________________________
> > detnet mailing list
> > detnet@ietf.org
> > https://www.ietf.org/mailman/listinfo/detnet
> 
>