[Detnet] WG Last Call: draft-ietf-detnet-security-09 - David Black's initial comments

"Black, David" <David.Black@dell.com> Tue, 21 April 2020 23:05 UTC

Hi Lou,

> The working group last call ends on April 4.
> Please send your comments to the working group mailing list.

Surely May 4 was intended ... as a WG chair, I've been there ... and been off by much more than one month :-).

Here are some initial relatively high-level comments (I may have more to add after a detailed read):

[1-Editorial] The relationship to RFC 7384 deserves more mention. A statement towards the end of the introduction to indicate that the threat model and the structure of at least the threat analysis are similar because of the importance of time to the security of both time protocols and DetNet would be good to add.

[2-Minor] In section 4, I suggest removing the discussion of Effects and the Effects rows in the table, as they don't appear to play much of a role in the draft.

[3-Editorial] This draft uses a lot of internal cross references to other sections, e.g., in the Related Attacks discussions in section 5. It would be helpful to the reader to include section names and/or a short description of the contents of the referenced section with each cross reference.

[4-Minor] Sections 5.1 and 5.2 should state that path replication and elimination are not available in the IP data plane.

[5-Major] Section 5.8 seems incomplete. It contains a sizeable summary table of attacks, impacts and mitigations, but doesn't provide recommendations on what to do. Scanning the mitigations column, a good start would be to characterize control message protection and performance analytics as [MUST implement, SHOULD use] and the combination of DetNet authentication and integrity protection as [MUST implement, MAY use]. Both "MUST" requirements are my initial take that I'd be happy to discuss further.

[6-Major] Section 7.1 on the IP data plane seems rather weak - I'm not sure whether it says anything that's seriously useful.  Section 7.2 on the MPLS data plane is much better in directing the reader to relevant security considerations in other documents.

Thanks, --David

> -----Original Message-----
> From: detnet <detnet-bounces@ietf.org> On Behalf Of Lou Berger
> Sent: Monday, April 20, 2020 11:01 AM
> To: DetNet WG
> Subject: [Detnet] WG Last Call: draft-ietf-detnet-security-09
> 
> 
> [EXTERNAL EMAIL]
> 
> All,
> 
> This starts a two-week working group last call for
> draft-ietf-detnet-security-09
> 
> The working group last call ends on April 4.
> Please send your comments to the working group mailing list.
> 
> Positive comments, e.g., "I've reviewed this document
> and believe it is ready for publication", are welcome!
> This is useful and important, even from authors.
> 
> Thank you,
> Lou (DetNet Co-Chair & doc Shepherd)
> 
> _______________________________________________
> detnet mailing list
> detnet@ietf.org
> https://www.ietf.org/mailman/listinfo/detnet