IETF Logo Mail Archive

Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

János Farkas <janos.farkas@ericsson.com> Wed, 06 March 2019 05:56 UTC

Return-Path: <Janos.Farkas@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D52C2130EE3 for <detnet@ietfa.amsl.com>; Tue, 5 Mar 2019 21:56:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.04
X-Spam-Level:
X-Spam-Status: No, score=-4.04 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MBzEHRgHJ9eZ for <detnet@ietfa.amsl.com>; Tue, 5 Mar 2019 21:56:12 -0800 (PST)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A3D0130EC8 for <detnet@ietf.org>; Tue, 5 Mar 2019 21:56:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1551851763; x=1554443763; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Z8BuHZJ4RIW0nzatEn6Uh93YXZSEdZ2ASV7TAmFokFI=; b=Ty3pkG4UEx/Rs/6+4tRjaBI8cp8jDdz/5ernO7CC7OzXnKo7PlMA3LARgiOlBrpI 61WXdE3m4zTEcK+nyL01NtQsJXEXyfwMM8cMJ/JHciAymioP6E4+H7uuuRMAiRjS Dlmjd0RAY2nfKhZzsgj2LnsEudYdyu+iODgDHMavSFE=;
X-AuditID: c1b4fb3a-14fff7000000672c-37-5c7f60f31709
Received: from ESESBMB502.ericsson.se (Unknown_Domain [153.88.183.115]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id 8F.E9.26412.3F06F7C5; Wed, 6 Mar 2019 06:56:03 +0100 (CET)
Received: from ESESBMB502.ericsson.se (153.88.183.169) by ESESBMB502.ericsson.se (153.88.183.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 6 Mar 2019 06:56:03 +0100
Received: from [131.160.180.67] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.185) with Microsoft SMTP Server id 15.1.1466.3 via Frontend Transport; Wed, 6 Mar 2019 06:56:03 +0100
To: Alvaro Retana <aretana.ietf@gmail.com>
CC: Lou Berger <lberger@labn.net>, The IESG <iesg@ietf.org>, draft-ietf-detnet-architecture@ietf.org, detnet@ietf.org, detnet-chairs@ietf.org
References: <155067820715.31361.3746519237969586434.idtracker@ietfa.amsl.com> <108f9294-fb9d-557a-011a-6a53156bcb37@labn.net> <CAMMESsx4juKOjPNPQW2iLDYRC6REr8jKWLJLBDUt-AsmC-eFmA@mail.gmail.com> <7056c886-3aa9-2d85-7824-ee5f1ac9bb33@labn.net> <CAMMESszvQ-QgZLNfPF2MMq6UNtCR5DLzhMvzuFF_eCiyUiu5qg@mail.gmail.com> <f647a19c-584f-6a34-77d5-702d26d31013@labn.net>
From: János Farkas <janos.farkas@ericsson.com>
Message-ID: <150fb3c5-0f60-8426-0345-a17d9be984b9@ericsson.com>
Date: Wed, 06 Mar 2019 06:56:02 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <f647a19c-584f-6a34-77d5-702d26d31013@labn.net>
Content-Type: multipart/alternative; boundary="------------6A122925EAB8A17805346115"
Content-Language: en-US
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupjkeLIzCtJLcpLzFFi42KZGbG9WPdzQn2MwaFD5hY3Dm1gsrjW/4PF 4ven2SwWH77NZLGY8Wcis0VH81sWBzaPnbPusnssWfKTyePDpma2AOYoLpuU1JzMstQifbsE roy7J1cwFlxcwFSxeON75gbGXxcZuxg5OSQETCRWzOpn6mLk4hASOMIo8fTmJCjnK6PE/h8/ 2OAyb3oXsIG0CAsUSHw92sAOYosIaEnc3rmTHaSIWWA6o8T5+S/AioQEPjJJtJ0SALHZBOwl 7l7awAxi8wLZs/9NA7NZBFQk5nZBxEUFYiU+XVkMVSMocXLmExYQm1PARuLE6llgy5gFwiR+ //8NZYtL3Hoynwlil5rEp7cP2ScwCs5C0j4LScssJC0QtoXEzPnnGSFseYnmrbOZIWwNidY5 c9mRxRcwsq9iFC1OLS7OTTcy0kstykwuLs7P08tLLdnECIylg1t+W+1gPPjc8RCjAAejEg/v Nb/6GCHWxLLiytxDjBIczEoivMEOQCHelMTKqtSi/Pii0pzU4kOM0hwsSuK8f4QEY4QE0hNL UrNTUwtSi2CyTBycUg2MKmr1zF3KCkYsb0/s/V7X9PuL2I2ve8PfPF8/48IaJpsop0KJpMaD xTM8L71t+796/9dYOfOT5299vXXXNoDh5kaOBjmbp++EDpcbdeaq79g0N7tn8wx+9qT9zGpz btkUd0ldf/iDs95Q6pUgX6+8QxdT+c6tCgwnOcXeHIp5XLvdaNWtjzy/lViKMxINtZiLihMB rQRSSaECAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/vU7eawHHcIEVcL_GnnAu2olQL3Y>
Subject: Re: [Detnet] Alvaro Retana's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 05:56:16 -0000

Hi Alvaro,

Do the updates we are making the security section resolve your comments:
https://mailarchive.ietf.org/arch/msg/detnet/btWvDFtp4F3JY2rY3wZEYdNn42o

The current proposed text:

5.  Security Considerations

    Security considerations for DetNet are described in detail in
    [I-D.ietf-detnet-security].  This section considers exclusively
    security considerations which are specific to the DetNet
    Architecture.

    Security aspects which are unique to DetNet are those whose aim is to
    provide the specific quality of service aspects of DetNet, which are
    primarily to deliver data flows with extremely low packet loss rates
    and bounded end-to-end delivery latency.  A DetNet may be implemented
    using MPLS and/or IP (including both v4 and v6) technologies, and
    thus inherits the security properties of those technologies at both
    the control plane and the data plane.

    Security considerations for DetNet are constrained (compared to, for
    example, the open Internet) because DetNet is defined to operate only
    within a single administrative domain (see Section 1).  The primary
    considerations are to secure the request and control of DetNet
    resources, maintain confidentiality of data traversing the DetNet,
    and provide the availability of the DetNet quality of service.

    To secure the request and control of DetNet resources, authentication
    and authorization can be used for each device connected to a DetNet
    domain, most importantly to network controller devices.  Control of a
    DetNet network may be centralized or distributed (within a single
    administrative domain).  In the case of centralized control,
    precedent for security considerations as defined for Abstraction and
    Control of Traffic Engineered Networks (ACTN) can be found in
    [RFC8453], Section 9.  In the case of a distributed control
    protocols, DetNet security is expected to be provided by the security
    properties of the protocols in use.  In any case, the result is that
    manipulation of administratively configurable parameters is limited
    to authorized entities.

    To maintain confidentiality of data traversing the DetNet,
    application flows can be protected through whatever means is provided
    by the underlying technology.  For example, encryption may be used,
    such as that provided by IPSec [RFC4301] for IP (Layer 3) flows and
    by MACSec [IEEE802.1AE-2018] for Ethernet (Layer 2) flows.

    DetNet flows are identified on a per-flow basis, which may provide
    attackers with additional information about the data flows (when
    compared to networks that do not include per-flow identification).
    This is an inherent property of DetNet which has security
    implications which should be considered when determining if DetNet is
    a suitable technology for any given use case.

    To provide uninterrupted availability of the DetNet quality of
    service, provisions can be made against DOS attacks and delay
    attacks.  To protect against DOS attacks, excess traffic due to
    malicious or malfunctioning devices can be prevented or mitigated,
    for example through the use of traffic admission control applied at
    the input of a DetNet domain, as described in Section 3.2.1, and
    through the fault mitigation methods described in Section 3.3.2. To
    prevent DetNet packets from being delayed by an entity external to a
    DetNet domain, DetNet technology definition can allow for the
    mitigation of Man-In-The-Middle attacks, for example through use of
    authentication and authorization of devices within the DetNet domain.

    Because DetNet mechanisms or applications that rely on DetNet can
    make heavy use of methods that require precise time synchronization,
    the accuracy, availability, and integrity of time synchronization is
    of critical importance.  Extensive discussion of this topic can be
    found in [RFC7384].

    DetNet use cases are known to have widely divergent security
    requirements.  The intent of this section is to provide a baseline
    for security considerations which are common to all DetNet designs
    and implementations, without burdening individual designs with
    specifics of security infrastructure which may not be germane to the
    given use case.  Designers and Implementers of DetNet systems are
    expected to take use case specific considerations into account in
    their DetNet designs and implementations.


Please let us know if you have any remaining comments and what they are.

Thank you!
Janos


On 2/23/2019 9:39 PM, Lou Berger wrote:
>
> Hi *Alvaro*,
>
> see below.
>
> On 2/22/2019 6:02 AM, Alvaro Retana wrote:
>> On February 21, 2019 at 7:35:32 PM, Lou Berger (lberger@labn.net 
>> <mailto:lberger@labn.net>) wrote:
>>
>> Hi!
>>
>>> >>> ----------------------------------------------------------------------
>>> >>> DISCUSS:
>>> >>> 
>>> ----------------------------------------------------------------------
>>> >>>
>>> >>> I support Mirja's and Alissa's DISCUSSes...and have a related 
>>> set of concerns
>>> >>> about the coexistence with non-DetNet traffic and privacy:
>>> >>>
>>> >>> §3.3.1 talks about what I think is a hard to achieve balance 
>>> between coexisting
>>> >>> with non-DetNet traffic and keeping that traffic from disrupting 
>>> DetNet flows.
>>> >>> Because of the constraints, the intent of prioritizing DetNet 
>>> flows is clear
>>> >>> (and that is ok), but that may result in starvation of non-DetNet
>>> >>> traffic...even if the text does explicitly say that it "must be 
>>> avoided".
>>> >>>
>>> >>> I would like to see the potential case of starving non-DetNet 
>>> traffic called
>>> >>> out somewhere.
>>> >>
>>> >> This is the objective of section 3.3.1..
>>> >>
>>> >>
>>> >>> I'm looking for something similar to the first paragraph in §5,
>>> >>> but focused on the non-DetNet traffic.
>>> >>
>>> >> The current text reads:
>>> >>
>>> >> 3.3.1. Coexistence with normal traffic
>>> >>
>>> >> A DetNet network supports the dedication of a high proportion of the
>>> >> network bandwidth to DetNet flows. But, no matter how much is
>>> >> dedicated for DetNet flows, it is a goal of DetNet to coexist with
>>> >> existing Class of Service schemes (e.g., DiffServ). It is also
>>> >> important that non-DetNet traffic not disrupt the DetNet flow, of
>>> >> course (see Section 3.3.2 and Section 5). For these reasons:
>>> >>
>>> >> o Bandwidth (transmission opportunities) not utilized by a DetNet
>>> >> flow is available to non-DetNet packets (though not to other
>>> >> DetNet flows).
>>> >>
>>> >> o DetNet flows can be shaped or scheduled, in order to ensure that
>>> >> the highest-priority non-DetNet packet is also ensured a worst-
>>> >> case latency.
>>> >>
>>> >> o When transmission opportunities for DetNet flows are scheduled in
>>> >> detail, then the algorithm constructing the schedule should leave
>>> >> sufficient opportunities for non-DetNet packets to satisfy the
>>> >> needs of the users of the network. Detailed scheduling can also
>>> >> permit the time-shared use of buffer resources by different DetNet
>>> >> flows.
>>> >>
>>> >> Starvation of non-DetNet traffic must be avoided, e.g., by traffic
>>> >> policing functions (e.g., [RFC2475]). Thus, the net effect of the
>>> >> presence of DetNet flows in a network on the non-DetNet flows is
>>> >> primarily a reduction in the available bandwidth.
>>> >>
>>> >>
>>> >> I think we need a little bit more to understand what you'd like 
>>> to see changed or added. Can you suggest text or what specific topic 
>>> you'd like to see added/addressed?
>>> >
>>> > Yes, let me try to explain better…while comparing with the current
>>> > text in §5, which basically says that even though the objective of
>>> > DetNet is to provide bounded latency, a MIIM may delay the traffic and
>>> > the objective may not be achieved.
>>> >
>>> > For non-DetNet traffic, the objective is to not starve it, while
>>> > providing specific guarantees to the DetNet flows — said other way
>>> > (from the Introduction): "Unused reserved resources are available to
>>> > non-DetNet packets as long as all guarantees are fulfilled.”  However,
>>> > the algorithms (maybe error, misconfiguration…or even maliciously) may
>>> > end up*not* constructing the schedule to leave sufficient
>>> > opportunities for non-DetNet packets (as suggested in the text above
>>> > from §3.3.1).
>>> >
>>> > I see a parallel in how there is a risk of the intention for DetNet
>>> > flows not being met (because of an attack) and how the intention for
>>> > non-DetNet traffic may also not be met.
>>> >
>>> Okay, this sounds like basically the same point that Benjamin was
>>> making, i.e., there must be mechanisms preventing non-detnet traffic
>>> from impacting detnet traffic, and detnet traffic trying to use more
>>> than its allocation and impacting non-detnet traffic. Is this correct or
>>> are you asking for something different/additional?
>>
>> Yes.  I’m not asking so much for a mechanism, but for at least the 
>> recognition that it is a risk.
>>
> Fair enough- I expect the response a response for the architecture and 
> security draft authors to address this.  I'm sure you will confirm 
> that it does!
>
>
>>>
>>>
>>>
>>> >
>>> >>> Related to the above is the fact that the identification of 
>>> flows could be used
>>> >>> to specifically *not* include some of them as DetNet flows. This 
>>> is a
>>> >>> variation of the concern outlined in §6, but applied to 
>>> non-DetNet flows, with
>>> >>> the potential starvation mentioned above. Again, I would like to 
>>> at least see
>>> >>> some discussion of this risk.
>>> >>
>>> >> I don't follow - what is the risk that should be addressed?
>>> >>
>>> > §6 talks about potential privacy concerns due to the identification of
>>> > flows.  I interpret that as potentially being able to identify the
>>> > user (application, or both maybe).
>>> >
>>> Currently flow identification is based on IP headers (6 tuple) and/or
>>> MPLS labels.  So DetNet has the same privacy concerns as standard 
>>> IP/MPLS.
>>>
>>>
>>> > As far as I understand the architecture, DetNet flows are identified
>>> > at the edge and then assigned to specific paths.  If the
>>> > identification of flows can be used to identify the user (for
>>> > example), then it can be used to not only attack specific DetNet flow,
>>> > but also to decide to not provide guarantees to a specific flow based
>>> > on who the user or the application may be.
>>> >
>>> Given DetNet flow identification, is this any different than 
>>> standard PBR?
>>
>> Right, it is not really different.  It is just not mentioned anywhere 
>> that identification (or misidentification as it may be, maybe 
>> maliciously) can lead to not providing guarantees, potential 
>> starving, etc..
>>
> I thought the quotes capture in the various mails on the topic showed 
> how it was -- but let's wait for the updated text and see if it 
> sufficiently addresses your concern/point, and then go from there.
>
> Thanks again for the feedback.
>
> Lou
>
>
>> Thanks!
>>
>> Alvaro.
>>
>>
>> _______________________________________________
>> detnet mailing list
>> detnet@ietf.org
>> https://www.ietf.org/mailman/listinfo/detnet

v2.23.0 | Report a Bug | By Email