IETF Logo Mail Archive

Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

"Grossman, Ethan A." <eagros@dolby.com> Mon, 25 February 2019 06:31 UTC

Return-Path: <eagros@dolby.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89BEC130E0A; Sun, 24 Feb 2019 22:31:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dolby.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lr7Ih3Yggq1H; Sun, 24 Feb 2019 22:31:20 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-eopbgr770117.outbound.protection.outlook.com [40.107.77.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AF7712F1AC; Sun, 24 Feb 2019 22:31:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolby.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3fDXtQFL1IKxJPYeEZWk4D4JbZEQ/7+H9u6GzUPFeHs=; b=d1IvSDZurSQ1fGGhJXzhAl5tNms/JK2TZPcsTEpMpoQxmbjcz8woX1QohH0PxpFIuFzqCTHUNgKOlowJz4vJFHrU88DUujxI2h8EwUJkHyVVwCWhc9H7KJyC3a+X+VFS+/W5b62WzGu9Vq/DhG/+airPH6fN47NLSfapa5HTJsQ=
Received: from BYAPR06MB4325.namprd06.prod.outlook.com (52.135.240.140) by BYAPR06MB6054.namprd06.prod.outlook.com (20.178.51.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.18; Mon, 25 Feb 2019 06:31:16 +0000
Received: from BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::a55b:5609:ca77:6500]) by BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::a55b:5609:ca77:6500%6]) with mapi id 15.20.1643.019; Mon, 25 Feb 2019 06:31:16 +0000
From: "Grossman, Ethan A." <eagros@dolby.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-ietf-detnet-architecture@ietf.org" <draft-ietf-detnet-architecture@ietf.org>, "detnet@ietf.org" <detnet@ietf.org>, The IESG <iesg@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>
Thread-Topic: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
Thread-Index: AQHUyM6XP+fod7L+2k6iJmhQjssa7KXowOYAgAAaUACAAAdkgIAAUCiAgAGEsICABUlAUA==
Date: Mon, 25 Feb 2019 06:31:16 +0000
Message-ID: <BYAPR06MB4325DC91AE78DC38CD0A74B6C47A0@BYAPR06MB4325.namprd06.prod.outlook.com>
References: <155063426136.20704.6779201119170972943.idtracker@ietfa.amsl.com> <cb52062a-b4fb-b51a-2dc3-ca7f161c8f89@labn.net> <20190220160743.GD69562@kduck.mit.edu> <36c4ce97-5c4a-89ab-d648-3e7705a6acd3@labn.net> <20190220212104.GK69562@kduck.mit.edu> <30e27625-da32-7e67-6e3a-a923830b9e5c@labn.net>
In-Reply-To: <30e27625-da32-7e67-6e3a-a923830b9e5c@labn.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=eagros@dolby.com;
x-originating-ip: [73.162.193.175]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0bfcd8e4-39b4-45de-637d-08d69aead89e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600110)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:BYAPR06MB6054;
x-ms-traffictypediagnostic: BYAPR06MB6054:
x-ms-exchange-purlcount: 1
x-microsoft-exchange-diagnostics: 1;BYAPR06MB6054;23:t0/QLKsOa8nCTfYxfGu7fXEF41nkogRlZYw0d/mZL5X4Z4LFu9MdRElvYVhGlBxu+NdoN1X1tMbL2U3+CCVnJTFIpBKtgnPyITX3L6Ot6QcoJS07tqRdhdzMTRPCI87pTv8z6ugPpRa4VuqTFIZ760LEB5hwTx+6qHQPcLxHzr3Faq0PBQlrkpZZGAje05Dor37P7NTWKx0PwPQTwV7eekuK9zuTwYBrb7CRNKmaBStvlkSExf4T449xOjc1bOfxfD0emVisif4zh3VdMNC/L2DsqQVDU2p0PY0W8yL2UHv5RADadxlnXtdHwtKxzAaW2e0Cs++FxGIPKioSAi8QECaU7My0I3OHv+m1Lxf7HfCIq0HOjY0REFhGLjMODIzfh3G5zL0q0FXS5hlIvPCum/V/U2E4Gm3R25vNHQhNcWh/W7Pfz0VSupMxHtx82BNADzkqPBTWaMQz8fxR9vKb4Eh/OylV15x49t5EjXQ8Mm8lz6MAN+zSnxQSwIw+Rav/OKTPU1oSv5e3QToV9XBM5sbQ/UK/U/U3l30DQQy0vK1zwK8B8stj33+4lGOxydxvb59KUovbRqiwFPlHzbjUd1cFr/0ez8Nqvwc7e90tnB8GaBhZ0haCHqjIUjbpn/wPjNMffbL5MA7ln2BGDo2H+mbH+8W0VmkDF1y6OOc+TRabQVy3cJAKRcaiOMqTUseKgkYyBJiBq9ChLXOwo2vOGwowpwOjU1UCQzObyZbgIF9Kb8bYs6uc357YcGXPNt6LNjFoJ9KyMnfvCW8r76T1oWdrwtdXJE0XAbmlFva665GSSWB3YBpaNY13z6g+SMQBb7rtSg7ImOCv3pNh7PReKY9oY1+BrPWdDlxd+hCsoF6x63K0KJHejlJu8+gpimpwtiAPRBzYO6c02ghlwn4LIIlPHP+W1DPxvEMqBp5WuPhORaRj23gwZL2MyUIiNvzNx1VDekvuZ1DqOmuBDrwY6LwqwPItHrE6WJspQ/lJbrhGHG6oYOGsdIRCmYIIqxGpXoXpt7geOyR4asa1Wqbw4n8nFFhSfniyzJ4pkhL5W8twLY+w8A0ZpNtRCHH0t7eASepotap9/KB4o1NUzlTEb3qkMaBL9qKPCUdEmRIEqNwtGeegzpKqRg6niEHAHm5i3DSerCEGY0TSda3E2bpfFQvTGPSmV/v02l6qVFxbjQNTyWuTUkK/rTqw+UWoGBeYj5S6ZyvOX9KMk1Ma6iLVUbmOLrEBYw+vV0GJsNSd98JmOZ7qe3QAZhVVfVXdCE5/V0CpQeMZSIjKit1jrugs/Kf6Q495kxDTruWe7gBMCdZkoxNjHOqFAAV+StkVQMpKbL3c6D0ZEVX19SLGuSoHyQ1yJEcqJLDlTGjF6DMMG0c=
x-microsoft-antispam-prvs: <BYAPR06MB60548DF782F6311158940736C47A0@BYAPR06MB6054.namprd06.prod.outlook.com>
x-forefront-prvs: 095972DF2F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(136003)(376002)(366004)(39850400004)(396003)(199004)(189003)(13464003)(102836004)(6506007)(53936002)(25786009)(53546011)(71190400001)(71200400001)(81156014)(66066001)(81166006)(8936002)(26005)(6116002)(3846002)(8676002)(186003)(106356001)(7736002)(305945005)(229853002)(6436002)(6916009)(486006)(74316002)(105586002)(99286004)(476003)(4326008)(11346002)(446003)(256004)(86362001)(97736004)(7696005)(9686003)(55016002)(6306002)(76176011)(2171002)(478600001)(93886005)(316002)(33656002)(2906002)(30864003)(68736007)(54906003)(14444005)(6246003)(14454004)(966005)(52536013)(5660300002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR06MB6054; H:BYAPR06MB4325.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: dolby.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZjcLHBuxKlKxbTul+OcJLhn+FbvNuL0uTsvPyG/eWL+0E1yfZyUCxy9zuOESPCmyaqi3X0rTalrr9eWoq7aptKM9XvgWG0NMYzMWHuiLBiXHAVbfnZF0VRClzSulUb6ibcoOj6rfXkcoS48gZdbvDOSGONRZjkk9skj83Df5icp9AbqrvRkZgPFV2rCUpCCNdBjjvmoTsJqkYbjSrD5ZuGvlmZ1YCCbQEsnqYGLs+kTbKUyqwBI/p488HGkDqN+5k0JE+r/CyF9D8YZ577+XVJyo6j4XokAjVoPHT60FdzdtUqukU4d005+EOw3NZMvNzyGPoP7pz7jBSSPsWBOKIpPAPTAec5b+G1h1kMXuGVK3+aWVzh/uIgXzVD7Cavq8tpSROIZsqC5/aFgojlw4S/iJnNaLbjbtvUYYtndb9us=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: dolby.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0bfcd8e4-39b4-45de-637d-08d69aead89e
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Feb 2019 06:31:16.5896 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 05408d25-cd0d-40c8-8962-5462de64a318
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR06MB6054
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/RLBrpkyiuVkBfJgzST37eWskO1U>
Subject: Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 06:31:24 -0000

Hi Benjamin,
As editor and co-author of the DetNet Security draft, I thank you very much for your comments regarding the security aspects of the DetNet Architecture and Security draft. Indeed it is our intent to ensure that security is considered throughout the design process and not "bolted on" at the end; this is why we have been developing the Security draft in parallel with the Architecture, Data Plane and other drafts.  Here are a couple of my initial thoughts on your comments; I present them for discussion, not as a defense of a pre-determined outcome. 

I follow your concern that we have not made a distinction between the laundry list of possible threats versus those threats that designs based on the architecture must address in order to satisfy the security requirements of the architecture. Excellent point, in that I for one have not considered the topic in that light before, and I appreciate the need to do so now. 

Up until this point, i.e. prior to your comments, we have been working based on at least two guiding principles. One is that we are only addressing security considerations which are specific to time-sensitive, routed, centrally-administered networks, so anything that could be considered to be "covered elsewhere" we have intentionally omitted. For example you cite "using HMAC for message integrity protection without mention of infrastructure for distributing the keys for keying the HMAC"; I would expect that this topic could be regarded as "covered elsewhere", but please correct me if I'm missing something here. 

Another main thread running through almost every aspect of DetNet is that as noted in the Use Cases draft, there are many and diverse applications for DetNet, spanning networks contained within a single machine all the way through networks spanning a nation. As such it is difficult to make generalizations about almost anything in DetNet - everything has to be framed as "scalable" so that we don't mandate something that makes sense for one use case but not for another. 

So the intent of the Security draft (in conjunction with security text in the other DetNet drafts) thus far has been to provide some insights into the aspects of security that are introduced with time-sensitivity to routed networks, with a nod as to how they might be addressed, while being almost completely non-prescriptive about it, leaving the details as an exercise for the reader based on their particular use case. 

In other words, as soon as we say "a DetNet must include [any specific security property]", someone will inevitably come up with a use case for which that didn't make sense (insufficient time, insufficient CPU cycles, not required in this case because blah, etc.) For example when I look at your questions like "Do we need to provide integrity protection for the marking, or confidentiality protection, too?  Does  authentication/integrity need to be provided for in-line or are out-of-band considerations in play?" my thought would be to say "well it depends on the use case, i.e. the specific implementation". 

So at this point I don't know whether this stance is valid, or whether it is an abdication of our responsibility, or whether there are some stakes in the ground that we can actually claim will fit all use cases, and thus we should be stating as mandatory. Certainly we would like to avoid the outcome that the architecture leaves open questions as to whether a given implementation satisfies its security requirements. We also want to avoid being overly prescriptive such that "exceptions" would need to be made to accommodate diverse use cases. 

Please let us know how this line of thinking affects your assessment of our situation, if at all. My short term goal here is to unblock publication of the Architecture draft, but not at the expense of adequate coverage and integration of security. 

Thanks again for your review, 
Sincerely,
Ethan (as editor and co-author of the DetNet Security draft and the DetNet Use Cases draft). 


-----Original Message-----
From: detnet <detnet-bounces@ietf.org> On Behalf Of Lou Berger
Sent: Thursday, February 21, 2019 12:32 PM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-detnet-architecture@ietf.org; detnet@ietf.org; The IESG <iesg@ietf.org>; detnet-chairs@ietf.org
Subject: Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

Hi Benjamin,

On 2/20/2019 4:21 PM, Benjamin Kaduk wrote:
> Hi Lou,
>
> On Wed, Feb 20, 2019 at 11:34:11AM -0500, Lou Berger wrote:
>> On 2/20/2019 11:07 AM, Benjamin Kaduk wrote:
>>> On Wed, Feb 20, 2019 at 09:33:34AM -0500, Lou Berger wrote:
>>>> On 2/19/2019 10:44 PM, Benjamin Kaduk wrote:
>>>>> I note that the DETNET WG is explicitly chartered with a work item 
>>>>> for the "overall architecture: This work encompasses ... and security aspects".
>>>>> It seems incomplete to specify an architecture for a topic such as 
>>>>> deterministic networking without specifically considering what 
>>>>> threats are and are not in scope to be protected against.
>>>> The working group certainly recognizes that security is an 
>>>> important topic and necessary part of the work. The WG's  approach 
>>>> to ensure that this significant topic is sufficiently covered is to 
>>>> have a  document dedicated to the topic.  As you note below this 
>>>> work, draft-ietf-detnet-security, is not at the same level maturity 
>>>> - so please stay tuned.  Of course, the WG would welcome any input 
>>>> on this security draft now or even a full early-review or security area advisor.
>>> I do appreciate that the WG has taken the time to work on a 
>>> dedicated security document, that goes through the (tedious!) effort 
>>> to tabulate the various known attacker capabilities, threats, and their interactions.
>>>
>>> What I think is missing from the high-level architecture document is 
>>> a sense for what security goals the architecture intends to achieve.  
>>> It's fine to have this be separate from the nitty-gritty stuff in 
>>> the separate document, but these high-level questions can have an 
>>> impact on the high-level design of the protocol ecosystem as a 
>>> whole.  We have mounds of examples of "come up with a design; bolt security on as an afterthought"
>>> working poorly or being nigh-impossible, and I haven't seen any 
>>> attempt at justification for why doing so here is likely to be any different.
>>> Including the security concepts from the start and wholly 
>>> integrating them into the system tends to produce a much more 
>>> elegant design and smoother outcomes all around.
>> We went back and forth on how much of the security topic to include 
>> in the architecture document and settled on the current text of 
>> section 5 where just high level security requirements are identified.  
>> From your list below, the architecture covers the points you raise 
>> (non-detnet traffic impacting detnet traffic, and detnet traffic 
>> trying to use more than its allocation) mainly from a service 
>> delivery perspective.  It does mention "shaping" as a security 
>> concern, the document could expand these if helpful. But I think the 
>> real discussion point is how much of the security details should be 
>> in the base (vs dedicated) document  -- and that you disagree with 
>> where the WG has drawn the line.  Is this correct?
> Well, it's not as much that I disagree about where the line is drawn, 
> as that I disagree with the characterization as "high level security 
> requirements".
>
> The first paragraph covers topics worth including here, certainly -- 
> an attacker that can introduce delay can inherently break the DetNet 
> guarantees, and there is no further defense.  But the text could 
> probably go further than its current version and explicitly call out 
> that no technical measures can defend against such delay, other than 
> by rerouting/avoiding the compromised position.
>
> The second paragraph also covers a topic worth noting, that entropy 
> and Murphy as as important of risks to consider as active attacks.
>
> The rest of the section/list don't seem to match up with the 
> high-level view, though -- "protection of the signaling protocol", but 
> protection against what?  Authentication and authorization are 
> important parts of security, but authorization is tied to actions and 
> entities, not just entities in vacuo.  For "identification and shaping 
> of DetNet flows", if security must cover them, what security 
> properties are needed.  Do we need to provide integrity protection for 
> the marking, or confidentiality protection, too?  Does 
> authentication/integrity need to be provided for in-line or are out-of-band considerations in play?
>
> The rest of the document presents a good high level picture of what 
> pieces will be involved in a system, and how they fit together.  I'm 
> hoping to see a high-level picture of what attacks/failures the 
> architecture does and does not aim to protect against.  It's somewhat 
> implied that we need to protect against the failure of any single node 
> or link (except at the
> boundary) due to random faults; explicitly saying this would be a 
> perfect hting to include in the security considerations here!  Once we 
> get beyond entropy as an attack, into more active attack scenarios, 
> though, we need to consider what capabilities an attacker might have.  
> Do we protect against an entity with the ability to inject various 
> forms of traffic?  Modify or drop valid traffic?  Are there any 
> (classes of) credentials that we assume must be securely held, or will 
> we attempt to protect against attackers that have some privilege 
> within the system?  (Note that misbehaving hardware can sometimes 
> present as similar or identical to such an attacker.)
>
> Does this give a better picture of what I'm thinking of as "high-level 
> security requirements"?  I don't necessarily need details of specific 
> hardware or credentials at play, and certainly not for the solutions, 
> but I want to have a clear picture of what the scope of future 
> security analysis will be.  "How will I be able to tell if the actual 
> protocols meet the security requirements of the architecture?"

I'll get with authors (of both the architecture and security docs) and see how much they think can be reasonably be added to this document -- to be clear you *are* asking for a change in how the WG decide to address this topic and what would go in which document.

Lou

> -Benjamin
>
> _______________________________________________
> detnet mailing list
> detnet@ietf.org
> https://www.ietf.org/mailman/listinfo/detnet
>

_______________________________________________
detnet mailing list
detnet@ietf.org
https://www.ietf.org/mailman/listinfo/detnet

v2.23.0 | Report a Bug | By Email