IETF Logo Mail Archive

Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Mon, 04 March 2019 03:25 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B83F8130EFC; Sun, 3 Mar 2019 19:25:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LvfmTynvH7Z8; Sun, 3 Mar 2019 19:25:31 -0800 (PST)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-eopbgr720095.outbound.protection.outlook.com [40.107.72.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46275130ED4; Sun, 3 Mar 2019 19:25:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iRHzW2T5KSvfGZ+D1N2h5Evivod7JbNR+6ESLZYarzE=; b=xcmJmkFtu8KancPxi5mqEGO+TGVuC+HbQSOqRiOFpZefYE6g19WoJhNcdkcYRZ9h0svqtc+P8VzFkMEAvvqBwQKYS010wrONOwkW5AUvXv1qFv3QH4xsp54o4YNaUojmkh/dKfV3jZS0/HQ7FIDW9n8WG7dxYpnG98FKd4HpO0c=
Received: from CY4PR01CA0017.prod.exchangelabs.com (2603:10b6:903:1f::27) by BYAPR01MB4853.prod.exchangelabs.com (2603:10b6:a03:91::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.19; Mon, 4 Mar 2019 03:25:29 +0000
Received: from DM3NAM03FT054.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::202) by CY4PR01CA0017.outlook.office365.com (2603:10b6:903:1f::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1665.16 via Frontend Transport; Mon, 4 Mar 2019 03:25:29 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT054.mail.protection.outlook.com (10.152.83.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Mon, 4 Mar 2019 03:25:28 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x243POsu014709 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 3 Mar 2019 22:25:26 -0500
Date: Sun, 03 Mar 2019 21:25:24 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: János Farkas <janos.farkas@ericsson.com>
CC: Lou Berger <lberger@labn.net>, draft-ietf-detnet-architecture@ietf.org, detnet@ietf.org, The IESG <iesg@ietf.org>, detnet-chairs@ietf.org
Message-ID: <20190304032524.GM53396@kduck.mit.edu>
References: <155063426136.20704.6779201119170972943.idtracker@ietfa.amsl.com> <cb52062a-b4fb-b51a-2dc3-ca7f161c8f89@labn.net> <20190220160743.GD69562@kduck.mit.edu> <36c4ce97-5c4a-89ab-d648-3e7705a6acd3@labn.net> <20190220212104.GK69562@kduck.mit.edu> <30e27625-da32-7e67-6e3a-a923830b9e5c@labn.net> <e8b22823-fe37-4f6f-e7e3-d597ca29f882@ericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <e8b22823-fe37-4f6f-e7e3-d597ca29f882@ericsson.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(346002)(39860400002)(376002)(136003)(396003)(2980300002)(51914003)(189003)(199004)(75432002)(305945005)(106466001)(966005)(6246003)(246002)(50466002)(26005)(4326008)(33656002)(6306002)(55016002)(14444005)(86362001)(54906003)(126002)(53546011)(486006)(476003)(106002)(356004)(229853002)(6916009)(36906005)(786003)(58126008)(53416004)(316002)(336012)(76176011)(104016004)(7696005)(446003)(11346002)(23756003)(956004)(186003)(8936002)(426003)(30864003)(2906002)(66574012)(478600001)(2870700001)(1076003)(88552002)(26826003)(93886005)(8676002)(5660300002)(47776003); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR01MB4853; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 135d31a7-a22b-4732-9d6f-08d6a0510d11
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060); SRVR:BYAPR01MB4853;
X-MS-TrafficTypeDiagnostic: BYAPR01MB4853:
X-MS-Exchange-PUrlCount: 1
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB4853; 20:A4Bpr2yWCSiXGnlWbjoBbZIJMKUU1zJrUcLPEKvtqlWbm92kkyd/Z4ssaS2HHau8iA2Qz6mB4O7gAROMxTbErf6CYfuatBRMnsbcv+Am1xdH49/5vHbilSnGHPGV0qr1+1E/e5nT1/CFazN7pexzwVho0GChTpT6vO0ADGlZOhVdIJ6EeaKvgj6pKclvrDKhH1yvpRg64jYZONm0cZ80/bcAuQ66Hcz49gLHCupVbl2qv0lXe6GRcGnz090HsH1yzam4+LQc0kylULDsqsp0T6o/TuCssPTk4LD0TK1jWtJ/a1RN/3+nsFjWXy8anISlSBd88ZN0q/2J0RU4VSrvDWlBhmIBvdrLBY7x2rfB7V3zMGjhU0Rj+e8NfrHEjGIQ2Yfpos7ZGh/7oWx6OsrQ4fl/4qOnIr9DfuWBiUbLrhQ50esN+kGGp6tiiSW/TKlXSWc6dIlfFP0q+tJj7rTaN4rReYU5Dr66SX87ucpCWHy9NlxtgAqokuN8ToBXEsIc35xHznycVjiAelXZJ0RoChNbBMZO3E3oH3dBJw2R34PF+rBwmN4l1m2FXLXQkc7t4jxJBqTM0o+qaUvXxq1EAnM/ePCCQQzEAhpOY6HJ9d0=
X-Microsoft-Antispam-PRVS: <BYAPR01MB485305F6A3EE8A96E3433AC7A0710@BYAPR01MB4853.prod.exchangelabs.com>
X-Forefront-PRVS: 09669DB681
X-Microsoft-Exchange-Diagnostics: 1; BYAPR01MB4853; 23:frSraWyzkSvD3wMVb3269igno8zTAQSbRDA2J7OzHIVt++U8Bcx7PRNqFev2S5mAPA9noMkgiEsisqIt//0eohKoWrgZhXFlrLihA8Xix1aAV0oMIYBHtLJz6+f8t8dxJ60V3Ud8NL4Isuj/hO7js8aWe8pBHEYtPjVeG2YmxdMMZ4aSXUvzfNQaBSIP7a+PkMyUoDcUY0A5OGzaZMJsHQYm4mpqLbWBLt42kTxtB/LJOkgW6Z2RAnQh0hVGIv3QrRgr5Tf08Zqfgh2FWBNx7Fx86rYkGLX+X/M+f4cZtkNN4PSXJxDvA2RIWRzO5xs7SpkFJEIo94v48D6Egvi1SkIELW3f6X/5an13OaclPhzBK6FpZBy45uAMmgn+qlGUiGuztmWJzS9zYTEeRIFiAxSEViR/pg6FD4wOzCxrpbAuuA48G243V1cL6dtdHw2wRTs++1DXXrmKeoURygUZk1CJZzWgGcGVQzMOfZwOyxuZhPhqupuesjtRbqeprotTrAe8ruyXrDQwrOpjXFsWRJNtqjXreSrd7NEMWPDc8ddNnX1aFex6GxGTeA0uXVR+QdVu1uN85+QriSjNr3gQD0zNn6oqewllalK1I92idDA1P861lOOEe1Y9MlBuFdx0t5u6VDAOlf9B1Sso6nvuuNLlzKIn+c2CYyrf1Q7yhq++EyuQ4Eej++ERYPmO0Uq2Pec2LtQy7g8gqArHaZeGvduNBe6vDN789I7MH64uSUUmUJobHeBHNGTc1IQ2zi0cGsJHJLY5z7g2KP0d4l9dvfgSMqI8q08OJ+j2UkJQMl5wEshJ5oiFhqXZerOim8UR/Ciq1Wf9dRbCGnNwiLbaFSrNaFSge7ipT2Ne6i7hDEMlI7m3s+jeeuj/fJfrEj8QsqPzIuutVcAzRn7CZ0OcXil2lndTUoYKfrW6znJCF7T3qE28dD+LpG7cC5BXeiit/l5hCs4rcM5wVyv9vW+F4zCkOl1M8ws/ORNYVJqW1fHClsom2eSJhTqdnATL3vqEMqoLqEi2nHT3/OrfFAw27YxRPYfIRz7JRoOAfFq6bU7rcvJLEjibLdFakjcTawqvZAGltHSeRb/XQwM+FfVTm2ciElMU8zP7uaLqcekRNAi0JiBLw06m7dDFLg7QZLP2/u4NXh1cSyh9AOfh/jqdVo3F9FyOQ0S2RBN68coBC8jv7dlvs0G/IXNSg+KA3b2dv7o92cz2f6fwh2TjpBnG+xnbn/3chpuLAJ/0m77fu4fg2bGqXadIbLjdvOTStwBoB1Sm+zoR9Mzp0d/iZAGIfWHTv4Tm9WGo04jjPqQnnU8=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: GpHaSPphbnd23h2jJeax4PDIhmVVBY4tMHUVkKlDx5pBBPXPCoy2fikp9E39pXLWqSFe59sQY7zJD/VakHYs1Ed7nvw50MZftGeD9rteU038aKR9dpPAq7Ho1JsE8SfYjhuSNoDVG5DhU02Mmpnr0a633IgzaGW8fb9Dvkgb5LjK46pBb4Umxmm2w2W6zvSFKDSfd3eT7SVVv96xl8AxbKDPUsx1ja7qAcIeLWLAa+4NWq89aPXQo29JTQzK2US3BFzlPuLlld//n6hIuf+53r7thgeEdUSlwG7Zulp8i90XnEcd+0cJmzR0ZTeQ0YJ8wJ72GYM922huAr3Q4q6BLVt9/+wX8oGpfn2Mq+KHLjOBiNjxPgg5XuaMf4IZQwuOZcbyJO4oKIr+55LTOh8FWnvp9vrlUugy5/G6bxG6IqQ=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Mar 2019 03:25:28.7243 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 135d31a7-a22b-4732-9d6f-08d6a0510d11
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR01MB4853
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/yhU_4xYPpW_koA6R_oA4Y4kdDb0>
Subject: Re: [Detnet] Benjamin Kaduk's Discuss on draft-ietf-detnet-architecture-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 03:25:34 -0000

Hi János,

Thanks for the new text.  These are some great things to be thinking about,
but I'm a little worried that it's just specifying mechanism without
describing the motiviations; in fact, it may even be more detailed than we
need for this document.  More inline...

On Sat, Mar 02, 2019 at 07:22:15PM +0100, János Farkas wrote:
> Hi Benjamin,
> 
> Thank you for your review!
> 
> Focusing on the main point now: Section 5 Security Considerations. We 
> could consolidate the section to address your comment. Would it be 
> helpful to replace the section with the following text?:
> 
> 
> Security considerations for DetNet are described in detail in 
> [I-D.ietf-detnet-security]. This section considers exclusively security 
> considerations which are specific to the DetNet Architecture.
> 
> Security aspects which are unique to DetNet are those whose aim is to 
> secure the specific quality of service aspects of DetNet, which are 
> primarily to deliver data flows with extremely low packet loss rates and 
> bounded end-to-end delivery latency. A DetNet is implemented using MPLS 
> and IP (including both v4 and v6) technologies, and thus inherits the 
> security properties of those technologies at both the control plane and 
> the data plane.
> 
> Security considerations for DetNet are constrained (compared to, for 
> example, the open Internet) because DetNet is defined to operate only 
> within a single administrative domain (see Section 1).  The primary 
> considerations are to secure the request and control of DetNet 
> resources, maintain confidentiality of data traversing the DetNet, and 
> provide uninterrupted availability of the DetNet quality of service.

"secure" (verb) can mean many different things in different contexts.  So
when we want to "secure" the request and control of resources, that would
presumably be something like denying unauthorized entities the ability to
use the resources, and probably also to limit the consumption of any
given entity.  This probably also means that the ability of resources
external to DetNet to disrupt the DetNet resources should be limited in
some fashion, but the exact details are still unclear to me.
Similarly, the "uninterrupted availability" is not without qualifications:
an EMP or nuclear blast may not be something in the threat model that we
need to defend against.  But if we just say "uninterrupted availability",
the reader has no way to know that.

To be clear, I'm not saying that this introductory text has to change, but
if we keep it, the follow-on paragraphs need to provide the
motivation/reasoning that is missing here.

> To secure the request and control of DetNet resources, authentication 
> and authorization must be provided for each device connected to a DetNet 
> domain, most importantly to network controller devices. Control of a 

We require authn/authz because there is/are some risk(s) that we are trying to
protect against.  What is/are that risk?

> DetNet network may be centralized or distributed (within a single 
> administrative domain). In the case of centralized control, precedent 
> for security considerations as defined for ACTN can be found in RFC8453, 
> Section 9. In the case of a distributed control protocols, DetNet 
> security is expected to be provided by the security properties of the 
> protocols in use. In any case, the result must be that manipulation of 
> administratively configurable parameters is limited to authorized entities.

Deferring on control protocol security is a fine thing to do.

> To maintain confidentiality of data traversing the DetNet, application 
> flows must be protected through whatever means is provided by the 
> underlying technology. For example, encryption may be used, such as that 
> provided by IPSec for IP (Layer 3) flows and by MACSec for Ethernet 
> (Layer 2) flows. DetNet flows are identified on a per-flow basis, which 

(I wouldn't care whether the "For example" sentence is present or not; we
aren't necessarily obligated to provide it.)

> may provide attackers with additional information about the data flows 
> (when compared to networks that do not include per-flow identification); 
> this is an inherent property of DetNet which has security implications 
> which must be considered when determining if DetNet is a suitable 
> technology for any given use case. Similar consideration may need to be 
> given to the use of replicated packet flows, which result in increased 
> surface for Reconnaissance attacks. In any case, the result must be that 
> the confidentiality of the data is maintained to a degree sufficient for 
> the use cases addressed by the given DetNet implementation.

I could consider putting this in a new paragraph.  I'd also consider
trimming it down: the key point at this level is that detnet provides a new
type of information on packets that can be used by an attacker in the
network looking at metadata.  The specific details of that could be shunted
off to the other document with no real harm.

> To provide uninterrupted availability of the DetNet quality of service, 
> provisions must be made against DOS attacks and delay attacks. To 
> protect against DOS attacks, excess traffic due to malicious or 
> malfunctioning devices must be prevented or mitigated, for example 
> through the use of traffic admission control applied at the input of a 
> DetNet domain, as described in Section 3.2.1.1, and through the fault 
> mitigation methods described in Section 3.3.2.

This is getting closer to the sort of thing I was looking for -- we need to
provide availability *in the face of DOS attacks and delay attacks*.  We
could probably say more about where the boundary is between "external"
entities that could threaten DOS and "internal" entities that we assume
behave properly -- is it the boundary of the DetNet domain, or will we
consider the risk of misbehaving/compromised equipment in the domain?

> To prevent DetNet packets from being delayed, protection must be 
> provided against Man-In-The-Middle attacks, for example through use of 
> authentication and authorization of devices within the DetNet domain.

(nit: maybe join this into the previous paragraph, since that paragraph's
topic sentence also mentions delay)
This is also pretty close to what I hoped for: it implies that we need to
keep the traffic inside our trusted elements (by avoiding the MITM), since
the MITM is untrusted and could introduce delay, but the internal elements
are trusted to not delay.  So this could be "prevent DetNet packets from
being delayed by external network entities", which implicitly disclaims an
attempt to protect against a compromised DetNet router.

> Time synchronization methods are not specified by DetNet, however any 
> time synchronization method used with DetNet must also be secured, using 
> the security methods available for the given time synchronization 
> mechanism, for example as described in [RFC7384].
> In any case, the result must be that the DetNet is protected from DOS, 
> delay, and time manipulation attacks to the extent sufficient for the 
> use cases addressed by the given DetNet implementation.

I'd consider rephrasing this more like "Because DetNet mechanisms can make
heavy use of methods that require precise time synchronization, the
accuracy, availability, and integrity of time synchronization is of
critical importance.  Extensive discussion of this topic can be found in
[RFC7384]."  We may not need the rest of the details in this document.

> DetNet use cases are known to have widely divergent security 
> requirements. The intent of this section is to provide a baseline for 
> security considerations which are common to all DetNet designs and 
> implementations, without burdening individual designs with specifics of 
> security infrastructure which may not be germane to the given use case. 
> Designers and Implementers of DetNet systems are expected to take use 
> case specific considerations into account in their DetNet designs and 
> implementations.

This is good.

-Benjamin

> 
> Regards,
> Janos
> 
> 
> 
> On 2/21/2019 9:32 PM, Lou Berger wrote:
> > Hi Benjamin,
> >
> > On 2/20/2019 4:21 PM, Benjamin Kaduk wrote:
> >> Hi Lou,
> >>
> >> On Wed, Feb 20, 2019 at 11:34:11AM -0500, Lou Berger wrote:
> >>> On 2/20/2019 11:07 AM, Benjamin Kaduk wrote:
> >>>> On Wed, Feb 20, 2019 at 09:33:34AM -0500, Lou Berger wrote:
> >>>>> On 2/19/2019 10:44 PM, Benjamin Kaduk wrote:
> >>>>>> I note that the DETNET WG is explicitly chartered with a work 
> >>>>>> item for the
> >>>>>> "overall architecture: This work encompasses ... and security 
> >>>>>> aspects".
> >>>>>> It seems incomplete to specify an architecture for a topic such as
> >>>>>> deterministic networking without specifically considering what 
> >>>>>> threats are
> >>>>>> and are not in scope to be protected against.
> >>>>> The working group certainly recognizes that security is an important
> >>>>> topic and necessary part of the work. The WG's  approach to ensure 
> >>>>> that
> >>>>> this significant topic is sufficiently covered is to have a  document
> >>>>> dedicated to the topic.  As you note below this work,
> >>>>> draft-ietf-detnet-security, is not at the same level maturity - so
> >>>>> please stay tuned.  Of course, the WG would welcome any input on this
> >>>>> security draft now or even a full early-review or security area 
> >>>>> advisor.
> >>>> I do appreciate that the WG has taken the time to work on a dedicated
> >>>> security document, that goes through the (tedious!) effort to 
> >>>> tabulate the
> >>>> various known attacker capabilities, threats, and their interactions.
> >>>>
> >>>> What I think is missing from the high-level architecture document is a
> >>>> sense for what security goals the architecture intends to achieve.  
> >>>> It's
> >>>> fine to have this be separate from the nitty-gritty stuff in the 
> >>>> separate
> >>>> document, but these high-level questions can have an impact on the
> >>>> high-level design of the protocol ecosystem as a whole.  We have 
> >>>> mounds of
> >>>> examples of "come up with a design; bolt security on as an 
> >>>> afterthought"
> >>>> working poorly or being nigh-impossible, and I haven't seen any 
> >>>> attempt at
> >>>> justification for why doing so here is likely to be any different.
> >>>> Including the security concepts from the start and wholly 
> >>>> integrating them
> >>>> into the system tends to produce a much more elegant design and 
> >>>> smoother
> >>>> outcomes all around.
> >>> We went back and forth on how much of the security topic to include in
> >>> the architecture document and settled on the current text of section 5
> >>> where just high level security requirements are identified. From your
> >>> list below, the architecture covers the points you raise (non-detnet
> >>> traffic impacting detnet traffic, and detnet traffic trying to use more
> >>> than its allocation) mainly from a service delivery perspective.  It
> >>> does mention "shaping" as a security concern, the document could expand
> >>> these if helpful. But I think the real discussion point is how much of
> >>> the security details should be in the base (vs dedicated) document  --
> >>> and that you disagree with where the WG has drawn the line. Is this
> >>> correct?
> >> Well, it's not as much that I disagree about where the line is drawn, as
> >> that I disagree with the characterization as "high level security
> >> requirements".
> >>
> >> The first paragraph covers topics worth including here, certainly -- an
> >> attacker that can introduce delay can inherently break the DetNet
> >> guarantees, and there is no further defense.  But the text could 
> >> probably
> >> go further than its current version and explicitly call out that no
> >> technical measures can defend against such delay, other than by
> >> rerouting/avoiding the compromised position.
> >>
> >> The second paragraph also covers a topic worth noting, that entropy and
> >> Murphy as as important of risks to consider as active attacks.
> >>
> >> The rest of the section/list don't seem to match up with the high-level
> >> view, though -- "protection of the signaling protocol", but protection
> >> against what?  Authentication and authorization are important parts of
> >> security, but authorization is tied to actions and entities, not just
> >> entities in vacuo.  For "identification and shaping of DetNet flows", if
> >> security must cover them, what security properties are needed. Do we 
> >> need
> >> to provide integrity protection for the marking, or confidentiality
> >> protection, too?  Does authentication/integrity need to be provided for
> >> in-line or are out-of-band considerations in play?
> >>
> >> The rest of the document presents a good high level picture of what 
> >> pieces
> >> will be involved in a system, and how they fit together.  I'm hoping 
> >> to see
> >> a high-level picture of what attacks/failures the architecture does and
> >> does not aim to protect against.  It's somewhat implied that we need to
> >> protect against the failure of any single node or link (except at the
> >> boundary) due to random faults; explicitly saying this would be a 
> >> perfect
> >> hting to include in the security considerations here!  Once we get 
> >> beyond
> >> entropy as an attack, into more active attack scenarios, though, we 
> >> need to
> >> consider what capabilities an attacker might have.  Do we protect 
> >> against
> >> an entity with the ability to inject various forms of traffic? Modify or
> >> drop valid traffic?  Are there any (classes of) credentials that we 
> >> assume
> >> must be securely held, or will we attempt to protect against 
> >> attackers that
> >> have some privilege within the system?  (Note that misbehaving 
> >> hardware can
> >> sometimes present as similar or identical to such an attacker.)
> >>
> >> Does this give a better picture of what I'm thinking of as "high-level
> >> security requirements"?  I don't necessarily need details of specific
> >> hardware or credentials at play, and certainly not for the solutions, 
> >> but I
> >> want to have a clear picture of what the scope of future security 
> >> analysis
> >> will be.  "How will I be able to tell if the actual protocols meet the
> >> security requirements of the architecture?"
> >
> > I'll get with authors (of both the architecture and security docs) and 
> > see how much they think can be reasonably be added to this document -- 
> > to be clear you *are* asking for a change in how the WG decide to 
> > address this topic and what would go in which document.
> >
> > Lou
> >
> >> -Benjamin
> >>
> >> _______________________________________________
> >> detnet mailing list
> >> detnet@ietf.org
> >> https://www.ietf.org/mailman/listinfo/detnet
> >>
> >
> > _______________________________________________
> > detnet mailing list
> > detnet@ietf.org
> > https://www.ietf.org/mailman/listinfo/detnet
>

v2.23.0 | Report a Bug | By Email