Re: [I2nsf] AD Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-07

Rafa Marin-Lopez <rafa@um.es> Sat, 16 May 2020 09:46 UTC

Return-Path: <rafa@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 391C73A09DC for <i2nsf@ietfa.amsl.com>; Sat, 16 May 2020 02:46:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Co02hSacu0i for <i2nsf@ietfa.amsl.com>; Sat, 16 May 2020 02:46:01 -0700 (PDT)
Received: from mx01.puc.rediris.es (outbound1mad.lav.puc.rediris.es [130.206.19.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F320E3A09DB for <i2nsf@ietf.org>; Sat, 16 May 2020 02:46:00 -0700 (PDT)
Received: from xenon44.um.es (xenon44.um.es [155.54.212.171]) by mx01.puc.rediris.es with ESMTP id 04G9jj1f026523-04G9jj1g026523; Sat, 16 May 2020 11:45:45 +0200
Received: from localhost (localhost [127.0.0.1]) by xenon44.um.es (Postfix) with ESMTP id 5773720A71; Sat, 16 May 2020 11:45:45 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon44.um.es
Received: from xenon44.um.es ([127.0.0.1]) by localhost (xenon44.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id CHCCHSV-U32E; Sat, 16 May 2020 11:45:45 +0200 (CEST)
Received: from [192.168.1.44] (47.red-2-138-85.dynamicip.rima-tde.net [2.138.85.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon44.um.es (Postfix) with ESMTPSA id 47A5D209D8; Sat, 16 May 2020 11:45:41 +0200 (CEST)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <202B421A-24D5-411C-84D2-BFDAE1E3CE37@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EA711349-E450-4420-8C76-1A415A384F2E"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sat, 16 May 2020 11:45:41 +0200
In-Reply-To: <57be4218bd9f48eababda4731ca92ab2@cert.org>
Cc: Rafa Marin-Lopez <rafa@um.es>, "i2nsf@ietf.org" <i2nsf@ietf.org>, Gabriel Lopez <vice_calidad.inf@um.es>, =?utf-8?B?RmVybmFuZG8gUGVyZcOxw61ndWV6IEdhcmPDrWE=?= <fernando.pereniguez@cud.upct.es>
To: Roman Danyliw <rdd@cert.org>
References: <57be4218bd9f48eababda4731ca92ab2@cert.org>
X-Mailer: Apple Mail (2.3445.104.11)
Authentication-Results: mx01.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.171 as permitted sender) smtp.mailfrom=rafa@um.es
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=NKPE7+D77uVctidxENp5EEESzUs3D+WGIS+8apBsBXc=; b=RByflWTn+VFZSKfjCXZb7KhRCVVKfA2oe8sx63A2xkw9UfLqPP65AimAVSD1iwFJymkY4h60txXP b/sQ+9G6NA2Mifr0dEYs0vxNLsxN97nl9+aXdlBTkGeqMiN7O4tl12BIiCrsYCHabKNOvYkgZDYM 50mYpZfUSb4QHnWJ4SKzwZet4PzUOxTVkoePI8xC/wlpoizSW2ZJb5ItyEth/Y0Grl3EAj9UYcfg M5THdoUrDCGihrvbjlKPzF9PbJb/4ZAjl+j2i0mP/42ucbDOLcUBw6jNsyr8Xsw7vQcLkO31aSPt kUeBfPawmOylcGwa8ykk2SKG2EXvRFlwpm+GGQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/aGFSFeXNjue3n04V5SHl5KbJano>
Subject: Re: [I2nsf] AD Review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-07
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2020 09:46:04 -0000

Dear Roman:

I really hope this e-mail finds you well.

Thank you very much for this detailed revision. We really appreciate it.

We are preparing our answers to each of your comments/questions. We really hope we can have them by next week.

Best Regards.
 

> El 11 may 2020, a las 23:52, Roman Danyliw <rdd@cert.org> escribió:
> 
> Hi!
> 
> I performed an AD review of draft-ietf-i2nsf-sdn-ipsec-flow-protection-07 and my feedback is as follows:
> 
> (1) As written, it wasn't clear to me how this document fits into the I2NSF architecture.  There were a number of places in the document that the underlying reference architecture does not appear to link to the one specified in I2NSF.  The text at times reads like I2NSF, an SDN architecture or a generic configuration of IPSec.  This document needs additional text to frame the work for I2NSF so that it fits into the charter -- if it generalizes to other use cases, I don't see this as an issue.  The following is a non-exhaustive list where I saw dissidence.
> 
> -- Section 1.  What is the relationship between the SDN controller referenced here and the I2NSF NOMS per Figure 1 of RFC8329?
> 
> -- Section 1 makes no reference to I2NSF.
> 
> -- Section 5.  Does the proposed architecture cited in Figure 1 and 2 conform to the "I2NSF Reference Architecture" depicted in Figure 1 of RFC8329.  It seems like it should.  However:
> 
> o this document doesn't cite it.  It does however cite RFC8192.  In Figure 1 and 2 of this document, there is a "client facing interface"/"vendor facing interface"/"Security Controller", but RFC8329 has a "consumer facing interface"/"registration interface"/"Network Operator Management System"
> o In Figure 1 and 2 of this document there is an I2NSF agent in the NSF which isn't described elsewhere.
> o The Client-Facing Interface is cited as RFC8192.  What is the relationship between this interface and draft-ietf-i2nsf-consumer-facing-interface-dm?
> o What is the relationship between the NSF Facing Interface in Figure 1 and draft-ietf-i2nsf-nsf-facing-interface-dm?
> 
> -- Section 5.1.1.  How does the scenario of multiple Security Controllers and gateways relate to the I2NSF architecture?
> 
> -- Section 5.2.  Per "As shown in Figure 2, applications for flow protection run on top of the Security Controller", can you clarify what this means?  Is it that the functionality associated with translating the policy shared by I2NSF client is built into the security controller?
> 
> -- Section 5.3.  Per "In principle, IKE case is easier to deploy than IKE-less case because current gateways ..."  
> o s/IKE case is/the IKE case is/
> o s/than IKE-less case/than the IKE-less case/
> o what gateway is being referenced here - it isn't in Figure 1, 2 or RFC8329.  RFC8192 defines a security gateway be subsequently doesn't use it again
> 
> -- Section 5.3.  Per "Moreover hosts can install easily an IKE implementation":
> o s/can install easily/can easily install/
> o What are hosts in this context?  How are they related to the NSFs?
> 
> -- Section 5.3.1.  "However, when IKE is not used, we have followed a different approach to avoid any packet loss during rekey: the Security Controller installs first the new inbound SAs in both NSFs and then, the outbound IPsec SAs."  This text mentions multiple NSFs (i.e., "in both NSFs"), but the I2NSF is scoped to the interface between the controller and NSFs (but not between NSFs).
> 
> -- Section 7.  How do these use cases relate to the I2NSF architecture?  There appears to be a set of actions taken by an administrator that is at a different level of abstraction that specified by I2NSF
> o Section 7.1 and 7.2 discuss communication between NSFs which isn't covered in I2NSF
> o Section 7.2 discusses communication though an "east-west" interface between controllers which isn't covered in I2NSF
> o I also couldn't find a reference to I2NSF interactions where there are multiple controllers operated by different administrative entities.
> 
> (2) Abstract.  Editorial.  The sentence "This document describing ..." does not parse for me and I recommend tying it to the I2NSF architecture:
> OLD: 
> This document describes how providing IPsec-based flow protection by
>   means of a Software-Defined Network (SDN) controller (aka.  Security
>   Controller) and establishes the requirements to support this service.
> NEW:
> This document describes how to provide IPsec-based flow protection by means of a Software-Defined Network (SDN) controller (I2NSF   Security Controller) and establishes the requirements to support this service. 
> 
> (3) Abstract.  Per "The document focuses on the NSF Facing Interface ...", which NSF Facing Interface?  I2NSF or something more generic?
> 
> (4) Section 1.  Per "Recently, several network scenarios are considering a centralized way ...", this sentence notes that there are several network scenarios motivating the work but only names one, SD-WAN.  Either enumerate the others or note SD-WAN only.
> 
> (5) Section 1.  Editorial.
> OLD:
> SD-WAN is based on IPsec as underlying security
>   protocol and aims to provide flexible, automated, fast deployment and
>   on-demand security network services such as IPsec SA management from
>   a centralized point.
> NEW:
> SD-WAN is based on IPsec as an underlying security protocol and aims to provide flexible, automated, and rapid deployment; and enable on-demand security network services such as IPsec SA management from a centralized point.
> 
> (6) Section 1. "First, this document exposes the requirements to support the protection of data flows using IPsec [RFC4301].", I had trouble identifying the SDN-specific requirements in the text.  In what section is state stated?
> 
> (7) Section 1.  Editorial s/manage autonomously/autonomously manage/
> 
> (8) Section 1.  Per "The analysis of the host-to-gateway (roadwarrior) scenario is out of scope ...", 
> -- Consider using a different, less colloquial phrase than "roadwarrior"
> 
> -- EDITORIAL:
> OLD: 
> The analysis of the host-to-gateway (roadwarrior) scenario is out of scope of this document
> 
> NEW:
> Consideration for the host-to-gateway (roadwarrior) scenario is out of scope of this document
> 
> (9) Section 1.  Editorial. s/pays attention to the challenge/addresses the challenge of the/
> 
> (10) Section 3.  Per [I-D.ietf-i2nsf-terminology]:
> -- [I-D.ietf-i2nsf-terminology] is expired.  Are you sure you want to use?
> 
> -- Is there a reason to redefine NSF here as it is defined in [I-D.ietf-i2nsf-terminology]
> 
> (11) Section 3.  Editorial. s/dst\/src/destination\/source/
> 
> (12) Section 3. Typo. s/outboud/outbound/
> 
> (13) Section 4.  This section was a helpful scoping.  I would have benefit from reading it earlier (Section 1)
> 
> (14) Section 4.  Per "... in order to protect specific data flows", between what parts of the I2NSF infrastructure?
> 
> (15) Section 5.1.  Editorial
> OLD
> In this case the NSF ships an IKEv2 implementation besides the IPsec support.   
> 
> NEW
> In this case, the NSF ships an IPSec implementation with IKEv2 support.
> 
> (16) Section 5.1.1. Per Figure 1 (and applies to Figure 2)
> -- What is the "application support"?
> -- What is the "SPD entries Distr." Is that "distribution"?
> -- What's "data protection and forwarding"?
> 
> (17) Per Section 5.1.1.  Per "In order to support this capability in IKE cases, the following interface requirements need to be met:"
> -- To what interfaces is this referring?
> -- Editorial: s/in IKE case/in the IKE case/
> 
> (18) Section 5.2.1.  The text references an SDN controller.  Is that the Security Controller per Figure 2?  I recommend consistent language.
> 
> (19) Section 5.3.  Per "As downside, the NSF needs more resources to hold IKEv2", what does "hold IKEv2" mean in this context?  Is it an observation that the NSF will need more memory? Storage? Compute?
> 
> (20) Section 5.3.  Per "Moreover, the IKEv2 implementation needs to implement an internal interface" - what is an internal interface in this architecture?
> 
> (21) Section 5.3.  Recommend something more precise than "lighter NSFs".
> 
> (22) Section 5.3.  Per "On the contrary, the overload of creating and managing ...", "overload", to me, implies that the demand for a resource is out stripping the supply.  Do you mean "the overhead of creating ..."? Also see the last sentence of this paragraph, "In summary, this overload may ..."
> 
> (23) Section 5.3.2.  Per "Moreover, the Security Controller has a register about all the NSFs ...", what is "has a register"?  Is the intent to say that the controller keeps a list of NSFs?
> 
> (24) Section 5.3.2.  "In IKE-less case, if the Security Controller detects that a NSF has lost the IPsec SAs it will delete the old IPsec SAs on the non-failed nodes, established with the failed node (step 1).  This prevents the non-failed nodes from leaking plaintext."
> -- Is there a reason why normative language isn't used to require this clean up (i.e., deleting the old IPSec SAs)?
> -- Are there constraints on how quickly this needs to happen?
> 
> (25) Section 5.3.2.  Per "Nevertheless other more optimized options can be considered", what is the guidance to implementors with this statement?
> 
> (26) Section 5.3.3.  Per "On the contrary, the IKE-less case does not have any protocol in the NSFs to detect whether they are located behind a NAT or not.", it seems odd to make assumptions about the code in the NSFs.
> 
> (27) Section 5.3.3.  The normative behavior of the IKE-less NAT detection isn't clear.  The paragraphs "On the contrary, ..." and "For example ..." don't articulate what's to be done in the NAT case.
> 
> (28) Section 5.3.4.  Per "The assumption in this document is that, for both cases, before a NSF can operate in this system, it MUST be registered in the Security Controller.  In this way, when the NSF comes to live and establishes a connection to the Security Controller, it knows that the NSF is valid for joining the system."
> -- how does this registration and validation occur?  I see the text later says "This discover process is out of scope ...", but registration seems different than discovery.
> -- (editorially) I stumbled over "when the NSF comes to live", maybe "when the NSF starts"
> 
> (29) Section 6.2. Is the spd-entry having only a single traffic selector the only simplification of RFC4301.  If not, list all of the divergences.  Otherwise, I recommend explicitly saying only this edit was made.
> 
> (30) Section 6.2. Typo. s/instead a list/instead of  a list/
> 
> (31) Section 6.2.  Editorial. s/admit a traffic selector per IPsec policy/admit a single traffic selector per IPSec policy/
> 
> (32) Section 7.  Are the use cases normative text?  If not, please say so.  Consider moving them to an appendix outside of the normative flow of the text.  If the text is normative, then I'll have more feedback as they are underspecified for standards track text.
> 
> (33) Section 7.1.  "Besides, fresh SAD entries will be also generated by the Security Controller and enforced in the NSFs.  In this case, the Security Controller does not run any IKEv2 implementation (neither the NSFs), and it provides the cryptographic material for the IPsec SAs."  
> 
> Editorially, what the "beside" is referencing and the double negative in the second sentence created confusion for me.  Recommend:
> 
> NEW: 
> Fresh SAD entries will be also generated by the Security Controller and enforced in the NSFs.  As the Security Controller is not running IKEv2, it provide the cryptographic materials for the IPSec SAs.
> 
> (34) Section 7.2.  Step 3.  What does "NOTE: This may require extensions in the East/West interface." mean?
> 
> (35) Section 9.  s/MUST exit/MUST exist/
> 
> (36) Section 9.  Typo. s/to protect of the critical/to protect the critical/
> 
> (37) Section 9.0  Per "For example, when NETCONF is used as southbound protocol between the Security Controller and the NSFs, it is defined that TLS or SSH security association MUST be established between both entities", what is the difference between this normative language and Section 9.3's "The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer  is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446]."?
> 
> (38) Section 9.  Typo. s/This default policy MUST ... before the NSF contacts with the Security Controller/This default policy MUST ... before the NSF contacts the Security Controller/
> 
> (39) Section 9.  Per "Moreover, the startup configuration datastore MUST be pre-configured ..."
> -- where is the "startup configuration datastore" defined in the architecture?
> -- How is it provisioned (is this out of scope?)?
> 
> (40) Section 9.  Typo. s/always apply first/always first apply/
> 
> (41) Section 9. Per "In general, the Security Controller, as typically in the SDN paradigm, is a target for different type of attacks .  Thus, the Security Controller is a key entity in the infrastructure and MUST be protected accordingly ...", what are the details here?  Section 13 of [ITU-T.Y.3300]  says "Moreover, a logically centralized controller can be a single point of failure, and can be a target of malicious attacks, thus special attention is required." and Section 7 of [8192] doesn't mention the security controller at all.
> 
> (42) Section 9.1. Should configurations adhere to the algorithm recommendations of RFC8247?
> 
> (43) Section 9.1 and 9.2.  Per "The general recommendation is that the Security Controller MUST NOT store ...", is this a recommendation or a normative "MUST NOT".  To me, the use of the language "general recommendation" suggests it is optional.  I recommend:
> 
> OLD
> The general recommendation is that the Security Controller MUST NOT store the IKE credentials after distributing them.
> 
> NEW
> The Security Controller MUST NOT store the IKE credentials after distributing them
> 
> (44) Section 9.1.  Editorial.  s/One option is to return always .../One option is to always return .../
> 
> (45) Section 9.1.  Per "Moreover, the PSK MUST have a proper length (e.g.  minimum 128 bit length) and strength", what is the recommended guidance - it is that PSKs need to have 128-bit strength?  The normative guidance in a parenthetic example is not clear.
> 
> (46) Section 9.1. "How the NSF generates these cryptographic material (public key/private keys) and export the public key, or it is instructed to do so , it is out of the scope of this document."
> -- what is meant by "or it is instructed to do so"?
> -- s/export/exports/
> -- s/it is out of the scope/is out of scope/
> 
> Regards,
> Roman
> 
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------