Re: [Last-Call] Secdir last call review of draft-ietf-rift-applicability-14

Antoni Przygienda <prz@juniper.net> Thu, 18 April 2024 19:36 UTC

From: Antoni Przygienda <prz@juniper.net>
To: Watson Ladd <watsonbladd@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-rift-applicability.all@ietf.org" <draft-ietf-rift-applicability.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "rift@ietf.org" <rift@ietf.org>
Date: Thu, 18 Apr 2024 19:36:19 +0000
Message-ID: <474B9F9F-DE2C-4893-9F30-CAD134AE66BF@juniper.net>
References: <171346691888.35849.11446635845987775680@ietfa.amsl.com> <152A3F33-B9D4-4BA9-BC53-852D2745349A@juniper.net> <CACsn0cnx_VmEO1UoFY4xchH=XCdFwHeE4rVxtQ7zPqXcq6Fu4g@mail.gmail.com>
In-Reply-To: <CACsn0cnx_VmEO1UoFY4xchH=XCdFwHeE4rVxtQ7zPqXcq6Fu4g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/rgPnGIy5-lM2YsKcwtPhO0kv7Rg>

Fair comment. Yes, VMs could participate and it merits a discussion, though RIFT already has a section 9.9 on end system implementation and key considerations attached to it.

Further, thinking through what you say, I see that the applicability draft could be more specific on using e.g. KV for key roll-over, i.e. the fabric using a symmetric key pretty much that can be changed easily when compromised, and here, yes, it could indicate that it could easily support an end-system well-known symmetric key that can be changed when compromised, contrary to an in-fabric (i.e. networking nodes) key that is less likely to be compromised.

— Tony 

> On 18 Apr 2024, at 21:27, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> On Thu, Apr 18, 2024 at 12:18 PM Antoni Przygienda <prz@juniper.net> wrote:
>> 
>> Hmm, surprising comment a bit …
>> 
>> RIFT draft has a serious security section in 6.9 and a serious security considerations section in section 9 and IMO it belongs there. AFAIS those sections cover extensively security models possible and all kind of threats/considerations on secure implementations. Of course lots of that could be moved into applicability (should it? Is security “applicability” even and if so, which part of it? Guide how to deploy it securely?) but I don’t think that’s the intention and I’m a bit lost further what “specificity” means here specifically ;-) e.g. key management considerations do not seem particularly specific to RIFT as a protocol AFAIS unless what is desired is some RFC reference that describes key management in routing protocols and the pluses/minuses.
> 
> As an example of the kind of interaction I'm thinking about RIFT says
> "use one symmetric key for ZRT". The applicability document seems (and
> maybe I'm wrong in this) to have VMs directly participate in the
> fabric for mobility. That means all VMs have the symmetric key. You
> probably don't want that.
> 
> Sincerely,
> Watson Ladd
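The point the two messages above circle around is key separation: if end systems (VMs) share the same symmetric key as the fabric nodes, a leak from any one VM forces a roll-over of the whole fabric. The following is an added illustration, not code from the RIFT draft, the applicability draft, or either author, and it does not reproduce RIFT's actual security envelope or KV TIE format. It models two independent key domains (a hypothetical "fabric" ring and "end-system" ring), HMAC-SHA256 authentication with a key id bound into the MAC, and a roll-over in which the compromised end-system key is replaced and then retired while the fabric key is never touched. All domain names, key ids and secrets are constructed for the example.

```python
"""Toy model of per-domain keyrings with roll-over (constructed example).

Assumptions (not from RIFT): messages are tuples (domain, key_id, payload, tag),
the tag is HMAC-SHA256 over domain|key_id|payload, and a receiver accepts any
key still present in the domain's ring so that peers can roll over gracefully.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

FABRIC = "fabric"          # keys held only by networking nodes
END_SYSTEM = "end-system"  # keys held by VMs/servers participating in the fabric


def _to_be_signed(domain: str, key_id: int, payload: bytes) -> bytes:
    # Binding domain and key id into the MAC input stops a tag computed under
    # one domain's key from being accepted as a message of the other domain.
    return domain.encode() + b"|" + key_id.to_bytes(4, "big") + b"|" + payload


@dataclass
class Keyring:
    """Keys of one domain; more than one may be valid during roll-over."""
    keys: dict          # key_id -> secret bytes
    active: int         # key id used when signing new messages

    def rotate(self, new_id: int, secret: bytes) -> None:
        # Install the new key and sign with it from now on; the old key stays
        # acceptable for verification until retire() so peers are not cut off.
        self.keys[new_id] = secret
        self.active = new_id

    def retire(self, key_id: int) -> None:
        # Once every peer has the new key, drop the compromised one entirely.
        self.keys.pop(key_id, None)


@dataclass
class Fabric:
    rings: dict = field(default_factory=dict)  # domain -> Keyring

    def sign(self, domain: str, payload: bytes):
        ring = self.rings[domain]
        kid = ring.active
        tag = hmac.new(ring.keys[kid], _to_be_signed(domain, kid, payload),
                       hashlib.sha256).digest()
        return (domain, kid, payload, tag)

    def verify(self, msg) -> bool:
        domain, kid, payload, tag = msg
        ring = self.rings.get(domain)
        if ring is None or kid not in ring.keys:
            return False  # unknown domain or retired/unknown key id
        expected = hmac.new(ring.keys[kid], _to_be_signed(domain, kid, payload),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Walk through an end-system key compromise and roll-over."""
    fab = Fabric({
        FABRIC: Keyring({1: b"fabric-secret-1"}, active=1),
        END_SYSTEM: Keyring({1: b"vm-secret-1"}, active=1),
    })
    vm_msg_old = fab.sign(END_SYSTEM, b"prefix 10.0.0.0/24 via vm-a")  # constructed
    fab_msg = fab.sign(FABRIC, b"node tie from leaf-3")                # constructed
    r = {"vm_old_before": fab.verify(vm_msg_old),
         "fabric_before": fab.verify(fab_msg)}

    # A VM leaks its key: roll only the end-system domain.
    fab.rings[END_SYSTEM].rotate(2, b"vm-secret-2")
    r["vm_old_during_rollover"] = fab.verify(vm_msg_old)   # still accepted (grace)
    r["fabric_after_rotate"] = fab.verify(fab_msg)         # fabric key untouched

    fab.rings[END_SYSTEM].retire(1)
    r["vm_old_after_retire"] = fab.verify(vm_msg_old)      # now rejected
    r["vm_new"] = fab.verify(fab.sign(END_SYSTEM, b"prefix 10.0.1.0/24 via vm-b"))

    # A tag made with the (leaked) VM key presented as a fabric message fails,
    # because the fabric ring holds a different secret and the domain is in the MAC.
    forged = (FABRIC, vm_msg_old[1], vm_msg_old[2], vm_msg_old[3])
    r["cross_domain_forgery"] = fab.verify(forged)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The grace period (old key still verifiable after `rotate`, gone after `retire`) is what makes roll-over operationally safe; a deployment would drive those two steps from whatever distribution mechanism it uses, and the fabric ring is never rotated in response to an end-system compromise.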