[nasr] Re: [saag] Re: NASR BOF Follow-Up
Richard Barnes <rlb@ipv.sx> Thu, 03 April 2025 13:08 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: nasr@mail2.ietf.org
Delivered-To: nasr@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1638916DDF3F for <nasr@mail2.ietf.org>; Thu, 3 Apr 2025 06:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmuPqtSmFSZH for <nasr@mail2.ietf.org>; Thu, 3 Apr 2025 06:08:57 -0700 (PDT)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E874516DDF22 for <nasr@ietf.org>; Thu, 3 Apr 2025 06:08:57 -0700 (PDT)
Received: by mail-il1-x130.google.com with SMTP id e9e14a558f8ab-3d445a722b9so4428785ab.3 for <nasr@ietf.org>; Thu, 03 Apr 2025 06:08:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1743685737; x=1744290537; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/pyXGzw/sqtWtulPjbmQEaoli86P1fpAz69EkfAmQqA=; b=ZQ4USyF1aNKxN75h2wKBfJfmLsZkmNo5nFULA33+QNHg/dBKvGViinnLN8U3nSsQBf fqUtWtVfxeqXEhGJy+KF5GQ92EPSJRH7OOw9Rn+uyO1Y9U8xfjO32lWag3lrKpWtXXfz 9Us1joLc9q5QUPOIJx817wWZoHA4yH+G5d0cckpguxcXOAZoWgK7Glfcm8uzqEMFGcop xN21uajqH6leykWf2tvR4KwyY9UzlxVMXNwejgTBnS3yepyUJU1FCLdLOeJQfgdwN73u 82c6P0MeLhlHRjUw0fXF7V5up3HmdcrkNVFU9HDqfm/MXdX38Rpqk3u07LVhVhaRKiyZ iFrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1743685737; x=1744290537; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/pyXGzw/sqtWtulPjbmQEaoli86P1fpAz69EkfAmQqA=; b=YjZ+m/FqTz3H4QK5Wi97m2N28wk055kS7usuvtDCXMQZKCD6uWITi86INVgx1Kn53K ZzfZArakQDNauYtA+MtbKm+70M8RAUqirBK7TN8cHIuXLGPEiG+TOLSDKhPnzsLNCI3Y FIdJB7gjGNCnG2/7PgKyt6Prr3xsqv7Pl5kYuHVTr7AH/SWKX1shDQIN5XjL4vOkdB34 NYN2V0gRWIsvqVSfA4IPmLX/k3h5eJH7iRfyul1p4TEphQAX3DU6H6ZCYtBUgKlH9HG2 CiwUxrYxDZdoV42F6zxxExt75aTts7Cq1KmR0CPiRKrUmuKpQRSfkvDj2pHkE10/SBJt JZSA==
X-Forwarded-Encrypted: i=1; AJvYcCWE2Lg3wzRGqx93Qg395+if6qCVJ+T4NagMpMvw7eYF4rrOfphpbcZcm7FFr4SWRKUWD9oZ@ietf.org
X-Gm-Message-State: AOJu0YziZMAM+1Fs1ZYZWVZA8ISehTKmQp0M5bkKhtSe7qbjOy52CGEU r0KXC2qPtY37rPHuPjVULFCXndX6F/eX9IxZH98P1qBova2hkDZAJWLaFTrpqXMKAGu1h8zeykF d00p+UmO1Dn7jwZUnxURd0/hreNLtWfNYR1Auig==
X-Gm-Gg: ASbGncuMjkn/h/VOsGnf/QUo9pB/bhB3/TvCm3q8iKwsow6zu6qENG098EPaabJNrA1 4bo9lo2f6XCf4G5fSxMEtp1Qz+wAH4umcpj3EzoDwk36K5bDhieH3nFmuJAUSDeVXnC0fSbgQh5 UQNT7vUKwsXoIf43OrB83UHcR2c60naKlZlilUSjHRcWkIPj5IF7+7BJTr4tc6
X-Google-Smtp-Source: AGHT+IFhXt6T17UZ7B0Pp2RCoQcSCw5e0Umf9ktMBPFsaHKwqmysmp97wcH+OuhHp6nkTN/OnMlX/Z4gaRHB+VkDJ2A=
X-Received: by 2002:a05:6e02:4401:20b0:3d5:890b:8ee with SMTP id e9e14a558f8ab-3d6dd76b1ebmr22064315ab.2.1743685737171; Thu, 03 Apr 2025 06:08:57 -0700 (PDT)
MIME-Version: 1.0
References: <ef08bf0afa924713acc629dff8156761@huawei.com> <2025040312042771743841@chinamobile.com>
In-Reply-To: <2025040312042771743841@chinamobile.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 03 Apr 2025 09:08:46 -0400
X-Gm-Features: ATxdqUErvYVYouWsrCwETayzA6ReQngWzH3eH46k7UN5nNk2mTuKIcDn5kz-QfU
Message-ID: <CAL02cgSg53nOB8BCSNCLGC78r41P_1VzBPoj2yOJP1qbS0jqfA@mail.gmail.com>
To: Meiling Chen <chenmeiling@chinamobile.com>
Content-Type: multipart/alternative; boundary="000000000000f6ff870631df7825"
Message-ID-Hash: N4H4W34Z2JDKYCTH6JIUOMIFXKTI2DZX
X-Message-ID-Hash: N4H4W34Z2JDKYCTH6JIUOMIFXKTI2DZX
X-MailFrom: rlb@ipv.sx
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Liuchunchi <liuchunchi=40huawei.com@dmarc.ietf.org>, "nasr@ietf.org" <nasr@ietf.org>, IETF SAAG <saag@ietf.org>, Luigi Iannone <ggx@gigix.net>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [nasr] Re: [saag] Re: NASR BOF Follow-Up
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/10gSsB8VONVEPFNk_1OCi652B9A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>
Thanks for the summary, Meiling. That covers most of the issues that I remember being raised. I would just like to touch on a few of these points: Q6 is a big one. The motivating examples in the BoF were all about proving that a packet didn't go someplace, which as multiple people pointed out, cannot be done. If this work is to go anywhere, it needs to solve a problem that is actually solvable. On Q18, I think Meiling's summary accurately captures what was said at the microphone, but I think that response is deeply misleading. This solution will result in detailed network state information going outside of operator networks, or it cannot work. Let me try to state it clearly: - The basic premise here is that the Network wants to attest to a Relying Party some properties about the overall state of the network - In order to evaluate whether the properties are true, a Verifier has to to actually look at the detailed network state - The Verifier has to be either the Relying Party or someone the Relying Party trusts - The Verifier **cannot** be the Network, because then the Network is just self-asserting and you don't need any technology at all Yes, the technical implementation might involve hashes. But fundamentally, the information has to leave the Network. So another thing the proponents need to demonstrate is that there's any plausible scenario where a network operator is going to be willing to expose this information. It was not raised in the BoF, but I would like to point out a logical inconsistency at the core of the proposition here: On the one hand, the proponents assert that end-to-end cryptographic protections are not sufficient to keep endpoints safe. On the other hand, the premise of the proposed solution is ... more cryptography. Attestations, MACSEC, etc. So the argument here cannot rest on a hand-wavy "cryptography isn't enough"; you need to articulate what specific risks you're addressing. Honestly, when I read the charter for this work, I did not initially have as negative a reaction. I initially presumed it was like verified SFC, and that you would do things like making a firewall rule a little more permissive if the flow had been verified upstream. It's not implausible that there are some use cases of that shape. But instead, the presentations in the BoF framed an impossible problem and an unworkable solution, which clearly I could not support. Hope that helps, --Richard On Thu, Apr 3, 2025 at 12:05 AM Meiling Chen <chenmeiling@chinamobile.com> wrote: > Hi all, > > We will continue to track and actively address the issues raised on NASR > BoF, for convenience, I have brought the Q&A record to the email list. > Welcome to continue discussing with those who are concerned about these > issues. > > Q1: Why is not end-to-end protection sufficient and why should we care > about where the traffic goes through? > Q2: Why this is important to assure at the network layer? > Q3: List actual concrete examples of existing regulations. > Q4: List the technical requirements in detail. > Q5: NASR being a possible way to address pervasive traffic monitoring > threats? > > Q6: Proof of transit does not imply that the packet didn’t exit the path. > ---->PoNT is out of scope. > > Q7: There is work about proof of transit that has been done in SFC, what > is needed to highlight what is not there (in routing, RATS, SFC PoT) which > NASR will provide.--> > NASR is the joint use of attestation techncology and proof of transit. > > Q8: What about lawful interceptions?----> > Trustworthiness as defined in RATS can attest that a router does what is > supposed to do, including lawful interception if it is what it is supposed > to do. > > Q9: There is work from RATS, like RFC 9684, that can be used in NASR. Why > an independent effort? Why not putting this work in an existing WG?----> > RATS is the building block to create path attestation, whose usage is then > verified with proof of transit. These two things together look out of the > scope of RATS. NASR does not want to replace RFC 9684, but rather > leverage it. > > Q10: What is exactly the definition of a path in NASR? BGP session? > Tunnel? physical links?----> > A document in PANRG has a good definition of what a path is. > > Q11: Trustworthiness and traffic engineering are already addressed in > different places, so what is new in NASR? ----> > The possibility for the customers to verify that the traffic has been > engineered in the way they asked. How to do it is the gap NASR wants to > fill. > > Q12: Candidate solutions from problems exist in other venues (Routing > security / SFC)----> > True, but they do not address the combination (forwarding). > > Q13: Proposed work may result in fragmentation of the Internet, including > and excluding poeople?----> > No. That is the wrong terminology to use. NASR is about path complaint to > a set of claims. Is a specific service in a limited domain not a general > service for the Internet. > > Q14: Clarification of requirements whether the requirement is to detect > nodes along the path that do not support NASR?----> > No. Only have proof that traffic went through a set of nodes that support > NASR. > > Q15: Bringing the work to RATS would not work. RATS is already bloated and > bringing all this work there is not possible. > > Q16: PoT has cryptographic cost.---> > Implementation on SRv6 shows that the cost is very limited. > > Q17: Remark about the scope of implementation: Internet or limited > domain?---> > limited domain implemented at the operator level. > > Q18: Need to verify every configuration (binary / configuration files / > routers) in order to determine the properties of the path?--->This is not > how remote attestation works. There is no configuration shared, the > configuration is attested through trusted third party. You share hash > values that attest the the property. > > Q19: Why not doing this in the SFC WG?---->Piece can be done in other WG, > but from a global perspective wold be better to have a WG. > > Q20: For reliability, what about having multiple paths? Can it be a > scalability issue? ----Yes, the attribute of multiple path is included. > > Best, > Meiling > > > *From:* Liuchunchi\(Peter\) <liuchunchi=40huawei.com@dmarc.ietf.org> > *Date:* 2025-03-29 19:19 > *To:* nasr@ietf.org; IETF SAAG <saag@ietf.org> > *CC:* ggx@gigix.net > *Subject:* [saag] NASR BOF Follow-Up > > Hi NASR, SAAG, > > > > Thanks everyone for participating and contributing valuable feedbacks to > the NASR BOF last week! Thank you Nancy and Luigi for mediating a > productive discussion, and thanks Deb for supervising the process. > > > > During the process, we had extensive discussions that showed both major > interests in the problem and differing understanding of the objective. For > example, NASR represents new use case requirements that aim to extend > Remote Attestation benefits to the network scale, providing more > comprehensive security visibility and behavioral assurance across network > deployments to the customers. But NASR is not intended, in any capacity, to > serve as a substitute for end-to-end encryption technology, etc. > > > > The poll result shows a clear consensus that this is an IETF problem, but > a rougher (at best) or no consensus that the problem is well understood. > > > > To help on that, next steps we will work on a dedicated document that > collects all valuable feedbacks from the BOF and resolve them one-by-one. > Again, we sincerely thank everyone who contributed valuable feedbacks and > cares about bringing more security and transparency to networks! > > > > Best regards, > > Peter (Chunchi) Liu > > > > _______________________________________________ > saag mailing list -- saag@ietf.org > To unsubscribe send an email to saag-leave@ietf.org >
- [nasr] NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Richard Barnes
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up 刘鹏辉
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Richard Barnes
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Summary of Discussions So far---Re: [saag]… Meiling Chen
- [nasr] Re: Summary of Discussions So far---Re: [s… Luigi IANNONE
- [nasr] Re: Summary of Discussions So far---Re: [s… Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Liuchunchi(Peter)
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Stephen Farrell
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Liuchunchi(Peter)
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Adrian Farrel
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Eric Rescorla
- [nasr] Re: [saag] Re: Re: NASR BOF Follow-Up Carsten Bormann