From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 May 2025 09:32:00 -0700
Message-ID: 
 <CABcZeBNGt_9iG10enECOT0JgA1EwN1MsR-RDNDCC+a4TiG8WxQ@mail.gmail.com>
To: Luigi IANNONE <luigi.iannone@huawei.com>
Content-Type: multipart/alternative; boundary="00000000000068518b0635d0251c"
CC: Watson Ladd <watsonbladd@gmail.com>,
 Meiling Chen <chenmeiling@chinamobile.com>,
 Henk Birkholz <henk.birkholz@ietf.contact>,
 Liuchunchi <liuchunchi=40huawei.com@dmarc.ietf.org>,
 Toerless Eckert <tte@cs.fau.de>, "nasr@ietf.org" <nasr@ietf.org>,
 IETF SAAG <saag@ietf.org>, Luigi Iannone <ggx@gigix.net>
Subject: [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/nasr/2Zf34mAsnljjbRBo7Ccp8O2gda0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>

--00000000000068518b0635d0251c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, May 22, 2025 at 12:52 AM Luigi IANNONE <luigi.iannone@huawei.com> wrote:

> Hi Watson,
>
> > Correct. Some claims are easy to verify. Most aren't. Statements that
> > "the router supports X" aren't really interesting. Statements that "this
> > configuration will never pass your traffic over a bad link" are, but are
> > a lot harder to show.
>
> [LI] Agreed. This is a very hard claim to show/attest.
> Note however that this is not what NASR is trying to do.
> NASR is more about router has feature X, Y, and Z which is what I want,
> and that traffic goes through the selected routers that support X, Y and Z.
> NASR is not about proving that traffic does not go somewhere else (proof
> of non-transit is out of scope).
>

As I understood the presentations, you wanted to make claims like:

* This traffic was sent over an encrypted link
* All traffic to address X will be sent over an encrypted link
* This traffic is not being sent to a spanning port or otherwise available
for monitoring

Correct?

-Ekr





> Ciao
>
> L.
>

--00000000000068518b0635d0251c--

