[nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 10 October 2024 19:52 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: 刘鹏辉 <liupenghui1982@163.com>
In-Reply-To: <298c3b35.aa50.19275e21b7f.Coremail.liupenghui1982@163.com>
Date: Thu, 10 Oct 2024 15:52:09 -0400
Message-ID: <780.1728589929@obiwan.sandelman.ca>
CC: Luigi IANNONE <luigi.iannone=40huawei.com@dmarc.ietf.org>, Jean-Michel Combes <jeanmichel.combes@gmail.com>, "Liuchunchi(Peter)" <liuchunchi=40huawei.com@dmarc.ietf.org>, Toerless Eckert <tte@cs.fau.de>, Meiling Chen <chenmeiling@chinamobile.com>, "nasr@ietf.org" <nasr@ietf.org>
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/95h-NxxXCsb2lcMLeA7Mloo6OkQ>

刘鹏辉 <liupenghui1982@163.com> wrote:
    > Toerless etc said there may be stealth L2 device in-between routing as
    > discussed in early emails...

Yes.  There may also be bent fibre.  https://en.wikipedia.org/wiki/Fiber_tapping
That's the same.  We can't prevent it, and may be unable to detect it (short
of quantum entangled methods).  It presents a capture-now-decrypt-later
attack.

However,
1) We can encrypt everything (MACsec).
2) We can determine the trustworthiness of the end-points.
3) We can pick paths where the fibre does not go through adversarial or
insecure routes.

We can prove where traffic went, but we can not prove where traffic did not
go.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
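The closing point (we can prove where traffic went, but not where it did not go) modelled in Python, as an added example that is not part of the thread or of any NASR design: each attesting hop extends a proof tag with an HMAC under a per-hop key shared with the verifier (the keys, hop names and packet are constructed for illustration), and a passive tap or bent fibre copies the packet without touching the proof. It also carries the third point, choosing a candidate path whose hops are all trusted.

```python
import hashlib
import hmac

# Constructed per-hop keys shared with the verifier (assumption, not a real mechanism).
HOP_KEYS = {"R1": b"key-R1", "R2": b"key-R2", "R3": b"key-R3"}


def hop_mac(hop: str, prev_tag: bytes, packet: bytes) -> bytes:
    """One hop's contribution: HMAC over the previous tag and the packet."""
    return hmac.new(HOP_KEYS[hop], prev_tag + packet, hashlib.sha256).digest()


def forward(path: list, packet: bytes) -> tuple:
    """Carry `packet` along `path`; every attesting hop extends the proof.

    A hop named 'TAP' models a stealth L2 device or bent fibre: it sees the
    packet but holds no key, so the proof leaves no trace of it.
    """
    tag = b""
    visited = []
    for hop in path:
        if hop == "TAP":
            continue  # silently copies traffic, contributes nothing
        tag = hop_mac(hop, tag, packet)
        visited.append(hop)
    return visited, tag


def verify(claimed_path: list, packet: bytes, tag: bytes) -> bool:
    """Recompute the chain over the claimed path; True only if every claimed hop signed."""
    expected = b""
    for hop in claimed_path:
        if hop not in HOP_KEYS:
            return False
        expected = hop_mac(hop, expected, packet)
    return hmac.compare_digest(expected, tag)


def pick_path(candidates: list, trusted: set):
    """Point 3: the first candidate whose hops are all trusted, else None."""
    for path in candidates:
        if all(hop in trusted for hop in path):
            return path
    return None


if __name__ == "__main__":
    pkt = b"constructed packet"
    _, clean = forward(["R1", "R2", "R3"], pkt)
    _, tapped = forward(["R1", "TAP", "R2", "R3"], pkt)
    print("proof verifies:", verify(["R1", "R2", "R3"], pkt, clean))
    print("tap invisible to proof:", tapped == clean)
```

A packet that skipped R2 fails verification against the claimed path, while the tapped run produces a byte-identical proof, which is exactly why the proof is positive evidence only.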