[nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
"Liuchunchi(Peter)" <liuchunchi@huawei.com> Tue, 08 October 2024 10:31 UTC
Return-Path: <liuchunchi@huawei.com>
X-Original-To: nasr@ietfa.amsl.com
Delivered-To: nasr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E884EC151525 for <nasr@ietfa.amsl.com>; Tue, 8 Oct 2024 03:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.207
X-Spam-Level:
X-Spam-Status: No, score=-4.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 24rFHfuroe2N for <nasr@ietfa.amsl.com>; Tue, 8 Oct 2024 03:31:18 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9878C151095 for <nasr@ietf.org>; Tue, 8 Oct 2024 03:31:17 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.231]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4XNByp3X5Wz6GFRr; Tue, 8 Oct 2024 18:26:58 +0800 (CST)
Received: from lhrpeml500001.china.huawei.com (unknown [7.191.163.213]) by mail.maildlp.com (Postfix) with ESMTPS id 29D5D1402C6; Tue, 8 Oct 2024 18:31:16 +0800 (CST)
Received: from kwepemg100005.china.huawei.com (7.202.181.23) by lhrpeml500001.china.huawei.com (7.191.163.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Tue, 8 Oct 2024 11:31:15 +0100
Received: from dggpeml100018.china.huawei.com (7.185.36.133) by kwepemg100005.china.huawei.com (7.202.181.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 8 Oct 2024 18:31:13 +0800
Received: from dggpeml100018.china.huawei.com ([7.185.36.133]) by dggpeml100018.china.huawei.com ([7.185.36.133]) with mapi id 15.01.2507.039; Tue, 8 Oct 2024 18:31:13 +0800
From: "Liuchunchi(Peter)" <liuchunchi@huawei.com>
To: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
Thread-Index: AQHbFFzScoYwJ78sE0+8JtVYf3xQlrJ0uueAgAAoK4CAACPigIABSy6AgAZdORA=
Date: Tue, 08 Oct 2024 10:31:12 +0000
Message-ID: <51088332df184b1b90017a023b07a639@huawei.com>
References: <17219.1722798809@obiwan.sandelman.ca> <202408091800065008405@chinamobile.com> <744c46d5.25b2.19149927bcb.Coremail.liupenghui1982@163.com> <ca7257d77709444a914c402f419ad0b0@huawei.com> <630665a9.436d.1914a2e2fc7.Coremail.liupenghui1982@163.com> <c15aa26cea984239baf9d2d96b6ed5a7@huawei.com> <ZvyK4n-BI9S-SF94@faui48e.informatik.uni-erlangen.de> <24175.1727974451@obiwan.sandelman.ca> <Zv7t5QNKYiBXkLYf@faui48e.informatik.uni-erlangen.de> <5925.1727990783@obiwan.sandelman.ca> <ZwAhzypyovggw3n0@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZwAhzypyovggw3n0@faui48e.informatik.uni-erlangen.de>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.114.71]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Message-ID-Hash: VMVADNFIAXYQHUPP73BTTUS65CDVPIJX
X-Message-ID-Hash: VMVADNFIAXYQHUPP73BTTUS65CDVPIJX
X-MailFrom: liuchunchi@huawei.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: 刘鹏辉 <liupenghui1982@163.com>, Meiling Chen <chenmeiling@chinamobile.com>, "nasr@ietf.org" <nasr@ietf.org>, Luigi IANNONE <luigi.iannone@huawei.com>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/CzNXs24KX9PUWZv6LfdOPH5ijvA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>
just got back from a national holiday, sorry about the delays using filtering policies to control the dissemination border of security sensitive content is very good to have (and maybe is what we wanted in the first place), but as michael and luigi mentioned, the inability to completely eliminate L2 stealth nodes makes the work less exciting. But what we can do is, based on basic RATS methods, under certain trust assumptions, create a protocol to produce auditable forwarding evidence, which proves the device trustworthiness, execution logs, link security methods used, etc (exact items may be what we have to decide) when certain flow or packets are forwarded. In this way, it appears the more cost-efficient choice (for now, the first step) might be operation-centric forwarding auditing of above information, compact proof creation and visualization. This works as a tool that just objectively verifies and audits forwarding. Just thinking :P > -----Original Message----- > From: Toerless Eckert <tte@cs.fau.de> > Sent: Saturday, October 5, 2024 1:12 AM > To: Michael Richardson <mcr+ietf@sandelman.ca> > Cc: Liuchunchi(Peter) <liuchunchi@huawei.com>; =?us- > ascii?B?PT91dGYtOD9CPzVZaVk2Ym1QNkw2Sj89?= > <liupenghui1982@163.com>; Meiling Chen <chenmeiling@chinamobile.com>; > nasr@ietf.org > Subject: Re: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China > Mobile-ietf120 > > On Thu, Oct 03, 2024 at 05:26:23PM -0400, Michael Richardson wrote: > > > > Toerless Eckert <tte@cs.fau.de> wrote: > > > But avoidance of copying of traffic by undesired third parties if course a > core > > > benefit that NASR can provide. And those prior examples can provide > examples of > > > the attack vectors why that is undesirable. Even with todays easily > available > > > end-to-end encryption. > > > > NASR can not provide any kind of avoidance of copying! > > I meant indirectly by being a way to ensure traffic paths that are expected to > make copying & decryption hard...impossible.... or possible by the "right" > people ;-) > > > (To do that you'd need quantum entangled links of the kind the QIRG is > > contemplating) > > Nice point actually. I remember Huawei was in the past a big fan of quantum > entangled links (last data point 2018). Cryptographers of course are always > dismissive (somewhat of a competition). And the visit in Yokohama to the > quantum research lab on friday was all about allowing entanglement to > actually go across longer paths. > > So i would certainly like to consider the continuuom of different methods to > protect links and nodes as part of a NASR architecture. > > Of course, i would foremost point to the added crypto value of hop-by-hop > encryption as opposed to only end-to-end encrypion, because of the higher > cost of crypto attacks - especially when you combine it with load distribution > across different paths. > > > What NASR can do is provide assurance that when you have such links, that: > > a) there are no stealth routers in the path. > > Depending on the technologies we emply in NAS, your could still have a > stealth L2 device though. Which by the way is a common way how firewalls > operate. > > > b) that the two sides of each QIRG link are operating nominally. > > Right. > > Cheers > Toerless > > > > But maybe much simpler: nation state actors have the means to extract > and even decrypt > > > end-to-end traffic. But if they can not see the traffic because it does not > run across > > > the paths desired by them, because they pass their network taps - then > > > they can't do that. > > > > yes. > > > > -- > > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > > > > > > > > -- > --- > tte@cs.fau.de
- [nasr] Secure Routing Path Consideration- China M… Meiling Chen
- [nasr] Re: Secure Routing Path Consideration- Chi… Luigi Iannone
- [nasr] Re: Secure Routing Path Consideration- Chi… 刘鹏辉
- [nasr] 回复: Re: Secure Routing Path Consideration-… Meiling Chen
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Liuchunchi(Peter)
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Michael Richardson
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Meiling Chen
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Liuchunchi(Peter)
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Liuchunchi(Peter)
- [nasr] 回复: Re: 回复: Re: Secure Routing Path Consid… Meiling Chen
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Toerless Eckert
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Michael Richardson
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Toerless Eckert
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Michael Richardson
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… junzhang
- [nasr] Re: Secure Routing Path Consideration- Chi… Luigi Iannone
- [nasr] Re: Secure Routing Path Consideration- Chi… Michael Richardson
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Michael Richardson
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Toerless Eckert
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Toerless Eckert
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Michael Richardson
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Toerless Eckert
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Liuchunchi(Peter)
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Jean-Michel Combes
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Yutaka OIWA
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Luigi IANNONE
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Jean-Michel Combes
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Luigi IANNONE
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Liuchunchi(Peter)
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Luigi IANNONE
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Henk Birkholz
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Michael Richardson
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Meiling Chen
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Liuchunchi(Peter)
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Meiling Chen
- [nasr] Re: Secure Routing Path Consideration- Chi… Luigi Iannone
- [nasr] Re: Secure Routing Path Consideration- Chi… Liuchunchi(Peter)
- [nasr] Re: Secure Routing Path Consideration- Chi… Meiling Chen
- [nasr] Re: Secure Routing Path Consideration- Chi… Luigi IANNONE
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Jean-Michel Combes
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… 刘鹏辉
- [nasr] Re: Secure Routing Path Consideration- Chi… Meiling Chen
- [nasr] Re: 回复: Re: Secure Routing Path Considerat… Jean-Michel Combes