[nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Jean-Michel Combes <jeanmichel.combes@gmail.com> Wed, 09 October 2024 11:03 UTC

Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: nasr@ietfa.amsl.com
Delivered-To: nasr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63115C14F6FE for <nasr@ietfa.amsl.com>; Wed, 9 Oct 2024 04:03:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wowBo5BaZyOU for <nasr@ietfa.amsl.com>; Wed, 9 Oct 2024 04:03:42 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C0CFC1516E1 for <nasr@ietf.org>; Wed, 9 Oct 2024 04:03:36 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id a1e0cc1a2514c-84fc21ac668so99864241.1 for <nasr@ietf.org>; Wed, 09 Oct 2024 04:03:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728471815; x=1729076615; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ST+tU+tv2WZzUgeo/AVTmcdnKneUXmC0dXwMp2Cw3VE=; b=jEgzYc5TknrPhTKQ/r3hxOHZXZcYk/2SXaFMJRPwtcq/pCOGf94xLsEaDkLXv/qW76 0xHmwogFc9GHv8YmedgTCL64wqSmAma48a/iNft6r7HirNYy4bpnCVTjDQWaCyLng193 GsA9+8SFoV7/19seUaBbmAHXIxPqjsc2Vc31SigJJtaHmaT3AOFNOGddb+6toMs5YE9J j+GqDSCwxXfhS3kFRikCJ6VWe1FaDGrwef+/uisIuflNHOFDW7f/SKnx0IFP4qC9z3TQ 6lPkvUVK86G8jupsTDrwbUsJJIuj8PcUzRgn0ivjXkHzkBxMOAx5eH+j6j23VqGqLR58 YDhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728471815; x=1729076615; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ST+tU+tv2WZzUgeo/AVTmcdnKneUXmC0dXwMp2Cw3VE=; b=jcUj7CMbcyHstrYP0mlIf2mHb1oirJ6cqLXkr5AkGFJVwtB+YE2imiA1h97PngYZp4 Idq9PIkg8jzt+3w6aMSDyP7dZ5MRql3biaLfcHJTm29999Fk8iuRYN6KxYGyj6B/rz3e 7KcjdjBY796i4Isk48IgTwWS4Ys9W7UCLsLsfYqbCe3qxV7p2ainOky+USqxMPcLRN1k umP4eK/99xmh/D7Q5Jt+4d579EB79HDsPgRTR/WyXeX/CKUanlugY4soLGHl3owjbZyq R5ioOckXZVXpyVGpKgK4TUJb36uOPxNcQwXQWLWbG2Jt8HHBmQluuByOfELpO2/ClC5/ TtNg==
X-Forwarded-Encrypted: i=1; AJvYcCUJ1Z/MpacR8/XhLmQ1pEKOvR5BKn2xbYpclwCvyHLmjgJxvH+YW/dODvk9BpEILY/TdnpA@ietf.org
X-Gm-Message-State: AOJu0YzI1fmenGyEbTf0RzHKf80Jg1t1ctgdmukqypTyBeJ9stoes8lh 7u+XjFtsnr5WFYhNJ2tL4dB+70dlUSYg+Kjx6lNjmwlYHJ9VroRP2R07NDC3KT491b4OWPYwbMX kNGQsMtTeGHYgFE/MIzQ+at8XI1/nPSW0
X-Google-Smtp-Source: AGHT+IHrjhTdsG3io8ANp7Jwpp4mQPBUg9B/dlQe3R2/ixQ9ju3O40AxOsz7kEE/cgvnOPD2gHHXLtSlFFjfSRp8Rwk=
X-Received: by 2002:a05:6122:4687:b0:509:3dc0:fdd9 with SMTP id 71dfb90a1353d-50cf02511c4mr986345e0c.0.1728471815273; Wed, 09 Oct 2024 04:03:35 -0700 (PDT)
MIME-Version: 1.0
References: <17219.1722798809@obiwan.sandelman.ca> <202408091800065008405@chinamobile.com> <744c46d5.25b2.19149927bcb.Coremail.liupenghui1982@163.com> <ca7257d77709444a914c402f419ad0b0@huawei.com> <630665a9.436d.1914a2e2fc7.Coremail.liupenghui1982@163.com> <c15aa26cea984239baf9d2d96b6ed5a7@huawei.com> <ZvyK4n-BI9S-SF94@faui48e.informatik.uni-erlangen.de> <24175.1727974451@obiwan.sandelman.ca> <Zv7t5QNKYiBXkLYf@faui48e.informatik.uni-erlangen.de> <5925.1727990783@obiwan.sandelman.ca> <ZwAhzypyovggw3n0@faui48e.informatik.uni-erlangen.de> <51088332df184b1b90017a023b07a639@huawei.com>
In-Reply-To: <51088332df184b1b90017a023b07a639@huawei.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
Date: Wed, 09 Oct 2024 13:03:24 +0200
Message-ID: <CAA7e52rArVz8LKh_=50RPsLLkBO72BXAoab4L3gogP84OVg8Tw@mail.gmail.com>
To: "Liuchunchi(Peter)" <liuchunchi=40huawei.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008dc27c0624093443"
Message-ID-Hash: IW3HZD7QSMKKROD73T2HUYCXJJQ3YUBV
X-Message-ID-Hash: IW3HZD7QSMKKROD73T2HUYCXJJQ3YUBV
X-MailFrom: jeanmichel.combes@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>, 刘鹏辉 <liupenghui1982@163.com>, Meiling Chen <chenmeiling@chinamobile.com>, "nasr@ietf.org" <nasr@ietf.org>, Luigi IANNONE <luigi.iannone@huawei.com>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/Fk9CXHpD1ugyRiuGXrkQrXpcM5Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>

Hi,

IETF has already standardized protocols doing only  _assumptions_ (i.e., no
way to check the reality) on security rules regarding the boundary of the
domain where such protocols are deployed:
- SFC [RFC8300, section 8.1]
"In summary, packets originating outside the SFC-enabled domain MUST be
dropped if they contain an NSH. Similarly, packets exiting the SFC-enabled
domain MUST be dropped if they contain an NSH."
- RPL [RFC6554, section 5.1]
"As specified in this document, RPL routers MUST drop datagrams entering or
exiting a RPL routing domain that contain an SRH in the IPv6 Extension
headers."
- SRv6 [RFC8402, section 8.2]
"SR domain boundary routers MUST filter any external traffic destined to an
address within the SRGB of the trusted domain or the SRLB of the specific
boundary router. External traffic is any traffic received from an interface
connected to a node outside the domain of trust.
>From a network-protection standpoint, there is an assumed trust model such
that any node adding an SRH to the packet is assumed to be
allowed to do so. Therefore, by default, the explicit routing information
MUST NOT be leaked through the boundaries of the administered domain.
Segment Routing extensions that have been defined in various protocols,
leverage the security mechanisms of these protocols such as encryption,
authentication, filtering, etc."

Can NASR help to transform such _assumptions_ into _proofs_ and, so, to
"achieve" (for the security part) the IETF works done on these protocols?

BTW, this is just a list of protocols I am aware of ... maybe others exist
with the same _assumptions_ ...

Thanks in advance for your replies.

Best regards,

JMC.

Le mar. 8 oct. 2024 à 12:31, Liuchunchi(Peter) <liuchunchi=
40huawei.com@dmarc.ietf.org> a écrit :

> just got back from a national holiday, sorry about the delays
>
> using filtering policies to control the dissemination border of security
> sensitive content is very good to have (and maybe is what we wanted in the
> first place), but as michael and luigi mentioned, the inability to
> completely eliminate L2 stealth nodes makes the work less exciting. But
> what we can do is, based on basic RATS methods, under certain trust
> assumptions, create a protocol to produce auditable forwarding evidence,
> which proves the device trustworthiness, execution logs, link security
> methods used, etc (exact items may be what we have to decide) when certain
> flow or packets are forwarded. In this way, it appears the more
> cost-efficient choice (for now, the first step) might be operation-centric
> forwarding auditing of above information, compact proof creation and
> visualization. This works as a tool that just objectively verifies and
> audits forwarding. Just thinking :P
>
> > -----Original Message-----
> > From: Toerless Eckert <tte@cs.fau.de>
> > Sent: Saturday, October 5, 2024 1:12 AM
> > To: Michael Richardson <mcr+ietf@sandelman.ca>
> > Cc: Liuchunchi(Peter) <liuchunchi@huawei.com>; =?us-
> > ascii?B?PT91dGYtOD9CPzVZaVk2Ym1QNkw2Sj89?=
> > <liupenghui1982@163.com>; Meiling Chen <chenmeiling@chinamobile.com>;
> > nasr@ietf.org
> > Subject: Re: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China
> > Mobile-ietf120
> >
> > On Thu, Oct 03, 2024 at 05:26:23PM -0400, Michael Richardson wrote:
> > >
> > > Toerless Eckert <tte@cs.fau.de> wrote:
> > >     > But avoidance of copying of traffic by undesired third parties
> if course a
> > core
> > >     > benefit that NASR can provide. And those prior examples can
> provide
> > examples of
> > >     > the attack vectors why that is undesirable. Even with todays
> easily
> > available
> > >     > end-to-end encryption.
> > >
> > > NASR can not provide any kind of avoidance of copying!
> >
> > I meant indirectly by being a way to ensure traffic paths that are
> expected to
> > make copying & decryption hard...impossible.... or possible by the
> "right"
> > people ;-)
> >
> > > (To do that you'd need quantum entangled links of the kind the QIRG is
> > > contemplating)
> >
> > Nice point actually. I remember Huawei was in the past a big fan of
> quantum
> > entangled links (last data point 2018). Cryptographers of course are
> always
> > dismissive (somewhat of a competition). And the visit in Yokohama to the
> > quantum research lab on friday was all about allowing entanglement to
> > actually go across longer paths.
> >
> > So i would certainly like to consider the continuuom of different
> methods to
> > protect links and nodes as part of a NASR architecture.
> >
> > Of course, i would foremost point to the added crypto value of hop-by-hop
> > encryption as opposed to only end-to-end encrypion, because of the higher
> > cost of crypto attacks - especially when you combine it with load
> distribution
> > across different paths.
> >
> > > What NASR can do is provide assurance that when you have such links,
> that:
> > > a) there are no stealth routers in the path.
> >
> > Depending on the technologies we emply in NAS, your could still have a
> > stealth L2 device though. Which by the way is a common way how firewalls
> > operate.
> >
> > > b) that the two sides of each QIRG link are operating nominally.
> >
> > Right.
> >
> > Cheers
> >     Toerless
> >
> > >     > But maybe much simpler: nation state actors have the means to
> extract
> > and even decrypt
> > >     > end-to-end traffic. But if they can not see the traffic because
> it does not
> > run across
> > >     > the paths desired by them, because they pass their network taps
> - then
> > >     > they can't do that.
> > >
> > > yes.
> > >
> > > --
> > > Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT
> consulting )
> > >            Sandelman Software Works Inc, Ottawa and Worldwide
> > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > ---
> > tte@cs.fau.de
> --
> nasr mailing list -- nasr@ietf.org
> To unsubscribe send an email to nasr-leave@ietf.org
>