[nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Follow-Up

["Liuchunchi(Peter)" <liuchunchi@huawei.com>]

Okay I think there is some minor confusion here…

1. The router in question would forward/has forwarded specific
traffic classes on specific links and not others.
[LI] Nope. NASR is not about forwarding on specific links. It is about being able to proof that traffic went through a certain set of devices that fulfil a set of claims (or requirements if you wish…).
2. That specific traffic classes would be/had been encrypted
using MACSEC.
[LI] Nope. (as I state in a previous mail) this is orthogonal to NASR. Whether you want to use it is not part of the NASR problem statement.


“A five tuple flow X use encrypted links“ IS a claim at device level. It is attestable by aggregating the evidences (configurations of all devices on path) and be inspected by the verifier.

Peter

From: Meiling Chen <chenmeiling@chinamobile.com>
Sent: Thursday, May 29, 2025 9:27 AM
To: Luigi IANNONE <luigi.iannone@huawei.com>; Eric Rescorla <ekr@rtfm.com>
Cc: Toerless Eckert <tte@cs.fau.de>; nasr <nasr@ietf.org>; IETF SAAG <saag@ietf.org>; Luigi Iannone <ggx@gigix.net>
Subject: [saag] Re: [nasr] Re: Re: Re: Re: NASR BOF Follow-Up

Hi,

I think Luigi's reply is completely in line with the original intention.

Best,
Meiling


发件人: Luigi IANNONE<mailto:luigi.iannone@huawei.com>
时间: 2025/05/27(星期二)15:46
收件人: Eric Rescorla<mailto:ekr@rtfm.com>;Meiling Chen<mailto:chenmeiling@chinamobile.com>;
抄送人: Watson Ladd<mailto:watsonbladd@gmail.com>;Henk Birkholz<mailto:henk.birkholz@ietf.contact>;Liuchunchi<mailto:liuchunchi=40huawei.com@dmarc.ietf.org>;Toerless Eckert<mailto:tte@cs.fau.de>;nasr<mailto:nasr@ietf.org>;IETF SAAG<mailto:saag@ietf.org>;Luigi Iannone<mailto:ggx@gigix.net>;
主题: RE: Re: [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up
HI,

I think there is a bit of a  misunderstanding …


The BOF presented a number of problems that allegedly NASR was trying
to solve, including that:

1. The router in question would forward/has forwarded specific
traffic classes on specific links and not others.
[LI] Nope. NASR is not about forwarding on specific links. It is about being able to proof that traffic went through a certain set of devices that fulfil a set of claims (or requirements if you wish…).
Attesting that the set of devices fulfils the requirements is done by extending the RATS technology.
Proving that the traffic did go through those devices is done a proof of transit technology for which there are a couple of early ideas documented.

2. That specific traffic classes would be/had been encrypted
using MACSEC.
[LI] Nope. (as I state in a previous mail) this is orthogonal to NASR. Whether you want to use it is not part of the NASR problem statement.

NASR represents one specific proposal for addressing these problems,
which is to attest to the code and configuration running on specific
network elements. So, yes, a system like NASR needs to establish
that the code and configuration guarantees these properties in
order to address the stated problem.
[LI] You do not need that level of granularity.
It's certainly not sufficient
to demonstrate that the device simply supports MACSEC, because
it might be disabled.

If you think there is some other set of problems that need to be
solved, and that these don't need to be then I think you need to state
that more clearly.
[LI] Agreed. We certainly need to do more work in clarifying the problem and possible solution space.
The ongoing exchange in very helpful in this sense.
Thanks
Ciao
L.



-Ekr