[nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Toerless Eckert <tte@cs.fau.de> Fri, 04 October 2024 18:42 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: nasr@ietfa.amsl.com
Delivered-To: nasr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89BE1C14F5E6 for <nasr@ietfa.amsl.com>; Fri, 4 Oct 2024 11:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.343
X-Spam-Level:
X-Spam-Status: No, score=0.343 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_DOTEDU=1.999] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJ5EZrXmmUrH for <nasr@ietfa.amsl.com>; Fri, 4 Oct 2024 11:42:22 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A48C14F603 for <nasr@ietf.org>; Fri, 4 Oct 2024 11:42:22 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4XKy8B3Bqsz1R6gW; Fri, 4 Oct 2024 20:42:18 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4XKy8B2MvvzkxTQ; Fri, 4 Oct 2024 20:42:18 +0200 (CEST)
Date: Fri, 04 Oct 2024 20:42:18 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: junzhang <junzhang1@huawei.com>
Message-ID: <ZwA3Cq1bu54Y3fXI@faui48e.informatik.uni-erlangen.de>
References: <202408091800065008405@chinamobile.com> <744c46d5.25b2.19149927bcb.Coremail.liupenghui1982@163.com> <ca7257d77709444a914c402f419ad0b0@huawei.com> <630665a9.436d.1914a2e2fc7.Coremail.liupenghui1982@163.com> <c15aa26cea984239baf9d2d96b6ed5a7@huawei.com> <ZvyK4n-BI9S-SF94@faui48e.informatik.uni-erlangen.de> <24175.1727974451@obiwan.sandelman.ca> <Zv7t5QNKYiBXkLYf@faui48e.informatik.uni-erlangen.de> <5925.1727990783@obiwan.sandelman.ca> <bcb2832ba5f24192be84c5c596ae41dd@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <bcb2832ba5f24192be84c5c596ae41dd@huawei.com>
Message-ID-Hash: OBPKWLNVY32RRCG673LCYXQYUW7YJHIP
X-Message-ID-Hash: OBPKWLNVY32RRCG673LCYXQYUW7YJHIP
X-MailFrom: eckert@i4.informatik.uni-erlangen.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "Liuchunchi(Peter)" <liuchunchi@huawei.com>, 刘鹏辉 <liupenghui1982@163.com>, Meiling Chen <chenmeiling@chinamobile.com>, "nasr@ietf.org" <nasr@ietf.org>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/LulH0Ta44dIF9PxVUuLw_LDdiLQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>

Interesting, Junzhan, thanks

I think all the concepts of security for data at rest are useful to look at
as an adjacency and "steal" useful concepts. But likewise i would think
that keeping data at rest out of scope for NASR is one simple way to constrain
the scope.

What i think will be of interest is to figure out what the most simple modelling
of the different degrees of security is for NASR. "Secure Nodes" of course are
a key aspect to make NASR useful, aka: If you would create any form of signature
from a key pair thats easily accessed by hackers, then it's at best NAsR ;-)

In this context (trusted devices), there is definitely the interesting evolution
from "destroy the hardware" over "zero the data" to "store encrypted, delete the keys".
and each of these steps adds convenience, but increases also risk of new insecurities.

To avoid scope creep it would be good to figure out how we can call the maximum
amount of those details "problems of other people", but of course, as soon as
one thinks of operationalizing NASR, those topics can't be avoided. And the device
level requirements against a trustworthy NASR implementation are IMHO as important
as the on-the-wire ones. Typically that would worry me in the IETF because it's
full of on-the-wire-centric folks, but luckily there are also enough security people
to understand that we need to specify security requirements well to meet the
expected security requirements of a solution.

There was also an interesting side meeting at IETF120 about TPMs... 

Cheers
    Toerless


On Fri, Oct 04, 2024 at 08:38:02AM +0000, junzhang wrote:
> Dear Michael and Toerless,
>        
>            In the cloud computing area, there is a concept called assured deletion, that is, to give a proof that after the data is removed from the cloud, and no one else can access it again. One typical approach to realize it is 
>            (1) encrypt the data such that it is computationally prohibitive to decrypt the data without the decryption key, 
> then (2) store the encrypted data in the cloud while keeping the decryption key secure, 
> and finally (3) securely delete the encryption key.
>           
>                    https://cdn.stmarytx.edu/wp-content/uploads/2020/10/Cloud-Storage-Assured-Deletion-Considerations-and-Schemes.pdf
> 
>           Is it related to the avoidance of copying traffic that you have discussed?
>           Yours,
>                  Jun Zhang
> 
> -----Original Message-----
> From: Michael Richardson <mcr+ietf@sandelman.ca> 
> Sent: Thursday, October 3, 2024 11:26 PM
> To: Toerless Eckert <tte@cs.fau.de>
> Cc: Liuchunchi(Peter) <liuchunchi@huawei.com>; =?us-ascii?B?PT91dGYtOD9CPzVZaVk2Ym1QNkw2Sj89?= <liupenghui1982@163.com>; Meiling Chen <chenmeiling@chinamobile.com>; nasr@ietf.org
> Subject: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
> 
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>     > But avoidance of copying of traffic by undesired third parties if course a core
>     > benefit that NASR can provide. And those prior examples can provide examples of
>     > the attack vectors why that is undesirable. Even with todays easily available
>     > end-to-end encryption.
> 
> NASR can not provide any kind of avoidance of copying!
> (To do that you'd need quantum entangled links of the kind the QIRG is contemplating)
> 
> What NASR can do is provide assurance that when you have such links, that:
> a) there are no stealth routers in the path.
> b) that the two sides of each QIRG link are operating nominally.
> 
>     > But maybe much simpler: nation state actors have the means to extract and even decrypt
>     > end-to-end traffic. But if they can not see the traffic because it does not run across
>     > the paths desired by them, because they pass their network taps - then
>     > they can't do that.
> 
> yes.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> 
> 

-- 
---
tte@cs.fau.de