[nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 03 October 2024 16:54 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: nasr@ietfa.amsl.com
Delivered-To: nasr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CB4AC14EB1E for <nasr@ietfa.amsl.com>; Thu, 3 Oct 2024 09:54:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PV2nf0S2ogLJ for <nasr@ietfa.amsl.com>; Thu, 3 Oct 2024 09:54:16 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E037BC14F6FF for <nasr@ietf.org>; Thu, 3 Oct 2024 09:54:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 9DBAE1800D; Thu, 3 Oct 2024 12:54:13 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavis, port 10024) with LMTP id Td8CDPi1JWhL; Thu, 3 Oct 2024 12:54:12 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1727974451; bh=jGCu9RvXvXWsWeNRQJe99zZSEImuCxOvbDfOhylzfqY=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=SHOZAOJevb/+y7ELL6k09QFNjmSVsSqq3y8IJ7RPsMGjOU3n5iV1pe1q+2jE75geW vtP1AXV7LXUirvzh+jNwPZ6FX4jANIoA4YD365QT5OCUUB7m7uC6mworLZHXkcdK9v HojEvxoenk8B9i7RpKu/L/8IHbFO+Efj9Or4nS/InjrtVugZdwObyYA82aEPB770d5 BFmtqQhYh61YsfnOccpZQ3I4bdFj0G226d9WhI78A5D3K05K5ZhwI01Ro4QiBTBQee oL3zsOLi31hHjP5rMsYRTnFwt/MeXYrXFacTYkp0F3Id35W//cQRIRH0SYj32cRzn4 7/1wUsrA3o/OQ==
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id C30781800C; Thu, 3 Oct 2024 12:54:11 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id BEC7647B; Thu, 3 Oct 2024 12:54:11 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>
In-Reply-To: <ZvyK4n-BI9S-SF94@faui48e.informatik.uni-erlangen.de>
References: <514b701e.3dbe.190e2e04151.Coremail.liupenghui1982@163.com> <202408011054476926448@chinamobile.com> <fe9299737de2469da894ed6e55a53bf1@huawei.com> <5aaf2f9d.1c92.19110d4dea0.Coremail.liupenghui1982@163.com> <17219.1722798809@obiwan.sandelman.ca> <202408091800065008405@chinamobile.com> <744c46d5.25b2.19149927bcb.Coremail.liupenghui1982@163.com> <ca7257d77709444a914c402f419ad0b0@huawei.com> <630665a9.436d.1914a2e2fc7.Coremail.liupenghui1982@163.com> <c15aa26cea984239baf9d2d96b6ed5a7@huawei.com> <ZvyK4n-BI9S-SF94@faui48e.informatik.uni-erlangen.de>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 03 Oct 2024 12:54:11 -0400
Message-ID: <24175.1727974451@obiwan.sandelman.ca>
Message-ID-Hash: L434JSNRP4FTFUSEU7SFZOBBWO72GTZX
X-Message-ID-Hash: L434JSNRP4FTFUSEU7SFZOBBWO72GTZX
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Liuchunchi(Peter)" <liuchunchi@huawei.com>, =?utf-8?B?5YiY6bmP6L6J?= <liupenghui1982@163.com>, Meiling Chen <chenmeiling@chinamobile.com>, "nasr@ietf.org" <nasr@ietf.org>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/NHizmBl1ZiJsQ4vDbrzy1xUCjO8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>

Toerless Eckert <tte@cs.fau.de> wrote:
    > The reason was simply that content providers had woken up to the attack vector
    > of encryption keys to not be very good long-term, or that in multicast, the
    > encrpyption key had to be shared to multiple subscribers, so some subscribers that
    > where permitted to receive the content could extract and share the
    > encryption key

It's an interesting storey, but I don't think it applies directly as a use
case for NASR.

    > Not sure if any of this multicast example is of interested to be written down
    > in any part of NASR docs, let me know if it is. Else this was just meant as
    > an example of history in network based leakage prevention to prohibit
    > encryption key sharing or long-term key cracking as an attack vector.

    > The unicast equivalent of course is not to upload to-be-protected content to
    > publically accessible web-caches because that too would make dissemination of
    > that content plus key cracking easier.

I'm trying to imagine a nation-state actor that replaces a stream with their
own while the stream was passing through their borders.  That seems pretty
tenuous, but not ridiculous to me.  Particularly when satellites might be involved.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide