[nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

"Liuchunchi(Peter)" <liuchunchi@huawei.com> Thu, 10 October 2024 07:04 UTC

Return-Path: <liuchunchi@huawei.com>
X-Original-To: nasr@ietfa.amsl.com
Delivered-To: nasr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06653C1D4CD4 for <nasr@ietfa.amsl.com>; Thu, 10 Oct 2024 00:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VprflE9N8IIh for <nasr@ietfa.amsl.com>; Thu, 10 Oct 2024 00:04:45 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD2DBC1D4CCE for <nasr@ietf.org>; Thu, 10 Oct 2024 00:04:44 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.31]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4XPLLx4fylz6J6nL; Thu, 10 Oct 2024 15:03:21 +0800 (CST)
Received: from lhrpeml100006.china.huawei.com (unknown [7.191.160.224]) by mail.maildlp.com (Postfix) with ESMTPS id 8AA06140391; Thu, 10 Oct 2024 15:04:41 +0800 (CST)
Received: from dggpeml100020.china.huawei.com (7.185.36.91) by lhrpeml100006.china.huawei.com (7.191.160.224) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Thu, 10 Oct 2024 08:04:40 +0100
Received: from dggpeml100018.china.huawei.com (7.185.36.133) by dggpeml100020.china.huawei.com (7.185.36.91) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Thu, 10 Oct 2024 15:04:38 +0800
Received: from dggpeml100018.china.huawei.com ([7.185.36.133]) by dggpeml100018.china.huawei.com ([7.185.36.133]) with mapi id 15.01.2507.039; Thu, 10 Oct 2024 15:04:38 +0800
From: "Liuchunchi(Peter)" <liuchunchi@huawei.com>
To: Luigi IANNONE <luigi.iannone=40huawei.com@dmarc.ietf.org>, Jean-Michel Combes <jeanmichel.combes@gmail.com>
Thread-Topic: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
Thread-Index: AQHbFFzScoYwJ78sE0+8JtVYf3xQlrJ0uueAgAAoK4CAACPigIABSy6AgAZdORCAAReHAIAAHM2AgAGDYEA=
Date: Thu, 10 Oct 2024 07:04:38 +0000
Message-ID: <b8af360c37e8436ba370c70ea165ba85@huawei.com>
References: <17219.1722798809@obiwan.sandelman.ca> <202408091800065008405@chinamobile.com> <744c46d5.25b2.19149927bcb.Coremail.liupenghui1982@163.com> <ca7257d77709444a914c402f419ad0b0@huawei.com> <630665a9.436d.1914a2e2fc7.Coremail.liupenghui1982@163.com> <c15aa26cea984239baf9d2d96b6ed5a7@huawei.com> <ZvyK4n-BI9S-SF94@faui48e.informatik.uni-erlangen.de> <24175.1727974451@obiwan.sandelman.ca> <Zv7t5QNKYiBXkLYf@faui48e.informatik.uni-erlangen.de> <5925.1727990783@obiwan.sandelman.ca> <ZwAhzypyovggw3n0@faui48e.informatik.uni-erlangen.de> <51088332df184b1b90017a023b07a639@huawei.com> <CAA7e52rArVz8LKh_=50RPsLLkBO72BXAoab4L3gogP84OVg8Tw@mail.gmail.com> <f0b125fcf8fc45c4b3991202c9b0a3c6@huawei.com>
In-Reply-To: <f0b125fcf8fc45c4b3991202c9b0a3c6@huawei.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.114.71]
Content-Type: multipart/alternative; boundary="_000_b8af360c37e8436ba370c70ea165ba85huaweicom_"
MIME-Version: 1.0
Message-ID-Hash: EI3RZ5JCROSQHTRYMPX7BFDKXPAWBCUW
X-Message-ID-Hash: EI3RZ5JCROSQHTRYMPX7BFDKXPAWBCUW
X-MailFrom: liuchunchi@huawei.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>, 刘鹏辉 <liupenghui1982@163.com>, Meiling Chen <chenmeiling@chinamobile.com>, "nasr@ietf.org" <nasr@ietf.org>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/R5MKhlJ_Pj8CSeOj7VAX8DgVi80>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>

Hi Jean-Michel,

This is an interesting question and directly relates to data leakage problem. Preventing SRv6 packet leak from trusted domains are required by RFC8402, as you listed, but each individual forwarding decision still depends on the border device. Having 100% guarantee/proof of no-leakage is like proof-of-non-transit, very hard to achieve. But on one hand, having a full audit record about “where did this border device A forwarded this packet/flow X” definitely helps. On the other hand, I think its SPRING/SRv6OPS’s day job to consider developing methods to more securely filter them. Two techniques can complement each other. Some related work in the INTAREA ongoing: https://datatracker.ietf.org/doc/draft-wkumari-intarea-safe-limited-domains/ if it helps

Peter

From: Luigi IANNONE <luigi.iannone=40huawei.com@dmarc.ietf.org>
Sent: Wednesday, October 9, 2024 8:46 PM
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>; Liuchunchi(Peter) <liuchunchi@huawei.com>
Cc: Toerless Eckert <tte@cs.fau.de>; Michael Richardson <mcr+ietf@sandelman.ca>; 刘鹏辉 <liupenghui1982@163.com>; Meiling Chen <chenmeiling@chinamobile.com>; nasr@ietf.org
Subject: RE: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Hi Jean-Michel,

From: Jean-Michel Combes <jeanmichel.combes@gmail.com<mailto:jeanmichel.combes@gmail.com>>
Sent: Wednesday, 9 October 2024 13:03
To: Liuchunchi(Peter) <liuchunchi=40huawei.com@dmarc.ietf.org<mailto:liuchunchi=40huawei.com@dmarc.ietf.org>>
Cc: Toerless Eckert <tte@cs.fau.de<mailto:tte@cs.fau.de>>; Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>>; 刘鹏辉 <liupenghui1982@163.com<mailto:liupenghui1982@163.com>>; Meiling Chen <chenmeiling@chinamobile.com<mailto:chenmeiling@chinamobile.com>>; nasr@ietf.org<mailto:nasr@ietf.org>; Luigi IANNONE <luigi.iannone@huawei.com<mailto:luigi.iannone@huawei.com>>
Subject: Re: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Hi,

IETF has already standardized protocols doing only  _assumptions_ (i.e., no way to check the reality) on security rules regarding the boundary of the domain where such protocols are deployed:
- SFC [RFC8300, section 8.1]
"In summary, packets originating outside the SFC-enabled domain MUST be dropped if they contain an NSH. Similarly, packets exiting the SFC-enabled domain MUST be dropped if they contain an NSH."
- RPL [RFC6554, section 5.1]
"As specified in this document, RPL routers MUST drop datagrams entering or exiting a RPL routing domain that contain an SRH in the IPv6 Extension headers."
- SRv6 [RFC8402, section 8.2]
"SR domain boundary routers MUST filter any external traffic destined to an address within the SRGB of the trusted domain or the SRLB of the specific boundary router. External traffic is any traffic received from an interface connected to a node outside the domain of trust.
From a network-protection standpoint, there is an assumed trust model such that any node adding an SRH to the packet is assumed to be
allowed to do so. Therefore, by default, the explicit routing information MUST NOT be leaked through the boundaries of the administered domain. Segment Routing extensions that have been defined in various protocols, leverage the security mechanisms of these protocols such as encryption, authentication, filtering, etc."

Can NASR help to transform such _assumptions_ into _proofs_ and, so, to "achieve" (for the security part) the IETF works done on these protocols?

[LI] Interesting use case. I would say that the “auditing” part of NASR can some how used for that purpose. 😉

Ciao

L.







BTW, this is just a list of protocols I am aware of ... maybe others exist with the same _assumptions_ ...

Thanks in advance for your replies.

Best regards,

JMC.

Le mar. 8 oct. 2024 à 12:31, Liuchunchi(Peter) <liuchunchi=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>> a écrit :
just got back from a national holiday, sorry about the delays

using filtering policies to control the dissemination border of security sensitive content is very good to have (and maybe is what we wanted in the first place), but as michael and luigi mentioned, the inability to completely eliminate L2 stealth nodes makes the work less exciting. But what we can do is, based on basic RATS methods, under certain trust assumptions, create a protocol to produce auditable forwarding evidence, which proves the device trustworthiness, execution logs, link security methods used, etc (exact items may be what we have to decide) when certain flow or packets are forwarded. In this way, it appears the more cost-efficient choice (for now, the first step) might be operation-centric forwarding auditing of above information, compact proof creation and visualization. This works as a tool that just objectively verifies and audits forwarding. Just thinking :P

> -----Original Message-----
> From: Toerless Eckert <tte@cs.fau.de<mailto:tte@cs.fau.de>>
> Sent: Saturday, October 5, 2024 1:12 AM
> To: Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr%2Bietf@sandelman.ca>>
> Cc: Liuchunchi(Peter) <liuchunchi@huawei.com<mailto:liuchunchi@huawei.com>>; =?us-
> ascii?B?PT91dGYtOD9CPzVZaVk2Ym1QNkw2Sj89?=
> <liupenghui1982@163.com<mailto:liupenghui1982@163.com>>; Meiling Chen <chenmeiling@chinamobile.com<mailto:chenmeiling@chinamobile.com>>;
> nasr@ietf.org<mailto:nasr@ietf.org>
> Subject: Re: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China
> Mobile-ietf120
>
> On Thu, Oct 03, 2024 at 05:26:23PM -0400, Michael Richardson wrote:
> >
> > Toerless Eckert <tte@cs.fau.de<mailto:tte@cs.fau.de>> wrote:
> >     > But avoidance of copying of traffic by undesired third parties if course a
> core
> >     > benefit that NASR can provide. And those prior examples can provide
> examples of
> >     > the attack vectors why that is undesirable. Even with todays easily
> available
> >     > end-to-end encryption.
> >
> > NASR can not provide any kind of avoidance of copying!
>
> I meant indirectly by being a way to ensure traffic paths that are expected to
> make copying & decryption hard...impossible.... or possible by the "right"
> people ;-)
>
> > (To do that you'd need quantum entangled links of the kind the QIRG is
> > contemplating)
>
> Nice point actually. I remember Huawei was in the past a big fan of quantum
> entangled links (last data point 2018). Cryptographers of course are always
> dismissive (somewhat of a competition). And the visit in Yokohama to the
> quantum research lab on friday was all about allowing entanglement to
> actually go across longer paths.
>
> So i would certainly like to consider the continuuom of different methods to
> protect links and nodes as part of a NASR architecture.
>
> Of course, i would foremost point to the added crypto value of hop-by-hop
> encryption as opposed to only end-to-end encrypion, because of the higher
> cost of crypto attacks - especially when you combine it with load distribution
> across different paths.
>
> > What NASR can do is provide assurance that when you have such links, that:
> > a) there are no stealth routers in the path.
>
> Depending on the technologies we emply in NAS, your could still have a
> stealth L2 device though. Which by the way is a common way how firewalls
> operate.
>
> > b) that the two sides of each QIRG link are operating nominally.
>
> Right.
>
> Cheers
>     Toerless
>
> >     > But maybe much simpler: nation state actors have the means to extract
> and even decrypt
> >     > end-to-end traffic. But if they can not see the traffic because it does not
> run across
> >     > the paths desired by them, because they pass their network taps - then
> >     > they can't do that.
> >
> > yes.
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca<mailto:mcr%2BIETF@sandelman.ca>>   . o O ( IPv6 IøT consulting )
> >            Sandelman Software Works Inc, Ottawa and Worldwide
> >
> >
> >
> >
>
>
>
> --
> ---
> tte@cs.fau.de<mailto:tte@cs.fau.de>
--
nasr mailing list -- nasr@ietf.org<mailto:nasr@ietf.org>
To unsubscribe send an email to nasr-leave@ietf.org<mailto:nasr-leave@ietf.org>