[nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Yutaka OIWA <y.oiwa@aist.go.jp> Wed, 09 October 2024 11:09 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: nasr@ietfa.amsl.com
Delivered-To: nasr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D85A2C1519B2 for <nasr@ietfa.amsl.com>; Wed, 9 Oct 2024 04:09:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.253
X-Spam-Level:
X-Spam-Status: No, score=-2.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aist.go.jp
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmfGp38-Zh56 for <nasr@ietfa.amsl.com>; Wed, 9 Oct 2024 04:09:48 -0700 (PDT)
Received: from TYVP286CU001.outbound.protection.outlook.com (mail-japaneastazon11011030.outbound.protection.outlook.com [52.101.125.30]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4E0AC1519AD for <nasr@ietf.org>; Wed, 9 Oct 2024 04:09:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=rAqRubh3CQnma0VM/OVg/iyQ3EIK90QPQqeXYcrLsQzggb7YKQwwevccgRcKlvKQvNR59txEPa4AzdVkQh1TwtBmu936Wu83luIVfbL1+UwT4K2hwWin/l/QB8yzwo8E7zRp5lW8ruN/TjFIrFNUFaGQEf2eqNdKf6vI+i+HnW1dCIUq0zU9mOSUPv515hS5BlB5O7Ec92hOeaSNhllNcbGxZptSTNrNzAk+bAUhCIXeBhOZb6qEer30+gNYchgMBCpMhe+chqryuQFaDXkF6y3YoFVumIdob2DSMTSzQIYYiB6x1QCOpS3QsgzjZEMch3fCievDtdJluOq++DVjxw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CvY4OOvHJoQvJAaTUFg+biKzwze0UWglRoyp5SSyxa0=; b=RDQLVNCvAKIma91d/mwfLCyNsNS6K31crmowyLNUKRQ2Zm0xn+GzbQIV5EK5i+fnFGsYV7AWS8RJEuOUdaKeFlyoGBfUlSeAEhRk3kFXIr1jz1nILkTwY4qRqivt4sHic30RKv6thOrpzscDPjZReoCs6dENrcJ/EUYD6B7qe8HepqQqziBZswd2P9sW/Ia+CeMZr7o+GD7n1jXXLJfaoUuMGoKmBSADWEAE3q9dRvbg250IV7XPFaopv9IrqmcT+n+YJ9noYtNuTs1/T2/z67RfNco7PrbWlG5uPSUaOlKhPlYv4LQ+Iq6PZwb5bGVQSB3NK/4/BCgcLzVJJvyPbg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=aist.go.jp; dmarc=pass action=none header.from=aist.go.jp; dkim=pass header.d=aist.go.jp; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CvY4OOvHJoQvJAaTUFg+biKzwze0UWglRoyp5SSyxa0=; b=W4Ah2txaYxXlRZeJO0DBXUz2sIq4OOY/LFAW2HllyxkrJNYRBJb6ic+iUXe3y3Y/pLOscdmk/XA3MrRucXOlMP01TqG09LqIsQs+Gmzt3FnNkDbgpLjxCkbqF0vaB7+V4syZ1j3yjuzqhVWL08KgoF30NKX/KCQTeHvIyOqjW6E=
Received: from TY2PR01MB4345.jpnprd01.prod.outlook.com (2603:1096:404:10c::12) by TY3PR01MB9950.jpnprd01.prod.outlook.com (2603:1096:400:1dd::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8026.23; Wed, 9 Oct 2024 11:09:45 +0000
Received: from TY2PR01MB4345.jpnprd01.prod.outlook.com ([fe80::d807:2944:5f4b:e7b9]) by TY2PR01MB4345.jpnprd01.prod.outlook.com ([fe80::d807:2944:5f4b:e7b9%6]) with mapi id 15.20.8048.013; Wed, 9 Oct 2024 11:09:45 +0000
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>, "Liuchunchi(Peter)" <liuchunchi=40huawei.com@dmarc.ietf.org>
Thread-Topic: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
Thread-Index: AQHa4/TD1bVohIgo70Su66hhqwp847ITOLaAgAREJ4CAB0Eeo4AFy5kAgAAKSwCAACU5AIAAGwGAgE4dgwCAArA3gIAAKCuAgAAj4oCAAUsugIAF2WwAgAGbVACAAADUZA==
Date: Wed, 09 Oct 2024 11:09:45 +0000
Message-ID: <TY2PR01MB43453FDB00539EB1389C02AAA07F2@TY2PR01MB4345.jpnprd01.prod.outlook.com>
References: <17219.1722798809@obiwan.sandelman.ca> <202408091800065008405@chinamobile.com> <744c46d5.25b2.19149927bcb.Coremail.liupenghui1982@163.com> <ca7257d77709444a914c402f419ad0b0@huawei.com> <630665a9.436d.1914a2e2fc7.Coremail.liupenghui1982@163.com> <c15aa26cea984239baf9d2d96b6ed5a7@huawei.com> <ZvyK4n-BI9S-SF94@faui48e.informatik.uni-erlangen.de> <24175.1727974451@obiwan.sandelman.ca> <Zv7t5QNKYiBXkLYf@faui48e.informatik.uni-erlangen.de> <5925.1727990783@obiwan.sandelman.ca> <ZwAhzypyovggw3n0@faui48e.informatik.uni-erlangen.de> <51088332df184b1b90017a023b07a639@huawei.com> <CAA7e52rArVz8LKh_=50RPsLLkBO72BXAoab4L3gogP84OVg8Tw@mail.gmail.com>
In-Reply-To: <CAA7e52rArVz8LKh_=50RPsLLkBO72BXAoab4L3gogP84OVg8Tw@mail.gmail.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_ddc55989-3c9e-4466-8514-eac6f80f6373_Enabled=True;MSIP_Label_ddc55989-3c9e-4466-8514-eac6f80f6373_SiteId=18a7fec8-652f-409b-8369-272d9ce80620;MSIP_Label_ddc55989-3c9e-4466-8514-eac6f80f6373_SetDate=2024-10-09T11:06:21.7243441Z;MSIP_Label_ddc55989-3c9e-4466-8514-eac6f80f6373_Name=ddc55989-3c9e-4466-8514-eac6f80f6373;MSIP_Label_ddc55989-3c9e-4466-8514-eac6f80f6373_ContentBits=0;MSIP_Label_ddc55989-3c9e-4466-8514-eac6f80f6373_Method=Standard
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: TY2PR01MB4345:EE_|TY3PR01MB9950:EE_
x-ms-office365-filtering-correlation-id: 1dc2495e-bfb7-4b99-b2bc-08dce852e1dd
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|1800799024|366016|4022899009|38070700018;
x-microsoft-antispam-message-info: 2WmJZbnx4KYVALTvh+XfR26UjuDjPSpMWcx12Os+I5cuYQEnlgEW7EUhZNPzEIO62gpegRFvUU16BRgSFF3O/x83uIQSq2CWvTOUtDLx9L8+QARdPIklS5PxvebYqnPnwy2EY2x4HeDpb4NC7nHAExkr3iWXFpmmS7iaPmbARygPT9oL1Bsur1KMhFUqGIMZ/UxbP8AeDrpGNme0FfIjGF1na4/jxW+HspottxpiyqkzVvqPAdIgQ+gHVcgGrONuEm5/Fs5SSloo11eKJsaHFjj5uW3dtWQtuo2gTrjrpkWG7sjyzBpoebEnhnQ8XdI6HdLJyll5IqGcXD7hAD22IgIifpEtTX/yJ3+vUddldrRPKzxQWcsjvkbTOWGKPYH2Mi33ybcYE1IzYbHySYj535fOAGW8h6NhcE4X2EYaiqSSZD687LEj1AOiZwhflsD9Z2hCaeK2/Trj+wmpGtUcgq2dTVQZFX+ghgO6h6H+gqNKFNSLEGnVZa2VIp7yC3yz1uZo31Hr8s03jv5QxZio7RnUnzTgNfDje7aLjTwzsI7aGQnxV/0q/0/HlHplxtG/Ix7uFKIipDBqokN4IbRuAVMPdGHJyD75RR6gl3Tu1L+x+mZ9ZxQPYKtV2OaQKndijRlq5zng5mNGwLFNm8Kxh8cY7BvELZuKtQRCL9G7ZuORN2mn17uymNP3LjkAPdyPbdDy9DxixkrdDjzaDne0R17busYSv+u//9NYkkR1MubfDk/TQKZSzP3HcGOUskxj7Y/NqAemsS0hTwIc8Ol8CU+mPLkuDoCD0GCdLNyz/V+RjtgDsiPgM6pwTIjQm11+IuK3BGIHFwzvTn4abCZ7UWzEiYPPwKE52E0w8t2SVmM3tAF9LMrnSK462U+xNlfHJErWOo7JDiZ0kFzYAFRRQK3+CMubjLboL4UUrEAHUxHfS1q9YrZVtd8qmP8I9f6TGHZa6cuwksYmR1uBF9du3ydayTTdZyDVA9VhIDTTm9IdZC40SeZN2wTb8iAEr0gnYmKjyBrhtOjO5lNLhOzcG+ZRMzo3N2cbCzh7759LI7kSoEUX2ZL3y06ij+cUGywmdiSFAFrCDYkWb7xf7n3jHrOkctx8E3JZTyaSpE2gMEiMUgT1JfpYkLndjrxPZ1ID/qDTSzGWqc+w0RtdCM/n8H8Eoa0CIR/H2Zi7Z9hp5fx82C8QvijXCXG5JxSBNNPKh7bcVIQYFXGDKorBWUXGt/dD5pCnZNmrfj8LGl9zIR4ZMjb/suWH9QMONjGq0L+NaqIlG73fEwR+YrLw+yeQBZKeibBnjFbeXXqJ0xBfo8N8MXObIo4S8nNZC6a2JZ6igNg7BrJ27KnYgLRgdt9nuw==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:ja;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:TY2PR01MB4345.jpnprd01.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(366016)(4022899009)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: SpioxXvXVEjHngcJWcRFCJLmrWx2ijCs0/hl6BKqEZLNF84riAXPHpUsV+HoFUU47057niHgIBh0hzB5NleGe70T2SQdpNxqcy3pTwKKE59VtXrzBXDHGpjShu6SVkTG+w35P1pLFraNONOyHHW6gB+20cB8scB7uOqn2SL8/gjlhvxsJtFH6AFssY8DlN2YutX/XSSx49xN1vY1cZ3XzJpiG2leXqSHjf/09kDQCMDhc39pv0igLV+d50DoSdxhwC6OJGlaOCzNStM7rhUStebEQxlSQOMAvcyua0tc7HbQWUvQsWEYdKpVQXK+bQj5ctZwCqQtgtm+E3qNrlsOSlVn3eSf9vfUpWgMhgjKR5vsHFBnx1NhODzXU2/5hB7Y9ZcdmwOHGBcLWBtS7+ylIsa8d+Ce9ddJnUPIWIdhpKBKPwsGoiLFia6++zuh7WC5gMFnXnZBHOhD23HN3pq/3rxL3hn+3sLw1MPZtBGKQklYnX5L/eDgrLMg8eVYF9c0GTkcuaxe5dfQ8dAm8qegIA6oygm6YqdWSzEV99DfA7mZLuLhne59TIlfaHEOAB1thvVrcJYyUbHJASeUroMNBSQPgG+X15XwhuMVsFFUeYstJ4foZvBlL8wI7d+i6+iY7VnoFKfxTcooayNJVlNZ52vz0oDz5XY2Xq+8js4syp9zSR/Wy1183PTCy9kiMkjUTm5g/8OrO1yGqF3qJjpDueUNUNzProIxWJHuIBfivnE7KW73Ph8UKSgHqRjSI2BK+rvCgEi7+kGiDp0I3S5+WZppnZeG9WRcV4tZBoK8e2WtJJ+8VQMemdBX6l6ELxyilI3IYUMFQZk89HbqvptbDVyBCj4EfuHLw9P6Cr/PIaSBvTZu7EpXLKRmXOnlDfAzjLKHXLCZJK1mt9JKCFwpA2v4KTgWdtZ2j6yv5F4tLSOp6LNOG+mE60WpLiRKLL4xWGteCjdHH+lFxJjUHH+YbX4CvZRDlsArkPUsrMUXYl1SI7hf5BlQftieb7arGoG6UVsxM+bq0+sB0Vwxw5Td9GiBT/tT5IKFq4A2HwIj+YzFxLQNGldPEb4D3GwmdFrCtgEFZQcFNLaQ6BFmn6z3K2yyidkXShTXUMENbx1B2Wvlc35HgRVoVnAB9YJfXou7DJZuRN/9dSUc7tmWkPSZYKajDfDMzYQVZOjwHjpznMjAyXhayudBlu1/+XeVvaggYwmU1QAEQo2oawKX2Mavhqi2Ysc7HVII7cC1dsFUu4uYZSoPcNrtQ7o3N7QffGJhWx2+4heojfMrvbZZ0HWpJqVtmaOVTBCi6bNym4K4QYR/+0IpCXqaNKUcDlcukAQ/fHhj9OnB7nsaFjjrPmGI+kFEZREyZmAkGMKSbtfOmh/9lQBG3OUuGhLSASue/0/UQdZlGIhSEGkuexZ+FZhJf6b57nDzs/1nXquVr+3byUsTSERXYuPFXS3JGP4JtReTm5eeDT4WaylDWbmGV8ZtUCCsmssuhf4/1cGauQMlzE66cHaOzmxFgw2drxebqAZ1UH2sSEndKp+LKIzcdyUlK70CePEFXXdSL8TxeQ8St37rYgRdV+4WrKS6hM3d6Jpv
Content-Type: multipart/alternative; boundary="_000_TY2PR01MB43453FDB00539EB1389C02AAA07F2TY2PR01MB4345jpnp_"
MIME-Version: 1.0
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TY2PR01MB4345.jpnprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1dc2495e-bfb7-4b99-b2bc-08dce852e1dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Oct 2024 11:09:45.3561 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 18a7fec8-652f-409b-8369-272d9ce80620
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2cNMmuJgsSZ6o7j/7YdosnM8mtA5mKW6k2st8cgjx5W06LmPSKwJ2BOJZUN4/fvSDBdylsp5oacz4e+nrizf2A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY3PR01MB9950
Message-ID-Hash: UM6UM44MIQQWCZWBCUVE727RNVDD7S7S
X-Message-ID-Hash: UM6UM44MIQQWCZWBCUVE727RNVDD7S7S
X-MailFrom: y.oiwa@aist.go.jp
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>, 刘鹏辉 <liupenghui1982@163.com>, Meiling Chen <chenmeiling@chinamobile.com>, "nasr@ietf.org" <nasr@ietf.org>, Luigi IANNONE <luigi.iannone@huawei.com>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/aTBYXXFu1gXEm4m6wkKKxq6cy8c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>

Hmm, it seems interesting
I am preparing requirements for “requirements“ spec as a draft update and like to see whether one of these existing ones will meet the req or not.
Also I would be going to design proof representation as well.
I hope we can talk in Dublin for next directions and steps.


--
Yutaka OIWA <y.oiwa@aist.go.jp> on mobile
________________________________
差出人: Jean-Michel Combes <jeanmichel.combes@gmail.com>
送信日時: Wednesday, October 9, 2024 1:03:24 PM
宛先: Liuchunchi(Peter) <liuchunchi=40huawei.com@dmarc.ietf.org>
CC: Toerless Eckert <tte@cs.fau.de>; Michael Richardson <mcr+ietf@sandelman.ca>; 刘鹏辉 <liupenghui1982@163.com>; Meiling Chen <chenmeiling@chinamobile.com>; nasr@ietf.org <nasr@ietf.org>; Luigi IANNONE <luigi.iannone@huawei.com>
件名: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China Mobile-ietf120

Hi,

IETF has already standardized protocols doing only  _assumptions_ (i.e., no way to check the reality) on security rules regarding the boundary of the domain where such protocols are deployed:
- SFC [RFC8300, section 8.1]
"In summary, packets originating outside the SFC-enabled domain MUST be dropped if they contain an NSH. Similarly, packets exiting the SFC-enabled domain MUST be dropped if they contain an NSH."
- RPL [RFC6554, section 5.1]
"As specified in this document, RPL routers MUST drop datagrams entering or exiting a RPL routing domain that contain an SRH in the IPv6 Extension headers."
- SRv6 [RFC8402, section 8.2]
"SR domain boundary routers MUST filter any external traffic destined to an address within the SRGB of the trusted domain or the SRLB of the specific boundary router. External traffic is any traffic received from an interface connected to a node outside the domain of trust.
From a network-protection standpoint, there is an assumed trust model such that any node adding an SRH to the packet is assumed to be
allowed to do so. Therefore, by default, the explicit routing information MUST NOT be leaked through the boundaries of the administered domain. Segment Routing extensions that have been defined in various protocols, leverage the security mechanisms of these protocols such as encryption, authentication, filtering, etc."

Can NASR help to transform such _assumptions_ into _proofs_ and, so, to "achieve" (for the security part) the IETF works done on these protocols?

BTW, this is just a list of protocols I am aware of ... maybe others exist with the same _assumptions_ ...

Thanks in advance for your replies.

Best regards,

JMC.

Le mar. 8 oct. 2024 à 12:31, Liuchunchi(Peter) <liuchunchi=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>> a écrit :
just got back from a national holiday, sorry about the delays

using filtering policies to control the dissemination border of security sensitive content is very good to have (and maybe is what we wanted in the first place), but as michael and luigi mentioned, the inability to completely eliminate L2 stealth nodes makes the work less exciting. But what we can do is, based on basic RATS methods, under certain trust assumptions, create a protocol to produce auditable forwarding evidence, which proves the device trustworthiness, execution logs, link security methods used, etc (exact items may be what we have to decide) when certain flow or packets are forwarded. In this way, it appears the more cost-efficient choice (for now, the first step) might be operation-centric forwarding auditing of above information, compact proof creation and visualization. This works as a tool that just objectively verifies and audits forwarding. Just thinking :P

> -----Original Message-----
> From: Toerless Eckert <tte@cs.fau.de<mailto:tte@cs.fau.de>>
> Sent: Saturday, October 5, 2024 1:12 AM
> To: Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr%2Bietf@sandelman.ca>>
> Cc: Liuchunchi(Peter) <liuchunchi@huawei.com<mailto:liuchunchi@huawei.com>>; =?us-
> ascii?B?PT91dGYtOD9CPzVZaVk2Ym1QNkw2Sj89?=
> <liupenghui1982@163.com<mailto:liupenghui1982@163.com>>; Meiling Chen <chenmeiling@chinamobile.com<mailto:chenmeiling@chinamobile.com>>;
> nasr@ietf.org<mailto:nasr@ietf.org>
> Subject: Re: [nasr] Re: 回复: Re: Secure Routing Path Consideration- China
> Mobile-ietf120
>
> On Thu, Oct 03, 2024 at 05:26:23PM -0400, Michael Richardson wrote:
> >
> > Toerless Eckert <tte@cs.fau.de<mailto:tte@cs.fau.de>> wrote:
> >     > But avoidance of copying of traffic by undesired third parties if course a
> core
> >     > benefit that NASR can provide. And those prior examples can provide
> examples of
> >     > the attack vectors why that is undesirable. Even with todays easily
> available
> >     > end-to-end encryption.
> >
> > NASR can not provide any kind of avoidance of copying!
>
> I meant indirectly by being a way to ensure traffic paths that are expected to
> make copying & decryption hard...impossible.... or possible by the "right"
> people ;-)
>
> > (To do that you'd need quantum entangled links of the kind the QIRG is
> > contemplating)
>
> Nice point actually. I remember Huawei was in the past a big fan of quantum
> entangled links (last data point 2018). Cryptographers of course are always
> dismissive (somewhat of a competition). And the visit in Yokohama to the
> quantum research lab on friday was all about allowing entanglement to
> actually go across longer paths.
>
> So i would certainly like to consider the continuuom of different methods to
> protect links and nodes as part of a NASR architecture.
>
> Of course, i would foremost point to the added crypto value of hop-by-hop
> encryption as opposed to only end-to-end encrypion, because of the higher
> cost of crypto attacks - especially when you combine it with load distribution
> across different paths.
>
> > What NASR can do is provide assurance that when you have such links, that:
> > a) there are no stealth routers in the path.
>
> Depending on the technologies we emply in NAS, your could still have a
> stealth L2 device though. Which by the way is a common way how firewalls
> operate.
>
> > b) that the two sides of each QIRG link are operating nominally.
>
> Right.
>
> Cheers
>     Toerless
>
> >     > But maybe much simpler: nation state actors have the means to extract
> and even decrypt
> >     > end-to-end traffic. But if they can not see the traffic because it does not
> run across
> >     > the paths desired by them, because they pass their network taps - then
> >     > they can't do that.
> >
> > yes.
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca<mailto:mcr%2BIETF@sandelman.ca>>   . o O ( IPv6 IøT consulting )
> >            Sandelman Software Works Inc, Ottawa and Worldwide
> >
> >
> >
> >
>
>
>
> --
> ---
> tte@cs.fau.de<mailto:tte@cs.fau.de>
--
nasr mailing list -- nasr@ietf.org<mailto:nasr@ietf.org>
To unsubscribe send an email to nasr-leave@ietf.org<mailto:nasr-leave@ietf.org>