[nasr] Re: [saag] Re: NASR BOF Follow-Up

Henk Birkholz <henk.birkholz@ietf.contact> Fri, 11 April 2025 16:45 UTC

Return-Path: <henk.birkholz@ietf.contact>
X-Original-To: nasr@mail2.ietf.org
Delivered-To: nasr@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B01341ACCD02; Fri, 11 Apr 2025 09:45:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.172
X-Spam-Level:
X-Spam-Status: No, score=-4.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.374, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ietf.contact
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h5El-xyotTV4; Fri, 11 Apr 2025 09:45:29 -0700 (PDT)
Received: from smtp01-ext2.udag.de (smtp01-ext2.udag.de [62.146.106.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B831E1ACCCFD; Fri, 11 Apr 2025 09:45:29 -0700 (PDT)
Received: from [IPV6:2a01:599:70e:2547:9109:a3af:4961:cdb4] (tmo-126-220.customers.d1-online.com [80.187.126.220]) by smtp01-ext2.udag.de (Postfix) with ESMTPA id 4C70BE0253; Fri, 11 Apr 2025 18:45:26 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ietf.contact; s=uddkim-202310; t=1744389928; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IkpNtBFT66pOtY0F6GwzgEEinBD08NGvQ10vJlKJc4s=; b=flZ4iAnnqqPqDqTT3sQdZudK0+QQ240/iKazZnnaJG6Cwcdq9hfAxhbrgW3Kbz6ni9dzvc GyfjiYusn/GKsHsSVSgoC1y+SvHaeMTGCykQLT75jdlGlGQtLrP1GUkb+OmhwU4M5rH9su hS51XEiyIUyXbtCogUZ0Qqf87C9C0yZb9e/WoFEQqLHxqQgYr9LUjsdnWNiTLJJmjQn36J kciWqmMfRdG4l8DvNAYvXwfnQ6Soz/hdhB8SPbIX3fyJsP9p0tKAYVSyq+8u1q+u1l5S6k csJpULUuCQHw0lYfTtmixlWhDguuTfuxXBljM/mcELLqrvYtnQCvfRAatm8hLQ==
Message-ID: <d3de69d6-f46b-fe0c-b6dc-8180864bd9b0@ietf.contact>
Date: Fri, 11 Apr 2025 18:45:25 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: Eric Rescorla <ekr@rtfm.com>
References: <ef08bf0afa924713acc629dff8156761@huawei.com> <2025040312042771743841@chinamobile.com> <CAL02cgSg53nOB8BCSNCLGC78r41P_1VzBPoj2yOJP1qbS0jqfA@mail.gmail.com> <CABcZeBPFaJMsWyNozXS+osh251631vCStkrmOk=WQig5c1_0qw@mail.gmail.com> <87c61c52-839f-f66e-a66a-b737f01ca93f@ietf.contact> <CABcZeBMOvFXkQ2OFBpz2Ri5_Oz-pHGs=2fHvBNptOdjQy9F7ww@mail.gmail.com> <11730e71-f409-bbaf-9bc1-4f88d207bcab@ietf.contact> <CABcZeBMDg9cFGtf6AMwSiq3ZnZnrvwoAc7TjD0Ftq-JC8jWusQ@mail.gmail.com>
From: Henk Birkholz <henk.birkholz@ietf.contact>
In-Reply-To: <CABcZeBMDg9cFGtf6AMwSiq3ZnZnrvwoAc7TjD0Ftq-JC8jWusQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: smtp01-ext2.udag.de; auth=pass smtp.auth=henk.birkholz@ietf.contact smtp.mailfrom=henk.birkholz@ietf.contact
Message-ID-Hash: 4ORSO23F4QCUDZONSBO2Z2GJO3WBWM3K
X-Message-ID-Hash: 4ORSO23F4QCUDZONSBO2Z2GJO3WBWM3K
X-MailFrom: henk.birkholz@ietf.contact
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Richard Barnes <rlb@ipv.sx>, Meiling Chen <chenmeiling@chinamobile.com>, "Liuchunchi(Peter)" <liuchunchi@huawei.com>, "nasr@ietf.org" <nasr@ietf.org>, IETF SAAG <saag@ietf.org>, Luigi Iannone <ggx@gigix.net>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [nasr] Re: [saag] Re: NASR BOF Follow-Up
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/kViJ38xN70xxwlmdZ7GtrDZCOT4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>

On 11.04.25 15:38, Eric Rescorla wrote:
> 
> 
> On Fri, Apr 11, 2025 at 2:01 AM Henk Birkholz 
> <henk.birkholz@ietf.contact> wrote:
> 
>     On 10.04.25 21:01, Eric Rescorla wrote:
>      >
>      >
>      > On Thu, Apr 10, 2025 at 11:40 AM Henk Birkholz
>      > <henk.birkholz@ietf.contact> wrote:
>      >
>      >     On 03.04.25 21:11, Eric Rescorla wrote:
>      >
>      >      > [0] Of course you could hash the individual configuration
>     values,
>      >      > but this is much the same as publishing the configuration.
>      >
>      >     Is it? I am curious why.
>      >
>      >
>      > Because the values themselves are generally low entropy, so if you
>      > publish their hashes, then it's generally easy to determine the
>     preimage.
>      >
>      > -Ekr
> 
>     Would some salt help here (like the salted hashes in sd-cwt)?
> 
> 
> Probably not very much. What salt does is make it more difficult to 
> amortize computation
> across multiple hashed values. However, if the total number of possible 
> values
> is low (e.g., you have some configuration setting with 3 values) then 
> you can
> just exhaustively search at query time.

That makes a lot of sense - and might be another good reason not to put 
these types of Claims into Evidence. I still think it is better to 
include software components that provide the conveyance mechanism (e.g., 
a YANG server with YANG Push capability) in a TCB and then use 
successfully appraised software components for trusted telemetry to 
convey such values for evaluation.

Viele Grüße,

Henk

> 
> -Ekr
> 
> 
> 
>     Viele Grüße,
> 
>     Henk
> 
>      >
>      >
>      >     Viele Grüße,
>      >
>      >     Henk
>      >
>      >      >
>      >      >
>      >      >     It was not raised in the BoF, but I would like to
>     point out a
>      >      >     logical inconsistency at the core of the proposition
>     here: On the
>      >      >     one hand, the proponents assert that end-to-end
>     cryptographic
>      >      >     protections are not sufficient to keep endpoints safe.  On
>      >     the other
>      >      >     hand, the premise of the proposed solution is ... more
>      >      >     cryptography.  Attestations, MACSEC, etc.  So the
>     argument here
>      >      >     cannot rest on a hand-wavy "cryptography isn't
>     enough"; you
>      >     need to
>      >      >     articulate what specific risks you're addressing.
>      >      >
>      >      >     Honestly, when I read the charter for this work, I did not
>      >     initially
>      >      >     have as negative a reaction.  I initially presumed it
>     was like
>      >      >     verified SFC, and that you would do things like making
>     a firewall
>      >      >     rule a little more permissive if the flow had been
>     verified
>      >      >     upstream.  It's not implausible that there are some
>     use cases of
>      >      >     that shape.  But instead, the presentations in the BoF
>     framed an
>      >      >     impossible problem and an unworkable solution, which
>     clearly
>      >     I could
>      >      >     not support.
>      >      >
>      >      >     Hope that helps,
>      >      >     --Richard
>      >      >
>      >      >
>      >      >     On Thu, Apr 3, 2025 at 12:05 AM Meiling Chen
>      >      >     <chenmeiling@chinamobile.com
>     <mailto:chenmeiling@chinamobile.com>
>      >     <mailto:chenmeiling@chinamobile.com
>     <mailto:chenmeiling@chinamobile.com>>
>      >     <mailto:chenmeiling@chinamobile.com
>     <mailto:chenmeiling@chinamobile.com>
>      >     <mailto:chenmeiling@chinamobile.com
>     <mailto:chenmeiling@chinamobile.com>>>>
>      >      >     wrote:
>      >      >
>      >      >         Hi all,
>      >      >
>      >      >         We will continue to track and actively address the
>     issues
>      >     raised
>      >      >         on NASR BoF, for convenience, I have brought the Q&A
>      >     record to
>      >      >         the email list.
>      >      >         Welcome to continue discussing with those who are
>     concerned
>      >      >         about these issues.
>      >      >
>      >      >         Q1: Why is not end-to-end protection sufficient
>     and why
>      >     should
>      >      >         we care about where the traffic goes through?
>      >      >         Q2:  Why this is important to assure at the
>     network layer?
>      >      >         Q3: List actual concrete examples of existing
>     regulations.
>      >      >         Q4: List the technical requirements in detail.
>      >      >         Q5: NASR being a possible way to address pervasive
>     traffic
>      >      >         monitoring threats?
>      >      >
>      >      >         Q6: Proof of transit does not imply that the packet
>      >     didn’t exit
>      >      >         the path. ---->PoNT is out of scope.
>      >      >
>      >      >         Q7: There is work about proof of transit that has been
>      >     done in
>      >      >         SFC, what is needed to highlight what is not there (in
>      >     routing,
>      >      >         RATS, SFC PoT) which NASR will provide.-->
>      >      >
>      >      >         NASR is the joint use of attestation techncology
>     and proof of
>      >      >         transit.
>      >      >
>      >      >         Q8: What about lawful interceptions?---->
>      >      >
>      >      >         Trustworthiness as defined in RATS can attest that a
>      >     router does
>      >      >         what is supposed to do, including lawful
>     interception if
>      >     it is
>      >      >         what it is supposed to do.
>      >      >
>      >      >         Q9: There is work from RATS, like RFC 9684, that
>     can be
>      >     used in
>      >      >         NASR. Why an independent effort? Why not putting this
>      >     work in an
>      >      >         existing WG?---->
>      >      >
>      >      >         RATS is the building block to create path
>     attestation, whose
>      >      >         usage is then verified with proof of transit.
>     These two
>      >     things
>      >      >         together look out of the scope of RATS. NASR does
>     not want to
>      >      >         replace RFC 9684, but rather leverage it.
>      >      >
>      >      >         Q10: What is exactly the definition of a path in
>     NASR? BGP
>      >      >         session? Tunnel? physical links?---->
>      >      >
>      >      >         A document in PANRG has a good definition of what
>     a path is.
>      >      >
>      >      >         Q11: Trustworthiness and traffic engineering are
>     already
>      >      >         addressed in different places, so what is new in
>     NASR? ---->
>      >      >
>      >      >         The possibility for the customers to verify that the
>      >     traffic has
>      >      >         been engineered in the way they asked. How to do it is
>      >     the gap
>      >      >         NASR wants to fill.
>      >      >
>      >      >         Q12: Candidate solutions from problems exist in
>     other venues
>      >      >         (Routing security / SFC)---->
>      >      >
>      >      >         True, but they do not address the combination
>     (forwarding).
>      >      >
>      >      >         Q13: Proposed work may result in fragmentation of the
>      >     Internet,
>      >      >         including and excluding poeople?---->
>      >      >
>      >      >         No. That is the wrong terminology to use. NASR is
>     about path
>      >      >         complaint to a set of claims. Is a specific
>     service in a
>      >     limited
>      >      >         domain not a general service for the Internet.
>      >      >
>      >      >         Q14: Clarification of requirements whether the
>      >     requirement is to
>      >      >         detect nodes along the path that do not support
>     NASR?---->
>      >      >
>      >      >         No. Only have proof that traffic went through a
>     set of nodes
>      >      >         that support NASR.
>      >      >
>      >      >         Q15: Bringing the work to RATS would not work. RATS is
>      >     already
>      >      >         bloated and bringing all this work there is not
>     possible.
>      >      >
>      >      >         Q16: PoT has cryptographic cost.--->
>      >      >
>      >      >         Implementation on SRv6 shows that the cost is very
>     limited.
>      >      >
>      >      >         Q17: Remark about the scope of implementation:
>     Internet or
>      >      >         limited domain?--->
>      >      >
>      >      >         limited domain implemented at the operator level.
>      >      >
>      >      >         Q18: Need to verify every configuration (binary /
>      >     configuration
>      >      >         files / routers) in order to determine the
>     properties of the
>      >      >         path?--->This is not how remote attestation works.
>     There
>      >     is no
>      >      >         configuration shared, the configuration is
>     attested through
>      >      >         trusted third party. You share hash values that attest
>      >     the the
>      >      >         property.
>      >      >
>      >      >         Q19: Why not doing this in the SFC WG?---->Piece
>     can be
>      >     done in
>      >      >         other WG, but from a global perspective wold be
>     better to
>      >     have a WG.
>      >      >
>      >      >         Q20: For reliability, what about having multiple
>     paths?
>      >     Can it
>      >      >         be a scalability issue? ----Yes, the attribute of
>      >     multiple path
>      >      >         is included.
>      >      >
>      >      >         Best,
>      >      >         Meiling
>      >      >
>      >      >             *From:* Liuchunchi\(Peter\)
>      >      >             <mailto:liuchunchi <mailto:liuchunchi>
>      >     <mailto:liuchunchi
>     <mailto:liuchunchi>>=40huawei.com@dmarc.ietf.org
>     <mailto:40huawei.com@dmarc.ietf.org>
>      >     <mailto:40huawei.com@dmarc.ietf.org
>     <mailto:40huawei.com@dmarc.ietf.org>>>
>      >      >             *Date:* 2025-03-29 19:19
>      >      >             *To:* nasr@ietf.org <mailto:nasr@ietf.org>
>     <mailto:nasr@ietf.org <mailto:nasr@ietf.org>>
>      >     <mailto:nasr@ietf.org <mailto:nasr@ietf.org>
>     <mailto:nasr@ietf.org <mailto:nasr@ietf.org>>>; IETF SAAG
>      >      >             <mailto:saag@ietf.org <mailto:saag@ietf.org>
>     <mailto:saag@ietf.org <mailto:saag@ietf.org>>>
>      >      >             *CC:* ggx@gigix.net <mailto:ggx@gigix.net>
>     <mailto:ggx@gigix.net <mailto:ggx@gigix.net>>
>      >     <mailto:ggx@gigix.net <mailto:ggx@gigix.net>
>     <mailto:ggx@gigix.net <mailto:ggx@gigix.net>>>
>      >      >             *Subject:* [saag] NASR BOF Follow-Up
>      >      >
>      >      >             Hi NASR, SAAG,____
>      >      >
>      >      >             __ __
>      >      >
>      >      >             Thanks everyone for participating and contributing
>      >     valuable
>      >      >             feedbacks to the NASR BOF last week! Thank you
>     Nancy and
>      >      >             Luigi for mediating a productive discussion, and
>      >     thanks Deb
>      >      >             for supervising the process.____
>      >      >
>      >      >             __ __
>      >      >
>      >      >             During the process, we had extensive
>     discussions that
>      >     showed
>      >      >             both major interests in the problem and differing
>      >      >             understanding of the objective. For example, NASR
>      >     represents
>      >      >             new use case requirements that aim to extend
>     Remote
>      >      >             Attestation benefits to the network scale,
>     providing more
>      >      >             comprehensive security visibility and behavioral
>      >     assurance
>      >      >             across network deployments to the customers.
>     But NASR
>      >     is not
>      >      >             intended, in any capacity, to serve as a
>     substitute for
>      >      >             end-to-end encryption technology, etc. ____
>      >      >
>      >      >             __ __
>      >      >
>      >      >             The poll result shows a clear consensus that
>     this is
>      >     an IETF
>      >      >             problem, but a rougher (at best) or no
>     consensus that the
>      >      >             problem is well understood. ____
>      >      >
>      >      >             __ __
>      >      >
>      >      >             To help on that, next steps we will work on a
>     dedicated
>      >      >             document that collects all valuable feedbacks from
>      >     the BOF
>      >      >             and resolve them one-by-one. Again, we
>     sincerely thank
>      >      >             everyone who contributed valuable feedbacks
>     and cares
>      >     about
>      >      >             bringing more security and transparency to
>     networks!____
>      >      >
>      >      >             __ __
>      >      >
>      >      >             Best regards,____
>      >      >
>      >      >             Peter (Chunchi) Liu____
>      >      >
>      >      >             __ __
>      >      >
>      >      >         _______________________________________________
>      >      >         saag mailing list -- saag@ietf.org
>     <mailto:saag@ietf.org> <mailto:saag@ietf.org <mailto:saag@ietf.org>>
>      >     <mailto:saag@ietf.org <mailto:saag@ietf.org>
>     <mailto:saag@ietf.org <mailto:saag@ietf.org>>>
>      >      >         To unsubscribe send an email to
>     saag-leave@ietf.org <mailto:saag-leave@ietf.org>
>      >     <mailto:saag-leave@ietf.org <mailto:saag-leave@ietf.org>>
>      >      >         <mailto:saag-leave@ietf.org
>     <mailto:saag-leave@ietf.org> <mailto:saag-leave@ietf.org
>     <mailto:saag-leave@ietf.org>>>
>      >      >
>      >      >     --
>      >      >     nasr mailing list -- nasr@ietf.org
>     <mailto:nasr@ietf.org> <mailto:nasr@ietf.org <mailto:nasr@ietf.org>>
>      >     <mailto:nasr@ietf.org <mailto:nasr@ietf.org>
>     <mailto:nasr@ietf.org <mailto:nasr@ietf.org>>>
>      >      >     To unsubscribe send an email to nasr-leave@ietf.org
>     <mailto:nasr-leave@ietf.org>
>      >     <mailto:nasr-leave@ietf.org <mailto:nasr-leave@ietf.org>>
>      >      >     <mailto:nasr-leave@ietf.org
>     <mailto:nasr-leave@ietf.org> <mailto:nasr-leave@ietf.org
>     <mailto:nasr-leave@ietf.org>>>
>      >      >
>      >
>