Re: [OPSAWG] [Last-Call] Secdir last call review of draft-ietf-opsawg-model-automation-framework-06

mohamed.boucadair@orange.com Tue, 06 October 2020 07:22 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43DCE3A1207; Tue, 6 Oct 2020 00:22:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2uv_EnqMVdN6; Tue, 6 Oct 2020 00:22:05 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E71553A1253; Tue, 6 Oct 2020 00:22:04 -0700 (PDT)
Received: from opfednr04.francetelecom.fr (unknown [xx.xx.xx.68]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 4C586g0V9tz1yX3; Tue, 6 Oct 2020 09:22:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1601968923; bh=ghC6YhhsiRfvwlR+63UD4Q1+Kngvscah65BFdTjhP8I=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=AKR6W/7Bs+V//9BUfeo/6ztfkSwfa/VtxbMeEuL5RfK0L12Ek1H06cgBO8wmTXIeI jPLGNjs7jH30u/slK0w+vWQ7HpEKTP7T9STgF47g5TJkamKd6hYvkQ0dh00cnL+whp B9vCC9ILzt8005RRtIkr0vfHnj6cTmWRsmYwNOs3i1e2NtnmWKeOLAoy5HLIGlpHJx B2FC3iDCiLCpzjrxKURDm8+JrXvVbeS2TULnRhd5ip8j8DVn6obpXDDrlkO6d5X0T7 gjN+ECgNSCLhoE76Z2rzXhs/TaoFDNFmMhmyelGqrQjbQFo/idIbGmIy5AZbGDC/sU pOe4v+6E4eqIw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.107]) by opfednr04.francetelecom.fr (ESMTP service) with ESMTP id 4C586f6mrmz1xpZ; Tue, 6 Oct 2020 09:22:02 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-opsawg-model-automation-framework.all@ietf.org" <draft-ietf-opsawg-model-automation-framework.all@ietf.org>
Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-opsawg-model-automation-framework-06
Thread-Index: AQHWmyznzK6bClqu6UiOqq+yBh8iZqmKJs0Q
Date: Tue, 06 Oct 2020 07:22:02 +0000
Message-ID: <27006_1601968923_5F7C1B1A_27006_382_1_787AE7BB302AE849A7480A190F8B93303154DA92@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <160176719670.27275.17469866976212039001@ietfa.amsl.com> <6471_1601884933_5F7AD305_6471_296_1_787AE7BB302AE849A7480A190F8B93303154CFFA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <7daed45f-5bd7-e2bc-8663-8ca2bea7fb82@huitema.net>
In-Reply-To: <7daed45f-5bd7-e2bc-8663-8ca2bea7fb82@huitema.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/4_q5CxWpnxCojqmqx748SYtUPuM>
Subject: Re: [OPSAWG] [Last-Call] Secdir last call review of draft-ietf-opsawg-model-automation-framework-06
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2020 07:22:07 -0000

Hi Christian, 

You made good points. Thanks. 

I went with the following modifications to try to address them:

* Update the title of the layering architecture to insist the view within the same operator:  

OLD: 
 Figure 3: Layering and Representation

NEW
 Figure 3: Layering and Representation Within a Network Operator

And added this NEW text to further insist on this aspect: 

 "All these elements (i.e., Orchestrator(s),	
 Controller(s), device(s)) are under the responsibility of the same	
 operator."

* Mention how the composite service case is handled: 

NEW:
 A composite service offered by a network operator may rely on	
 services that are offered by other operators.  In such case, the	 
 network operator acts as a "Customer" to request services from other	
 networks.  The operators providing these services will then follow	
 the layering depicted in Figure 3.

* Cover service violation (including "bad" partners): 

NEW:
   A provider may rely on services offered by other providers to build
   composite services.  Appropriate mechanisms should be enabled by the
   provider to monitor and detect a service disruption from these
   providers.  The characterization of a service disruption (including,
   mean time between failures, mean time to repair), the escalation
   procedure, and penalties are usually documented in contractual
   agreements (e.g., Section 2.1 of [RFC4176]).  Misbehaving peer
   providers will thus be identified and appropriate countermeasures
   will be applied.

* Internal layer misalignment (corrupted data, manipulated data reporting, ..): 

NEW:
   To detect misalignment between layers that might be induced by
   misbehaving nodes, upper layers should continuously monitor the
   perceived service (Section 4.1.3) and should proceed with checks to
   assess that the provided service complies with the expected service
   and that the data reported by an underlying layer is matching the
   perceived service by the above layer.  Typically, such checks are the
   responsibility of the service diagnosis (Section 4.1.4).

* Misbehaving Nodes: 

NEW:
   Network operators should monitor and audit their networks to detect
   misbehaving nodes and abnormal behaviors.  For example, OAM discussed
   in Section 4.1.4 can be used for that purpose.

One pending comment is this one:  

> > [Med] It is up to each individual model to call out those, not
> this document.
> 
> I am concerned about that. If that's the approach, then it should be
> stated very forcefully, as in some kind of MUST requirement for the
> development of service descriptions.

Models must anyway comply with https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines. These models must identify sensitive data and so on. I'm afraid that no change is needed for this one.  

Cheers,
Med

> -----Message d'origine-----
> De : Christian Huitema [mailto:huitema@huitema.net]
> Envoyé : lundi 5 octobre 2020 17:20
> À : BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>;
> secdir@ietf.org
> Cc : opsawg@ietf.org; last-call@ietf.org; draft-ietf-opsawg-model-
> automation-framework.all@ietf.org
> Objet : Re: [Last-Call] Secdir last call review of draft-ietf-
> opsawg-model-automation-framework-06
> 
> 
> On 10/5/2020 1:02 AM, mohamed.boucadair@orange.com wrote:
> > Hi Christian,
> >
> > Thank you for the review.
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> >> -----Message d'origine-----
> >> De : Christian Huitema via Datatracker [mailto:noreply@ietf.org]
> >> Envoyé : dimanche 4 octobre 2020 01:20 À : secdir@ietf.org Cc :
> >> opsawg@ietf.org; last-call@ietf.org; draft-ietf-opsawg-model-
> >> automation-framework.all@ietf.org Objet : Secdir last call review
> of
> >> draft-ietf-opsawg-model-
> >> automation-framework-06
> >>
> >> Reviewer: Christian Huitema
> >> Review result: Has Issues
> >>
> >> The document proposes an architecture for describing and
> provisioning
> >> services such as L3VPN or L2VPN. This is an ambitious
> architecture,
> >> aiming at providing end-to-end services over concatenations of
> >> network services provided by independent providers.
> > [Med] There is no such assumption in the draft but we can
> accommodate that case.
> 
> It seems I was led to the wrong conclusion by the exposition of the
> layering between services, networks and devices. If you in fact
> assume that all the "networks" involved in the provision of the
> service are under the same management, by a single operator, then
> you should say that loudly and clearly in the draft.
> 
> >  I am concerned that the model does not expose trust
> >> boundaries during these providers, and that the security section
> does
> >> not discuss what happens when some providers try to game the
> system
> >> or otherwise fail to cooperate.
> > [Med] The various blocks discussed in the document are within the
> scope of the ** same provider **.
> >
> > That's said, if a provider relies upon other providers to deliver
> a given service, the model will apply in a recursive manner: That
> is, a network can act as a "customer" and request services from
> other networks. The peer network will then follow the various levels
> depicted in the architecture to deliver the service.
> >
> > Any failure of a peer provider to deliver an agreed service is a
> violation of the service level agreement. Such violation is detected
> by means of the service fulfilment/assurance and appropriate
> counter-measures will be followed. These counter-measures may be
> technical (switch to another provider) and/or contractual
> (penalties).
> >
> > We can add the following:
> >
> >    A provider may rely upon services offered by other providers.
> >    Appropriate mechanisms should be enabled by the provider to
> monitor
> >    and detect a service disruption from these providers.  The
> >    characterization of a service disruption (including, mean time
> >    between failures, mean time to repair), the escalation
> procedure, and
> >    penalties are usually documented in contractual agreements.
> >    Misbehaving peer providers will thus be identified and
> appropriate
> >    countermeasures will be applied.
> 
> Yes, please.
> 
> >> The architecture organizes functions in three levels, service,
> >> network and device. Creation of services will trigger
> requirements on
> >> the networks, and then configuration of devices. Performance
> >> monitoring at the device level will inform service assurance and
> >> service optimizatio at the network level, and service assurance,
> >> optimization and diagnostic at the service level. The
> configurations
> >> and the performance measurements are described using Yang models.
> >>
> >> The Yang modules are designed to be accessed through secrure
> >> protocols, such as NETCONF over SSH or RESTCONF over HTTPS. This
> >> provides authentication of the servers and protection of the
> data,
> >> and allows implementation of access control. That's a good basis,
> but
> >> these processes only secure "point to point"
> >> interfaces between functions in the system. This presupposes
> honest
> >> cooperation between all actors, despite the fact that those
> actors
> >> often are in competition.
> >>
> >> The security considerations consider misconfiguration attacks
> such as
> >> the creation of forwarding loops, leakage of sensitive
> information,
> >> and traffic isolation issues. These are all interesting issues,
> but
> >> they are only mentioned in the architecture document as
> guidelines
> >> for the future development of actual services. I think issues
> such as
> >> the protection of sensitive information should be developed in
> the
> >> model itself, because they are generic.
> > [Med] It is up to each individual model to call out those, not
> this document.
> 
> I am concerned about that. If that's the approach, then it should be
> stated very forcefully, as in some kind of MUST requirement for the
> development of service descriptions.
> 
> 
> >
> >  The
> >> document articulates a hierarchy of Yang modules. Why does it not
> >> articulate the trust boundaries between the different actors?
> > [Med] Because the focus is on what happens within  ** a single
> provider **. The interaction with other providers is no more than a
> provider acting as a "customer" for a service offered by another
> provider.
> >
> > The customer-facing interface is out of scope. We think this this
> now clarified with the review from Brian.
> 
> I already asked that you state the single provider focus more
> clearly in introduction. I would appreciate if it was also called
> out in the security considerations. You assume that the various
> elements are under a single management authority, and thus are
> cooperating in good faith.
> Applying the model without that assumption opens the possibility of
> a range of attacks, in which competing actors might be dissimulating
> or manipulating information. You consider that out of scope, but
> then that also mean that the model should not be applied to
> orchestration of services across multiple operators.
> 
> On the other end, there is the particular issue of the untrusted
> device.
> Consider the now classic scenario in which attackers manage to
> obtain the credential of some employees of the operator, maybe
> through a phishing attack. The attackers then use those credentials
> to gain access to a couple of network devices. Have you considered
> how they might leverage that access through the service
> architecture? Or, conversely, have you considered whether the
> architecture provides functions for the operator to detect and
> isolate such attacks?
> 
> >> In addition to three classes of issues listed in the security
> >> considerations, I am also concerned with possibilities of
> retaining
> >> or falsifying data. What if an actor hides or fakes performance
> >> monitoring data, either out of malice or due to faulty
> equipement?
> > [Med] All the levels are under the responsibility of the same
> provider. An underlying level can report performance data but the
> above level can also proceed with OAM checks as per Section 4.1.4.
> Anomalies can thus be detected locally.
> >
> >> Will that disrupt the provision of the services? What tools are
> >> available to detect such behavior? What if a network provide
> >> overpromises, in order to attract contracts? I understand that
> the
> >> ultimate remedies lies in contract obligations and contract
> >> enforcement, but that enforcement has to be based on data. How is
> the
> >> architectur organizing the collection of the data?
> > [Med] This is the role of the assurance functions. See also the
> NEW text suggested above.
> Yes, the new text is useful.
> >> On a side note, I find that this architecture cites a large
> number of
> >> other drafts such as evpn, l2vpn, l3vpn, etc. These drafts in
> turn
> >> presumably cite the architecture, thus forcing the RFC production
> to
> >> organize all of them in a large publication cluster.
> >> Is it really required for the architecture document to cite all
> the
> >> documents that will later use it?
> > [Med] None of these drafts is normative. There is not risk to
> create a publication cluster.
> 
> I will leave that to you and the RFC Production Center. That was
> just a side remark.
> 
> -- Christian Huitema
> 


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.