Re: [RTG-DIR] RtgDir review: draft-ietf-hip-rfc4423-bis-19
Miika Komu <miika.komu@ericsson.com> Fri, 27 April 2018 21:16 UTC
Return-Path: <miika.komu@ericsson.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E75571289B0 for <rtg-dir@ietfa.amsl.com>; Fri, 27 Apr 2018 14:16:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.312
X-Spam-Level:
X-Spam-Status: No, score=-4.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S0TQtajGmtYk for <rtg-dir@ietfa.amsl.com>; Fri, 27 Apr 2018 14:16:06 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD0AE1273E2 for <rtg-dir@ietf.org>; Fri, 27 Apr 2018 14:16:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1524863763; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=CdAfkP76RKXUodGUIvwtK98l10vw4IcKwAuFK8g/vYU=; b=DnJkYwCQ6qfyn2eu8Pj88IzOwG9fThULI4ondODyfcgpxxwBn0phWh3scAaHR5KT dvA5CKId7PwGKfT/4l814krL2DhY75yAZ1PgwWky44NgWKaaWhGIIrVOPPx8+Yoq 1KpfAd22qj1Ryvii0YprBbpnx+DA6rkd4RL2rjpBZ3g=;
X-AuditID: c1b4fb3a-112a09c00000729c-33-5ae393134aa6
Received: from ESESSHC020.ericsson.se (Unknown_Domain [153.88.183.78]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id 6D.46.29340.31393EA5; Fri, 27 Apr 2018 23:16:03 +0200 (CEST)
Received: from [100.94.2.233] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.80) with Microsoft SMTP Server id 14.3.382.0; Fri, 27 Apr 2018 23:16:03 +0200
From: Miika Komu <miika.komu@ericsson.com>
To: Dan Frost <frost@mm.st>, rtg-ads@ietf.org
CC: draft-ietf-hip-rfc4423-bis.all@ietf.org, rtg-dir@ietf.org
References: <1520263082.2577768.1291898592.6BFD1573@webmail.messagingengine.com> <a447d17a-eb34-0b24-7e31-2ce16244974a@ericsson.com>
Organization: Ericsson AB
Message-ID: <a87ca130-ac8f-23e4-3d8b-284ea499d213@ericsson.com>
Date: Sat, 28 Apr 2018 00:16:02 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <a447d17a-eb34-0b24-7e31-2ce16244974a@ericsson.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrKLMWRmVeSWpSXmKPExsUyM2K7n67w5MdRBpuOWVmcO3GM1eLRnVMs Fifn/GC2WLDmKbsDi8eSJT+ZPN49+sgcwBTFZZOSmpNZllqkb5fAlfHryEn2gu69jBWv/u9k bWBsn8LYxcjJISFgItF25RFzFyMXh5DAEUaJvw9vM0E4qxglXm97D1YlLGApcXjTByYQm01A S2LVnevMILaIgL7EufY5bCA2s4CjxOQtS1ggmtsYJaauPswOkuAXkJTY0LAbrIFXwF7i4bO1 YENZBFQlts/7AxYXFYiQuHf+ExtEjaDEyZlPWEBsTgEHiZZTs1ggFlhIzJx/nhHCFpe49WQ+ E4StLbFs4WugORxAi1UkLh4LnsAoNAvJpFlIumch6Z6FpHsBI8sqRtHi1OLi3HQjI73Uoszk 4uL8PL281JJNjMDAP7jlt9UOxoPPHQ8xCnAwKvHwZnQ/jhJiTSwrrsw9xCjBwawkwrvj9sMo Id6UxMqq1KL8+KLSnNTiQ4zSHCxK4rxOaRZRQgLpiSWp2ampBalFMFkmDk6pBsbi4KU3GfQe q1lUn0900/l5/I7U5vlnYuoj+iz2mHesZJE7r/9zcqYes/q0O0pb76/2PnftV1hEqsV/sc56 JteVWvffB2c9n/8778pWzXmsK38EF3fvFj2zbflbw54cl+xzB888qSxd807F4Mb/UoXpoeuL rVL6mdyCmfds89IRvRv27YVgiLQSS3FGoqEWc1FxIgDXtU4jeAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/2aGOCCKT8_W_86PQ7OD2jENdnk8>
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-hip-rfc4423-bis-19
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Apr 2018 21:16:11 -0000
Hi Dan, some of the missing comments are mentioned below. Sorry for the delay but it took some while to write completely new text into the draft. On 04/06/2018 10:43 AM, Miika Komu wrote: > Hi Dan, > > thanks for the feedback and sorry for the long delay! Some comments below. > > On 03/05/2018 05:18 PM, Dan Frost wrote: >> Hello, >> >> I have been selected as the Routing Directorate reviewer for this >> draft. The Routing Directorate seeks to review all routing or >> routing-related drafts as they pass through IETF last call and IESG >> review, and sometimes on special request. The purpose of the review is >> to provide assistance to the Routing ADs. For more information about >> the Routing Directorate, please see >> http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir >> >> Although these comments are primarily for the use of the Routing ADs, >> it would be helpful if you could consider them along with any other >> IETF Last Call comments that you receive, and strive to resolve them >> through discussion or by updating the draft. >> >> Document: draft-ietf-hip-rfc4423-bis-19 >> Reviewer: Dan Frost >> Review Date: 2017-03-05 >> Intended Status: Informational >> >> Summary: >> >> I have some minor concerns about this document that I think should be >> resolved before publication. >> >> Comments: >> >> This document describes an overall architecture for a proposed "Host >> Identity" layer that fits in to the Internet protocol stack between >> the network and transport layers. The architecture involves adding a >> layer of indirection between the IP and transport layers that >> allocates globally-significant host identifiers in the form of >> cryptographic public keys, and manages network-layer-independent >> associations between hosts. This draft is a revision of RFC 4423, >> which was originally published in 2006, so the basic architecture has >> been around for some time, and seen some limited deployment experience. >> >> The document itself is clearly written, and thorough in addressing the >> many issues and concerns raised by such a proposal without being verbose. >> >> There's a lot of valuable protocol design and deployment experience >> packed into this architecture and the associated protocol RFCs. At the >> same time, actual adoption and deployment of HIP so far appears to >> have been scarce. I don't find this surprising. The existing Internet >> network/transport/application protocol stack has already become >> sufficiently complicated that considerable expertise is required to >> manage it in all but the simplest of cases. Teams of skilled engineers >> routinely spend hours or days troubleshooting operational problems >> that crop up within or between the existing layers, and the collection >> of extensions, workarounds, identifiers, knobs, and failure cases >> continues to grow. Adding a major new layer--and a fairly complicated >> one at that--right in the middle of the existing stack seems likely to >> explode the already heavily-strained operational complexity budget of >> production deployments. while this wasn't an issue, I asked some input on this from Tempered Networks (that has a number of HIP products) and we wrote together some text to address at least some of your concerns. 11.2. Drawbacks of HIP (Added a sentence in the end of the paragraph) O HIP introduces a need to manage the new identities and requires a centralized approach to manage HIP-aware endpoints at scale. [...] As exemplified in Section 11.3.5, these challenges have been already solved in an infrastructure setting to distribute policy and manage the mappings and trust relationships between HIP-aware endpoints. 11.3.5. Management of Identities in a Commercial Product (New section) Tempered Networks provides HIP-based products. They refer to their platform as Identity-Defined Networking (IDN) [tempered-networks] because of HIP's identity-first networking architecture. Their objective has been to make it simple and non-disruptive to deploy HIP enabled services widely in production environments with the purpose of enabling transparent device authentication and authorization, cloaking, segmentation, and end-to-end networking. The goal is to eliminate much of the circular dependencies, exploits, and layered complexity of traditional "address-defined networking" that prevents mobility and verifiable device access control. The products in the portfolio of Tempered Networks utilize HIP as follows: o HIP Switches / Gateways - these are physical or virtual appliances that serve as the HIP gateway and policy enforcement point for non HIP-aware applications and devices located behind it. No IP or infrastructure changes are required in order to connect, cloak, and protect the non-HIP aware devices. Currently known supported platforms for HIP gateways are: x86 and ARM chipsets, ESXi, Hyper- V, KVM, AWS, Azure, and Google clouds. o HIP Relays / Rendezvous - are physical or virtual appliances that serve as identity based routers authorizing and bridging HIP endpoints without decrypting the HIP session. A HIP Relay can be deployed as a standalone appliance or in a cluster for horizontal scaling. All HIP aware endpoints and the devices they're connecting and protecting can remain privately addressed, The appliances eliminate IP conflicts, tunnel through NAT and CGNAT, and require no changes to the underlay infrastructure. The only requirement is that a HIP endpoint should have outbound access to the Internet and that a HIP Relay should have a public address. o HIP-Aware Clients and Servers - software that installs in the host's network stack and enforces policy for that host. HIP clients support split tunneling. Both HIP client and HIP server can interface with the local host firewall and HIP Server can be locked down to listen only on the port used for HIP, making the server invisible from unauthorized devices. Currently known supported platforms are Windows, OSX, iOS, Android, Ubuntu, CentOS and other Linux derivatives. o Policy Orchestration Managers - a physical or virtual appliance that serves as the engine to define and distribute network and security policy (HI and IP mappings, overlay networks and whitelist policies etc.) to HIP-aware endpoints. Orchestration does not need to persist to the HIP endpoints and vice versa allowing for autonomous host networking and security. >> Major Issues: >> >> No major issues found. >> >> Minor Issues: >> >> - Section 1 >> >> It would be good to clarify early in this section that the Host >> Identity namespace is global. > > Fixed: > > The proposed Host Identity namespace is also a global namespace, and it > fills an important gap between the IP and DNS namespaces. > >> - Section 1, paragraph 4, last sentence >> >> Some grammar problems here. > > Fixed. > >> - Section 3, last paragraph >> >> This paragraph says "Firstly, dynamic readdressing cannot be directly >> managed." It's not entirely obvious what this refers to; some >> elaboration or a reference would be helpful. > > I would suggest to change this as follows: > > Firstly, establishing initial contact and sustaining of data > flows between two hosts can be challenging due to private address > realms and ephemeral nature of addresses. > > Is it more clear now and do you need a reference? I am referring to the > issues that vanilla TCP/IP cannot sustain session connectivity upon > address changes and connecting to hosts behind NATs is not possible > without external help (such as ICE, Teredo). > >> - Sections 5 and 10 >> >> These sections contain some discussion of opportunistic mode. The >> draft would benefit from some expanded coverage of this subject, such >> as whether and how a TOFU approach is expected to apply, and a >> comparison against the considerations raised in RFC 7435. > > I have added a new section dedicated to this. The text is here: 12.5. Trust On First Use [RFC7435] highlights four design principles for Leap of Faith, or Trust On First Use (TOFU), protocols that apply also to opportunistic HIP: 1. Coexist with explicit policy 2. Prioritize communication 3. Maximize security peer by peer 4. No misrepresentation of security According to the first TOFU design principle, "opportunistic security never displaces or preempts explicit policy". Some application data may be too sensitive, so the related policy could require authentication (i.e, the public key or certificate) in such a case instead of the unauthenticated opportunistic mode. In practice, this has been realized in HIP implementations as follows [RFC6538]. The OpenHIP implementation allowed an Initiator to use opportunistic mode only with an explicitly configured Responder IP address, when the Responder's HIT is unknown. At the Responder, OpenHIP had an option to allow opportunistic mode with any Initiator -- trust any Initiator. HIP for Linux (HIPL) developers experimented with more fine-grained policies operating at the application level. HIPL implementation utilized so called "LD_PRELOAD" hooking at the application layer that allowed a dynamically linked library to intercept socket-related calls without rebuilding the related application binaries. The library acted as a shim layer between the application and transport layers. The shim layer translated the non-HIP based socket calls from the application into HIP-based socket calls. While the shim library involved some level of complexity as described in more detail in [komu-leap], it achieved the goal of applying opportunistic mode at the granularity of individual applications. The second TOFU principle essentially states that communication should be first class citizen instead of security. So opportunistic mode should be, in general, allowed even if no authentication is present, and even possibly a fallback to non-encrypted communications could be allowed (if policy permits) instead of blocking communications. In practice, this can be realized in three steps. In the first step, a HIP Initiator can look up the HI of a Responder from a directory such as DNS. When the Initiator discovers a HI, it can use the HI for authentication and skip the rest of the following steps. In the second step, the Initiator can, upon failing to find a HI, try opportunistic mode with the Responder. In the third step, the Initiator can fall back to non-HIP based communications upon failing with opportunistic mode if the policy allows it. This three step model has been implemented successfully and described in more detail in [komu-leap]. The third TOFU principle suggests that security should be maximized, so that at least opportunistic security would be employed. The three step model described earlier prefers authentication when it is available, e.g., via DNS records (and possibly even via DNSSEC when available) and falls back to opportunistic mode when no out-of-band credentials are available. As the last resort, fallback to non-HIP based communications can be used if the policy allows it. Also, since perfect forward security (PFS) is explicitly mentioned in the third design principle, it is worth mentioning that HIP supports it. The fourth TOFU principle states that users and non-interactive applications should be properly informed about the level of security being applied. In practice, non-HIP aware applications would assume no extra security being applied, so misleading at least a non- interactive application should not be possible. In the case of interactive desktop applications, system-level prompts have been utilized in earlier HIP experiments [karvonen-usable], [RFC6538] to guide the user about the underlying HIP-based security. In general, users in those experiments perceived when HIP-based security was being used versus not used. However, the users failed to notice the difference between opportunistic and non-opportunistic HIP. The reason for this was that the opportunistic HIP (i.e. lowered level of security) was not clearly indicated in the prompt. This provided a valuable lesson to further improve the user interface. In the case of HIP-aware applications, native sockets APIs for HIP as specified in [RFC6317] can be used to develop application-specific logic instead of using generic system-level prompting. In such case, the application itself can directly prompt the user or otherwise manage the situation in other ways. In this case, also non- interactive applications can properly log the level of security being employed because the developer can now explicitly program the use of authenticated HIP, opportunistic HIP and plain-text communication. It is worth mentioning a few additional items discussed in [RFC7435]. Related to active attacks, HIP has built-in protection against cipher-suite down-grade attacks as described in detail in [RFC7401]. In addition, pre-deployed certificates could be used to mitigate against active attacks in the case of opportunistic mode as mentioned in [RFC6538]. Detection of peer capabilities is also mentioned in the TOFU context. As discussed in this section, the three-step model can be used to detect peer capabilities. A host can achieve the first step of authentication, i.e., discovery of a public key, via DNS, for instance. If the host found no keys, the host can then try opportunistic mode as the second step. Upon a timeout, the host can then proceed to the third step by falling back to non-HIP based communications if the policy permits. This last step is based on an implicit timeout rather an explicit (negative) acknowledgment like in the case of DNS, so the user may conclude prematurely that the connectivity has failed. To speed up the detection phase by explicitly detecting if the peer supports opportunistic HIP, researchers have proposed TCP specific extensions [RFC6538], [komu-leap]. In a nutshell, an Initiator sends simultaneously both an opportunistic I1 packet and the related TCP SYN datagram equipped with a special TCP option to a peer. If the peer supports HIP, it drops the SYN packet and responds with an R1. If the peer is HIP incapable, it drops the HIP packet (and the unknown TCP option) and responds with a TCP SYN-ACK. The benefit of the proposed scheme is faster, one round-trip fallback to non-HIP based communications. The drawback is that the approach is tied to TCP (IP-options were also considered, but do not work well with firewalls and NATs). Naturally, the approach does not work against active attacker, but opportunistic mode is not anyway supposed to protect against such an adversary. It is worth noting that while the use of opportunistic mode has some benefits related to incremental deployment, it does not achieve all the benefits of authenticated HIP [komu-diss]. Namely, authenticated HIP supports persistent identifiers in the sense that hosts are identified with the same HI independently of their movement. Opportunistic HIP meets this goal only partially: after the first contact between two hosts, HIP can successfully sustain connectivity with its mobility management extensions, but problems emerge when the hosts close the HIP association and try to re-establish connectivity. As hosts can change their location, it is no longer guaranteed that the same IP address belongs to the same host. The same address can be temporally assigned to different hosts, e.g., due to the reuse of IP addresses (e.g. by a DHCP service), overlapping private address realms (see also the discussion on Internet transparency in Section 11.1) or due to an attempted attack. >> - Infrastructure devices >> >> The draft does not discuss the applicability of HIP to infrastructure >> devices. These devices are also hosts, and it's a little surprising >> that they're never mentioned as possible HIP users. > > I have been writing a new section on this, including some input from > Tempered Networks on how their HIP product works. I need a bit more time > to complete this though. The new section (note that Tempered Networks discussion is actually a separate section): 11.3.4. Infrastructure Applications HIP experimentation report [RFC6538] enumerates a number of client and server applications that have been trialed with HIP. Based on the report, this section highlights and complements some potential ways how HIP could be exploited in existing infrastructure such as routers, gateways and proxies. HIP has been successfully used with forward web proxies (i.e., client-side proxies). HIP was used between a client host (web browser) and a forward proxy (Apache server) that terminated the HIP/ ESP-tunnel. The forward web proxy translated HIP-based traffic originating from the client into non-HIP traffic towards any web server in the Internet. Consequently, the HIP-capable client could communicate with HIP-incapable web servers. This way, the client could utilize mobility support as provided by HIP while using the fixed IP address of the web proxy, for instance, to access services that were allowed only from the IP address range of the proxy. HIP has also been experimented with reverse web proxies (i.e. server- side proxies) as described in more detail in [komu-cloud]. In this scenario, a HIP-incapable client accessed a HIP-capable web service via an intermediary load balancer (that was a web based load balancer implementation called HAProxy). The load balancer translated non-HIP traffic originating from the client into HIP-based traffic for the web service (consisting of front-end and back-end servers). Both the load balancer and the web service were located in a datacenter. One of the key benefits for encrypting the web traffic with HIP in this scenario was to support a private-public cloud scenario (i.e. hybrid cloud) where the load balancer, front-end servers and back-end servers can be located in different datacenters and, thus, the traffic needs to protected when it passes through potentially insecure networks between the borders of the private and public clouds. While HIP could be used to secure access to intermediary devices (e.g. access to switches with legacy telnet), it has also been used to secure intermittent connectivity between middlebox infrastructure. For instance, earlier research [komu-mitigation] utilized HIP between Secure Mail Transport Protocol (SMTP) servers in order to exploit the computational puzzles of HIP as a spam mitigation mechanism. A rather obvious practical challenge in this approach was the lack of HIP adoption on existing SMTP servers. To avoid deployment hurdles with existing infrastructure, HIP could be applied in the context of new protocols with little deployment. Namely, HIP has been experimented in the context of a new protocol, peer-to-peer SIP [camarillo-p2psip]. The work has resulted in a number of related RFCs [RFC6078], [RFC6079], [RFC7086]. The key idea in the research work was to avoid redundant, time consuming ICE procedures by grouping different connections (i.e. SIP and media streams) together using the low-layer HIP which executes NAT traversal procedures only once per host. An interesting aspect in the approach was the use of P2P-SIP infrastructure as rendezvous servers for HIP control plane instead of utilizing the traditional HIP rendezvous services [RFC8004]. Researchers have proposed to use HIP in cellular networks as a mobility, multihoming and security solution. [hip-lte] provides a security analysis and simulation measurements of using HIP in Long Term Evolution (LTE) backhaul networks. HIP has been experimented with securing cloud internal connectivity. First with virtual machines [komu-cloud] and then later also between Linux containers [ranjbar-synaptic]. In both cases, HIP was suggested as a solution NAT traversal that could be utilized both internally by a cloud network and between multi-cloud deployments. Specifically in the former case, HIP was beneficial sustaining connectivity with a virtual machine while it migrates to a new location. In the latter case, Software-Defined Networking (SDN) controller acted as rendezvous server for HIP-capable containers. The controller enforced strong replay protection by adding middlebox nonces [heer-end-host] to the passing HIP base exchange and UPDATE messages. >> - End user experience >> >> I didn't see a discussion of how the experience of an end user using a >> HIP-enabled application would differ as compared to the status quo. Is >> HIP expected to be completely transparent to end users? Do they need >> to understand the significance of public keys? What new kinds of >> errors might they have to deal with? Impact to end user usability >> seems like an important topic for the architecture to address. > > The text on opportunistic HIP includes some insight on usability. If > needed, I can add a new section this if you need more information. Did not add a new section, but the text on opportunistic mode includes some discussion on this topic. > Dan, the new sections include quite a lot of text. Would you prefer to > receive them by email or should I post a new version of the draft? A pre-version of the draft with the proposed changes is available here: http://mkomu.kapsi.fi/temp/draft-ietf-hip-rfc4423-bis-20pre.txt If needed, I can also post a new officia version for easier diffs? Btw, Jeff Ahrenholz, Tom Henderson and Erik Giesa have been helping with the new text. Tom Henderson also suggested to change the following text in 11.3.1: HIP has commercially been utilized at Boeing airplane factory for their internal purposes [paine-hip]. It has been included in a security product called Tofino to support layer-two Virtual Private Networks [henderson-vpls] to facilitate, e.g, supervisory control and data acquisition (SCADA) security. to: HIP has been adapted and deployed in an industrial control network in a production factory, in which HIP's strong network layer identity supports the secure coexistence of the control network with many untrusted network devices operated by third-party vendors [paine-hip]. Similarly, HIP has also been included in a security product to support layer-two Virtual Private Networks [henderson-vpls] to enable security zones in a supervisory control and data acquisition (SCADA) network. (To make it more vendor neutral)