AW: VPN security vs SD-WAN security

<Ruediger.Geib@telekom.de> Wed, 25 July 2018 12:51 UTC

From: <Ruediger.Geib@telekom.de>
To: <stewart.bryant@gmail.com>
CC: <rtgwg@ietf.org>
Subject: AW: VPN security vs SD-WAN security
Date: Wed, 25 Jul 2018 12:51:02 +0000
Message-ID: <FRAPR01MB01133665E93496E78E6E7AF99C540@FRAPR01MB0113.DEUPRD01.PROD.OUTLOOK.DE>
References: <CA+b+ERmfOaFMURD2eNPScs2SZ88rOEfGXZZJsqGDWX3M6bTY-g@mail.gmail.com> <0cb8f15b-7538-500c-dda3-915bf9814f94@gmail.com> <5D10C0C4-B93D-463F-A071-EEA6F35506CD@cisco.com> <CA+b+ERkqrr4Wr+Wy9q81SpyWi7H1s=z_RAvbc3Rbddvpgb7Xpg@mail.gmail.com> <44F647C7-BF88-469D-82C6-1509A57EAD31@gmail.com>
In-Reply-To: <44F647C7-BF88-469D-82C6-1509A57EAD31@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/fk5z2Z6_aVjKycQpLejjziU4xNw>

Stewart,

let’s keep the discussion technical please. I’m not sure which man-made technology is able to withstand state-sponsored attacks.

Regards,

Ruediger


From: rtgwg [mailto:rtgwg-bounces@ietf.org] On Behalf Of Stewart Bryant
Sent: Wednesday, 25 July 2018 14:32
To: Robert Raszuk <robert@raszuk.net>;
Cc: rtgwg@ietf.org
Subject: Re: VPN security vs SD-WAN security

Robert,

Perhaps the right thing here is for you to propose text to Fred on how to make sure his traffic is safe from the types of state-sponsored attack that an air traffic system might need to withstand?

Stewart

On 25 Jul 2018, at 13:24, Robert Raszuk <robert@raszuk.net> wrote:

True network slicing for IP networks means either waste of resources or very strict multi-level queuing at each hop and 100% ingress traffic policing. Yet while this has a chance to work during normal operation, at the time of even regular failures this all pretty much melts like cheese on a good sandwich.

It is going to be very interesting to see how a single complex sliced network compares, for any end-to-end robust transport, with N normal simple IP backbones and end-to-end SLA-based millisecond switch-over between one and another on a per-flow basis. Also let's note that while the former is still, to the best of my knowledge, a draft, the latter is already deployed globally in 100s of networks.

Best,
R.


On Wed, Jul 25, 2018 at 1:21 PM, Acee Lindem (acee) <acee@cisco.com> wrote:


From: rtgwg <rtgwg-bounces@ietf.org> on behalf of Stewart Bryant <stewart.bryant@gmail.com>
Date: Wednesday, July 25, 2018 at 5:55 AM
To: Robert Raszuk <robert@raszuk.net>
Cc: Routing WG <rtgwg@ietf.org>
Subject: Re: VPN security vs SD-WAN security

On 25/07/2018 10:40, Robert Raszuk wrote:
/* Adjusting the subject ... */

Hello Stewart,

You have made the below comment in the other thread we are having:

Indeed, I would have expected this to be on a secure network of some sort either purely
private or some form of VPN. However, I am sure I read in your text that you were
considering using the Public Internet much in the way of SD-WAN.

Would you mind expanding, as extensively as you can, on the above statement?

Specifically, on what basis do you treat, say, an L2VPN or L3VPN of naked unencrypted packets, often traveling on the very same links as this "bad" Internet traffic, to be even slightly more secure than IPsec- or DTLS-encrypted SD-WAN carried data with endpoints being terminated in private systems?

Thx,
Robert

Robert, I think that you have to take it as read that an air traffic control SoF system is encrypting its packets. If it is not, then it is clearly not fit for purpose.

What concerns me is that an air traffic system is one of the most, if not the most, high profile targets in civil society. You get reminded of this each time you travel to IETF.

The thing about safety of flight traffic is that a sustained and effective DDoS attack has global impact in a way that few other such attacks have.

A VPN system ought to sustain resistance to such an attack better than the proposed system which treats the SoF traffic the same as regular traffic.

I guess you are making a case for your network slicing work 😉

Acee


- Stewart