IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-sfc-architecture-08

Simon Josefsson <simon@josefsson.org> Wed, 27 May 2015 05:13 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 938531A87AF; Tue, 26 May 2015 22:13:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bbEAiQezbTbi; Tue, 26 May 2015 22:13:25 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5CF11A87AC; Tue, 26 May 2015 22:13:24 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t4R5DGsa001435 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 27 May 2015 07:13:17 +0200
Date: Wed, 27 May 2015 07:13:15 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <20150527071315.17b3b5f5@latte.josefsson.org>
In-Reply-To: <alpine.GSO.1.10.1505261917240.22210@multics.mit.edu>
References: <20150524211041.52cde768@latte.josefsson.org> <02FCDA94-FCC3-4875-AFBE-D07CC792B0C9@cisco.com> <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu> <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com> <alpine.GSO.1.10.1505261917240.22210@multics.mit.edu>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; boundary="Sig_/d/M_BP8axIxo1jANMHAl5vU"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/0SPkZ_o-LSU_GGqjcPRnGK5fA60>
Cc: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-architecture.all@tools.ietf.org" <draft-ietf-sfc-architecture.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 05:13:26 -0000

Den Tue, 26 May 2015 19:41:42 -0400 (EDT)
skrev Re: [secdir] Review of draft-ietf-sfc-architecture-08:

> Hi Carlos,
> 
> On Tue, 26 May 2015, Carlos Pignataro (cpignata) wrote:
> 
> > > On May 25, 2015, at 11:01 PM, Benjamin Kaduk <kaduk@MIT.EDU>
> > > wrote:
> > >
> > > insist that encryption always be used, but please do not claim
> > > that being in a single administrative domain excuses the operator
> > > from considering whether encryption is necessary.
> > >
> >
> > My point was a different one: that SFC does not change these
> > requirements.
> >
> > I may have misunderstood, but what I read in Simon's review
> > (admittedly oversimplified) was: in SFC you move services from
> > on-network-path (which, as an aside, is really the other way
> > around; it is moving from creating an on-network-path steering of
> > network topology through the service) to a machine ‘elsewhere' —
> > and thus, consequently, you have to encrypt.
> 
> I do not think anyone is saying "you must encrypt".

Agreed.

> To partially crib from Simon's proposal, how about
> 
> The architecture described here is different from the current model,
> and moving to the new model could lead to different security
> arrangements and modeling. For example, when service functions are
> moved from on-path static machines to dynamic remote machines, this
> can change the flow of data through the network, and the security and
> privacy considerations of the protocol and deployment will need to be
> reevaluated in light of the new topology.
> 
> The word "reevaluated" is intended to indicate that a new analysis
> should be performed, but not that a different conclustion must
> necessarily be reached.

That's better, thank you.  I believe it would have been better to
include a discussion of security concerns in the architecture document
itself -- doing security right sometimes requires architectural
changes, so if it is done later you might realize serious issues -- but
barring that, adding a statement to acknowledge that no security
analysis has been done, and that it has to be done, seems appropriate.

/Simon

v2.23.0 | Report a Bug | By Email