Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18

"Joel M. Halpern" <jmh@joelhalpern.com> Sun, 17 September 2017 12:04 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B70C7133187; Sun, 17 Sep 2017 05:04:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyUvu9Ae7-Co; Sun, 17 Sep 2017 05:04:16 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11B231330AE; Sun, 17 Sep 2017 05:04:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id E0A3E1C5B4B; Sun, 17 Sep 2017 05:04:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=1.tigertech; t=1505649855; bh=sTJ3iYeZVVt/WLg0enTfDoF1xc9a/iAl5YMDf6wLZac=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=dj4bct7yuK2/InRNKwd6ISUngh6afnKKoTJuUZp1gJ0F5X+/5IZUEK9H4+A41KT/G N78b+KyKqrIBeEVzeVXjYN59/kVqvhaxzkosZcuWf908oC+xjHwaciv3F0dC3sJRmp HNyn6hFfBl9Ba97VS/W7kaMIeFoMTY2OO1f+gofA=
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [50.225.209.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 26D1A1C01F2; Sun, 17 Sep 2017 05:04:14 -0700 (PDT)
To: Christian Huitema <huitema@huitema.net>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net> <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com> <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <a68b9d9d-0a85-5a4e-c12e-8928806d730d@joelhalpern.com>
Date: Sun, 17 Sep 2017 08:04:13 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/17h8jftTMxqUzyqBciEiUheFJk4>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2017 12:04:18 -0000

IF removing the two references to Campus networks would help, we can do 
that.  deployment in a campus (sa distinct from the DC within campus) is 
indeed more complex.

With regard to threats, a lot of the reason I have trouble with 
providing good answers is that a service function that stores the 
metadata for later analysis is perfectly legitimate.  If the operator 
contract with the SF provider is that the provider gets the metadata the 
service function sees, that the operators chaice.  Given that SFs have 
to be able to get at whatever metadata they need, the protocol can not 
inherently prevent that. People have suggested in Internet-Drafts 
mechanisms whereby the SFF trim and restore the metadata sets.  that 
does not actually rpevent this, it merely adds the complication that the 
operator has to configure what is allowed where.  If their contract for 
a given SF says that it gets all the metadata, it will get all the metadata.
The one piece we can do is that personally identifying metadata can be 
obfuscated, preferably by indirection.  We should however recognize that 
the indirection will be known to the operator, and if they choose to 
reveal it by other means we can not prevent that.

Yours,
Joel

On 9/17/17 12:21 AM, Christian Huitema wrote:
> 
> 
> On 9/14/2017 4:22 AM, Carlos Pignataro (cpignata) wrote:
>> ...
>> it’s not uncommon to forget how broadly understood assumptions and design criteria for a document are, when being knee-deep in work. This is probably the case here, in which scope should have been more explicit.
>>
>> For completeness, the document is the document plus its context. A peek at the normatively-cited RFC 7665, SFC architecture, (or at the charter as part of a Directorate review) would have proactively reduced your concerns, leaving the editorial need to make it very clear and explicit in “the document” (as opposed to your initial reaction).
> I did read RFC 7665. Before writing the initial review, and again now as
> a refresher. Yes, RFC 7665 mentions an "administrative domain". But it
> is also a very abstract document, leaving open many possibilities. And
> it does contain the text about sharing metadata along a function path
> that gave me pause: "For example, an external repository might provide
> user/subscriber information to a service chain classifier. This
> classifier could in turn impose that information in the SFC
> encapsulation for delivery to the requisite SFs. The SFs could in turn
> utilize the user/subscriber information for local policy decisions.
> Metadata can also share SF output along the SFP." The draft translates
> the architecture into practical protocol specification. It is good to
> include at that stage concrete protections.
>> OK, we can qualify the campus network with “controlled”, or frankly remove it or choose a different example. It is, after all, an example.
> I saw the "controlled" addition in your text, but I don't quite
> understand what a "controlled campus network" is. I understand that one
> of the goals is to place a variety of functions in separate boxes
> independently of topology, but if I was managing a campus network I
> would much rather place these functions in controlled spaces like data
> centers rather than, say, student dorms. Not all places on the campus
> will be tightly controlled. It might be simpler to just not mention
> these campus networks.
> ...
>> How would you suggest this can be strengthened? We do add some relevant text based on the next comment.
>>
>>> The draft mentions using IPv4 or IPv6 as transport. It seems
>>> that in that case there should be some ingress/egress filtering, as in
>>> "packets originating outside the service domain must be dropped if they
>>> contain an NSH," and similarly must be drop on domain exit if they
>>> contain an NSH.
>>>
>> This is a good suggestion. We can add some clarifying text after the first paragraph of the Security Considerations.
>> This can take care of your previous comment as well.
> I saw the text added in the latest draft. That's fine.
> 
>>> The new security section does provide a number of recommendations, such
>>> as the obfuscation of metadata. That's definitely an improvement. But I
>>> believe there are still issues.
>>>
>>> The first issue is that "Metadata privacy and security considerations
>>> are a matter for the documents that define metadata format." That does
>>> not give me a warm and fuzzy feeling at all. I understand that the
>>> formats will be only registered "after IETF review", but these future
>>> reviews would be much easier if the NSH mechanism defined at least a
>>> baseline security posture, and maybe some generic mechanisms for
>>> obfuscation or encryption.
>> I do not know if future reviews might or might not be easier, since there would be a need for a reviewer to follow and read normative references, which practice shows not always happens... But, that aside, ease of future review for reviewers is not a design principle for NSH :-)
>>
>> That said, I agree that there is an opportunity to, without specifying, provide forward-looking guidance or references to potential work. We will add that in.
> 
> I see that you added references to "proof of transit" in draft-21. That,
> and the reference to obfuscating subscriber info, certainly helps. It
> seems that the security protection is based on three broad principles:
> 
> 1) Encrypt the data in transit, using IPSEC or similar;
> 
> 2) Obfuscate by default critical metadata such as subscriber info;
> 
> 3) Encrypt some of the metadata.
> 
> That's not a bad posture, but I wish that you were explicit about the
> threats. I am somewhat concerned that the "administrative domain"
> approach leads to complacency, as in "my domain is secure, I am only
> concerned with external leakage". I think it would be good to point at
> explicit threats. Encrypt in transit addresses one type of threats,
> adversaries tapping conduits to observe the data. But how about hacking
> into an SFF? Or providing a "free" function that pays for itself by
> collecting the meta-data? These all go into the idea that in a complex
> system, it is good to compartment who routinely sees what information.
> That's the rational motivating obfuscation and other such techniques,
> and it would be nice to be explicit about it.
> 
>>
>>> The second issue is that the security section provide recommendations
>>> about solutions, but does not analyze the threats. In particular, one of
>>> the threats that I find worrisome is, what happens if a specific
>>> function in a service chain gets subverted?
>> If a firewall or a router gets subverted, we likely have bigger problems. More below.
> Maybe. Maybe not. What if an intrusion detection system gets subverted?
> What if an accounting system gets subverted? You hope that the intrusion
> will be detected shortly, but principles like "least privilege" are a
> good way to provide defense in depth and minimize the damage during the
> early stages of the intrusion.
> 
> 
> 
>>> I may be paranoid, but there is already an history of adversaries
>>> attacking complex systems like data centers, network control systems or
>>> corporate networks, not to mention campus networks. These adversaries
>>> typically proceed by lateral movement after an initial penetration until
>>> they get closer to their actual target inside the domain. I can see an
>>> adversary trying to penetrate one of these domains in order to access
>>> the metadata. In our case, it would try to find a weak link in the
>>> service function chain. It maybe that one of the functions is deemed
>>> benign, and thus was less secured than the others. But if all functions
>>> see the metadata, then the adversaries will achieve their goal by
>>> targeting that weak link. Some application of the "least privilege"
>>> principle would be useful there.
>> See above. Not all functions see the metadata, if so desired. For example, all SFFs do not see any metadata if the transport uses existing proven encryption techniques, IPsec, TLS, etc.
> 
> Yes. Somehow stating that and explaining why it matters would be nice.
> 
> -- Christian Huitema
> 
>