IETF Logo Mail Archive

Re: [secdir] [Detnet] Secdir last call review of draft-ietf-detnet-mpls-05

Watson Ladd <watsonbladd@gmail.com> Mon, 16 March 2020 14:19 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 833563A08FD; Mon, 16 Mar 2020 07:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpzoOyoKK8fq; Mon, 16 Mar 2020 07:19:03 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 774E93A0901; Mon, 16 Mar 2020 07:18:57 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id c20so14240381lfb.0; Mon, 16 Mar 2020 07:18:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QljCFe26iYMylvT19icyZdOtgo0dYP6xdQ+NPT2VIIM=; b=kBdpFKjKcVClOCYcUYCjY6dWKqNr5b3f9txfG0CQfLfk7PQa3ACreI86Lj3w5K246L qxkfqtVSCj/w6Sem03rsieiXSxLu5ZrGE3IMmCGlZINJpKr9QLynjnimvTXHli+dzHLx mxCibV0AQdIQRy3OSHjXStUXy+qCGsgLHMf+S6tiyOVgIXptbGfNvg6s9Q/tWLVE8qDY xYE/PH2DTCmRER+1sUmt89TLXqLHg1mCTXLlcLTwgVXwACnUlIYuOvHJdfgRMFDI+Z+5 Nusq5ZdgJzyFc+WOSyIP8eP10SepdbMN3Cs5GiCMHP//d0ytD8ZbZ5WqlHAcH1NrvHAS dA2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QljCFe26iYMylvT19icyZdOtgo0dYP6xdQ+NPT2VIIM=; b=gpv2zNZDvDO42qKYWf8Lw9clOIaf51ozcx2o0LGizTPQpRJvuN3utAMa3mSbp8TcdL IF81AXZ8NN8lnxB5UDr09HpFH+s8knnEVDX1y9omNjA4kVPum4KDT82NQfc6I2GitVVv DzvxLoN46P8eCcNpyT16480nJOnLR2dsKagrFY4Lm/1z/+BaHybi94k4u7dWnb0HsQqY szlJO7pUuYvakUponzYwz0NQddb0sqdSr0hmUqo5yNgy94/S9kZ+0K8KZrr8q6whvEax 2RJrPon/1xdVaJ1qgISZ3PDIT9agqE9ZCWFfh77zTAZK6NXdUhlvHU3Y91CCLtqYpwU/ Tnvw==
X-Gm-Message-State: ANhLgQ1yWmhfDdL2Svac9L2UBOlojDybPDbxYao18q2bGqsDBB1dNiwE vVvdxEqEpSGCsd21Y4F4GpFLEI8x2YBHXqVpad0=
X-Google-Smtp-Source: ADFU+vv8yyee/2hDSDzxnLxJK1XrW4xuiVVzaIxYxpJV1rPEivSe8QP+6tDQh1vm0Dxn8ytTAnkf6OCSTqYXnIr8w4s=
X-Received: by 2002:a05:6512:4cf:: with SMTP id w15mr10726016lfq.147.1584368335411; Mon, 16 Mar 2020 07:18:55 -0700 (PDT)
MIME-Version: 1.0
References: <7A5A9066-7877-402A-9704-AD83AF4FD3D0@gmail.com> <E0A8CA63-8C58-4AFA-B213-76A7FD261833@mit.edu> <96BB26AA-3314-4E0A-98F3-4F2E93F1D9FF@gmail.com>
In-Reply-To: <96BB26AA-3314-4E0A-98F3-4F2E93F1D9FF@gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 16 Mar 2020 07:18:44 -0700
Message-ID: <CACsn0cnCAo082hB4MK=dRTxbha1niGsSQ4-dW4_UvQ8bZ0TBLw@mail.gmail.com>
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: Uri Blumenthal <uri@mit.edu>, Lou Berger <lberger@labn.net>, draft-ietf-detnet-mpls.all@ietf.org, DetNet WG <detnet@ietf.org>, secdir <secdir@ietf.org>, rtg-ads@ietf.org, "<sec-ads@ietf.org>" <sec-ads@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d35d7005a0f97fd9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5L7MrRa_1AXG_TOERHUI56xex0c>
Subject: Re: [secdir] [Detnet] Secdir last call review of draft-ietf-detnet-mpls-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2020 14:19:06 -0000

On Mon, Mar 16, 2020, 7:01 AM Stewart Bryant <stewart.bryant@gmail.com>
wrote:

> The requirement is NOT for a draft to provide the security analysis of all
> of all of the technologies that it calls up. It is, I believe, to describe
> the deltas that apply to the new idea. Anything else and the text would be
> a security analysis with a short technology preamble.
>
> We are describing a technology that is overlaid on MPLS. We should not
> need to describe the security model of MPLS,  but instead confine our
> remarks to issues that specifically apply to the additional technology we
> are describing.
>

RFC 3552 requires that in a case such as this you explicitly describe what
the lower layer is providing to the top layer. RFC 3552 section 5 also
demands that attacks be enumerated and those out of scope be called out.

E.g "use TLS" isn't good enough and imho neither is "use MPLS".

Again, the sentences in the security considerations as it stands are about
MPLS and Detnet, and they don't seem to come together. Are there really no
security considerations when putting the two together? Every MPLS network
will just work with Detnet on top, no matter how rushed the deploy is?


> Early in the document we call up RFC3031 and RFC3032, the fundamental MPLS
> RFCs. They are in section 3.1 the first part of the serious technical
> discussion. In my view these establish a baseline of understand that the
> reader is expected to have.
>
> It is important to realise, as I have said before, that without
> understanding that baseline the rest of the document is meaningless.
>
> Regards
>
> Stewart
>
> BTW
>
> It might be as well if you refrained from illustrating the lack of
> professionalism that the security area applies to its reviews by continuing
> with the flippancy. There is a serious point that needs to be debated here
> about what assumptions are a given and what assumptions need to be spelled
> out when modifying or layering a technology.
>
>
> > On 16 Mar 2020, at 12:22, Uri Blumenthal <uri@mit.edu> wrote:
> >
> > IETF position (add fat as I remember) regarding RFCs has been that RFCs
> should provide with everything information for a reasonable developer to
> implement correctly and securely the standard they define, and provide
> enough information for the person who will deploy a compliant
> implementation to do that correctly and securely.
> >
> > One purpose of Security Review is to ensure that a person doesn't have
> to be an expert in the field to deal with the proposed document.
> >
> > In a flippant way, if using your stuff is requires special classes -
> perhaps it belongs to a book rather than an RFC.
> >
> > In a non-flippant way - what's the problem in mentioning the issues and
> providing the appropriate references? A "normal" RFC cannot be
> self-contained, but it's unreasonable to epect a reader to just "know"
> where all the omitted things are described.
> >
> >> On Mar 16, 2020, at 06:33, Stewart Bryant <stewart.bryant@gmail.com>
> wrote:
> >>
> >> Uri,
> >>
> >> That is a ridiculous position, and you flippancy demonstrates that.
> >>
> >> This technology fundamentally rests on MPLS and it is reasonable that
> the reader of this RFC will understand MPLS and the security model it uses
> before they implement or deploy it. Indeed I cannot think of any
> implementor or operator that would not already have that knowledge before
> taking on the task of building or running DN over MPLS.
> >>
> >> If SecDir reviews are to retain any credibility as expert reviews as
> opposed to Genart random reader reviews they have to be carried out with
> shared knowledge of both the security area and the draft’s host area.
> >>
> >> I have been thinking for some time that there needs to be a fundamental
> review of the security review process.
> >>
> >> Stewart
> >>
> >>> On 15 Mar 2020, at 22:44, Uri Blumenthal <uri@mit.edu> wrote:
> >>>
> >>> I say yes - unless you expect a person who wants just one RFC to have
> to read every cr^h^h stuff that came out of the routing area.
> >>>
> >>> "Just do it"
> >>>
> >>>
> >>>>> On Mar 15, 2020, at 17:39, Lou Berger <lberger@labn.net> wrote:
> >>>>
> >>>> 
> >>>>> On 3/15/2020 5:22 PM, Watson Ladd wrote:
> >>>>>> On Sun, Mar 15, 2020 at 2:14 PM Lou Berger <lberger@labn.net>
> wrote:
> >>>>>> Hi Watson,
> >>>>>>
> >>>>>>   I think Stewart's response really covers the main points. DetNet
> is
> >>>>>> really just MPLS (and IP) with some specific forwarding behaviors
> and
> >>>>>> queuing.  The only thing I'd add, is I see DetNet in general as a
> >>>>>> specific form of policy based routing. (The general form of which is
> >>>>>> pretty much as old as IP).
> >>>>> Then Stewart can put those points in the security considerations
> >>>>> section. What's the disadvantage of doing so?
> >>>>
> >>>> At one level, it would be easiest for the authors to just put these
> in.  On the other hand, this would mean that every RFC produced in the
> routing area will acquire similar notes, e.g., routing protocols are
> currently built with a chain of trust model.  Is this what the sec-dir
> really is asking the routing area to do?
> >>>>
> >>>> ADs,
> >>>>
> >>>>  any opinion on this?     (for context, Stewart's response can be
> found at:
> https://mailarchive.ietf.org/arch/msg/detnet/-epL5Fb6bFIUltMrjH53C2316ZA/)
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Lou
> >>>>
> >>>>>> Lou
> >>>>>>
> >>>>>> On 3/12/2020 9:35 PM, Watson Ladd wrote:
> >>>>>>> On Thu, Mar 12, 2020 at 4:07 AM Lou Berger <lberger@labn.net>
> wrote:
> >>>>>>>> Watson,
> >>>>>>>>
> >>>>>>>> Can you provide context here? Can you be explicit on what you see
> needs to
> >>>>>>>> be addressed (beyond what is in this document as well as related
> rfcs)?
> >>>>>>> You have to talk about how the layers interact, and can't just say
> the
> >>>>>>> lower level handles anything without any guide as to what needs to
> be
> >>>>>>> provided by that lower layer.
> >>>>>>>
> >>>>>>> I think my concerns about the assumptions this could be fixed by
> >>>>>>> saying. "All nodes are trusted and any of them can misbehave in
> ways
> >>>>>>> that affect the network.  If the MPLS layer cannot provide
> sufficient
> >>>>>>> determinism, then the DetNet mechanisms won't work".  I agree we
> >>>>>>> shoudn't require an entire massive security framework to be quoted
> >>>>>>> again here, but there must be some details of this embedding that
> are
> >>>>>>> worth noting, and yet I don't see them called out in the security
> >>>>>>> considerations section.
> >>>>>>>
> >>>>>>> Are there really no specific concerns about the interaction between
> >>>>>>> DetNet and MPLS?
> >>>>>>>
> >>>>>>>> Thank you,
> >>>>>>>> Lou
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ----------
> >>>>>>>> On March 11, 2020 10:30:27 PM Watson Ladd <watsonbladd@gmail.com>
> wrote:
> >>>>>>>>
> >>>>>>>>> I don't see any reason why RFC 3552's guidelines shoudn't apply
> to this draft.
> >>>>>>>>>
> >>>>>>>>> If there is a MPLS exception I'd like to see the rules that
> should be applied.
> >>>>>>>>>
> >>>>>>>>> As is I don't see any reason why the assumptions can't be
> explicitly
> >>>>>>>>> spelled out, either in the Security Considerations or elsewhere.
> >>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> detnet mailing list
> >>>>>>>>> detnet@ietf.org
> >>>>>>>>> https://www.ietf.org/mailman/listinfo/detnet
> >>>>>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> secdir mailing list
> >>>> secdir@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/secdir
> >>>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
> >>
>
>

v2.23.0 | Report a Bug | By Email