Re: [secdir] Review of draft-ietf-sfc-architecture-08
Benjamin Kaduk <kaduk@MIT.EDU> Tue, 26 May 2015 23:41 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D4A01B3326; Tue, 26 May 2015 16:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptgZEnoki0zc; Tue, 26 May 2015 16:41:48 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 7F7F91B3323; Tue, 26 May 2015 16:41:48 -0700 (PDT)
X-AuditID: 12074422-f79cb6d000000d7b-cf-556504bbcb54
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id CA.0A.03451.BB405655; Tue, 26 May 2015 19:41:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t4QNfklB009172; Tue, 26 May 2015 19:41:47 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t4QNfhvc024537 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 26 May 2015 19:41:45 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t4QNfhNG026076; Tue, 26 May 2015 19:41:43 -0400 (EDT)
Date: Tue, 26 May 2015 19:41:42 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
In-Reply-To: <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com>
Message-ID: <alpine.GSO.1.10.1505261917240.22210@multics.mit.edu>
References: <20150524211041.52cde768@latte.josefsson.org> <02FCDA94-FCC3-4875-AFBE-D07CC792B0C9@cisco.com> <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu> <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; boundary="-559023410-1165714292-1432682669=:22210"
Content-ID: <alpine.GSO.1.10.1505261930230.22210@multics.mit.edu>
X-Brightmail-Tracker: H4sIAAAAAAAAA02SX0hTURzHO/febdfhtetV8/gv8KYo/i1QWWQrqYc9iUJ7KIq8bSc33Kbt TvMftIj2YGEWmm0WOJQeHGETKaPAmvngn9RlgiYtNCMQE1np1ITa3Zr69j18Pr8v53B+JM4M ieJJrcGEjAZOx4qlBCORp2W/JpDy6Ox2nsy7OkDIZr3zuOzRzn1ctmZfIGSe/o+S0yJF6x+n SNHdvYUprONuieL39C9xCXFBWqhGOm0NMubKy6SaT3YfUdWbWuueWcTNYO5wEwgjIZ0HbfNu PJgPwSlPr7gJSEmG7sLg0/UuEDw4AbRMfQeCxdAuDK7+KAkCM4D9Y2siARB0JvSMTwaymE6B 1hWnWMjRdAG8+e0BJgzg9BKAY83v/U0kGUXLoa8lRXDC6JPQNdkX8Cm6CE60T/y/hhtA++Nn gdIYOgs6BluJoBQJR6xLgYzTpXDDZhEFcxEc+NuDtwDGtk+z7dNs+7RgToNvvW4QzJnw65xF HHIcd7ygE4h7QJJaX5+t57Q6HqmyeRVnMCBjdn6OXmvKQerqPhD4q7PsANh6x7oATQI2nJIN qZSMiKvh6/QuEEdibAzFbqmVTMSVSnWdhuM1l43VOsS7ACRxNpq6vuNnlJqrq0fGyhBKIAk2 lurbjDjH0OWcCVUgVIWMIZpIkiykUnGkZCKNqBzVXtXqTHsYI8OE8nB/uQ/zOxRfxel5bXmQ j4Lk+FgqThimBaCpNuzOhnZvGcT6nxJFpQtWuH8zd6eX/cWYv7hgWLg1b+L2ULwZWBo6h9/M GU5JThTXr146jsYat8uiM6RLi6qfK3QiUNwlC8/XHGhGyQdnyusdn7F8ec+Z2zcGt4s3ZOnK e0kLHcnXGnITPI6mUckXe9uHpbJbbUf6nXlRpR3Nm0+szxM2H7oHfMuWjJFG684LuzTL9Spt OrHfXDCFvaxoF69fZAlewx3LwI089w8L+TVvVgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/7321JniBhTIeNa8Yqtij6s9TLIQ>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-architecture.all@tools.ietf.org" <draft-ietf-sfc-architecture.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 23:41:50 -0000
Hi Carlos, On Tue, 26 May 2015, Carlos Pignataro (cpignata) wrote: > > On May 25, 2015, at 11:01 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote: > > > > insist that encryption always be used, but please do not claim that being > > in a single administrative domain excuses the operator from considering > > whether encryption is necessary. > > > > My point was a different one: that SFC does not change these > requirements. > > I may have misunderstood, but what I read in Simon's review (admittedly > oversimplified) was: in SFC you move services from on-network-path > (which, as an aside, is really the other way around; it is moving from > creating an on-network-path steering of network topology through the > service) to a machine ‘elsewhere' — and thus, consequently, you have to > encrypt. I do not think anyone is saying "you must encrypt". My take of the key point is that SFC is (potentially) going to be making the actual physical flow of data very different from how it currently is, and potentially also divorced from the conceptual topology of the service function chain (if the service functions are laid out "strangely" compared to the physical topology). This has the potential to drastically change the security issues an operator deploying things has to consider, and an architecture document should point out that both protocol designers implementing the architecture and operators using such protocols should be aware of the new security environment. Thus, we are proposing that it is mandatory for protocol designers and operators to consider whether they should be encrypting, but not mandatory for them to encrypt (if they are satisfied with their topology). > My point is that the logic above (which, again, I may have > misunderstood) does not follow. > > There may be additional security and privacy considerations needed in > the DC, in mobile networks, etc. However, the SFC architecture does not > change that, and mandating encryption on SFCs might not be the right > answer. As we wrote, the solution realizing the architecture need to > perform part of that analysis. I think that the SFC architecture does have the potential to change where additional security and privacy considerations are needed. There can definitely be security and privacy considerations within a single administrative domain, and I do not think the current document has sufficient acknowledgement of the potential for the new architecture to require drastically different security and privacy measures in some (not all!) cases. (Yes, I did read through it before composing this mail.) I see some text in each of the three areas listed which sort-of addresses my concerns, ("Used transport mechanisms should satisfy the security requirements of the specific SFC deployment", "These include [...] potential confidentiality issues of that policy", "solutions should consider whether there is a risk of sensitive information slipping out of the operators control. Issues of information exposure should also consider flow analysis"), but they could easily be missed by the reader, and do not convey a single central sense that adopting SFC will involve a full reevaluation of network security policy. That reevaluation will include security/privacy issues for the original payload as well as the classification and encapsulation data added by the SFC protocol(s). > As I had said, I am more than happy adding text strengthening the > security considerations — as long as we do not mandate a solution at a > specific layer. To partially crib from Simon's proposal, how about The architecture described here is different from the current model, and moving to the new model could lead to different security arrangements and modeling. For example, when service functions are moved from on-path static machines to dynamic remote machines, this can change the flow of data through the network, and the security and privacy considerations of the protocol and deployment will need to be reevaluated in light of the new topology. The word "reevaluated" is intended to indicate that a new analysis should be performed, but not that a different conclustion must necessarily be reached. -Ben P.S. "consdierations" in the second paragraph of section 6 is a typo
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- [secdir] Review of draft-ietf-sfc-architecture-08 Simon Josefsson
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Simon Josefsson
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Stephen Farrell
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Stephen Farrell
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Simon Josefsson
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)