IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-sfc-architecture-08

Benjamin Kaduk <kaduk@MIT.EDU> Tue, 26 May 2015 23:41 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D4A01B3326; Tue, 26 May 2015 16:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptgZEnoki0zc; Tue, 26 May 2015 16:41:48 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 7F7F91B3323; Tue, 26 May 2015 16:41:48 -0700 (PDT)
X-AuditID: 12074422-f79cb6d000000d7b-cf-556504bbcb54
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id CA.0A.03451.BB405655; Tue, 26 May 2015 19:41:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t4QNfklB009172; Tue, 26 May 2015 19:41:47 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t4QNfhvc024537 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 26 May 2015 19:41:45 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t4QNfhNG026076; Tue, 26 May 2015 19:41:43 -0400 (EDT)
Date: Tue, 26 May 2015 19:41:42 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
In-Reply-To: <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com>
Message-ID: <alpine.GSO.1.10.1505261917240.22210@multics.mit.edu>
References: <20150524211041.52cde768@latte.josefsson.org> <02FCDA94-FCC3-4875-AFBE-D07CC792B0C9@cisco.com> <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu> <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; boundary="-559023410-1165714292-1432682669=:22210"
Content-ID: <alpine.GSO.1.10.1505261930230.22210@multics.mit.edu>
X-Brightmail-Tracker: H4sIAAAAAAAAA02SX0hTURzHO/febdfhtetV8/gv8KYo/i1QWWQrqYc9iUJ7KIq8bSc33Kbt TvMftIj2YGEWmm0WOJQeHGETKaPAmvngn9RlgiYtNCMQE1np1ITa3Zr69j18Pr8v53B+JM4M ieJJrcGEjAZOx4qlBCORp2W/JpDy6Ox2nsy7OkDIZr3zuOzRzn1ctmZfIGSe/o+S0yJF6x+n SNHdvYUprONuieL39C9xCXFBWqhGOm0NMubKy6SaT3YfUdWbWuueWcTNYO5wEwgjIZ0HbfNu PJgPwSlPr7gJSEmG7sLg0/UuEDw4AbRMfQeCxdAuDK7+KAkCM4D9Y2siARB0JvSMTwaymE6B 1hWnWMjRdAG8+e0BJgzg9BKAY83v/U0kGUXLoa8lRXDC6JPQNdkX8Cm6CE60T/y/hhtA++Nn gdIYOgs6BluJoBQJR6xLgYzTpXDDZhEFcxEc+NuDtwDGtk+z7dNs+7RgToNvvW4QzJnw65xF HHIcd7ygE4h7QJJaX5+t57Q6HqmyeRVnMCBjdn6OXmvKQerqPhD4q7PsANh6x7oATQI2nJIN qZSMiKvh6/QuEEdibAzFbqmVTMSVSnWdhuM1l43VOsS7ACRxNpq6vuNnlJqrq0fGyhBKIAk2 lurbjDjH0OWcCVUgVIWMIZpIkiykUnGkZCKNqBzVXtXqTHsYI8OE8nB/uQ/zOxRfxel5bXmQ j4Lk+FgqThimBaCpNuzOhnZvGcT6nxJFpQtWuH8zd6eX/cWYv7hgWLg1b+L2ULwZWBo6h9/M GU5JThTXr146jsYat8uiM6RLi6qfK3QiUNwlC8/XHGhGyQdnyusdn7F8ec+Z2zcGt4s3ZOnK e0kLHcnXGnITPI6mUckXe9uHpbJbbUf6nXlRpR3Nm0+szxM2H7oHfMuWjJFG684LuzTL9Spt OrHfXDCFvaxoF69fZAlewx3LwI089w8L+TVvVgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/7321JniBhTIeNa8Yqtij6s9TLIQ>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-architecture.all@tools.ietf.org" <draft-ietf-sfc-architecture.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 23:41:50 -0000

Hi Carlos,

On Tue, 26 May 2015, Carlos Pignataro (cpignata) wrote:

> > On May 25, 2015, at 11:01 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> >
> > insist that encryption always be used, but please do not claim that being
> > in a single administrative domain excuses the operator from considering
> > whether encryption is necessary.
> >
>
> My point was a different one: that SFC does not change these
> requirements.
>
> I may have misunderstood, but what I read in Simon's review (admittedly
> oversimplified) was: in SFC you move services from on-network-path
> (which, as an aside, is really the other way around; it is moving from
> creating an on-network-path steering of network topology through the
> service) to a machine ‘elsewhere' — and thus, consequently, you have to
> encrypt.

I do not think anyone is saying "you must encrypt".

My take of the key point is that SFC is (potentially) going to be making
the actual physical flow of data very different from how it currently is,
and potentially also divorced from the conceptual topology of the service
function chain (if the service functions are laid out "strangely" compared
to the physical topology).  This has the potential to drastically change
the security issues an operator deploying things has to consider, and an
architecture document should point out that both protocol designers
implementing the architecture and operators using such protocols should be
aware of the new security environment.  Thus, we are proposing that it is
mandatory for protocol designers and operators to consider whether they
should be encrypting, but not mandatory for them to encrypt (if they are
satisfied with their topology).

> My point is that the logic above (which, again, I may have
> misunderstood) does not follow.
>
> There may be additional security and privacy considerations needed in
> the DC, in mobile networks, etc. However, the SFC architecture does not
> change that, and mandating encryption on SFCs might not be the right
> answer. As we wrote, the solution realizing the architecture need to
> perform part of that analysis.

I think that the SFC architecture does have the potential to change where
additional security and privacy considerations are needed.  There can
definitely be security and privacy considerations within a single
administrative domain, and I do not think the current document has
sufficient acknowledgement of the potential for the new architecture to
require drastically different security and privacy measures in some (not
all!) cases.  (Yes, I did read through it before composing this mail.)

I see some text in each of the three areas listed which sort-of addresses
my concerns, ("Used transport mechanisms should satisfy the security
requirements of the specific SFC deployment", "These include [...]
potential confidentiality issues of that policy", "solutions should
consider whether there is a risk of sensitive information slipping out of
the operators control.  Issues of information exposure should also
consider flow analysis"), but they could easily be missed by the reader,
and do not convey a single central sense that adopting SFC will involve a
full reevaluation of network security policy.  That reevaluation will
include security/privacy issues for the original payload as well as the
classification and encapsulation data added by the SFC protocol(s).


> As I had said, I am more than happy adding text strengthening the
> security considerations — as long as we do not mandate a solution at a
> specific layer.

To partially crib from Simon's proposal, how about

The architecture described here is different from the current model, and
moving to the new model could lead to different security arrangements and
modeling. For example, when service functions are moved from on-path
static machines to dynamic remote machines, this can change the flow of
data through the network, and the security and privacy considerations of
the protocol and deployment will need to be reevaluated in light of the
new topology.

The word "reevaluated" is intended to indicate that a new analysis should
be performed, but not that a different conclustion must necessarily be
reached.

-Ben

P.S. "consdierations" in the second paragraph of section 6 is a typo

v2.23.0 | Report a Bug | By Email