Re: [secdir] Review of draft-ietf-detnet-flow-information-model-10

Balázs Varga A <balazs.a.varga@ericsson.com> Fri, 02 October 2020 14:41 UTC

From: Balázs Varga A <balazs.a.varga@ericsson.com>
To: Shawn Emery <shawn.emery@gmail.com>, secdir <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-detnet-flow-information-model.all@ietf.org" <draft-ietf-detnet-flow-information-model.all@ietf.org>, Shawn Emery <semery@uccs.edu>
Date: Fri, 02 Oct 2020 14:41:43 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SOSia1uP-k6vpOe0M0y_MSdpyDs>

Hi Shawn,

Many thanks for your review. Draft-ietf-detnet-flow-information-model is an
informational draft and describes only the flow and service information model
for DetNet. The WG is working on the YANG model which will call out the security
implications of attributes, per YANG model guidelines.
(https://datatracker.ietf.org/doc/draft-ietf-detnet-yang/)

Thanks for the editorial comments, I will fix them.

Thanks & Cheers
Balázs


From: Shawn Emery <shawn.emery@gmail.com>
Sent: Saturday, September 5, 2020 12:27 AM
To: secdir <secdir@ietf.org>
Cc: last-call@ietf.org; draft-ietf-detnet-flow-information-model.all@ietf.org; Shawn Emery <semery@uccs.edu>
Subject: Review of draft-ietf-detnet-flow-information-model-10

Reviewer: Shawn M. Emery
Review result: Ready with nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This informational draft specifies an information model for Deterministic Networking
(DetNet), specifically for data at the IP/MPLS layer.

The security considerations section does exist and recommends confidentiality
for DetNet's external interfaces and that the knowledge of flows and services
associated with customers and network operators could be used by an adversary
to launch attacks against these networks.  The section defers mitigation of said attacks
to the ietf-detnet-security draft and defers to RFC 8655 for DetNet's overall security
considerations.  These documents provide some coverage in regards to the data model
presented in this draft, but unfortunately do not describe how draft-specific attributes, e.g.
DnServiceRank, could be used as a DoS attack.  Having said this, when the data model does
become a YANG model then DetNet will need to explicitly call out each of these attributes that
have security implications, per YANG model guidelines.

General comments:

Having the draft-ietf-detnet-security draft is a really good idea to help augment this
and other DetNet drafts.  Having a comprehensive set of threats and how to mitigate
against them provides a good foundation for other authors to think about.

Editorial comments:

s/can distinguished/can be distinguished/
s/flow using,/flow, using/
s/result data/result in data/

Shawn.