Re: [secdir] Review of draft-ietf-sfc-architecture-08
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 26 May 2015 21:34 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314FE1B3202; Tue, 26 May 2015 14:34:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.311
X-Spam-Level:
X-Spam-Status: No, score=-1.311 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, J_BACKHAIR_32=1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NG5K-hAACH8e; Tue, 26 May 2015 14:34:01 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C8001B3200; Tue, 26 May 2015 14:34:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 53B85BECF; Tue, 26 May 2015 22:33:59 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J-Q0PPDIiXAV; Tue, 26 May 2015 22:33:57 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.42.20.233]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 1CEF2BECC; Tue, 26 May 2015 22:33:57 +0100 (IST)
Message-ID: <5564E6C4.4000302@cs.tcd.ie>
Date: Tue, 26 May 2015 22:33:56 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "Joel M. Halpern" <jmh@joelhalpern.com>, Simon Josefsson <simon@josefsson.org>
References: <20150524211041.52cde768@latte.josefsson.org> <55622F53.5090201@joelhalpern.com> <20150526221728.02605b82@latte.josefsson.org> <5564E432.9000207@joelhalpern.com>
In-Reply-To: <5564E432.9000207@joelhalpern.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KzcHiV_yAsYy-FEqbiNbf6qRLjQ>
Cc: secdir@ietf.org, draft-ietf-sfc-architecture.all@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 21:34:05 -0000
I've yet to read this one so could be plain wrong but I don't see that our choices here are an architecture that defines (or re-uses) no security mechanisms/services at all or one that encrypts everything, but fwiw your response below Joel and earlier ones read as if those are the only choices and I find that hard to believe. S. On 26/05/15 22:22, Joel M. Halpern wrote: > Given the expected construction and usage for this, if we rite into the > archtiecture that encryption and authentication of data plane messages > are mandatory, then > presumably we will also write such "mandatory" mechanisms into the data > plane mechanism we specify. > > At which point we are writing a specification which will be widely ignored. > > Given that we are talking about passing packets through a series of > service functions, requiring encryption between them causes a drastic > increase in complexity and latency. As far as I can tell from the way > customers expect to use this, it is simply unacceptable. For inter-DC > (or POP<->DC) operators who wish to protect that traffic wil likely want > to do so whether or not they are using service chaining. As such, the > protection is not a service chaining issue. > > So, sorry, but I have to respectfully disagree with you Simon. > > Yours, > Joel > > On 5/26/15 4:17 PM, Simon Josefsson wrote: >> If it is unreasonable to expect that encryption/authentication will be >> part of the architecture, I believe there is a significant problem with >> this architecture. The argument that security is not necessary within >> a single administrative domain is one that I complete disagree with. I >> am hoping that I am missing some context here. >> >> /Simon >> >>> While the paragraph you suggest looks reasonable, I am somewhat >>> concerned if readers draw the conclusion that we expect to include >>> data plane authentication and / or encryption mechanisms as a >>> mandatory part of the solution. There is no such expectation. While >>> there is reason to be concerned about exposure of information across >>> the Internet, the document begins by specifically noting that this >>> architecture is for use with a single administrative domain. >>> >>> I am thus concerned that adding the suggested text may give rise to >>> unreasonable expectations on solutions which comply with this >>> architecture. >>> >>> Yours, >>> Joel >>> >>> On 5/24/15 3:10 PM, Simon Josefsson wrote: >>>> Hello. >>>> >>>> I have reviewed this document as part of the security directorate's >>>> ongoing effort to review all IETF documents being processed by the >>>> IESG. These comments were written primarily for the benefit of the >>>> security area directors. Document editors and WG chairs should >>>> treat these comments just like any other last call comments. >>>> >>>> This is an architectural document, so it doesn't have the usual >>>> security impact that you can easily review. The Security >>>> Considerations section gently refer any security considerations to >>>> the future documents that will actually realize the archicture. >>>> >>>> The security considerations that you would expect to be discussed >>>> in an architecural document are those on an architectural level. >>>> The archicture proposed here is to change how network services are >>>> delivered. The document doesn't give many examples, but my >>>> understanding is that the intended services would include firewalls, >>>> NAT, proxies, packet filtering, anti-spam measures, anti-DDOS >>>> measure, QoS, and so on. >>>> >>>> The traditional model is static services coupled to network topology >>>> and physical resource. The new model introduced by this document, as >>>> far as I understand, is a dynamic model where delivery of these >>>> services can be moved around more dynamically, by tunneling traffic >>>> to the service and back. >>>> >>>> I may have missed it, but I feel that the security consequences of >>>> moving to this new architecture is not discussed in the document. >>>> >>>> Some obvious security considerations that are introduced with an >>>> architecture like this are: >>>> >>>> 1) When delivery of a service is moved from an on-network-path >>>> machine to a machine sitting somewhere else, there ought to be >>>> some consideration to authenticating the involved entities and >>>> encrypting the traffic between them. >>>> >>>> 2) Auditing who has powers over a communication channel will be >>>> different -- before you evaluated the wires and who had access >>>> to the machines connected to the wires. Now you have to review the >>>> policies configured in the machines and what external entities are >>>> involved, together with the operational aspects of this boxes that >>>> perform the service delivery. >>>> >>>> 3) Moving traffic around raises the challenge how to achieve that >>>> without negatively affecting privacy of the traffic. >>>> >>>> 4) Protecting the SFC configuration and policies is critical for >>>> secure operations. Anyone who gains access may be able to modify >>>> traffic. >>>> >>>> If the above is a bit handwavy, allow me to be more concrete. >>>> Adding something like the following to the security considerations >>>> would at least acknowledge that there are inherent security >>>> considerations with this architecture: >>>> >>>> The architecture described here is different from the current >>>> model, and moving to the new model will lead to different security >>>> arrangements and modeling. For example, when service functions >>>> are moved from on-path static machines to dynamic remote machines, >>>> this introduce security and privacy aspects that needs to be >>>> addressed. >>>> >>>> All this said, I still would classify this document as Ready. It >>>> mostly just disappoint me that a new architecture can be introduced >>>> without containing a significant discussion of security properties. >>>> >>>> /Simon >>>> >> > > _______________________________________________ > secdir mailing list > secdir@ietf.org > https://www.ietf.org/mailman/listinfo/secdir > wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- [secdir] Review of draft-ietf-sfc-architecture-08 Simon Josefsson
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Simon Josefsson
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Stephen Farrell
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Stephen Farrell
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Simon Josefsson
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Joel M. Halpern
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)
- Re: [secdir] Review of draft-ietf-sfc-architectur… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-sfc-architectur… Carlos Pignataro (cpignata)