Re: [secdir] secdir review of draft-ietf-detnet-architecture-08

"Grossman, Ethan A." <eagros@dolby.com> Wed, 26 September 2018 19:39 UTC

From: "Grossman, Ethan A." <eagros@dolby.com>
To: Daniel Harkins <dharkins@lounge.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-detnet-architecture.all@ietf.org" <draft-ietf-detnet-architecture.all@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4dAgC4iAqKYd-zyTA9wjux_l-zY>

Hi Daniel,
I just want to make sure you are aware of
https://datatracker.ietf.org/doc/draft-ietf-detnet-security/

Best,
Ethan (as Editor of the DetNet Security Considerations draft)

From: Daniel Harkins <dharkins@lounge.org>
Sent: Monday, September 24, 2018 5:58 PM
To: iesg@ietf.org; secdir@ietf.org
Cc: draft-ietf-detnet-architecture.all@ietf.org
Subject: secdir review of draft-ietf-detnet-architecture-08


  Hello,

  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  The summary of the review is ready with issues.

  This draft describes an architecture for deterministic networking
that provides for delivery of packet flows with low packet loss and
with a maximum amount of latency.

  A nit first. The terminology seems a bit overblown. We have DetNet
Intermediate nodes that could be relay nodes or transit nodes; and a
DetNet system that is a DetNet aware system or transit node or
relay node; and DetNet edge nodes that are relay nodes; and DetNet
relay nodes that can be bridges, firewalls, or anything else that
participates in DetNet. Finally, to translate between 802.1 TSN and
DetNet we have a "relay system" that is an 802.1 term for a DetNet
intermediate node which, as we have seen, is a DetNet relay node. This
can be simplified considerably.

  The Security Considerations is thin, especially for an architecture
draft that is going to be referred to by subsequent drafts which will
just say something along the lines of, "as an instance of the DetNet
FooBar, these Security Considerations are those from [ARCH]", where
ARCH is the RFC that comes out of this I-D. I think there needs to be
a description of the various points in the architecture that an attacker
could exploit, and if a point is not exploitable it should say so. For
instance:

  - is it possible for an attacker to launch a DoS attack by manipulating
    member flows of a DetNet flow in order to force DetNet nodes to
    consume buffers they allocated to deal with the DetNet flow?

  - If an end system is not DetNet aware there needs to be a DetNet edge
    node to handle the encaps of the flow into the DetNet system. Can an
    attacker in that case introduce packets that shouldn't be part of the
    DetNet flow into the flow by getting the edge node to encaps them as
    such?

If there are any assumptions being made-- e.g. "insider attacks are not
being considered"-- they should be mentioned.

  regards,

  Dan.