Re: [secdir] Secdir last call review of draft-ietf-detnet-mpls-05

Stewart Bryant <stewart.bryant@gmail.com> Thu, 12 March 2020 11:04 UTC



> On 12 Mar 2020, at 02:29, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> I don't see any reason why RFC 3552's guidelines shouldn't apply to this draft.

No, you miss the point.

The underlay (MPLS) is resilient to the level required by RFC3552, so that really is out of scope, because we are not describing MPLS itself but what in MPLS terminology is an application running over MPLS.

As far as I can see the RFC3552 view of security was the necessary security to be applied to a best effort service.

The type of attack that very few people have experience of is dynamic attacks. The only people that have experience of them, and I am sure you know, are people doing time transfer. Now I think that this is largely an unsolved problem, particularly with fine-grained timing. I have worked on systems where this has accidentally occurred (two 1588 streams with different clocks beating), but this sets a floor on the lower deterministic delay bound, and as I noted earlier DN is not looking for min delay, just a delay floor.

However, that is not really a security problem; it is an operational performance problem.

> 
> If there is a MPLS exception I'd like to see the rules that should be applied.
> 
> As is I don't see any reason why the assumptions can't be explicitly
> spelled out, either in the Security Considerations or elsewhere.

We can certainly note that we assume that DN over MPLS will be run over a well-managed MPLS network, if that helps.

If you have explicit suggestions for text we will look at them.

- Stewart