IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-sfc-architecture-08

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Tue, 26 May 2015 12:09 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 341BC1A88C6; Tue, 26 May 2015 05:09:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUVHLtZZWBRp; Tue, 26 May 2015 05:09:52 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E3871A88C2; Tue, 26 May 2015 05:09:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4100; q=dns/txt; s=iport; t=1432642193; x=1433851793; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=E86AHYBsY7IzYQMGIDFf35EugiRoY4M7cIccdWNIcQI=; b=Sg1J5gBqfOXAr+Ms0+ikG9atRB5WqTAYlWya88/tP9sTv0ynN+9ekCRr aOQtOrdEdkXMuj02AFOa5tkXW6Wtq69iPnFq+yEveXYX9F4EpXYVampZ8 iIVffOkj3F/lFylpo4+nnjuIJmzUwnJv+wdnOzMhq0JAKNjnmLLowlJ4H w=;
X-Files: signature.asc : 841
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BXBQD/YWRV/5pdJa1cDoMCVF4Ggxm/FYJIhS1KAoFHTAEBAQEBAYELhCIBAQEDASNWBQsCAQgSBioCAjIXDgIEDgUJBQ2ICQgNr0OjVAEBAQEBAQEBAQEBAQEBAQEBAQEZizqEMwEBUAIFgmgvgRYFkwiCEoFDhzqBKYNxgn+PFiOCChyBFD5vAYELOoEBAQEB
X-IronPort-AV: E=Sophos;i="5.13,498,1427760000"; d="asc'?scan'208";a="422585998"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-7.cisco.com with ESMTP; 26 May 2015 12:09:52 +0000
Received: from xhc-aln-x03.cisco.com (xhc-aln-x03.cisco.com [173.36.12.77]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id t4QC9px1005956 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 26 May 2015 12:09:51 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.147]) by xhc-aln-x03.cisco.com ([173.36.12.77]) with mapi id 14.03.0195.001; Tue, 26 May 2015 07:09:51 -0500
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Thread-Topic: [secdir] Review of draft-ietf-sfc-architecture-08
Thread-Index: AQHQllVoiI0EciI2k0ypB2MTIDGLzJ2L5tT3gAIA+oCAAJkTAA==
Date: Tue, 26 May 2015 12:09:50 +0000
Message-ID: <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com>
References: <20150524211041.52cde768@latte.josefsson.org> <02FCDA94-FCC3-4875-AFBE-D07CC792B0C9@cisco.com> <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.82.213.72]
Content-Type: multipart/signed; boundary="Apple-Mail=_1A9EA452-D03F-46CB-99A3-96E95133F6DB"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Pino96MMiuhHT95EG60udphLNbY>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-architecture.all@tools.ietf.org" <draft-ietf-sfc-architecture.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 12:09:54 -0000

Ben,

> On May 25, 2015, at 11:01 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> 
> On Sun, 24 May 2015, Carlos Pignataro (cpignata) wrote:
> 
>> It is true that this new architecture introduces a model in which there
>> is a more dynamic service application, decoupling it from network
>> topology path; however, there is no administrative domain changes or
>> admin fragmentation. In other words, taking it very concrete, there is
>> no change in expectations regarding for example encryption. The service
>> is potentially applied in another part of the network and a chain can be
>> created dynamically, but all within the same admin domain as before.
> 
> As I attemted to say in my secdir review of the sfc-problem-statement
> document
> (http://www.ietf.org/mail-archive/web/secdir/current/msg05351.html), it is
> not clear that being within the same administrative domain excuses one
> from considering whether encryption is necessary.  I seem to recall that,
> e.g., Google is encrypting all inter-datacenter traffic (I don't remember
> about intra-datacenter traffic, though).
> 
> I do not think it is realistic to think that one can protect a network at
> the boundary -- there are always ways for sufficiently advanced attackers
> to get in, and some form of defense in depth is needed.  Now, I grant that
> encryption may not always be needed, and it is not the place of SFC to
> insist that encryption always be used, but please do not claim that being
> in a single administrative domain excuses the operator from considering
> whether encryption is necessary.
> 

My point was a different one: that SFC does not change these requirements.

I may have misunderstood, but what I read in Simon's review (admittedly oversimplified) was: in SFC you move services from on-network-path (which, as an aside, is really the other way around; it is moving from creating an on-network-path steering of network topology through the service) to a machine ‘elsewhere' — and thus, consequently, you have to encrypt.

My point is that the logic above (which, again, I may have misunderstood) does not follow.

There may be additional security and privacy considerations needed in the DC, in mobile networks, etc. However, the SFC architecture does not change that, and mandating encryption on SFCs might not be the right answer. As we wrote, the solution realizing the architecture need to perform part of that analysis.

As I had said, I am more than happy adding text strengthening the security considerations — as long as we do not mandate a solution at a specific layer.

Best,

— Carlos.

> -Ben Kaduk

v2.23.0 | Report a Bug | By Email