Re: [secdir] Secdir telechat review of draft-ietf-sfc-nsh-25 - motivation
"Joel M. Halpern" <jmh@joelhalpern.com> Thu, 28 September 2017 19:54 UTC
Return-Path: <jmh@joelhalpern.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A70A81348D8; Thu, 28 Sep 2017 12:54:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4G9PRwxz4VZ0; Thu, 28 Sep 2017 12:54:10 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 957E71348DA; Thu, 28 Sep 2017 12:54:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id 774972403A9; Thu, 28 Sep 2017 12:54:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=1.tigertech; t=1506628450; bh=vM0VH/6ZxZ+gham858MgDJ0vtgKj7XvG9Fzv1fIatgU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=DM340mx04j9aoOeIqdWORugDjUp0BJECypCXISgLsKI320f0eUspaiQEXUsIvZHfX 9gATpjx56mtQFW39gYi1juatY8YzwxzeglfeI/ncP8DW7CCSufcj07Wu5/UQXANrd9 EdR7t80gRvo7mXu/zkg82Z++9Lmf6vfmjgiHcufI=
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [50.225.209.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id A8A87240E7D; Thu, 28 Sep 2017 12:54:09 -0700 (PDT)
To: Christian Huitema <huitema@huitema.net>, secdir@ietf.org
Cc: ietf@ietf.org, sfc@ietf.org, draft-ietf-sfc-nsh.all@ietf.org
References: <150662776428.27730.5006539542253170142@ietfa.amsl.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <df06edaa-42a0-0182-9155-f8b7e9ab2fd3@joelhalpern.com>
Date: Thu, 28 Sep 2017 15:54:08 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <150662776428.27730.5006539542253170142@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZGIn_Tso8aMW3oMjrHfDus3n7lY>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-sfc-nsh-25 - motivation
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 19:54:12 -0000
We really need to separate issues here. The first part of your note talks about the need for metadata. You assert that this is related to a need to compete with large scale tracking. While I can not prohibit that use, that is NOT the problem that drives this work. Rather, the whole point is to support separating the currently monolithic service platofrms into component services that can be combined both to deliver existing services, and to deliver new service combinations. To do that, the existing internal methods for passing data within a service delivery monolith have to be replaced with an external, interoperable, method for doing this. My employer would be very happy if the operators would give up on this and go back to buying our nice, high reliability, high price, intgrated service platforms. But that is not what the operators are asking us to provide. Yours, Joel On 9/28/17 3:42 PM, Christian Huitema wrote: > Reviewer: Christian Huitema > Review result: Serious Issues > > I have already reviewed previous iterations of this draft (18) and sent > comments on the mailing lists about revisions 20 to 24. The draft has > significantly improved through the revisions, but I still have concerns. > > First, it should be clear that standardizing addition of metadata to packet > headers is, from a privacy standpoint, playing with fire. I understand that > many ISP believe that they need to accumulate and use metadata in order to > compete with the large scale tracking performed by some web companies. This > existing competition may well be driving a race to the privacy bottom. > Regardless, the minimum these ISP can do is ensure that the privacy sensitive > metadata that they collect is well protected. Collecting metadata is bad > enough; letting hackers access it would be disastrous, as shown in the Equifax > breach. I would like to see a stronger recognition in the security > consideration that this is indeed playing with fire. > > I am also concerned that when writing the security considerations the authors > may be playing with words. Frankly, I do not believe that the data will be > magically protected because they are only transported in a single > administrative domain. As Randy Bush pointed out in an email comment, some of > the service functions are already provided "in the cloud" by third party > contractors to the ISP. This means that in practice, the data will probably not > be confined to a single provider domain. In the email, I listed three threats: > > * Whether ISP believe it or not, their links will be snooped by third parties. > We have to assume that adversaries will have access to some of the transmission > equipment, even inside the perimeter. > > * We also have to assume that persistent attackers will be able to compromise > some of the devices hosting some of the functions. > > * And we have to assume that some third party providers will re-purpose the > metadata that they obtain through various contracts. > > What worries me is not so much the inadequacies of the defenses proposed in the > security section as the absence of emphasis on the need to actually deploy > these defenses. Everything seems to be optional, left to the good will of the > ISP. Experience shows that in these conditions deployments use the most > convenient setup, clear text transmission with little defense in depth. The > security section ends up being so much empty talk designed to placate security > reviewers, playing with words for security without recognizing that > standardizing metadata collection is playing with fire. > >
- [secdir] Secdir telechat review of draft-ietf-sfc… Christian Huitema
- Re: [secdir] Secdir telechat review of draft-ietf… Joel M. Halpern
- Re: [secdir] Secdir telechat review of draft-ietf… Adrian Farrel