IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-sfc-architecture-08

"Joel M. Halpern" <jmh@joelhalpern.com> Wed, 27 May 2015 19:08 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D66721A8986; Wed, 27 May 2015 12:08:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Ak4oyC3va0M; Wed, 27 May 2015 12:08:25 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80E1F1A8A74; Wed, 27 May 2015 12:08:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id 6F506240556; Wed, 27 May 2015 12:08:25 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from Joels-MacBook-Pro.local (75-146-28-117-Richmond.hfc.comcastbusiness.net [75.146.28.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id 72CD42402EA; Wed, 27 May 2015 12:08:24 -0700 (PDT)
Message-ID: <55661626.5010300@joelhalpern.com>
Date: Wed, 27 May 2015 15:08:22 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@MIT.EDU>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
References: <20150524211041.52cde768@latte.josefsson.org> <02FCDA94-FCC3-4875-AFBE-D07CC792B0C9@cisco.com> <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu> <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com> <alpine.GSO.1.10.1505261917240.22210@multics.mit.edu> <53F5D306-5860-4415-8AA4-390882ED94AB@cisco.com> <alpine.GSO.1.10.1505271355150.22210@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1505271355150.22210@multics.mit.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/hUi6BVi8aHWQirW1AkWpMeZ14YE>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-architecture.all@tools.ietf.org" <draft-ietf-sfc-architecture.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 19:08:28 -0000

The "plain text payload" is an IP packet.  Customer IP packet protection 
needs are, in almost all cases I can think of, independent of the 
routing path through the network that the packet takes.  As such, I do 
not see why SFC adding yet another means to direct traffic flows changes 
the protection needs for customer IP packets.

Note that many of the results SFC is trying to simplify are achieved 
today, albeit with more complexity.

So I am having trouble seeing what requirement you want the SFC 
architecture to call out.

Yorus,
Joel

On 5/27/15 2:16 PM, Benjamin Kaduk wrote:
> On Wed, 27 May 2015, Carlos Pignataro (cpignata) wrote:
>
>>
>>> On May 26, 2015, at 7:41 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>>>
>>>
>>> My take of the key point is that SFC is (potentially) going to be making
>>> the actual physical flow of data very different from how it currently is,
>>> and potentially also divorced from the conceptual topology of the service
>>> function chain (if the service functions are laid out "strangely" compared
>>> to the physical topology).  This has the potential to drastically change
>>> the security issues an operator deploying things has to consider, and an
>>> architecture document should point out that both protocol designers
>>> implementing the architecture and operators using such protocols should be
>>> aware of the new security environment.
>>
>> Fully agree — and I believe this is what the current Security
>> Considerations section achieves.
>
> I think we disagree on what the current Security Considerations section
> achieves.
>
>> In particular, Section 6 highlights the areas of the new architecture
>> (Overlay, Classification, Encapsulation) of which designers and
>> operators ought to be aware.
>>
>>>   Thus, we are proposing that it is
>>> mandatory for protocol designers and operators to consider whether they
>>> should be encrypting, but not mandatory for them to encrypt (if they are
>>> satisfied with their topology).
>>
>> Further specifically, the "SFC Encapsulation” seems to cover this.
>
> So, you believe that the SFC Encapsulation section is intended to cover
> the potential need for confidentiality protection of the plaintext payload
> which is being encapsulated by SFC?
>
> I think that given the way the current text flows from "an operator may
> consider the SFC Metadata as sensitive" straight into "from a privacy
> perspective, a user may be concerned about the operator revealing data
> about [...] the customer", it causes me to read that privacy concern as
> applying only to the SFC Metadata (i.e., not to the original payload).
> Likewise for the "risk of sensitive information slipping out of the
> operators [sic] control"; since the paragraph started with the SFC
> Metadata, it seems like this paragraph may apply only to the metadata.
>
>> But as I said, I would not oppose strengthening this section even more.
>
> But more generally, I think the rhetoric is better (stronger) if it is of
> the form "you should do this thing (general concept); here are some
> concrete examples", rather than "you should do this list of things"
> without giving the overarching motivation.  This is a lot of why I am
> pushing for added (summary) text.
>
>>> I think that the SFC architecture does have the potential to change where
>>> additional security and privacy considerations are needed.  There can
>>> definitely be security and privacy considerations within a single
>>> administrative domain, and I do not think the current document has
>>> sufficient acknowledgement of the potential for the new architecture to
>>> require drastically different security and privacy measures in some (not
>>> all!) cases.  (Yes, I did read through it before composing this mail.)
>>
>> I do not disagree. Are there areas beyond what’s already in the Security
>> considerations that require specific focus?
>
> I think I only have the points I mentioned above (lack of clarity
> regarding protecting the original payload, and clear rhetoric).  But let's
> see if Simon has anything else to add, as well.
>
>>> I see some text in each of the three areas listed which sort-of addresses
>>> my concerns, ("Used transport mechanisms should satisfy the security
>>> requirements of the specific SFC deployment", "These include [...]
>>> potential confidentiality issues of that policy", "solutions should
>>> consider whether there is a risk of sensitive information slipping out of
>>> the operators control.  Issues of information exposure should also
>>> consider flow analysis"), but they could easily be missed by the reader,
>>> and do not convey a single central sense that adopting SFC will involve a
>>> full reevaluation of network security policy.
>>
>> This is the key of the review, IMHO. On one hand, you seem to
>> acknowledge that your security concerns are already addressed with the
>> existing text. On the other hand, you seem to want to child-proof the
>> text in case a reader misses what is already there already addressing
>> the concern.
>
> I'm sorry that my message was unclear; I was not intending to "acknowledge
> that [my concerns] are already addressed", but rather to say that the
> existing text gets some of the way there, but there were still things
> missing.  (Hopefully this email is helping clarify already.)
>
>>>   That reevaluation will
>>> include security/privacy issues for the original payload as well as the
>>> classification and encapsulation data added by the SFC protocol(s).
>>>
>>>
>>
>> Yes — which is what the doc already says.
>
> Just to ensure we're getting through to each other, do you mind pointing
> to the specific text that you have in mind that is supposed to already
> say this?
>
>> “Reevaluated” is significantly better, of course. Here’s another proposal:
>>
>> "The architecture described here is different from the current model, and
>> moving to the new model could lead to different security arrangements and
>> modeling. In the SFC architecture, a relatively static topologically-dependent
>> deployment model is replaced with the chaining of sets of service functions.
>> This can change the flow of data through the network, and the security and
>> privacy considerations of the protocol and deployment will need to be
>> reevaluated in light of the model.”
>
> I might add in "new" or "chained" before the very last "model", but this
> seems to catch the sentiment I was going for.  The idea would be to insert
> this as a new paragraph after the first paragraph of section 6?
>
> Thank you,
>
> Ben
>

v2.23.0 | Report a Bug | By Email