IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-sfc-architecture-08

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Wed, 27 May 2015 16:54 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 352561A871E; Wed, 27 May 2015 09:54:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kfiSZg-KH7q6; Wed, 27 May 2015 09:54:10 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DE041A8710; Wed, 27 May 2015 09:54:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4339; q=dns/txt; s=iport; t=1432745651; x=1433955251; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=WSMRJFBM98GFXZaaHAfxyFUObxVhUppBFG8oI8gpNWQ=; b=PMexTBAge8FQR8zUqaE0sXgoDWM1HDgouh89XQgD0QNKyTT5W93G9Knb qBuuBGnJZLOCxLgDUobcge2uVE0nntuMpNV01mpK/KPJphm+LEMUJnETc grh1UwY8dkqkK5Ir3LMkOBFne1uvZA+9HnQEo3PuaQyY4wGBu8pYwg0jm o=;
X-Files: signature.asc : 841
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BHBQCh9WVV/4oNJK1cgxCBMgaDGb1eiD8CgT5MAQEBAQEBgQuEIgEBAQMBI1YFCwIBCBIGFRUCAjIXDgIEDgUODYgKCK1VpCYBAQEBAQEBAQEBAQEBAQEBAQEBGYo4gQKFBQcKgl4vgRYFkwiCEoFDhzqBKYNxgn+PFiODeG+BRoEBAQEB
X-IronPort-AV: E=Sophos;i="5.13,506,1427760000"; d="asc'?scan'208";a="15209458"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-8.cisco.com with ESMTP; 27 May 2015 16:54:10 +0000
Received: from xhc-rcd-x06.cisco.com (xhc-rcd-x06.cisco.com [173.37.183.80]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id t4RGs9lU030679 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 27 May 2015 16:54:09 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.147]) by xhc-rcd-x06.cisco.com ([173.37.183.80]) with mapi id 14.03.0195.001; Wed, 27 May 2015 11:54:09 -0500
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Simon Josefsson <simon@josefsson.org>
Thread-Topic: [secdir] Review of draft-ietf-sfc-architecture-08
Thread-Index: AQHQllVoiI0EciI2k0ypB2MTIDGLzJ2L5tT3gAIA+oCAAJkTAIAAwU8AgABcooCAAMPTAA==
Date: Wed, 27 May 2015 16:54:08 +0000
Message-ID: <83F188A4-8E60-479E-A676-EB910E3EC900@cisco.com>
References: <20150524211041.52cde768@latte.josefsson.org> <02FCDA94-FCC3-4875-AFBE-D07CC792B0C9@cisco.com> <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu> <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com> <alpine.GSO.1.10.1505261917240.22210@multics.mit.edu> <20150527071315.17b3b5f5@latte.josefsson.org>
In-Reply-To: <20150527071315.17b3b5f5@latte.josefsson.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.150.54.90]
Content-Type: multipart/signed; boundary="Apple-Mail=_1A903881-ADAF-48D0-9FC8-D29E7A5F223E"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/iSNWMCd_FQXk2hUfdW49isxOTs4>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-architecture.all@tools.ietf.org" <draft-ietf-sfc-architecture.all@tools.ietf.org>
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 16:54:12 -0000

Simon,

> On May 27, 2015, at 1:13 AM, Simon Josefsson <simon@josefsson.org> wrote:
> 
> Den Tue, 26 May 2015 19:41:42 -0400 (EDT)
> skrev Re: [secdir] Review of draft-ietf-sfc-architecture-08:
> 
>> Hi Carlos,
>> 
>> On Tue, 26 May 2015, Carlos Pignataro (cpignata) wrote:
>> 
>>>> On May 25, 2015, at 11:01 PM, Benjamin Kaduk <kaduk@MIT.EDU>
>>>> wrote:
>>>> 
>>>> insist that encryption always be used, but please do not claim
>>>> that being in a single administrative domain excuses the operator
>>>> from considering whether encryption is necessary.
>>>> 
>>> 
>>> My point was a different one: that SFC does not change these
>>> requirements.
>>> 
>>> I may have misunderstood, but what I read in Simon's review
>>> (admittedly oversimplified) was: in SFC you move services from
>>> on-network-path (which, as an aside, is really the other way
>>> around; it is moving from creating an on-network-path steering of
>>> network topology through the service) to a machine ‘elsewhere' —
>>> and thus, consequently, you have to encrypt.
>> 
>> I do not think anyone is saying "you must encrypt".
> 
> Agreed.
> 
>> To partially crib from Simon's proposal, how about
>> 
>> The architecture described here is different from the current model,
>> and moving to the new model could lead to different security
>> arrangements and modeling. For example, when service functions are
>> moved from on-path static machines to dynamic remote machines, this
>> can change the flow of data through the network, and the security and
>> privacy considerations of the protocol and deployment will need to be
>> reevaluated in light of the new topology.
>> 
>> The word "reevaluated" is intended to indicate that a new analysis
>> should be performed, but not that a different conclustion must
>> necessarily be reached.
> 
> That's better, thank you.  I believe it would have been better to
> include a discussion of security concerns in the architecture document
> itself -- doing security right sometimes requires architectural
> changes, so if it is done later you might realize serious issues -- but
> barring that, adding a statement to acknowledge that no security
> analysis has been done, and that it has to be done, seems appropriate.

A security analysis has been done, resulting in the identification of key areas of security considerations to be taken into account during protocol design and solution deployment.

At an architectural level, Section 6 identifies the architectural building blocks and their specific security considerations, to be addressed by the realization of the architecture. This statement is not an acknowledgement that no security analysis has been done.

> 
> /Simon


> -Ben
> 
> P.S. "consdierations" in the second paragraph of section 6 is a typo

Thank you, Ben. This is already corrected in our working copy.

Best,

— Carlos.

v2.23.0 | Report a Bug | By Email