Re: [secdir] SecDir review of draft-ietf-ipfix-mediators-problem-statement-08

Atsushi Kobayashi <akoba@nttv6.net> Tue, 16 March 2010 18:26 UTC

Return-Path: <akoba@nttv6.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3A753A6AB3 for <secdir@core3.amsl.com>; Tue, 16 Mar 2010 11:26:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.541
X-Spam-Level: *
X-Spam-Status: No, score=1.541 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_20=-0.74, HOST_MISMATCH_COM=0.311, RDNS_DYNAMIC=0.1, SUBJ_RE_NUM=2.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PEDiXIjqQtK4 for <secdir@core3.amsl.com>; Tue, 16 Mar 2010 11:26:05 -0700 (PDT)
Received: from mail.nttv6.net (mail.nttv6.net [IPv6:2001:fa8::25]) by core3.amsl.com (Postfix) with ESMTP id 0C7CD3A6AD2 for <secdir@ietf.org>; Tue, 16 Mar 2010 11:24:32 -0700 (PDT)
Received: from [127.0.0.1] (dhcp-3-152.nttv6.com [192.47.163.152]) by mail.nttv6.net (8.14.3/8.14.3) with ESMTP id o2GIOK06031047; Wed, 17 Mar 2010 03:24:21 +0900 (JST) (envelope-from akoba@nttv6.net)
Date: Wed, 17 Mar 2010 03:19:03 +0900
From: Atsushi Kobayashi <akoba@nttv6.net>
To: Yaron Sheffer <yaronf@checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05E0C898@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05E0C897@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05E0C898@il-ex01.ad.checkpoint.com>
Message-Id: <20100317010923.AFAB.17391CF2@nttv6.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.50.05 [ja] (Unregistered)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (mail.nttv6.net [192.16.178.5]); Wed, 17 Mar 2010 03:24:21 +0900 (JST)
X-Mailman-Approved-At: Wed, 17 Mar 2010 01:09:15 -0700
Cc: "draft-ietf-ipfix-mediators-problem-statement.all@tools.ietf.org" <draft-ietf-ipfix-mediators-problem-statement.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mediators-problem-statement-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Mar 2010 18:26:07 -0000

Dear Yaron,

Thank you for your feedbacks. Please see in-line.

On Thu, 11 Mar 2010 16:50:58 +0200
Yaron Sheffer <yaronf@checkpoint.com>; wrote:

> Resending, sorry if you see it twice...
> 
> ________________________________________
> From: Yaron Sheffer
> Sent: Thursday, March 11, 2010 4:47 PM
> To: secdir@ietf.org; draft-ietf-ipfix-mediators-problem-statement.all@ietf.org
> Subject: SecDir review of draft-ietf-ipfix-mediators-problem-statement-08
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> This document presents the need for introducing Mediators (known in other quarters as "proxies") into the IPFIX architecture.
> 
> The document is in general well written, and it does attempt to cover most of the relevant security issues. But I would have liked to see a bit more discussion on:
> 
> - Privacy concerns, especially where actual data packets are sampled. These concerns may be amplified when streams from multiple sources are combined.


Could you please clarify your concerns.
I assume your concerns as follows.

a) Flow Records from multiple sources can reveal the path for flows. It
may create another privacy issue.

b) Generally, it is difficult that random sampling technique captures
specific customer's traffic. However, the probability to capture
specific customer's traffic increases, when there are multiple
observation points.

I think a) and b) are general privacy issues regarding flow-based
measurement whether there are intermediate devices or not.

> - Multi-tenancy: large networks, i.e. those that require such solutions, may process and sometime aggregate data from many different owners. An extreme example is virtualized processing clouds. Tenants should be protected from one another, and possibly also from the service provider.

Yes.

It needs to identify the customer's identifier, e.g., IP addess, vlan,
mac address, and etc., to feed them to appropriate intermediate process
anonymizing them, and to export them to Collector to separate one another.

When an IPFIX Mediator can not identify the customer, in special case
where VM motion occurs, it may need to drop the flow records.

I will put above paragraph in sentence.

> - The subsection of the Security Considerations that discusses confidentiality protection could be improved to more clearly point out that transport-level security is no longer sufficient in this architecture, and (at least in some cases) should be replaced by end-to-end, application-level security.

Actually, the scope of this document is problem statement. It is just
starting points to continue to the series of IPFIX Mediation documents.

At this level, I can not come up with the suitable end-to-end
confidentiality protection method via Mediator. If the 
confidentiality protection for Flow Records is kept on Mediators,
Mediator would not be able to handle Flow Records. Could you please
show some cases you mentioned.

> - The trust model should be clarified, possibly just to say "we all trust the Mediator".

I have two scenarios.

a) A Collector certificates a Mediator by using X.509 certificates, and
the Collector certificates an Original Exporter by its X.509
certificates informed by the Mediator.

b) A Collector certificates a Mediator by using X.509 certificates, and
the Collector receives the report that the Mediator certificates
an Original Exporter.

Case a) is recommended. Case b) can be applied to the following cases,
service providers feed customer flow data, and also would like to avoid
to disclose the network devices information, that is exporters. Any
other cases should be avoid so far. 

I think the above description should be put into the later framework
document as some requirement. 
http://tools.ietf.org/html/draft-ietf-ipfix-mediators-framework-05

I will discussed with authors and WG members. 

> 
> Non-security comments
> 
> The document starts out by discussing IPFIX, and then suddenly in 3.2, PSAMP is introduced. The clueless reader is left confused: how does PSAMP relate to per-flow information? I'd appreciate a clarifying paragraph at the top of Sec. 3.

Ok, I will put the following paragraph at the top of section 3.

IPFIX Mediation can be applied to flow- or packet-based information.
The flow-based information is encoded by IPFIX protocol, and the
packet-based information is extracted by some sampling techniques and
then encoded by PSAMP protocol. Thus, this section describes relevant
documents for both protocols.

--- 
Atsushi KOBAYASHI  <akoba@nttv6.net>;
NTT Information Sharing Platform Lab.
tel:+81-(0)422-59-3978 fax:+81-(0)422-59-5637