IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-sfc-architecture-08

"Joel M. Halpern" <jmh@joelhalpern.com> Tue, 26 May 2015 23:07 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5865C1B32FB; Tue, 26 May 2015 16:07:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.902
X-Spam-Level:
X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_BACKHAIR_32=1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eqBkKxLmbL21; Tue, 26 May 2015 16:07:33 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 576FB1B32F5; Tue, 26 May 2015 16:07:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id 35882240443; Tue, 26 May 2015 16:07:33 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from Joels-MacBook-Pro.local (75-146-28-117-Richmond.hfc.comcastbusiness.net [75.146.28.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id 577132464B7; Tue, 26 May 2015 16:07:32 -0700 (PDT)
Message-ID: <5564FCB1.80207@joelhalpern.com>
Date: Tue, 26 May 2015 19:07:29 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Simon Josefsson <simon@josefsson.org>
References: <20150524211041.52cde768@latte.josefsson.org> <55622F53.5090201@joelhalpern.com> <20150526221728.02605b82@latte.josefsson.org> <5564E432.9000207@joelhalpern.com> <5564E6C4.4000302@cs.tcd.ie>
In-Reply-To: <5564E6C4.4000302@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ju1Yo5rLH8DlM-uV7UH6YLcvD7k>
Cc: secdir@ietf.org, draft-ietf-sfc-architecture.all@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 23:07:35 -0000

There may well be something that can be said in the architecture that 
would be helpful.  My concern is that given teh current IETF 
environment, adding the suggested wording to the architecture could 
easily lead the IESG to expect mandatory-to-implement data plane packet 
authentication and / or encryption.

There are proposals to add optional mechanisms to the dataplane 
protocol.  The proposals I have seen have no impact on the architecture.

Yours,
Joel

On 5/26/15 5:33 PM, Stephen Farrell wrote:
>
> I've yet to read this one so could be plain wrong but I don't
> see that our choices here are an architecture that defines (or
> re-uses) no security mechanisms/services at all or one that
> encrypts everything, but fwiw your response below Joel and earlier
> ones read as if those are the only choices and I find that hard
> to believe.
>
> S.
>
> On 26/05/15 22:22, Joel M. Halpern wrote:
>> Given the expected construction and usage for this, if we rite into the
>> archtiecture that encryption and authentication of data plane messages
>> are mandatory, then
>> presumably we will also write such "mandatory" mechanisms into the data
>> plane mechanism we specify.
>>
>> At which point we are writing a specification which will be widely ignored.
>>
>> Given that we are talking about passing packets through a series of
>> service functions, requiring encryption between them causes a drastic
>> increase in complexity and latency.  As far as I can tell from the way
>> customers expect to use this, it is simply unacceptable.  For inter-DC
>> (or POP<->DC) operators who wish to protect that traffic wil likely want
>> to do so whether or not they are using service chaining.  As such, the
>> protection is not a service chaining issue.
>>
>> So, sorry, but I have to respectfully disagree with you Simon.
>>
>> Yours,
>> Joel
>>
>> On 5/26/15 4:17 PM, Simon Josefsson wrote:
>>> If it is unreasonable to expect that encryption/authentication will be
>>> part of the architecture, I believe there is a significant problem with
>>> this architecture.  The argument that security is not necessary within
>>> a single administrative domain is one that I complete disagree with.  I
>>> am hoping that I am missing some context here.
>>>
>>> /Simon
>>>
>>>> While the paragraph you suggest looks reasonable, I am somewhat
>>>> concerned if readers draw the conclusion that we expect to include
>>>> data plane authentication and / or encryption mechanisms as a
>>>> mandatory part of the solution.  There is no such expectation.  While
>>>> there is reason to be concerned about exposure of information across
>>>> the Internet, the document begins by specifically noting that this
>>>> architecture is for use with a single administrative domain.
>>>>
>>>> I am thus concerned that adding the suggested text may give rise to
>>>> unreasonable expectations on solutions which comply with this
>>>> architecture.
>>>>
>>>> Yours,
>>>> Joel
>>>>
>>>> On 5/24/15 3:10 PM, Simon Josefsson wrote:
>>>>> Hello.
>>>>>
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the
>>>>> IESG.  These comments were written primarily for the benefit of the
>>>>> security area directors.  Document editors and WG chairs should
>>>>> treat these comments just like any other last call comments.
>>>>>
>>>>> This is an architectural document, so it doesn't have the usual
>>>>> security impact that you can easily review.  The Security
>>>>> Considerations section gently refer any security considerations to
>>>>> the future documents that will actually realize the archicture.
>>>>>
>>>>> The security considerations that you would expect to be discussed
>>>>> in an architecural document are those on an architectural level.
>>>>> The archicture proposed here is to change how network services are
>>>>> delivered.  The document doesn't give many examples, but my
>>>>> understanding is that the intended services would include firewalls,
>>>>> NAT, proxies, packet filtering, anti-spam measures, anti-DDOS
>>>>> measure, QoS, and so on.
>>>>>
>>>>> The traditional model is static services coupled to network topology
>>>>> and physical resource. The new model introduced by this document, as
>>>>> far as I understand, is a dynamic model where delivery of these
>>>>> services can be moved around more dynamically, by tunneling traffic
>>>>> to the service and back.
>>>>>
>>>>> I may have missed it, but I feel that the security consequences of
>>>>> moving to this new architecture is not discussed in the document.
>>>>>
>>>>> Some obvious security considerations that are introduced with an
>>>>> architecture like this are:
>>>>>
>>>>>      1) When delivery of a service is moved from an on-network-path
>>>>>      machine to a machine sitting somewhere else, there ought to be
>>>>> some consideration to authenticating the involved entities and
>>>>> encrypting the traffic between them.
>>>>>
>>>>>      2) Auditing who has powers over a communication channel will be
>>>>>      different -- before you evaluated the wires and who had access
>>>>> to the machines connected to the wires.  Now you have to review the
>>>>> policies configured in the machines and what external entities are
>>>>> involved, together with the operational aspects of this boxes that
>>>>> perform the service delivery.
>>>>>
>>>>>      3) Moving traffic around raises the challenge how to achieve that
>>>>>      without negatively affecting privacy of the traffic.
>>>>>
>>>>>      4) Protecting the SFC configuration and policies is critical for
>>>>>      secure operations.  Anyone who gains access may be able to modify
>>>>>      traffic.
>>>>>
>>>>> If the above is a bit handwavy, allow me to be more concrete.
>>>>> Adding something like the following to the security considerations
>>>>> would at least acknowledge that there are inherent security
>>>>> considerations with this architecture:
>>>>>
>>>>>      The architecture described here is different from the current
>>>>> model, and moving to the new model will lead to different security
>>>>>      arrangements and modeling. For example, when service functions
>>>>> are moved from on-path static machines to dynamic remote machines,
>>>>> this introduce security and privacy aspects that needs to be
>>>>> addressed.
>>>>>
>>>>> All this said, I still would classify this document as Ready.  It
>>>>> mostly just disappoint me that a new architecture can be introduced
>>>>> without containing a significant discussion of security properties.
>>>>>
>>>>> /Simon
>>>>>
>>>
>>
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>

v2.23.0 | Report a Bug | By Email