IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-sfc-architecture-08

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Thu, 28 May 2015 17:30 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42A6D1B2C76; Thu, 28 May 2015 10:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.511
X-Spam-Level:
X-Spam-Status: No, score=-16.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_I_LETTER=-2, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id su9BMWRZA3m9; Thu, 28 May 2015 10:30:13 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BF161B2C65; Thu, 28 May 2015 10:30:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4143; q=dns/txt; s=iport; t=1432834205; x=1434043805; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=FNAxnDj4AG/l58YqiUiY/dcqglLMZiEijaZHGCAaw3M=; b=cSmmNUoiPyPb2+gwn6pRnLNhC152R4AcmADQ8jN2iv9/4tnsb5aC8eKm Lp/VowXzsV5NUa76Aqh00JlNbZ4USu/Jj+3IpXBN/D1sL1Ia/ZsEw5Bty 5ju5z+GEHV4A9Pe6aJ+az1z5toctwJfU2W/nMhyFFU61pq6BP8FgxPt8a 8=;
X-Files: signature.asc : 841
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D/AwAAUGdV/5JdJa1cDoMCgTIGgxi5bWYJh1ECgUw4FAEBAQEBAQGBCoQiAQEBAwEjVgULAgEIEgYqAgIyFw4CBA4FDgyICwixLqQQAQEBAQEBAQEBAQEBAQEBAQEBAQEBF4tDhQYHgmgvgRYFkwiCEoFDhzqBKZItg1kjgWaBVD5vgUaBAQEBAQ
X-IronPort-AV: E=Sophos; i="5.13,513,1427760000"; d="asc'?scan'208"; a="2593212"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-3.cisco.com with ESMTP; 28 May 2015 17:30:05 +0000
Received: from xhc-rcd-x10.cisco.com (xhc-rcd-x10.cisco.com [173.37.183.84]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id t4SHU4Oe032697 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 28 May 2015 17:30:04 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.147]) by xhc-rcd-x10.cisco.com ([173.37.183.84]) with mapi id 14.03.0195.001; Thu, 28 May 2015 12:30:04 -0500
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Thread-Topic: [secdir] Review of draft-ietf-sfc-architecture-08
Thread-Index: AQHQllVoiI0EciI2k0ypB2MTIDGLzJ2L5tT3gAIA+oCAAJkTAIAAwU8AgAEfd4CAABfhgIAADp4AgACVMYCAAOGtAA==
Date: Thu, 28 May 2015 17:30:03 +0000
Message-ID: <AF64A753-A664-4343-98D1-93DDE93FD8FC@cisco.com>
References: <20150524211041.52cde768@latte.josefsson.org> <02FCDA94-FCC3-4875-AFBE-D07CC792B0C9@cisco.com> <alpine.GSO.1.10.1505252257290.22210@multics.mit.edu> <2DB7995B-8AF1-4EEE-971E-40A1A6294461@cisco.com> <alpine.GSO.1.10.1505261917240.22210@multics.mit.edu> <53F5D306-5860-4415-8AA4-390882ED94AB@cisco.com> <alpine.GSO.1.10.1505271355150.22210@multics.mit.edu> <55661626.5010300@joelhalpern.com> <alpine.GSO.1.10.1505272356450.22210@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1505272356450.22210@multics.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.117.115.60]
Content-Type: multipart/signed; boundary="Apple-Mail=_D424051D-628E-4F96-AE65-F8065BCB8B25"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/kGvwvDwY6v8By0pU4Tno_Z1IBGQ>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "Joel M. Halpern" <jmh@joelhalpern.com>, "draft-ietf-sfc-architecture.all@tools.ietf.org" <draft-ietf-sfc-architecture.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-sfc-architecture-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 17:30:15 -0000

Hi, Ben,

> On May 28, 2015, at 12:02 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> 
> On Wed, 27 May 2015, Joel M. Halpern wrote:
> 
>> The "plain text payload" is an IP packet.  Customer IP packet protection needs
>> are, in almost all cases I can think of, independent of the routing path
>> through the network that the packet takes.  As such, I do not see why SFC
>> adding yet another means to direct traffic flows changes the protection needs
>> for customer IP packets.
>> 
>> Note that many of the results SFC is trying to simplify are achieved today,
>> albeit with more complexity.
>> 
>> So I am having trouble seeing what requirement you want the SFC architecture
>> to call out.
> 
> I believe that the main motivating factor is the case where the NSA or
> some other "three-letter agency" is sniffing traffic within a network.
> There was a bunch of news about "ssl added and removed here" a while back,
> motivating some companies to increase the use of encryption within their
> networks.

This is a very noble goal, but let’s not DoS-attack this draft to solve that higher-level objective. :-)

I look forward to satisfactorily addressing the security concerns, and strengthening the SFC architecture. I believe we have convergence points in your other response. I will reply with the specifics there, but a couple additional thoughts below.

> 
> If the attacker only has access to a small number of nodes or links within
> the network, then changing the paths over which data passes can
> potentially expose it to surveillance when it was not before.

“Changing the path" can potentially remove traffic from surveillance points also, net-improving the situation. My point is that it is conjecture.

>  You are
> correct that SFC itself may not be adding new real requirements on what
> data (paths) should be protected, but it is, in some sense, the first "new
> thing" now that we are aware of the extent to which networks come under
> attack.  As such, we are inclined to take the opportunity to remind
> readers of the potential for these attacks and that they may want to
> consider countermeasures as appropriate.

Given this objective, and the fact you acknowledge that SFC may not be adding new real requirements, I’d recommend a more holistic approach instead of reminding only SFC readers in a corner of the security considerations.

Best,

— Carlos.

> 
> So, it is not exactly an additional requirement in practice, but rather an
> additional requirement in terms of what we document in IETF protocols, an
> addition made to reflect our changed understanding of the world in which
> we operate.
> 
> -Ben

v2.23.0 | Report a Bug | By Email