Re: [secdir] Secdir telechat review of draft-ietf-sfc-nsh-25 - motivation
"Adrian Farrel" <adrian@olddog.co.uk> Fri, 29 September 2017 10:26 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB2C132320; Fri, 29 Sep 2017 03:26:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XpHMNCkR2xRf; Fri, 29 Sep 2017 03:26:40 -0700 (PDT)
Received: from asmtp5.iomartmail.com (asmtp5.iomartmail.com [62.128.201.176]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF3E81321AC; Fri, 29 Sep 2017 03:26:39 -0700 (PDT)
Received: from asmtp5.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp5.iomartmail.com (8.13.8/8.13.8) with ESMTP id v8TAQVxC016263; Fri, 29 Sep 2017 11:26:31 +0100
Received: from 950129200 (218.122.115.87.dyn.plus.net [87.115.122.218]) (authenticated bits=0) by asmtp5.iomartmail.com (8.13.8/8.13.8) with ESMTP id v8TAQTC7016179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 29 Sep 2017 11:26:30 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: "'Joel M. Halpern'" <jmh@joelhalpern.com>, 'Christian Huitema' <huitema@huitema.net>, secdir@ietf.org
Cc: ietf@ietf.org, sfc@ietf.org, draft-ietf-sfc-nsh.all@ietf.org
References: <150662776428.27730.5006539542253170142@ietfa.amsl.com> <df06edaa-42a0-0182-9155-f8b7e9ab2fd3@joelhalpern.com>
In-Reply-To: <df06edaa-42a0-0182-9155-f8b7e9ab2fd3@joelhalpern.com>
Date: Fri, 29 Sep 2017 11:26:28 +0100
Message-ID: <033901d3390d$6a2cb7f0$3e8627d0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEliXjbI2Or5xvxRW3pzDGXGuSGJQJ/HwKupBMHgCA=
Content-Language: en-gb
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1679-8.1.0.1062-23358.006
X-TM-AS-Result: No--25.503-10.0-31-10
X-imss-scan-details: No--25.503-10.0-31-10
X-TMASE-MatchedRID: yebcs53SkkDMy6K24fisq0hEDfw/93BuYY0tNGdvli0ok+CLr2yyHGWg neUNsDqfl9FGugbqhB+zgMdZAMYlv08M9+aj5+3H+nWmWoRu6rEgzzoB6jqxgm3D6f6IpbLIq62 QoUap3IzoZBOhqhwyeEpO4zY8xTkRDMsCHReYlpBMcRwauwQkhIEcpMn6x9cZsVuGFxbE1A6W2J /NBggRJ5al1tG82W7b+wwsO0n+qSdpWmHn0ExnMuw8wbnnSw8blWXxvHK+rV7AOWCpvHcDOllBc zgblE9g2uR6RTfmd0El9+c89RK6DXMDoDWfAPKp1x307doliZsdo1DHlpWEea2/0wkFK1ccwdw0 ue2zGY2DywicQlwuFvuAJw2mWvNG8M+w5/vTMr3x5KZMlKYS/VHewY36PuY0ZutDqLozDshhXhA zuI3Nbt1LKh2WUgi4DZA4FyFICjp6ONMGRUQaGdjko+KiQPUGGSqdEmeD/nUPDqagyTbYYiVk0L E6h2m8CcoPHfTHqMK92pmHMjx8cQ9cNo8YWq5F7VfaTNztInId7wYwkPJ/mmeFbHzvVjbCMnadw j0BvkXTHbRm0pa0Vf1rZRkAcw2A1rPLmbp+RdYmtTGirqG/D34yToAKzDgm0mrr/YUV0CRHL8s9 F1wPzSoLoTJhxWiGu8diuhZv0fmLCOzKtNU0/gRH1Nr7oERdMaP9SSz/VBl5DaK0/x3HRgudF+v yDezAj7tE2dXz/ucCNjoa5H5Ln6Yy2qfD59i7MN+B8zdlz9F+S5m2/8VLmoKwF4K/wIz9fgzZAg JekePARBQVz0Nb6jU0orL4znuBo+y/iI95Xc2eAiCmPx4NwFkMvWAuahr8+gD2vYtOFhgqtq5d3 cxkNQP90fJP9eHt
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ubSwb3qhRN31hhO0I4mmJlqUqAI>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-sfc-nsh-25 - motivation
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Sep 2017 10:26:43 -0000
Maybe to expand on Joel's point about "metadata".
There has (of course) been a lot of discussion of metadata in the context of end-user privacy. I think that has left many people with a specific understanding of "metadata", but as Joel says this is not the intention in this case.
That said, the description of metadata in this document and in RFC 7665 is perhaps a little vague. 7665 has...
Metadata: Provides the ability to exchange context information
between classifiers and SFs, and among SFs.
...from which we might deduce that metadata does two things:
1. Provide a channel for communication between SFC entities for them to synchronize state/actions related to traffic that follows a specific service function chain.
2. Carry information related to a specific packet that has been extracted or derived from that packet (for example, a hash) by an SFC entity that save subsequent SFC entities from having to derive the same information (thus allowing the subsequent SFC entities to be dumber or less CPU-rich).
7665 also says...
One use of metadata is to provide and share the result of
classification (that occurs within the SFC-enabled domain, or
external to it) along an SFP. For example, an external
repository might provide user/subscriber information to a service
chain classifier. This classifier could in turn impose that
information in the SFC encapsulation for delivery to the
requisite SFs. The SFs could in turn utilize the user/subscriber
information for local policy decisions. Metadata can also share
SF output along the SFP.
...which may help explaining the intention.
Personally, I think that tightening the description and scope of metadata might be a way to help address Christian's concerns. At the moment the scope seems to be left wilfully open to allow freedom of choice for future use cases: that seems to me to be dangerously open-ended.
Cheers,
Adrian
> -----Original Message-----
> From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Joel M. Halpern
> Sent: 28 September 2017 20:54
> To: Christian Huitema; secdir@ietf.org
> Cc: ietf@ietf.org; sfc@ietf.org; draft-ietf-sfc-nsh.all@ietf.org
> Subject: Re: Secdir telechat review of draft-ietf-sfc-nsh-25 - motivation
>
> We really need to separate issues here.
>
> The first part of your note talks about the need for metadata. You
> assert that this is related to a need to compete with large scale
> tracking. While I can not prohibit that use, that is NOT the problem
> that drives this work.
> Rather, the whole point is to support separating the currently
> monolithic service platofrms into component services that can be
> combined both to deliver existing services, and to deliver new service
> combinations. To do that, the existing internal methods for passing
> data within a service delivery monolith have to be replaced with an
> external, interoperable, method for doing this.
> My employer would be very happy if the operators would give up on this
> and go back to buying our nice, high reliability, high price, intgrated
> service platforms. But that is not what the operators are asking us
> to provide.
>
> Yours,
> Joel
>
> On 9/28/17 3:42 PM, Christian Huitema wrote:
> > Reviewer: Christian Huitema
> > Review result: Serious Issues
> >
> > I have already reviewed previous iterations of this draft (18) and sent
> > comments on the mailing lists about revisions 20 to 24. The draft has
> > significantly improved through the revisions, but I still have concerns.
> >
> > First, it should be clear that standardizing addition of metadata to packet
> > headers is, from a privacy standpoint, playing with fire. I understand that
> > many ISP believe that they need to accumulate and use metadata in order to
> > compete with the large scale tracking performed by some web companies. This
> > existing competition may well be driving a race to the privacy bottom.
> > Regardless, the minimum these ISP can do is ensure that the privacy sensitive
> > metadata that they collect is well protected. Collecting metadata is bad
> > enough; letting hackers access it would be disastrous, as shown in the Equifax
> > breach. I would like to see a stronger recognition in the security
> > consideration that this is indeed playing with fire.
> >
> > I am also concerned that when writing the security considerations the authors
> > may be playing with words. Frankly, I do not believe that the data will be
> > magically protected because they are only transported in a single
> > administrative domain. As Randy Bush pointed out in an email comment, some
> of
> > the service functions are already provided "in the cloud" by third party
> > contractors to the ISP. This means that in practice, the data will probably not
> > be confined to a single provider domain. In the email, I listed three threats:
> >
> > * Whether ISP believe it or not, their links will be snooped by third parties.
> > We have to assume that adversaries will have access to some of the
> transmission
> > equipment, even inside the perimeter.
> >
> > * We also have to assume that persistent attackers will be able to compromise
> > some of the devices hosting some of the functions.
> >
> > * And we have to assume that some third party providers will re-purpose the
> > metadata that they obtain through various contracts.
> >
> > What worries me is not so much the inadequacies of the defenses proposed in
> the
> > security section as the absence of emphasis on the need to actually deploy
> > these defenses. Everything seems to be optional, left to the good will of the
> > ISP. Experience shows that in these conditions deployments use the most
> > convenient setup, clear text transmission with little defense in depth. The
> > security section ends up being so much empty talk designed to placate security
> > reviewers, playing with words for security without recognizing that
> > standardizing metadata collection is playing with fire.
> >
> >
- [secdir] Secdir telechat review of draft-ietf-sfc… Christian Huitema
- Re: [secdir] Secdir telechat review of draft-ietf… Joel M. Halpern
- Re: [secdir] Secdir telechat review of draft-ietf… Adrian Farrel