Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
mohamed.boucadair@orange.com Mon, 12 July 2021 18:52 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2C0A3A1034; Mon, 12 Jul 2021 11:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.899
X-Spam-Level:
X-Spam-Status: No, score=-0.899 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yGTgDbba1lCd; Mon, 12 Jul 2021 11:52:29 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 761DA3A0E5B; Mon, 12 Jul 2021 11:52:24 -0700 (PDT)
Received: from opfednr05.francetelecom.fr (unknown [xx.xx.xx.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr24.francetelecom.fr (ESMTP service) with ESMTPS id 4GNtDQ04pyz1yNb; Mon, 12 Jul 2021 20:52:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1626115942; bh=fAESZK3cNMThXh+GguEMy6VQUNWvwdUe8MQ5YQeL4H4=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=WML+lK0iAqf0qDwwwr5qpxbI/HBWHcp5R6dwDd05dPV71zKvy6BsBEj4ujlpJdNNg rRrRm6XzRbgg74xw8YF+o/9l8qoI8w40SaHvWzt09eY2NG1KcLLs9KMMnTEHA1iMfD zEj7zFKa522j9EC0QF+Hya+OvIu5SkTgoi8aTfWNU+nBk7zOnnaFTeTn61CMlTW+eh U3jCXx+RqQyLU3Kbgf/cqQIbYtvUBzWFr7Ru0EbRsXk2Iziwt5OidA5bCQrZ5M358I e17oBGVcYINuMaOYdo3W7SjWo5fIjtTH2dHGpgxZpzuXrfaFz5jbYSs9mqBVLYzCA6 Y2gGj3LJlqEqA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfednr05.francetelecom.fr (ESMTP service) with ESMTPS id 4GNtDP5lQxzyQ3; Mon, 12 Jul 2021 20:52:21 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Alvaro Retana <aretana.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-sfc-nsh-integrity@ietf.org" <draft-ietf-sfc-nsh-integrity@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "gregimirsky@gmail.com" <gregimirsky@gmail.com>
Thread-Topic: Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
Thread-Index: AQHXd0zRVHfyNHLhwkyOd3irdChUIqs/rJuQ
Date: Mon, 12 Jul 2021 18:52:20 +0000
Message-ID: <23837_1626115941_60EC8F65_23837_478_1_787AE7BB302AE849A7480A190F8B9330353BD8C2@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <162611498183.7775.3562397379733537345@ietfa.amsl.com>
In-Reply-To: <162611498183.7775.3562397379733537345@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/1Z4U7ewpe6uUB1Hq3_Pn590uU5U>
Subject: Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 18:52:39 -0000
Hi Alvaro, Thank you for the review. Please see inline. Cheers, Med > -----Message d'origine----- > De : Alvaro Retana via Datatracker [mailto:noreply@ietf.org] > Envoyé : lundi 12 juillet 2021 20:36 > À : The IESG <iesg@ietf.org> > Cc : draft-ietf-sfc-nsh-integrity@ietf.org; sfc-chairs@ietf.org; > sfc@ietf.org; gregimirsky@gmail.com > Objet : Alvaro Retana's No Objection on draft-ietf-sfc-nsh- > integrity-06: (with COMMENT) > > Alvaro Retana has entered the following ballot position for > draft-ietf-sfc-nsh-integrity-06: No Objection > > When responding, please keep the subject line intact and reply to > all email addresses included in the To and CC lines. (Feel free to > cut this introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-integrity/ > > > > -------------------------------------------------------------------- > -- > COMMENT: > -------------------------------------------------------------------- > -- > > > (1) Given the required behavior specified in the Security > Considerations section... > > NSH data are exposed to several threats: > > o A man-in-the-middle attacker modifying the NSH data. > > o Attacker spoofing the NSH data. > > o Attacker capturing and replaying the NSH data. > > o Data carried in Context Headers revealing privacy-sensitive > information to attackers. > > o Attacker replacing the packet on which the NSH is imposed with > a > bogus packet. > > In an SFC-enabled domain where the above attacks are possible, > (1) > NSH data MUST be integrity-protected and replay-protected, and > (2) > privacy-sensitive NSH metadata MUST be encrypted for > confidentiality > preservation purposes. The Base and Service Path headers are not > encrypted. > > Why doesn't this document formally update rfc8300? Concerns that > eventually led to this solution have been expressed for several > other documents, including > rfc8459 and rfc8979. > > It looks like the WG didn't consider the question of Updating the > base NSH specification. I believe that this document specifies a > required update to NSH, and would like the WG to consider formally > Updating rfc8300. [My search of the archive didn't find any related > discussion -- did I miss it?] [Med] We don't use the update header as we don't formally update any text in 8300. I know that we can interpret the update as "amends", but unless I'm mistaken there is no formal IETF consensus on this. > > [Even though I consider this omission a serious oversight, I don't > think this issue raises to the level of a DISCUSS.] > > (2) §3: I find the use of normative language to describe > requirements (that are met in this same document) not the best use > of rfc2119 language because any interoperability concerns would > result from the specification itself and not the requirements. > > The use of rfc2119 keywords to describe requirements may result in > confusion. > For example, "The solution MAY provide integrity protection for the > Base Header." -- as described later, protecting the Base Header is > optional, but the solution *does* provide integrity protection for > it. IOW, the specification is what is reflected in the requirement, > but referring to the solution, not the > protection: providing integrity protection is not optional, using it > is. A better working would be: "The solution must provide optional > integrity protection for the Base Header." [Med] Good point. Fixed. Thanks. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [sfc] Alvaro Retana's No Objection on draft-ietf-… Alvaro Retana via Datatracker
- Re: [sfc] Alvaro Retana's No Objection on draft-i… mohamed.boucadair
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Joel M. Halpern
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Alvaro Retana
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Alvaro Retana
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Joel M. Halpern
- Re: [sfc] Alvaro Retana's No Objection on draft-i… mohamed.boucadair
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Alvaro Retana
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Alvaro Retana
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Joel M. Halpern
- Re: [sfc] Alvaro Retana's No Objection on draft-i… mohamed.boucadair
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Murray S. Kucherawy
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Murray S. Kucherawy
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Joel Halpern Direct
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Murray S. Kucherawy
- Re: [sfc] Alvaro Retana's No Objection on draft-i… mohamed.boucadair
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Murray S. Kucherawy