Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-serviceid-header-12: (with DISCUSS) Mon, 02 November 2020 07:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 260B03A044A; Sun, 1 Nov 2020 23:50:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nLGDdkjw-9Ga; Sun, 1 Nov 2020 23:50:39 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EBD403A045E; Sun, 1 Nov 2020 23:50:38 -0800 (PST)
Received: from (unknown [xx.xx.xx.7]) by (ESMTP service) with ESMTP id 4CPlT93gD3z7tVL; Mon, 2 Nov 2020 08:50:37 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ORANGE001; t=1604303437; bh=0hQRnpWmThY8uhd3ooWdZ7fnJDnHzRYYoh9xVa9NZN8=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=lVOvdEgzxiJB9k6cDVpJi9JdL+d7eQ1026v69/GgtLYGlMXsXj1P8QVkH02er4kk6 g+wcHL1JJLK9umbGFumjnNte6lnVadGEPKHaflarEXQbSEW5W9KxCrMwwiQRLyFd+W xWxEqvUa3wdNI+vCsDzMk02xE0/SgaTZjJ+IaSUT69MUDdhQOVlMUUP4NmZWOYF+pp XjNIU3RIN43QPUk8OamhCEWxe2KTSKnfcXUFxCKA9Knz34/fLqygmeK2xfjLvFkcza vf5TWOi55JXe+BbkYul2siIvwcU1NwCIDzOszPac8cquHxaXPTyBzC6NYNAtrsNGTR FcT6CVe6wJAgA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.64]) by (ESMTP service) with ESMTP id 4CPlT92Bzfz2xCG; Mon, 2 Nov 2020 08:50:37 +0100 (CET)
From: <>
To: Benjamin Kaduk <>, The IESG <>
CC: "" <>, "" <>, "" <>, Greg Mirsky <>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-sfc-serviceid-header-12: (with DISCUSS)
Thread-Index: AQHWryjuj9aNt53qTkShksvgnpc6+am0eH4A
Date: Mon, 2 Nov 2020 07:50:36 +0000
Message-ID: <14200_1604303437_5F9FBA4D_14200_375_1_787AE7BB302AE849A7480A190F8B93303156D2E0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-serviceid-header-12: (with DISCUSS)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 02 Nov 2020 07:50:41 -0000

Hi Ben, 

This is a fair and a good point. 

FYI, we raised this point to the WG (see Slide 7 of Because the issue is ** not specific ** to this spec, the WG decided to define a solution that will apply to any TLV carrying sensitive data (including encryption): draft-ietf-sfc-nsh-integrity.

What about making this change: 

   A misbehaving node within from the SFC-enabled domain may alter the
   content of Subscriber Identifier and Performance Policy Context
   Headers which may lead to service disruption.  Such attack is not
   unique to the Context Headers defined in this document; measures
   discussed in [RFC8300] are to be followed.

   A misbehaving node within from the SFC-enabled domain may alter the
   content of Subscriber Identifier and Performance Policy Context
   Headers which may lead to service disruption.  Such attack is not
   unique to the Context Headers defined in this document; measures
   discussed in [RFC8300] are to be followed. A mechanism for SFC integrity
   is specified in [I-D.ietf-sfc-nsh-integrity].

Thank you. 


> -----Message d'origine-----
> De : Benjamin Kaduk via Datatracker []
> Envoyé : samedi 31 octobre 2020 02:56
> À : The IESG <>
> Cc :;;
>; Greg Mirsky <>om>;
> Objet : Benjamin Kaduk's Discuss on draft-ietf-sfc-serviceid-header-
> 12: (with DISCUSS)
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-sfc-serviceid-header-12: Discuss
> When responding, please keep the subject line intact and reply to
> all email addresses included in the To and CC lines. (Feel free to
> cut this introductory paragraph, however.)
> Please refer to
> criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> --------------------------------------------------------------------
> --
> --------------------------------------------------------------------
> --
> This is an "early warning" discuss ballot, entered before I have
> done a full review of the document.
> As such, it is possible that the stated concern may in fact be a
> non-issue after closer examination, but the potential import of the
> concern seems to make it worth starting the discussion sooner rather
> than later.
> This document defines (among other things) a mechanism for carrying
> subscriber information in an NSH.  RFC 8300 (NSH) notes both that:
>                                              Metadata privacy and
>    security considerations are a matter for the documents that
> define
>    metadata format.
> and that:
>       One useful element of providing privacy protection for
> sensitive
>       metadata is described under the "SFC Encapsulation" area of
> the
>       Security Considerations of [RFC7665].  Operators can and
> should
>       use indirect identification for metadata deemed to be
> sensitive
>       (such as personally identifying information), significantly
>       mitigating the risk of a privacy violation.  In particular,
>       subscriber-identifying information should be handled
> carefully,
>       and, in general, SHOULD be obfuscated.
> On the other hand, this document in its security considerations
> claims that:
>    Data plane SFC-related security considerations, including
> privacy,
>    are discussed in [RFC7665] and [RFC8300].
> and does not seem to incorporate any discussion of the privacy and
> security considerations of the subscriber information metadata
> carried by the new format it conveys.  Yes, it does note that all
> nodes with access to the information are part of the same trusted
> domain, but I do not think that is sufficient, especially given that
> personally identifiable information is often subject to strict
> compliance regimes.
> In short, 8300 and this document are referring to each other for
> privacy considerations, and the actual privacy considerations do not
> seem to be documented in either place.
> Additionally, I did not see any indication of how the subscriber-
> identifying information ought to be obfuscated (or an explanation of
> why it is okay to violate the SHOULD from 8300).


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.