Re: [sfc] Eric Rescorla's No Objection on draft-farrel-sfc-convent-05: (with COMMENT)
Eric Rescorla <ekr@rtfm.com> Fri, 09 February 2018 00:40 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8664F12DA3E for <sfc@ietfa.amsl.com>; Thu, 8 Feb 2018 16:40:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7wqsUs9Omunn for <sfc@ietfa.amsl.com>; Thu, 8 Feb 2018 16:40:28 -0800 (PST)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BD1C12DA29 for <sfc@ietf.org>; Thu, 8 Feb 2018 16:40:28 -0800 (PST)
Received: by mail-yw0-x22c.google.com with SMTP id l11so805777ywh.2 for <sfc@ietf.org>; Thu, 08 Feb 2018 16:40:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=O0GnvJ9JEN3ymBiEH/A28noIFmtAWNqBbGN1bh2h9Xs=; b=jJHf8VWPAh6aE3ohykJo3LhUTOVVUk/4Vfd+EVEEA67a8xV3jpD2xOkBehlwcvZXSE x624fD/nJz7EZ7PyVodcmD2kvbQj/eUqcWyKMSWEmIFAadxmb7ym1/mK0jkzIFKvol4M 4Lpyd+aL6K9DGyCjd3RakR3R9pBSlW6NzhlcrjaxGt8ul0nxOb0GhSvoocageER6+l2p OOTo7A+NisZyGRB8+bNYtqLRivEEBk6TcXHPx/+WD6flpTiLv8HoIe3Y0wny6e5V4E7A faAYTwTPt5FpmaqakWP9+eafH1FeEX56AsIT1zioJUOnlHSaZMaxvQ2jvukfgq6xJYaJ JF8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=O0GnvJ9JEN3ymBiEH/A28noIFmtAWNqBbGN1bh2h9Xs=; b=oG8XtENA8rVqWNW20ajqrEo8BBBogZnT1AqVOycbUlP3hzizuwm7zbxEb6Z+xhnax+ U/igvu5GjO3CxSsCOcqLbG3kg8V4wbNmwM3NZFlaPJh/ATVgwpurYCTieyiAAZkasaR8 Ypw2Er+katiClwLT/VXcMT/ZOEIfRtuiPfDANSO3akDj3OhM8Gs/vYUoMPZBnFlsJCJD b8zuPOXRVGtfs4DGyx6flUkuBNa/hjQg+Pz4RVkWxsEYgQbkIJtAT5NimeL7pe3TsPJI b/wRgaKuC4jDGAHh83hSk2U+VRQzoDpycmGZh/Y1kDx1rpJUrdqHmMePm76ofEtLeaAk c6QA==
X-Gm-Message-State: APf1xPDVlwiqjtMhvvBjpbwrNk9FQQdS6bPB3T64w8mCX6mqwR7jwe2B s2R2Q09i18sUeDjTWgU0YZrvVfqNYJoyDhyo5SNN0w==
X-Google-Smtp-Source: AH8x2266GFzqBfgnlNsSMuZZERlEj/ft4Cu/4o+K6SPC6AAXZgnU1U7Db7IC/EtYw6Vk3N8faquUpztI/Hu4TonCF+Q=
X-Received: by 10.37.239.79 with SMTP id w15mr594337ybm.293.1518136827253; Thu, 08 Feb 2018 16:40:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.160.201 with HTTP; Thu, 8 Feb 2018 16:39:46 -0800 (PST)
In-Reply-To: <09be01d3a119$c48d8660$4da89320$@olddog.co.uk>
References: <151797352162.25862.18235247183979141834.idtracker@ietfa.amsl.com> <09be01d3a119$c48d8660$4da89320$@olddog.co.uk>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Feb 2018 16:39:46 -0800
Message-ID: <CABcZeBNjs4m1OZV-obJR-NY7MBJYdx-Vm_vT2p95NHAGNJ26ng@mail.gmail.com>
To: Adrian Farrel <adrian@olddog.co.uk>
Cc: The IESG <iesg@ietf.org>, draft-farrel-sfc-convent@ietf.org, tal.mizrahi.phd@gmail.com, sfc-chairs@ietf.org, sfc@ietf.org
Content-Type: multipart/alternative; boundary="089e0828a13c4f2cc10564bcc634"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/3B8U4lkmaBa-_0JprKLliL5hU50>
Subject: Re: [sfc] Eric Rescorla's No Objection on draft-farrel-sfc-convent-05: (with COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2018 00:40:30 -0000
This is actually a smarter point that I was intending to make. I was just looking at the following text? " according to the perceived vulnerabilities of the network. Protection of metadata may be achieved by using encrypted transport between SFC entities or by encrypting the metadata in its own right." This isn't necessarily a function of "encrypting" but rather of providing integrity and data origin authentication, although good encryption protocols do provide both. -Ekr On Thu, Feb 8, 2018 at 12:16 PM, Adrian Farrel <adrian@olddog.co.uk> wrote: > Hey Eric, > > Thanks for this comment. > > > The need to protect the metadata is not modified by this document and > > forms part of the NSH definition found in [I-D.ietf-sfc-nsh]. > > Nit: I wouldn't limit this to encryption. If you care about > integrity/data > > origin authentication, then encryption may not supply that, > > If I'm reading you right, you're observing that the mechanism described in > the > document might allow an imposter to introduce metadata. > > That's sounds like a real problem and we should do something like: > > OLD > The mechanism described in this document might possibly be used to > introduce packets into the SFC overlay network. Therefore measures > SHOULD be taken to ensure authorization of sources of such packets, > and tunneling of such packets into the network SHOULD be prevented. > The amount of packets with "Next Protocol" set to "None" on an SFP > SHOULD be rate limited at each point on the SFP to provide additional > security. > NEW > The mechanism described in this document might be used to introduce > packets into the SFC overlay network and might be used to > illegitimately introduce false metadata to the nodes on an SFC. > Therefore measures SHOULD be taken to ensure authorization of sources > of such packets, and tunneling of such packets into the network > SHOULD be prevented. > > The amount of packets with "Next Protocol" set to "None" on an SFP > SHOULD be rate limited at each point on the SFP to provide additional > network security. > END > > Does that do it? > > Cheers, > Adrian > >
- [sfc] Eric Rescorla's No Objection on draft-farre… Eric Rescorla
- Re: [sfc] Eric Rescorla's No Objection on draft-f… Adrian Farrel
- Re: [sfc] Eric Rescorla's No Objection on draft-f… Eric Rescorla