IETF Logo Mail Archive

Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)

Alvaro Retana <aretana.ietf@gmail.com> Mon, 12 July 2021 20:08 UTC

Return-Path: <aretana.ietf@gmail.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14BDB3A15F2; Mon, 12 Jul 2021 13:08:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Veb3OtxbW9Ao; Mon, 12 Jul 2021 13:08:42 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 829503A15E6; Mon, 12 Jul 2021 13:08:41 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id ee25so11642655edb.5; Mon, 12 Jul 2021 13:08:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=nl9ff1cx8a/E1YYd3oZCG94UofikPo9QUIK3yEVlg1Y=; b=PyH1vujGzWh66EA9FYNRnT9rYlk49dt2wcYi3gkjGK/ULtHy+0wQ1lut9eE+UuDMNG QZUEeqM20YrzSwYqZaOT6z6x8sp+y0pYT6esOdNNIswLIf0HPf7ZQSGBkKh6DBlm/YU9 IgxH6QKgjgZh46N7b1fXeoma49HPMM6MSGp0pAkpzdWWLzuiK41jIlKn7cdWCXhwahrm IR+qhDokDqzuPBjQTFTNaG/FR2MBqk+GYtmtY2agGFecr6UG80fvkl31NOmBffWly39/ tffsYyNZs3sN2bgXAZoDflWWPvbW8BGyfIraxBV+BhgFLrzUIKHqd//gzMK2auFI9M1z vdRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=nl9ff1cx8a/E1YYd3oZCG94UofikPo9QUIK3yEVlg1Y=; b=dEb+S5CyMhBHKa6sVuzXxWSJD40kj9wD3MCQ6qnbAAnWH8Upo2meaXhWzGXRof/Wiw 8Z2M0P86EUW1Xeuh8fSQSWjJ+VgMiHDg5HS1aWU1XlvoFKCgdnjuO+POnIeDc/jCuT3x AwcyKCSFnrhRgLq3rADGL8hF6Q4UHaqka+ejFd+lh3Vrm5bdzv59zYSr+6ZemxtwFgzp uBnTE5BqJTwn+WpF2YpueenbjgNz3S0wsKvipzEruhEF+o55Z4p/IFofLh0/wd/MhOHF MDn4EKr2RO++e8o+5kniQjLIxYG8bdDI2lQfoLLstZ9EDV+r6aKqhnSQ3nfpWpbyFLnB Ll1g==
X-Gm-Message-State: AOAM5332R2beRfPfP3TJpAclxwbwVVW/f4m/RNEX/qDcgx8NB6FqhNNx aNyVSe2nywuoat8Yw2sVxStBP8xujEwRL9mGXW1tzejVBsM=
X-Google-Smtp-Source: ABdhPJzoup7DePpH8mAZ7Cf6Kkxs2ZnwLuZONsjxcKagRd1tdhx9Uu3hbebTGTwuCd4Qj4X0qviDigK7NWmvA+L5rXQ=
X-Received: by 2002:a05:6402:40f:: with SMTP id q15mr744952edv.86.1626120518284; Mon, 12 Jul 2021 13:08:38 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Mon, 12 Jul 2021 13:08:37 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <1a5ae768-bf12-6d94-819c-7923e1f816ee@joelhalpern.com>
References: <162611498183.7775.3562397379733537345@ietfa.amsl.com> <f5961690-4496-7f85-74ca-f3705d5a1c2e@joelhalpern.com> <CAMMESszF+jc7WKkAwmzAFs0A7bsDqXJKA3p5+cyexdU3fvNnDQ@mail.gmail.com> <1a5ae768-bf12-6d94-819c-7923e1f816ee@joelhalpern.com>
MIME-Version: 1.0
Date: Mon, 12 Jul 2021 13:08:37 -0700
Message-ID: <CAMMESsxJ1F90ro=_Gjszys3E86f4YgRQ49ofGGOoAyDJ8EFL8w@mail.gmail.com>
To: The IESG <iesg@ietf.org>, "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: sfc@ietf.org, gregimirsky@gmail.com, draft-ietf-sfc-nsh-integrity@ietf.org
Content-Type: multipart/alternative; boundary="000000000000dabbe005c6f2af33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/6JcbxtJS1D2gVPOM94nOnw1pv0o>
Subject: Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 20:08:47 -0000

Hi!

I meant the discussion about this draft formally Updating rfc8300 — which I
would have hopped happened when processing/discussing this document (not
before).

I’m assuming that discussion never happened.


BTW, I’m not asking for the new mechanism to be MTI — the current text (at
least to me) reads as if it is not.  I’m ok with that.  [IOW, an Update to
rfc8300 would “inherit” that characteristic.]

Alvaro.

On July 12, 2021 at 3:37:51 PM, Joel M. Halpern (jmh@joelhalpern.com) wrote:

Depending upon what you mean, either

1) The discussion never happened, because the action was not suggested.

or, with a longer view

2) The discussion happened when 8300 was being approved. We agreed with
the IESG that we would not define a mandatory-to-implement NSH security
mechanism, but that we would add an optional NSH security mechanism.
Which this draft does.

Yours,
Joel

On 7/12/2021 3:29 PM, Alvaro Retana wrote:
> Joel:
>
> Hi!
>
> I guess I missed where that discussion happened — probably buried in one
> of the threads.  Can you please point me to it?
>
> Thanks!
>
> Alvaro.
>
> On July 12, 2021 at 3:23:28 PM, Joel M. Halpern (jmh@joelhalpern.com
> <mailto:jmh@joelhalpern.com>) wrote:
>
>> I find your description of this as a "required update to 8300" rather
>> odd. The working group did not agree to make implementation of this
>> mandatory for 8300. That would, indeed, be an update to 8300. This is
>> just another feature that can be used with NSH. A useful feature.
>>
>> The security considerations do give lots of reasons to do this. But that
>> is not the same as making it "required" for all implementations of 8300.
>>
>> Yours,
>> Joel
>>
>> On 7/12/2021 2:36 PM, Alvaro Retana via Datatracker wrote:
>> > Alvaro Retana has entered the following ballot position for
>> > draft-ietf-sfc-nsh-integrity-06: No Objection
>> >
>> > When responding, please keep the subject line intact and reply to all
>> > email addresses included in the To and CC lines. (Feel free to cut
this
>> > introductory paragraph, however.)
>> >
>> >
>> > Please refer to
https://www.ietf.org/iesg/statement/discuss-criteria.html
>> <https://www.ietf.org/iesg/statement/discuss-criteria.html>
>> > for more information about DISCUSS and COMMENT positions.
>> >
>> >
>> > The document, along with other ballot positions, can be found here:
>> > https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-integrity/
>> <https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-integrity/>
>> >
>> >
>> >
>> > ----------------------------------------------------------------------
>> > COMMENT:
>> > ----------------------------------------------------------------------
>> >
>> >
>> > (1) Given the required behavior specified in the Security
Considerations
>> > section...
>> >
>> > NSH data are exposed to several threats:
>> >
>> > o A man-in-the-middle attacker modifying the NSH data.
>> >
>> > o Attacker spoofing the NSH data.
>> >
>> > o Attacker capturing and replaying the NSH data.
>> >
>> > o Data carried in Context Headers revealing privacy-sensitive
>> > information to attackers.
>> >
>> > o Attacker replacing the packet on which the NSH is imposed with a
>> > bogus packet.
>> >
>> > In an SFC-enabled domain where the above attacks are possible, (1)
>> > NSH data MUST be integrity-protected and replay-protected, and (2)
>> > privacy-sensitive NSH metadata MUST be encrypted for confidentiality
>> > preservation purposes. The Base and Service Path headers are not
>> > encrypted.
>> >
>> > Why doesn't this document formally update rfc8300? Concerns that
eventually
>> > led to this solution have been expressed for several other documents,
including
>> > rfc8459 and rfc8979.
>> >
>> > It looks like the WG didn't consider the question of Updating the base
NSH
>> > specification. I believe that this document specifies a required
update to
>> > NSH, and would like the WG to consider formally Updating rfc8300. [My
search
>> > of the archive didn't find any related discussion -- did I miss it?]
>> >
>> > [Even though I consider this omission a serious oversight, I don't
think this
>> > issue raises to the level of a DISCUSS.]
>> >
>> > (2) §3: I find the use of normative language to describe requirements
(that are
>> > met in this same document) not the best use of rfc2119 language
because any
>> > interoperability concerns would result from the specification itself
and not
>> > the requirements.
>> >
>> > The use of rfc2119 keywords to describe requirements may result in
confusion.
>> > For example, "The solution MAY provide integrity protection for the
Base
>> > Header." -- as described later, protecting the Base Header is
optional, but the
>> > solution *does* provide integrity protection for it. IOW, the
specification is
>> > what is reflected in the requirement, but referring to the solution,
not the
>> > protection: providing integrity protection is not optional, using it
is. A
>> > better working would be: "The solution must provide optional integrity
>> > protection for the Base Header."
>> >
>> >
>> >
>> > _______________________________________________
>> > sfc mailing list
>> > sfc@ietf.org <mailto:sfc@ietf.org>
>> > https://www.ietf.org/mailman/listinfo/sfc
>> <https://www.ietf.org/mailman/listinfo/sfc>
>> >
>
> _______________________________________________
> sfc mailing list
> sfc@ietf.org
> https://www.ietf.org/mailman/listinfo/sfc
>

v2.23.0 | Report a Bug | By Email