Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-serviceid-header-12: (with DISCUSS)
Benjamin Kaduk <kaduk@mit.edu> Tue, 03 November 2020 02:07 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96CEE3A133E; Mon, 2 Nov 2020 18:07:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RCNfxgkNa1V9; Mon, 2 Nov 2020 18:07:53 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AB533A133C; Mon, 2 Nov 2020 18:07:52 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0A327hLc010286 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 2 Nov 2020 21:07:48 -0500
Date: Mon, 02 Nov 2020 18:07:43 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: mohamed.boucadair@orange.com
Cc: The IESG <iesg@ietf.org>, "draft-ietf-sfc-serviceid-header@ietf.org" <draft-ietf-sfc-serviceid-header@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, Greg Mirsky <gregimirsky@gmail.com>
Message-ID: <20201103020743.GF39170@kduck.mit.edu>
References: <160410933541.16179.15193989217234885583@ietfa.amsl.com> <14200_1604303437_5F9FBA4D_14200_375_1_787AE7BB302AE849A7480A190F8B93303156D2E0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <14200_1604303437_5F9FBA4D_14200_375_1_787AE7BB302AE849A7480A190F8B93303156D2E0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/8UswAMMPh4yoShg63mRak5W2v0A>
Subject: Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-serviceid-header-12: (with DISCUSS)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 02:07:56 -0000
Hi Med, Thanks for helping out with the early start. On Mon, Nov 02, 2020 at 07:50:36AM +0000, mohamed.boucadair@orange.com wrote: > Hi Ben, > > This is a fair and a good point. > > FYI, we raised this point to the WG (see Slide 7 of https://www.ietf.org/proceedings/104/slides/slides-104-sfc-sfc-chair-slides-01). Because the issue is ** not specific ** to this spec, the WG decided to define a solution that will apply to any TLV carrying sensitive data (including encryption): draft-ietf-sfc-nsh-integrity. > > What about making this change: > > OLD: > A misbehaving node within from the SFC-enabled domain may alter the > content of Subscriber Identifier and Performance Policy Context > Headers which may lead to service disruption. Such attack is not > unique to the Context Headers defined in this document; measures > discussed in [RFC8300] are to be followed. > > NEW: > A misbehaving node within from the SFC-enabled domain may alter the > content of Subscriber Identifier and Performance Policy Context > Headers which may lead to service disruption. Such attack is not > unique to the Context Headers defined in this document; measures > discussed in [RFC8300] are to be followed. A mechanism for SFC integrity > is specified in [I-D.ietf-sfc-nsh-integrity]. I may well have to properly read the document to comment confidently, but I think this change is not along the axis I am most concerned about right now. (It is a find change to make, just not the change I was looking for here.) Specifically, it is talking about "how can I protect this information?" rather than "why might I need to protect this information?". I think that the statement in 8300 is saying that we ("would", at the time of 8300, but now "will") need to consider how (e.g.) the per-packet subscriber information would traverse through the SFP, what nodes would now have access to it (at a per-packet level) that did not previously, whether there are network links (yes, even within the trusted domain) that would now have access to the additional metadata, if there is other cleartext data or metadata in the payload that is now easily associated with the subscriber for social-engineering/blackmail/etc. attacks, etc. In short, the considerations that someone would have to think about in order to decide whether nsh-integrity will be needed for their deployment. Thanks, Ben > > -----Message d'origine----- > > De : Benjamin Kaduk via Datatracker [mailto:noreply@ietf.org] > > Envoyé : samedi 31 octobre 2020 02:56 > > À : The IESG <iesg@ietf.org> > > Cc : draft-ietf-sfc-serviceid-header@ietf.org; sfc-chairs@ietf.org; > > sfc@ietf.org; Greg Mirsky <gregimirsky@gmail.com>; > > gregimirsky@gmail.com > > Objet : Benjamin Kaduk's Discuss on draft-ietf-sfc-serviceid-header- > > 12: (with DISCUSS) > > > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-sfc-serviceid-header-12: Discuss > > > > When responding, please keep the subject line intact and reply to > > all email addresses included in the To and CC lines. (Feel free to > > cut this introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > > criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-sfc-serviceid-header/ > > > > > > > > -------------------------------------------------------------------- > > -- > > DISCUSS: > > -------------------------------------------------------------------- > > -- > > > > This is an "early warning" discuss ballot, entered before I have > > done a full review of the document. > > As such, it is possible that the stated concern may in fact be a > > non-issue after closer examination, but the potential import of the > > concern seems to make it worth starting the discussion sooner rather > > than later. > > > > This document defines (among other things) a mechanism for carrying > > subscriber information in an NSH. RFC 8300 (NSH) notes both that: > > > > Metadata privacy and > > security considerations are a matter for the documents that > > define > > metadata format. > > > > and that: > > > > One useful element of providing privacy protection for > > sensitive > > metadata is described under the "SFC Encapsulation" area of > > the > > Security Considerations of [RFC7665]. Operators can and > > should > > use indirect identification for metadata deemed to be > > sensitive > > (such as personally identifying information), significantly > > mitigating the risk of a privacy violation. In particular, > > subscriber-identifying information should be handled > > carefully, > > and, in general, SHOULD be obfuscated. > > > > On the other hand, this document in its security considerations > > claims that: > > > > Data plane SFC-related security considerations, including > > privacy, > > are discussed in [RFC7665] and [RFC8300]. > > > > and does not seem to incorporate any discussion of the privacy and > > security considerations of the subscriber information metadata > > carried by the new format it conveys. Yes, it does note that all > > nodes with access to the information are part of the same trusted > > domain, but I do not think that is sufficient, especially given that > > personally identifiable information is often subject to strict > > compliance regimes. > > > > In short, 8300 and this document are referring to each other for > > privacy considerations, and the actual privacy considerations do not > > seem to be documented in either place. > > > > Additionally, I did not see any indication of how the subscriber- > > identifying information ought to be obfuscated (or an explanation of > > why it is okay to violate the SHOULD from 8300). > > > > > > > > > > > _________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you. >
- [sfc] Benjamin Kaduk's Discuss on draft-ietf-sfc-… Benjamin Kaduk via Datatracker
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… mohamed.boucadair
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [sfc] Benjamin Kaduk's Discuss on draft-ietf-… mohamed.boucadair