Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-oam-packet-02: (with COMMENT)
mohamed.boucadair@orange.com Fri, 17 March 2023 08:39 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F307FC14CF15; Fri, 17 Mar 2023 01:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a7-kGKyc21W5; Fri, 17 Mar 2023 01:39:38 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.36]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8666CC151534; Fri, 17 Mar 2023 01:39:38 -0700 (PDT)
Received: from opfednr01.francetelecom.fr (unknown [xx.xx.xx.65]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr25.francetelecom.fr (ESMTP service) with ESMTPS id 4PdHcS4wmLzCrLM; Fri, 17 Mar 2023 09:39:36 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1679042376; bh=jtAoqzML5dQdonzQklZQkSngcc1mYMmQZQkpeceVP0o=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=Gg4N9MHD3kxGA+MXMxcIfUUQGji5pizAcWNxfgAUDSj7T1CO2taF37ZA+1bTMHf3w 0R9ebdR3eSwpdFxS2cnQiUWNxBEnRtkjXQ77nSwRIBjXnXudcu4PDxOIJNxb5t9DnA sYzNzHhLSrh54MY9M5ad+QyLoScGKwKcYJ5zC6bhNEuuzXlGkhBY8HS4KPWDD4+7E2 M5kHY/wFmvQIecCb3i91YtVFPt/KI/4Ld14EhiRxlX8BY73a1g1HWkmGjlgf/Bpgay HeXwkQh/dWiTvY3QWScFzrBHXT2i+BMThxlmtYXfoKBo1d0X3COwIOIkgT77bUKu6z Ssc3dubZ0kyzg==
From: mohamed.boucadair@orange.com
To: Alvaro Retana <aretana.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "draft-ietf-sfc-oam-packet@ietf.org" <draft-ietf-sfc-oam-packet@ietf.org>, "gregimirsky@gmail.com" <gregimirsky@gmail.com>, "sfc@ietf.org" <sfc@ietf.org>
Thread-Topic: Alvaro Retana's No Objection on draft-ietf-sfc-oam-packet-02: (with COMMENT)
Thread-Index: AQHZWCMX1YoZkN+ciEGuLDEfTeBqpK7+osmA
Content-Class:
Date: Fri, 17 Mar 2023 08:39:36 +0000
Message-ID: <19356_1679042376_64142748_19356_189_1_645e94efcfaf470999691744149af94a@orange.com>
References: <167881890203.59567.9590061889094198419@ietfa.amsl.com> <12715_1678868218_64117EFA_12715_99_1_87f4c5adbbf0469b95f096a4f0b98191@orange.com> <CAMMESsxgWDz_b6E-mxDdKUcRkR396iYR8sB0bfMic-x3U76bAw@mail.gmail.com>
In-Reply-To: <CAMMESsxgWDz_b6E-mxDdKUcRkR396iYR8sB0bfMic-x3U76bAw@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2023-03-17T08:22:02Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=7c42675c-0209-43b5-b12f-0da922e413ae; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.115.26.52]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/OsXumyxv2bDVMQ0SfNo0i9hu4J4>
Subject: Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-oam-packet-02: (with COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2023 08:39:43 -0000
Hi Alvaro, Apologies for not pointing explicitly to the specific parts from the threads I quoted. Anyway, your observation is a valid one. OAM data is not specific and should fall under the considerations set in RFC9145. However, please note that the "required" part you quoted is conditioned by "In an SFC-enabled domain where the above attacks are possible,". Specifically, depending on how OAM data is conveyed in the NSH and specifics of an SFC-enabled domain, the other protections in NSH may or may not be sufficient (e.g., transport security). SHOULD is there to cover cases where the alternate 8300 protection mechanisms are sufficient. Thank you. Cheers, Med > -----Message d'origine----- > De : Alvaro Retana <aretana.ietf@gmail.com> > Envoyé : jeudi 16 mars 2023 17:20 > À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; > The IESG <iesg@ietf.org> > Cc : sfc-chairs@ietf.org; draft-ietf-sfc-oam-packet@ietf.org; > gregimirsky@gmail.com; sfc@ietf.org > Objet : RE: Alvaro Retana's No Objection on draft-ietf-sfc-oam- > packet-02: (with COMMENT) > > On March 15, 2023 at 4:16:59 AM, mohamed.boucadair@orange.com > wrote: > > Med: > > Hi! > > I'm ok with your replies, but I do want to ask about #5 again: > > > ... > > > (5) From §5: "Any data included in an NSH OAM packet SHOULD be > > > integrity-protected [RFC9145]." > > > > > > Why is this action recommended and not required? > > > > [Med] I remember we discussed this point with you here: > > https://mailarchive.ietf.org/arch/msg/sfc/rPsqPUisDj3lILJk-CVF- > ejBrVg/ > > . Please see also > > https://mailarchive.ietf.org/arch/msg/sfc/yC- > 3dN6jvyxZNZY9EYz3XIUlJMs/ > > . The wording in the spec is consistent with the positions > expressed there. Thanks. > > I remember that discussion, but I'm asking something different -- > at least trying to. ;-) > > > Let me rephrase: > > The text from §9/rfc9145 (pasted below) requires integrity > protection when "NSH data is exposed to several threats". But the > text in this draft only recommends it. Are OAM packets not > exposed to the same threats? If they are, why wouldn't the same > requirement be applicable here? > > I don't see a difference between OAM packets and any other > packets, but I may be missing something. Even if the use of > rfc9145 is optional (as we discussed before), I would still like > to understand the difference in criteria. > > If those differences exist, it would help implementations when > considering when it may be ok to not use integrity protection. > > > Thanks! > > Alvaro. > > > > > ===== > > > NSH data is exposed to several threats: > > > > > > * An on-path attacker modifying the NSH data. > > > > > > * An attacker spoofing the NSH data. > > > > > > * An attacker capturing and replaying the NSH data. > > > > > > * Data carried in Context Headers revealing privacy-sensitive > > > information to attackers. > > > > > > * An attacker replacing the packet on which the NSH is imposed > with > > > a modified or bogus packet. > > > > > > In an SFC-enabled domain where the above attacks are possible, > > > (1) NSH data MUST be integrity protected and replay protected, > and > > > (2) privacy-sensitive NSH metadata MUST be encrypted for > > > confidentiality preservation purposes. The Base and Service > Path > > > Headers are not encrypted. > > > ===== _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [sfc] Alvaro Retana's No Objection on draft-ietf-… Alvaro Retana via Datatracker
- Re: [sfc] Alvaro Retana's No Objection on draft-i… mohamed.boucadair
- Re: [sfc] Alvaro Retana's No Objection on draft-i… Alvaro Retana
- Re: [sfc] Alvaro Retana's No Objection on draft-i… mohamed.boucadair