IETF Logo Mail Archive

Re: [sfc] proof-of-transit: continue with both approaches, or choose one?

"Diego R. Lopez" <diego.r.lopez@telefonica.com> Thu, 20 December 2018 20:56 UTC

Return-Path: <diego.r.lopez@telefonica.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA2113121F for <sfc@ietfa.amsl.com>; Thu, 20 Dec 2018 12:56:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.065
X-Spam-Level:
X-Spam-Status: No, score=-2.065 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=telefonica.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sd0ZJ4aqhnUi for <sfc@ietfa.amsl.com>; Thu, 20 Dec 2018 12:55:55 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0718.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe02::718]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4793F131210 for <sfc@ietf.org>; Thu, 20 Dec 2018 12:55:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telefonica.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZpCcsRZ73Q4JMpCKzlg7oF5NUSKGEVI2DvqJ57UvRLo=; b=0Xh125vTElRjPUcfHSIC0bLue6a2utsxuC4ozLg/ILUozD/tpGyOFFyrWvpSDb9UxWxSLDwv2YbMM61C8ZBCFvEnRi7tu6J144lxywhIRA0qxk/TNVtfZ1UL1CSXCvre5GJA9D2ZIMwOqzhqhO1P5q42TQaQDt+f8a89tPw8fHY=
Received: from AM0PR0602MB3777.eurprd06.prod.outlook.com (52.133.36.138) by AM0PR0602MB3393.eurprd06.prod.outlook.com (52.133.48.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1446.17; Thu, 20 Dec 2018 20:55:50 +0000
Received: from AM0PR0602MB3777.eurprd06.prod.outlook.com ([fe80::5c78:1fd6:5dae:d6f2]) by AM0PR0602MB3777.eurprd06.prod.outlook.com ([fe80::5c78:1fd6:5dae:d6f2%3]) with mapi id 15.20.1446.020; Thu, 20 Dec 2018 20:55:50 +0000
From: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
To: "adrian@olddog.co.uk" <adrian@olddog.co.uk>, "'Joel M. Halpern'" <jmh@joelhalpern.com>, "'Frank Brockners (fbrockne)'" <fbrockne@cisco.com>, "sfc@ietf.org" <sfc@ietf.org>
Thread-Topic: [sfc] proof-of-transit: continue with both approaches, or choose one?
Thread-Index: AdSUr4tJY6f8O8P3RGmbsA+imZnrVwA0b3KAAMT4MQAABmbUAA==
Date: Thu, 20 Dec 2018 20:55:50 +0000
Message-ID: <E53ED53A-C42D-45A9-AD23-B72308C2583D@telefonica.com>
References: <210af706ed8d4b73aa8c77a24777d622@XCH-RCD-008.cisco.com> <ef644b4b-afae-c5ea-da33-20ed63365988@joelhalpern.com> <001601d49895$2a908390$7fb18ab0$@olddog.co.uk>
In-Reply-To: <001601d49895$2a908390$7fb18ab0$@olddog.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.5.181209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=diego.r.lopez@telefonica.com;
x-originating-ip: [88.6.225.123]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM0PR0602MB3393; 6:cJlhiUawz50+JZEKxRIroiXaUlYb3k1yfYwStNjeO72/imGSY37QJy2EoLeOtbGUcLTCtZhdP28GLpy4sF7pZxfXQfEJaPzVXgR+R3VB76nLWhhqJ1smXaNxhnkF+m8IVHer12ibDUXFyB7Nxgwy1LJr5UJcEmuSOQ2ZT6iz+sxsWglIkPN76q5FTKfAAHXg0QEFHHgPN40fo0rQETFAR54Krjh96VXn3m0zIJk6B/DmBjkS2V6bLTPB0zmAAxFgkfZK5ytnbR9GzaNUjnlfJSKZPzNJ2s+bT80UBk6yluMaBxhfOFa3Q+MU1zYxtLw8Cepe6BGuiBlMb6KAoTY/LsYkjItlciEZ6cdDtCc/62BZPnENLxH9pP32IsUZGCuISTolS4tEcTXvL0PbMb+j2s1UHuy8A7vZO1q/IOeY+JymWX6FV1S6h/DFdea857fs2NyG6iMlt0H8+8jEQep9Xg==; 5:fFOIQR3dyc62pd0+pTsFagkC7F1VDP93jFO2hnOzwp5TQPOaN+sK3dqOTfezUYjsszt6Taf7i7zuBIre/kHVMqWB350gqZ9HlUlBoUETp3zQASjDgDhBEtlfl+mQ56cF595MlwSEeeyNYFKda6xHw/eVTxV+9ivrK0PYhmiGXLM=; 7:yIFNXKNm6EprOutIBsTl5AVVStoJL87iVmTaOlgc1MdOs3X/2/Alyhyf9S2KmxcurWmYMvoJwCi/w87UrNLI9GpRPCHiGn764Hj62fKcLx1u1C508zP1eZVxmQ1K1whklWBw0DEByRK/OvuSOWMYAw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 824db81b-8c0d-4208-8da4-08d666bd8622
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:AM0PR0602MB3393;
x-ms-traffictypediagnostic: AM0PR0602MB3393:
x-microsoft-antispam-prvs: <AM0PR0602MB33932FEAE42222B7A53D9FF3DFBF0@AM0PR0602MB3393.eurprd06.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(999002)(5005026)(6040522)(2401047)(8121501046)(3002001)(10201501046)(93006095)(93001095)(3231475)(944501520)(52105112)(6055026)(149066)(150057)(6041310)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(20161123558120)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:AM0PR0602MB3393; BCL:0; PCL:0; RULEID:; SRVR:AM0PR0602MB3393;
x-forefront-prvs: 0892FA9A88
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39860400002)(376002)(136003)(366004)(396003)(13464003)(40134004)(189003)(199004)(53936002)(186003)(446003)(6486002)(6436002)(486006)(3846002)(6116002)(97736004)(8936002)(83716004)(102836004)(2616005)(476003)(71200400001)(11346002)(5660300001)(26005)(2501003)(71190400001)(58126008)(82746002)(2906002)(110136005)(256004)(33656002)(14454004)(76176011)(6506007)(14444005)(25786009)(53546011)(45080400002)(86362001)(81166006)(7736002)(229853002)(305945005)(36756003)(6246003)(105586002)(106356001)(66066001)(66574012)(6512007)(6306002)(786003)(68736007)(81156014)(316002)(966005)(99286004)(478600001)(8676002); DIR:OUT; SFP:1102; SCL:1; SRVR:AM0PR0602MB3393; H:AM0PR0602MB3777.eurprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: N138LrBxQGgFamWoMk6l02hzcIokR0vMm17c4CxcXlTXk0Fna8URt9c9h+mVj858gMlTrb2awCMmPD/WVdRDC6tbGzR8xIpTybB54pCA2ZVri7GEA4bHdHYQqXBOCfB2FndX02v9BgKZ5KERi60mfiqJ8JvD/zxiQtXRCWeCX0saAFE265ngTEkUE76N+7e3gSRNAXNHkPakQ92Dh7xSKTRqinUhWsZ6DfYrpj8WW77IgcQ2XqnagqKUHn74tZCJw+eZwIZVkYB7dPA9fVwc/Jjf/sQyab4cOitr7EMYYY34Yd8qtu6jsuGv0QqJdc6+
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <52D69A3530CD234F87072CAC5A1D25E5@eurprd06.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 824db81b-8c0d-4208-8da4-08d666bd8622
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Dec 2018 20:55:50.3673 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR0602MB3393
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/eMiEmUJun7n3tspKR-xaICTS11g>
Subject: Re: [sfc] proof-of-transit: continue with both approaches, or choose one?
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2018 20:56:00 -0000

Hi,

I agree with Stephen and Joel. In fact, finding a "happier" solution for OPOT was what moved us to explore the ideas introduced in Montreal.

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
https://www.linkedin.com/in/dr2lopez/

e-mail: diego.r.lopez@telefonica.com
Tel:         +34 913 129 041
Mobile:  +34 682 051 091
----------------------------------

On 20/12/2018, 19:52, "sfc on behalf of Adrian Farrel" <sfc-bounces@ietf.org on behalf of adrian@olddog.co.uk> wrote:

    I think I agree with Joel on this point.

    The nested encryption approach really did smell a bit :-) It was functional,
    but a rather sad solution.

    Since the 4S approach can now meet the requirement (that is quite important
    in security applications of SFC) to show ordered proof of transit, I should
    think the decision easy.

    Cheers,
    Adrian

    -----Original Message-----
    From: sfc <sfc-bounces@ietf.org> On Behalf Of Joel M. Halpern
    Sent: 16 December 2018 20:53
    To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; sfc@ietf.org
    Subject: Re: [sfc] proof-of-transit: continue with both approaches, or
    choose one?

    <no hats>
    Personally, the argument for just using SSSS, given that it now can
    provide ordered verification, seems quite persuasive to me.
    Yours,
    Joel
    <hat floating back on slowly>

    On 12/15/18 3:19 PM, Frank Brockners (fbrockne) wrote:
    > During the SFC WG at IETF 103 in Bangkok we raised the question, whether
    > we could simplify the draft and choose a single algorithm for
    > proof-of-transit only (see also
    > https://datatracker.ietf.org/meeting/103/materials/minutes-103-sfc-01).
    > Given that we could not come to a conclusion, we decided to take the
    > discussion to the list.
    >
    > Background:
    >
    > draft-ietf-sfc-proof-of-transit-01 describes two different approaches:
    > "nested encryption" and "Shamir's secret sharing scheme (SSSS)".. We
    > documented both approaches in the initial version of the draft, because
    > the two approaches had different qualities: While SSSS was
    > computationally cheaper (each node only needs to perform two additions,
    > a multiplication and a modulo-division), nested-encryption allowed to
    > verify that packets traversed a set of nodes in a particular order
    > ("ordered POT - OPOT") - something that the SSSS-approach in the initial
    > version of the draft did not offer. With the changes discussed in IETF
    > 102 and now documented in draft-ietf-sfc-proof-of-transit-01, both
    > approaches offer order preservation.
    >
    > In summary, we can now observe the following qualities of the two
    > approaches:
    >
    >   * SSSS: Allows verification that a given set of nodes has been
    >     traversed in a specific order (POT and OPOT). SSSS without order
    >     preservation requires 2 additions, 1 multiplication, 1 division per
    >     node participating in POT. Order preservation on top of that
    >     requires an additional XOR (or similar).
    >   * Nested-encryption: Allows verification that a given set of nodes has
    >     been traversed in a specific order (POT and OPOT). The computational
    >     effort of nested encryption depends on the crypto algorithm chosen
    >     and typically higher than SSSS, i.e.. it requires/benefits from
    >     hardware with specific capabilities (e.g. AES-NI).
    >
    > Question:
    >
    > Given that both approaches both solve the problem of POT and ordered
    > POT, should we consider simplifying the draft and describe only a single
    > approach? If so, which approach should we choose?
    >
    > I.e. when taking the computational effort into account and the fact that
    > options increase the burden for any implementor, we could decide to only
    > describe the SSSS approach in the draft.
    >
    > Thoughts? Opinions?
    >
    > Many thanks, Frank
    >
    >
    >
    > _______________________________________________
    > sfc mailing list
    > sfc@ietf.org
    > https://www.ietf.org/mailman/listinfo/sfc
    >

    _______________________________________________
    sfc mailing list
    sfc@ietf.org
    https://www.ietf.org/mailman/listinfo/sfc

    _______________________________________________
    sfc mailing list
    sfc@ietf.org
    https://www.ietf.org/mailman/listinfo/sfc



________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

v2.23.0 | Report a Bug | By Email