IETF Logo Mail Archive

Re: [sfc] John Scudder's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)

John Scudder <jgs@juniper.net> Thu, 15 July 2021 16:07 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A5D3A095E; Thu, 15 Jul 2021 09:07:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.251
X-Spam-Level:
X-Spam-Status: No, score=-3.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=pgxKMUG+; dkim=pass (1024-bit key) header.d=juniper.net header.b=DpWRCkOL
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXPpQ2gc2ynG; Thu, 15 Jul 2021 09:07:00 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A40FC3A0C4C; Thu, 15 Jul 2021 09:06:59 -0700 (PDT)
Received: from pps.filterd (m0108163.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16FFov53032121; Thu, 15 Jul 2021 09:06:57 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=jkxICD7ZP2J8cxEpSGEgZ7zq4ik22ytCuabRTpAl+eg=; b=pgxKMUG+Xdck0gr9EtNSpSyDMQ03QDazUEz+IDDOFn7TXz75RiQv+nNLNbUhob7CkjV2 PJLnnHPxyHnWebqMnp5sbCF78tY5sGdz3/vGnmjkiRkjBJag7gjygr8CGNSd0ALIbQJE IAKPlzaPAH+HjPtt6XugPQADlhT6rYevHo60A/xNGZzyNPmAFaieXPtNNtfv+bNvKquC ODduC8Bpm6M0c4uhGVJjaaK+JccY1r0TxswO7rLI/WKA3pIMq7QySqFZUIcpqbZ88H3O RFfvfh5UZ3SP/UC9GJgLcuWS0/niNs5Dw4Qnu73f8xfZw6c+qNjhvO3l3EF+XKeQIQAK 2A==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2176.outbound.protection.outlook.com [104.47.56.176]) by mx0b-00273201.pphosted.com with ESMTP id 39tr0w014u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 15 Jul 2021 09:06:57 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CwdcxNDuit3QITRYPq7wHlOP4MtdV7RLsq1RZH/gYqXHWbVpaL/vhqRrAOpaUsauDtPkziH7bymmREdFrpE/ISOlVdO8eHlLBJyyjv6SOL7aJxZPLTVSQpDHdKnW7vub/fh5nVtConoY2zFxsn82pOXCdDu7z7QlI48gOvwEW/XGfI/d4QlfBi3OgL6TAo6RgYjbCfrkP3q1fGJn12ApNk0OBSfbBtqfcPO+EUEdQtx8x9D7FbcBiU3SEwg2FsTH9tLP91A1WyR8Lx5oW/S2fL7aa0CPLo1F193uW7zGTF3r8ojcSmPYTtCHZcUsf2g02JCluWI0DBtYR0uwW4M7Hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jkxICD7ZP2J8cxEpSGEgZ7zq4ik22ytCuabRTpAl+eg=; b=Q2gOSqNwXSqsP3J8hL1UUTTXL1qC839AMKABptUiTbfONbID6JYcD/0megpLaVtoJzMoBUD4nX6veK+UMqS0uAZp3x5YNUciVljXSInQSCsHE56IS7oB7ecCDMRH5VEx4YdRfmtXVv5iE/u1fKw5myzgISSrVPOxCnTUNWlVL8rm+5ufj3vFoqtmfeesFwf7S5orKWZv0S6PvEHgRmw+8dWuWAlJhy8XGr5kYDEolG2e72F9SyiNtmRNZKUfmy38rlb7gRpvfMpT2RfQGE7Vkd8bzjosvez9JnjfG51NMySFO09CmHp2xs65+eE9kVe2TwjcjluwsU3lyWO4syRWTQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jkxICD7ZP2J8cxEpSGEgZ7zq4ik22ytCuabRTpAl+eg=; b=DpWRCkOLuYHR6WQbT7oP/1ZskC8YYcWaVY87HvCt1Z45PjBsZvP0vhtCRAQdV8+97hRQuHLCmE/piRMNn6XuKU/ViBwdJvfFzgapQ+bI4MJ414iPWyCwBYtAKC2K5KjY6u2BVERu/Xyz20EQZNRnOedaaJYg8ZT1vHtavBjowSM=
Received: from MN2PR05MB6109.namprd05.prod.outlook.com (2603:10b6:208:c4::20) by BL0PR05MB7186.namprd05.prod.outlook.com (2603:10b6:208:1ca::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4352.8; Thu, 15 Jul 2021 16:06:55 +0000
Received: from MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::e40e:672f:e689:cd0c]) by MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::e40e:672f:e689:cd0c%7]) with mapi id 15.20.4331.022; Thu, 15 Jul 2021 16:06:55 +0000
From: John Scudder <jgs@juniper.net>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: The IESG <iesg@ietf.org>, "gregimirsky@gmail.com" <gregimirsky@gmail.com>, "draft-ietf-sfc-nsh-integrity@ietf.org" <draft-ietf-sfc-nsh-integrity@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>
Thread-Topic: [sfc] John Scudder's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
Thread-Index: AQHXeQY6zKUu9wrRqk2rKi8P49lscKtDfi0AgAC2ogA=
Date: Thu, 15 Jul 2021 16:06:55 +0000
Message-ID: <4646DA07-E18B-49C9-891C-116F05EF71E8@juniper.net>
References: <162630455957.5451.359442420121368370@ietfa.amsl.com> <32352_1626325998_60EFC3EE_32352_250_1_787AE7BB302AE849A7480A190F8B9330353BF458@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <32352_1626325998_60EFC3EE_32352_250_1_787AE7BB302AE849A7480A190F8B9330353BF458@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.100.0.2.22)
authentication-results: orange.com; dkim=none (message not signed) header.d=none;orange.com; dmarc=none action=none header.from=juniper.net;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 05adf82b-8074-4463-c396-08d947aa9125
x-ms-traffictypediagnostic: BL0PR05MB7186:
x-microsoft-antispam-prvs: <BL0PR05MB7186FBD833A7BE6079E23667AA129@BL0PR05MB7186.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RFgk7oEVlcFvwtAW9GyP+Enlu6xg0v8EDThJXF6s0fxUXP+W5JUc97SzCZUXVFCPafOcChp63YBaqk2KknpJoKJA0PlJCJ22uL+R7IjdqX+EdJMPfewE1GJIUwRfFNeEwdGyYVIxFCeg+xQ1z7P9oF+KQFGST6eY4SzJVeVkxBsO1VRchwZSodxmW+it0H04wIq1GckRyj7sqaAHF45+olZ9IWTeRqHbaLbMDTggOSpaSHqXsL+kFDTFAut/O5W7mh8NDQ2/vJ3RkDt/KhfYNO07Dg3puUN1DKY5c0A3xNLtHT2N+tpslB82Xe8cvN7/hprivsIrO7Lji99Nq9maWRahOba3hMNtZ7FyyKKUbznNsFVS5mnj+fQxMUcnrGOF9FRG0V+zK+hvsgsjix29alasiNJl75KOtFLzk7eJuknAXWtxWIN+m3CD7/ogJpyH/hGCqKiQULNcav3JpRIW1YEXobo+7j6Ikx07xBFABn49o3XX1qmQQN/9FLTCIH52V/OwGrI2vn7aEnyIeXWpfJQB0GPq1RDUF26VrFisGJznhOKvxLLtBKfSFHSa5nTbqYcPxGAONgh1Lb8iKuVO7eEo5sQP25mB5nGNxucEFZHElNHZviajPBRNIMoPMGxMjQmcYviledx88TsDbQupDmplEeHSfYK8ZFl3W3HGxl+coeaWraVFhBalQQ0IejcGT8Jc/Hnr99pXaI2NEHRmFvMwaYtf4JTdu+9kxAcyM1enoa1zJH4Gdlrsgj4Y+0muHqUZwTXGB00Jw2qm5Z1tTnnVJFyBzGtPzvbQAQGoBtSBlc6lTLUg8FdoOK9WltMSpxK1hN3uokC1Wpuw1MO352qk6kw0owHrsrIcf6T92hE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR05MB6109.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(39860400002)(346002)(136003)(396003)(376002)(6486002)(8676002)(8936002)(316002)(4326008)(86362001)(5660300002)(38100700002)(91956017)(966005)(2616005)(6512007)(54906003)(122000001)(6506007)(6916009)(33656002)(66476007)(64756008)(186003)(2906002)(83380400001)(478600001)(71200400001)(36756003)(66946007)(26005)(53546011)(76116006)(66556008)(66446008)(38070700004)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: WGuuIAMePv8NDedS1q77wsPurQ+7H5NaSzPxCfjBWhQtqbOAmUFjxGewzf1LejWLUlfGLBFE4CHo5stUghpOuZwrz/MfZ9cHKn4bnBQuBEQwvu7N8jE2owujzVDCEry4K60eaG6uma+yzYdHtHNyxpjLBGUMpl1q502lFdLVGrbb4/5Syj/sXxK3uj7BeLMtyGFcNGGlN0CLGa1FEjXodYHDzv5cD/BhcL20/kTSR0SC62whkIEXklhDCteWfCfrbrDUhvkQkh09hAXeCSwIEG5u6nUEwiXwltW+NrJB0bwF1aLjDj0db0ckKlabypUcQm+SuASiX2ri3C8/AHYukRBbb49So4gfax+0aLItB8kwYqzRiKl0o56VZNFv//rcbMhVc8mS2yivkekKxxAuKnnaSNgROQ07PJo0JJ09XGvLJ6ceWyMLJNMIynui8+F6leLTHKfRrVNeMuKi2wf6he6q+zeol9nMkmu8kb03uUH4B1geFDSoTMW5DUej6vfs3o3wblfYOTQ6UGMt8ghtbp5oV4r1XkvP9Y6PPk9EUUHbV/KUHego74ZX2jXDJ08XUGyVPmAZp9vEID3bL+YiqyqFvqhsOmCMvgPjGfM01tH0Ncj6Yrr4WxsLaXrCGhywKEvi5k/izGAC8gdvCGmG3artXV3pwho5xUNJvQU0GFyKdjIo5cx764Qoo1/YvFCAit7hfIlcn3SR8aC82hxL+e/7NW4w+RyXU3plPvmAUSO/AbqIQC8Z3xSjiiGcJgDr4cDfZ3ysWZOlIo0UEX1V2t4N4Sd43UfrcZqsn5GRCJTJpRzZg5v3eyRuYFoK1tMkjtUozDG+ayMwqhZCCYnEfpOkz6incNvGcuZMlUqxygir+ZKqSUG27AcJ1aPuJxlgKQOmYb8I6MY5RMTEFtSGJkXJJbQB4MGelj1yW2UF5ftXiRCwMpw0+uK30KGFS9tB+VFbj+cuN5qr1N5xb2FYa6wZIwUlnXPug1s11+Hoc/PLrQi2bZGTy6sfopfJasJuG9nGt09urGsZKiK0vPLd9K4QlDDxe+WW+ypcpCZnvc5kra9pq5CxDVfHH4ZZxVYGgW8yx8kML0Da2GAhaqPGo/3hCcE22bVTlmBSUgYMaWb9x0J0n18JNAF3k+i6yIWAVNQWB6hamCSy+tzNYb1MEsQcfw3lJUJr3eGX1OoE4plGXDjQ/FGWkUhYVuCycJseHanu7ZZ54BK8SqYK/+CWEaLIsp/S04qzEFbDmCegxN7mLurDd62pu7hKTQv3IasXg+OOiLNIMR3ufla0cPFYAeFn0v315HCvhO+O+nj0QzQO9DqDw/h6i+m+35l0Mq8F6xpAyEGys5CCRJIWuuld7w==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <FB51716C266AD14BBEA7D14BA8ADCED1@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR05MB6109.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 05adf82b-8074-4463-c396-08d947aa9125
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jul 2021 16:06:55.3330 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: i/E79zVhbCM5X8gyuJYiEi5P5k7gR3hZhRU7qHMoXJteWT6O4wi4Wi4/z7IhfieD
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR05MB7186
X-Proofpoint-GUID: OR_AW7h8s2eo2NW_5Ocddd8WsbxyZs3l
X-Proofpoint-ORIG-GUID: OR_AW7h8s2eo2NW_5Ocddd8WsbxyZs3l
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-15_10:2021-07-14, 2021-07-15 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 impostorscore=0 phishscore=0 mlxlogscore=999 spamscore=0 clxscore=1011 malwarescore=0 suspectscore=0 mlxscore=0 lowpriorityscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107150111
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/mgXCFAuOLe2VBquM1v2NiuDnc8I>
Subject: Re: [sfc] John Scudder's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 16:07:05 -0000

Hi Med,

A couple more comments inline below. 

> On Jul 15, 2021, at 1:13 AM, mohamed.boucadair@orange.com wrote:
> 
> [External Email. Be cautious of content]
> 
> 
> Hi John,
> 
> Thank you for the review.
> 
> Please see inline.
> 
> Cheers,
> Med
> 
>> -----Message d'origine-----
>> De : sfc [mailto:sfc-bounces@ietf.org] De la part de John Scudder
>> via Datatracker
>> Envoyé : jeudi 15 juillet 2021 01:16
>> À : The IESG <iesg@ietf.org>
>> Cc : gregimirsky@gmail.com; draft-ietf-sfc-nsh-integrity@ietf.org;
>> sfc-chairs@ietf.org; sfc@ietf.org
>> Objet : [sfc] John Scudder's No Objection on draft-ietf-sfc-nsh-
>> integrity-06: (with COMMENT)
>> 
>> John Scudder has entered the following ballot position for
>> draft-ietf-sfc-nsh-integrity-06: No Objection
>> 
>> When responding, please keep the subject line intact and reply to
>> all email addresses included in the To and CC lines. (Feel free to
>> cut this introductory paragraph, however.)
>> 
>> 
>> Please refer to https://urldefense.com/v3/__https://www.ietf.org/iesg/statement/discuss-__;!!NEt6yMaO-gk!Sh1wKLda1DQGznlanX_xiLmZjTH9iIAvF9LrQ5s_AWVJt39MDpVfCQKyWFOTMA$
>> criteria.html
>> for more information about DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-integrity/__;!!NEt6yMaO-gk!Sh1wKLda1DQGznlanX_xiLmZjTH9iIAvF9LrQ5s_AWVJt39MDpVfCQI4fak2Xw$
>> 
>> 
>> 
>> --------------------------------------------------------------------
>> --
>> COMMENT:
>> --------------------------------------------------------------------
>> --
>> 
>> 1. Section 4.2
>> 
>>   The authenticated encryption process takes as input four-octet
>>   strings: a secret key (K), a plaintext (P), Additional
>> Authenticated
>>   Data (A) (which contains the data to be authenticated, but not
>>   encrypted), and an Initialization Vector (IV).  The ciphertext
>> value
>>   (E) and the Authentication Tag value (T) are provided as outputs.
>> 
>> As written, this means that each of these quantities is a 32 bit
>> string, even P and A. I think you don’t mean that. If you mean each
>> quantity is a string of octets, then move the hyphen: “takes as
>> input four octet-strings“. (In the unlikely event you really do mean
>> each quantity is a string of four octets, then “… takes as input
>> four strings, each of four octets.”)
>> 
> 
> [Med] Good catch. Changed to "as input four octet strings:"

I suggest using the hyphen as in the earlier comment: “as input four octet-strings”. This makes it unambiguous that “four” modifies “octet strings” and not just “octet”, which is still slightly ambiguous in the non-hyphenated version. Possibly the RFC Editor will have comments too, of course. If you distinctly prefer the non-hyphenated version, it’s not a big deal though.

…

>> 3. Section 9.1
>> 
>> You use “should“ in several places. As written, it isn’t clear if
>> you’re indicating expectation, or requirement. After reading the
>> whole section, I think you’re indicating requirement. This seems
>> like a good place for use of the RFC 2119 style SHOULD keyword.
>> 
>> 
> 
> [Med] The normative language is not used because these are somehow covered by other normative text in the main document. See for example the statements about providing key materials to authorized entities and so on.

OK. In that case I think it would be beneficial to choose some other rewrite, to make it unambiguous that you mean something closer to “shall” and less like “will”. The problem is that “should” could mean either. For example,

OLD:
   No device other than the NSH-aware SFs in the SFC-enabled domain
   should be able to update the integrity protected NSH data.
   Similarly, no device other than the NSH-aware SFs and SFC proxies in
   the SFC-enabled domain should be able to decrypt and update the
   Context Headers carrying privacy-sensitive metadata.  In other words,
   if the NSH-aware SFs and SFC proxies in the SFC-enabled domain are
   considered fully trusted to act on the NSH data, only these elements
   can have access to privacy-sensitive NSH metadata and the keying
   material used to integrity protect NSH data and encrypt Context
   Headers.

NEW:
   It is expected that devices in the SFC-enabled domain will be configured
   such that no device other than the NSH-aware SFs in the domain
   will be able to update the integrity protected NSH data, and also
   such that no device other than the NSH-aware SFs and SFC proxies in
   the SFC-enabled domain will be able to decrypt and update the
   Context Headers carrying privacy-sensitive metadata.  In other words,
   if the NSH-aware SFs and SFC proxies in the SFC-enabled domain are
   considered fully trusted to act on the NSH data, only these elements
   can have access to privacy-sensitive NSH metadata and the keying
   material used to integrity protect NSH data and encrypt Context
   Headers.

I haven’t put a lot of thought into this proposal so consider it an example of what I’m talking about rather than a well-crafted replacement (although feel free to use it if you like). (If following this model, maybe after “it is expected” there would be one or more xrefs to the places where these requirements are stated normatively.)

Thanks,

—John

v2.23.0 | Report a Bug | By Email