IETF Logo Mail Archive

Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)

"Joel M. Halpern" <jmh@joelhalpern.com> Mon, 12 July 2021 19:23 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 028893A1229; Mon, 12 Jul 2021 12:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4RIKnYn6Om24; Mon, 12 Jul 2021 12:23:28 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 350C53A11D1; Mon, 12 Jul 2021 12:23:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 4GNtwH6cHSz1ntHm; Mon, 12 Jul 2021 12:23:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1626117807; bh=WAoV8gKEeeXrsP4zs/ohZ/fiHHo3jfdwrzoJRl+N1vs=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=o+qUKS6YOCFlHoRTSVe/jjaa7t+gs90ksXQ3UvTmHEvdUGZrglf3Ln1AZK2I1kx1E ePwLkjstys1pFPDGfILEpl9/hMjzMpXVOM+O83suzuuJ5d+6hfbi5YbsdB/r45c+ji FyDRc9aWGjRmtnBDrjzt8yIZGqLjkAQv8Tynrqno=
X-Quarantine-ID: <t-1vJ9KXNVAo>
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [192.168.23.64] (50-233-136-230-static.hfc.comcastbusiness.net [50.233.136.230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 4GNtwH1BnXz1ntRq; Mon, 12 Jul 2021 12:23:27 -0700 (PDT)
To: Alvaro Retana <aretana.ietf@gmail.com>, The IESG <iesg@ietf.org>
Cc: gregimirsky@gmail.com, draft-ietf-sfc-nsh-integrity@ietf.org, sfc@ietf.org
References: <162611498183.7775.3562397379733537345@ietfa.amsl.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <f5961690-4496-7f85-74ca-f3705d5a1c2e@joelhalpern.com>
Date: Mon, 12 Jul 2021 15:23:25 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <162611498183.7775.3562397379733537345@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/rPsqPUisDj3lILJk-CVF-ejBrVg>
Subject: Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 19:23:34 -0000

I find your description of this as a "required update to 8300" rather 
odd.  The working group did not agree to make implementation of this 
mandatory for 8300.  That would, indeed, be an update to 8300.   This is 
just another feature that can be used with NSH.  A useful feature.

The security considerations do give lots of reasons to do this. But that 
is not the same as making it "required" for all implementations of 8300.

Yours,
Joel

On 7/12/2021 2:36 PM, Alvaro Retana via Datatracker wrote:
> Alvaro Retana has entered the following ballot position for
> draft-ietf-sfc-nsh-integrity-06: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-integrity/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> (1) Given the required behavior specified in the Security Considerations
> section...
> 
>     NSH data are exposed to several threats:
> 
>     o  A man-in-the-middle attacker modifying the NSH data.
> 
>     o  Attacker spoofing the NSH data.
> 
>     o  Attacker capturing and replaying the NSH data.
> 
>     o  Data carried in Context Headers revealing privacy-sensitive
>        information to attackers.
> 
>     o  Attacker replacing the packet on which the NSH is imposed with a
>        bogus packet.
> 
>     In an SFC-enabled domain where the above attacks are possible, (1)
>     NSH data MUST be integrity-protected and replay-protected, and (2)
>     privacy-sensitive NSH metadata MUST be encrypted for confidentiality
>     preservation purposes.  The Base and Service Path headers are not
>     encrypted.
> 
> Why doesn't this document formally update rfc8300?  Concerns that eventually
> led to this solution have been expressed for several other documents, including
> rfc8459 and rfc8979.
> 
> It looks like the WG didn't consider the question of Updating the base NSH
> specification.  I believe that this document specifies a required update to
> NSH, and would like the WG to consider formally Updating rfc8300.  [My search
> of the archive didn't find any related discussion -- did I miss it?]
> 
> [Even though I consider this omission a serious oversight, I don't think this
> issue raises to the level of a DISCUSS.]
> 
> (2) §3: I find the use of normative language to describe requirements (that are
> met in this same document) not the best use of rfc2119 language because any
> interoperability concerns would result from the specification itself and not
> the requirements.
> 
> The use of rfc2119 keywords to describe requirements may result in confusion.
> For example, "The solution MAY provide integrity protection for the Base
> Header." -- as described later, protecting the Base Header is optional, but the
> solution *does* provide integrity protection for it.  IOW, the specification is
> what is reflected in the requirement, but referring to the solution, not the
> protection: providing integrity protection is not optional, using it is.  A
> better working would be: "The solution must provide optional integrity
> protection for the Base Header."
> 
> 
> 
> _______________________________________________
> sfc mailing list
> sfc@ietf.org
> https://www.ietf.org/mailman/listinfo/sfc
>

v2.23.0 | Report a Bug | By Email