[sfc] FW: TR: New Version Notification for draft-rebo-sfc-nsh-integrity-01.txt

<Dirk.von-Hugo@telekom.de> Tue, 05 November 2019 15:21 UTC

From: Dirk.von-Hugo@telekom.de
To: sfc@ietf.org
Date: Tue, 05 Nov 2019 15:19:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/tRVntJsGtxRipj08rYdQIdwpU_E>

Dear all,
regarding the draft by Med and Tiru I thankfully acknowledge that they have considered my (already announced) comments within a preliminary update of their draft - see below.
I am fine with all the changes.
Thanks!
Kind regards
Dirk


-----Original Message-----
From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> 
Sent: Tuesday, 5 November 2019 15:53
To: von Hugo, Dirk <Dirk.von-Hugo@telekom.de>; TirumaleswarReddy_Konda@McAfee.com
Cc: behcet.sarikaya@gmail.com
Subject: RE: [sfc] TR: New Version Notification for draft-rebo-sfc-nsh-integrity-01.txt

Hi Dirk, 

All good points. Thank you.

I implemented the changes to address these comments: 

https://github.com/boucadair/sfc-nsh-integrity/blob/master/draft-rebo-sfc-nsh-integrity-01.txt
diff: https://github.com/boucadair/sfc-nsh-integrity/commit/e2a088ca53976128a02c54696eb28ed35faa99db#diff-3457ce7d425fdeb9578acbd5b2e46793 

Can you forward this message to the sfc list?

Cheers,
Med

> -----Original Message-----
> From: Dirk.von-Hugo@telekom.de [mailto:Dirk.von-Hugo@telekom.de]
> Sent: Tuesday, 5 November 2019 15:07
> To: TirumaleswarReddy_Konda@McAfee.com; BOUCADAIR Mohamed TGI/OLN
> Cc: behcet.sarikaya@gmail.com
> Subject: RE: [sfc] TR: New Version Notification for draft-rebo-sfc-nsh-integrity-01.txt
> 
> Hi Tiru and Med
> Thanks again for your draft!
> As already promised I suggest in the next version to consider 
> following comments (mainly nits only ;-)):
> 
> p.2 (and following short headers):
> Intgerity Protection for NSH => Integrity Protection for NSH
> 
> p.4:
> SFP not defined - I suggest to change:
> within a service path. => within a service path or Service Function 
> Path (SFP).
> 
> p.7:
> not requrie to => not require to
> 
> p.9/10:
> Figures in sect. 6.1 and 6.2 have no caption
> 
> p.11:
> scope of this TLV is depicted in Figure 5. => scope of this TLV is 
> depicted in Figure 4.
> Figure 4: Scope of MAC# => Figure 4: Scope of MAC#1
> 
> p.13:
> SFC proxy that receive => SFC proxy that receives
> 
> p.15:
> that the Sequence Number that does not duplicate => that the Sequence Number does not duplicate
> is to be used . => is to be used.
> 
> p.16:
> explain on AES or ChaCha20 that these are popular Authentication 
> Encryption Security modes as proposed for TLS ?
> NSH data are exposed to from to four primary attacks => NSH data are 
> exposed to threats by one or more out of up to four primary attack 
> situations
> 
> p.17:
> AS such this is attack is not => As such this attack is not
> 
> p.19:
> KMS => KMS (Key Management Server/Service??)
> SFC-aware SFs do not share any credentials => In case an SFC domain
> stretches across multiple independent operators' administrative
> domains SFC-aware SFs do not share any credentials
> 
> I would question this sentence w/o extension in its generality - in 
> case an SFC domain is completely within an operator domain this would 
> be not true - at least I cannot imagine why a 3rd party should be included?
> 
> Thanks and
> Kind regards
> Dirk
> 
> 
> -----Original Message-----
> From: von Hugo, Dirk
> Sent: Tuesday, 5 November 2019 14:15
> To: Joel M. Halpern <jmh@joelhalpern.com>; sfc@ietf.org
> Cc: BOUCADAIR Mohamed OLNC/OLN (mohamed.boucadair@orange.com) 
> <mohamed.boucadair@orange.com>; Konda, Tirumaleswar Reddy
> (TirumaleswarReddy_Konda@McAfee.com) 
> <TirumaleswarReddy_Konda@McAfee.com>
> Subject: RE: [sfc] TR: New Version Notification for draft-rebo-sfc-nsh-integrity-01.txt
> 
> Hi all,
> I think this is very valuable work also from the point of view of future 
> flexible network deployments - and also will help to put other WG 
> drafts further where security, privacy, and integrity should definitely be provided.
> Thanks to Med and Tiru!
> So far I detect no missing issues, only some nits which I will point 
> out to the authors ...
> Please progress in Singapore!
> Kind regards
> Dirk
> 
> -----Original Message-----
> From: sfc <sfc-bounces@ietf.org> On Behalf Of Joel M. Halpern
> Sent: Monday, 4 November 2019 17:04
> To: sfc@ietf.org
> Subject: Re: [sfc] TR: New Version Notification for draft-rebo-sfc-nsh-integrity-01.txt
> 
> Thank you for your work on this Med and Tiru.
> Working Group, this is a topic we have in the charter, and explicitly 
> told the IESG we would work on.  Please review and comment on the 
> approach described here.
> 
> Thank you,
> Joel (as co-chair)
> 
> On 11/4/2019 10:56 AM, mohamed.boucadair@orange.com wrote:
> > Hi all,
> >
> > This new version integrates the comments we received offline. The main changes are:
> >
> > * Clarify why we don't encrypt the base and service path headers
> > * Clarify that all metadata is integrity protected
> > * Clarify that the Base header may (or not) be covered by integrity protection. Both schemes are discussed with trade-offs called out.
> > * Updated the solution overview to provide a big picture view.
> >
> > A detailed diff can be found at:
> > https://www.ietf.org/rfcdiff?url2=draft-rebo-sfc-nsh-integrity-01
> >
> > Please review and share your comments.
> >
> > Cheers,
> > Tiru & Med
> >
> >> -----Original Message-----
> >> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> >> Sent: Monday, 4 November 2019 16:46
> >> To: Reddy K; Tirumaleswar Reddy; BOUCADAIR Mohamed TGI/OLN
> >> Subject: New Version Notification for draft-rebo-sfc-nsh-integrity-01.txt
> >>
> >>
> >> A new version of I-D, draft-rebo-sfc-nsh-integrity-01.txt
> >> has been successfully submitted by Mohamed Boucadair and posted to 
> >> the IETF repository.
> >>
> >> Name:           draft-rebo-sfc-nsh-integrity
> >> Revision:       01
> >> Title:          Integrity Protection for Network Service Header (NSH) and Encryption of Sensitive Metadata
> >> Document date:  2019-11-04
> >> Group:          Individual Submission
> >> Pages:          21
> >> URL:            https://www.ietf.org/internet-drafts/draft-rebo-sfc-nsh-integrity-01.txt
> >> Status:         https://datatracker.ietf.org/doc/draft-rebo-sfc-nsh-integrity/
> >> Htmlized:       https://tools.ietf.org/html/draft-rebo-sfc-nsh-integrity-01
> >> Htmlized:       https://datatracker.ietf.org/doc/html/draft-rebo-sfc-nsh-integrity
> >> Diff:           https://www.ietf.org/rfcdiff?url2=draft-rebo-sfc-nsh-integrity-01
> >>
> >> Abstract:
> >>     This specification adds integrity protection and optional encryption
> >>     directly to Network Service Headers (NSH) used for Service Function
> >>     Chaining (SFC).
> >>
> >>
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of 
> >> submission until the htmlized version and diff are available at 
> >> tools.ietf.org.
> >>
> >> The IETF Secretariat
> >
> > _______________________________________________
> > sfc mailing list
> > sfc@ietf.org
> > https://www.ietf.org/mailman/listinfo/sfc
> >
> 