IETF Logo Mail Archive

Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)

Alvaro Retana <aretana.ietf@gmail.com> Mon, 12 July 2021 19:26 UTC

Return-Path: <aretana.ietf@gmail.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46F873A120C; Mon, 12 Jul 2021 12:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4NHJzXnFeXy; Mon, 12 Jul 2021 12:26:50 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B475B3A1209; Mon, 12 Jul 2021 12:26:49 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id gn32so36774114ejc.2; Mon, 12 Jul 2021 12:26:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc:content-transfer-encoding; bh=zrAMwT95S/c2NlGaye7etfqCe1STk9CxdulPvIaJzCk=; b=m1bmppqxwX8mIJUarxUkEwF8XBgsTH69iIrwkv+RxMqFxWZ5dvULKfvmtXWsIQgnVk W4CDJjWa1OFKgng5e9STKzy5/EfXjnbHsYzfPatLcD1t3OCopN9dBsjzCrNzAr8pZB41 dZI8yHuKMIYGQdy8/lHXpNK6qefX32dLmHPtnKLGq7a28wHMjpOrMgoLixPIFJcgAHDV 42d8hmZoj/CU0uI/6+ppg6yNNXE0uhaUmWffXJc3LuV3qhJV/cNoMFggapdG/SDI6N97 95DLVIWZgQ91As/aZatD9vw0yvMD0hRsqnPeTK97qTHq4dfcMkxBcFLcnsK8uMOam1B3 Urdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc:content-transfer-encoding; bh=zrAMwT95S/c2NlGaye7etfqCe1STk9CxdulPvIaJzCk=; b=aJb/NF0bYxGxbEj7Ojfv7lv85heOS0JWo3fiWqMq8bmXklxfk0U8fI3by5icfb6283 8cJWqtry+oIignCtkTrzT7mc+Fgl7MgBF/8r85YC4imHOZN2xO7ESff8RjK7z+0mzRFN d/5RaqaOP2XYMyNJW08bFCrYtbNohmfwBQ644guLGY7AtVY3iX7VK6TuyHKUoKlTcgI8 qiC+5ik96Tr0aTBlpRALjjlP70Ydxqy2ZQqoelhHqiDwAtYOIJRZWFR3ELaHLyOd7GmB XBh5y5KRm/f7thWjk1bMl8rdtvfyatzz28Q8sLmjT3kTytDon4+aydLuDBXv4I9x7oj8 TSWA==
X-Gm-Message-State: AOAM532YFy4dzRSjqxvewfv89unyAcDnhfU5sTjO0n3gb7li5CVYr+FY Z7IV0Yxu2vhput1c6S5GsU7+Lb2rkn5kmTXdEZI=
X-Google-Smtp-Source: ABdhPJxg7KsSoDYFGmL17d1ytgAXxoHTckh6j0Hwpm87XGkIDbdMylI2Ud7EvbIduCmjWLhJu867zY9uBdLEjAufh90=
X-Received: by 2002:a17:906:1cd5:: with SMTP id i21mr717232ejh.478.1626118006493; Mon, 12 Jul 2021 12:26:46 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Mon, 12 Jul 2021 12:26:45 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <23837_1626115941_60EC8F65_23837_478_1_787AE7BB302AE849A7480A190F8B9330353BD8C2@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <162611498183.7775.3562397379733537345@ietfa.amsl.com> <23837_1626115941_60EC8F65_23837_478_1_787AE7BB302AE849A7480A190F8B9330353BD8C2@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Date: Mon, 12 Jul 2021 12:26:45 -0700
Message-ID: <CAMMESsx0ARXu2gpDT0MDxWT8ZPCZ8p97mcS43usAvPz=79vbiA@mail.gmail.com>
To: mohamed.boucadair@orange.com, The IESG <iesg@ietf.org>
Cc: "draft-ietf-sfc-nsh-integrity@ietf.org" <draft-ietf-sfc-nsh-integrity@ietf.org>, "sfc-chairs@ietf.org" <sfc-chairs@ietf.org>, "gregimirsky@gmail.com" <gregimirsky@gmail.com>, "sfc@ietf.org" <sfc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/vOPYKZJbrVViPofOmANnIv4J89w>
Subject: Re: [sfc] Alvaro Retana's No Objection on draft-ietf-sfc-nsh-integrity-06: (with COMMENT)
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 19:26:56 -0000

On July 12, 2021 at 2:52:22 PM, mohamed.boucadair@orange.com wrote:


Med:

Hi!

...
> > (1) Given the required behavior specified in the Security
> > Considerations section...
> >
> > NSH data are exposed to several threats:
> >
> > o A man-in-the-middle attacker modifying the NSH data.
> >
> > o Attacker spoofing the NSH data.
> >
> > o Attacker capturing and replaying the NSH data.
> >
> > o Data carried in Context Headers revealing privacy-sensitive
> > information to attackers.
> >
> > o Attacker replacing the packet on which the NSH is imposed with a
> > bogus packet.
> >
> > In an SFC-enabled domain where the above attacks are possible, (1)
> > NSH data MUST be integrity-protected and replay-protected, and (2)
> > privacy-sensitive NSH metadata MUST be encrypted for confidentiality
> > preservation purposes. The Base and Service Path headers are not
> > encrypted.
> >
> > Why doesn't this document formally update rfc8300? Concerns that
> > eventually led to this solution have been expressed for several other
> > documents, including rfc8459 and rfc8979.
> >
> > It looks like the WG didn't consider the question of Updating the
> > base NSH specification. I believe that this document specifies a
> > required update to NSH, and would like the WG to consider formally
> > Updating rfc8300. [My search of the archive didn't find any related
> > discussion -- did I miss it?]
>
> [Med] We don't use the update header as we don't formally update any text
> in 8300.

Updating text is not the only reason to formally Update another specification.

This document requires the use of both integrity and encryption if
specific attacks are possible (text above).  It is reasonable to
interpret that as cases where the "operator deems protection is
required", which is the text that rfc8300 uses when it talks about the
need for integrity protection (similar text can also be found about
encryption).  IOW, the formal Update that I'm suggesting here is to
provide more insight into when integrity protection and encryption are
required, and the mechanism to use.


As I look into this further, I believe there is a normative
inconsistency between this document and rfc8300:

- rfc8300 requires the use of an encapsulating transport protocol that
can provide integrity protection and/or encryption, as needed.

- This document requires protection as specified in the text above.  A
stated goal of this specification is so that "the NSH does not have to
rely upon an underlying transport encapsulation for security and
confidentiality".

The outcome is that the requirements in rfc8300 would result in not
using this specification.


> I know that we can interpret the update as "amends", but unless I'm mistaken
> there is no formal IETF consensus on this.

True.

Without at least some text explaining the relationship between the
requirements in this document and how they may be considered instead
of the ones in rfc8300, I don't think this document is complete.  For
better or worse, the only tool we have right now to make that link
clear is the Updates tag.


Thanks!

Alvaro.

v2.23.0 | Report a Bug | By Email