Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes

tirumal reddy <kondtir@gmail.com> Mon, 08 August 2022 06:08 UTC

References: <DM8PR14MB52376D8E7F6F414563238A18839F9@DM8PR14MB5237.namprd14.prod.outlook.com> <CAFpG3gciz2h+wTCnWy0Uazn+CLSKhWaCRnk6tNtptZriVtvseA@mail.gmail.com> <E1C193C7-F876-4F18-8AD8-8548F4BFA983@vigilsec.com>
In-Reply-To: <E1C193C7-F876-4F18-8AD8-8548F4BFA983@vigilsec.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 08 Aug 2022 11:37:58 +0530
Message-ID: <CAFpG3geF2jxoMZfeXO9hLM+9z6Ovsn59eBhYYmEez7A=AfF4eA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/iG-3vxbp2pALFqySr_YLHkfRr8w>
Subject: Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes

On Fri, 5 Aug 2022 at 18:35, Russ Housley <housley@vigilsec.com> wrote:

> Tiru:
>
> Thanks for the review.
>
> 1. Yes, this is a good topic to expand the Security Considerations.
>
> 2. This seems pretty obvious to me, but I will think about a sentence or
> two for a more complete explanation.
>

Thanks. You may want to also discuss the privacy and security implications
of using NFType in the certificate extension for RBAC. For example: (1) if
TLS 1.2 is used by network functions, an attacker performing pervasive
monitoring can identify the NFTypes visible in the TLS handshake and can
potentially target a specific NFType (e.g., subject it to DDoS or launch a
targeted attack); (2) misuse of NFType to gain additional privileges, and
what are the potential remediation techniques?


>
> 3. The goal is to meet the needs of 5G Network Functions.  I am not sure
> that it would apply to other environments without adding complexity.  I
> would not want to add that complexity without someone offering a use case.
>

Okay.

-Tiru


>
> Russ
>
>
> On Aug 5, 2022, at 3:31 AM, tirumal reddy <kondtir@gmail.com> wrote:
>
> It looks like a straightforward proposal but I have the following
> comments on the draft:
>
> 1. It seems any NF can claim any NFType. If NFType is used for role based
> access control, the threat model needs to be discussed to identify
> potential misuse.
> 2. You may want to elaborate on how the NFType is used for role-based
> access control.
> 3. Network Functions are possibly applicable in other deployments as well
> and not specific to 3GPP. Any specific reason to restrict the scope to 5G?
>
> Cheers,
> -Tiru
>
> On Thu, 4 Aug 2022 at 21:22, Tim Hollebeek <tim.hollebeek=
> 40digicert.com@dmarc.ietf.org> wrote:
>
>> At the LAMPS meeting at IETF 114, Sean and Russ presented the following
>> draft: https://datatracker.ietf.org/doc/draft-housley-lamps-3g-nftypes/
>>
>>
>>
>> Should the LAMPS WG adopt “X.509 Certificate Extension for 5G Network
>> Function Types” in draft-housley-lamps-3g-nftypes?
>>
>>
>>
>> Please reply to this message by Monday, 22 August 2022 to voice your
>> support or opposition to adoption.
>>
>>
>>
>> On behalf of the LAMPS WG Chairs,
>>
>>
>>
>> -Tim
>>
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>>
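The "any NF can claim any NFType" concern in Tiru's first comment and the RBAC misuse point in his reply both come down to where the relying party obtains the NFType from and what it verifies before acting on it. The following is an added example, not code from the draft, its authors or the LAMPS WG: a strict DER encoder/decoder for the NFTypes extension value and a fail-closed RBAC gate that honours an NFType only when it comes from a certificate whose issuer is both trusted and permitted to vouch for that role. The ASN.1 (SEQUENCE SIZE (1..MAX) OF IA5String (SIZE (1..32))) is assumed here and should be checked against the draft revision under discussion; the service names, issuer names and policy tables are constructed for illustration and are not 3GPP's.

```python
"""NFTypes extension value: strict DER encode/decode plus a fail-closed RBAC gate.
Added example, not code from the draft or the LAMPS WG. ASN.1 assumed:
    NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType
    NFType  ::= IA5String (SIZE (1..32))
Service names, issuer names and policy tables are constructed for illustration."""
from __future__ import annotations

TAG_SEQUENCE, TAG_IA5STRING, MAX_NFTYPE_LEN = 0x30, 0x16, 32

def _der_len(n: int) -> bytes:
    """DER definite length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_nftypes(nftypes: list[str]) -> bytes:
    """DER-encode an NFTypes value, enforcing the size constraints up front."""
    if not nftypes:
        raise ValueError("NFTypes must contain at least one NFType")
    out = b""
    for t in nftypes:
        if not 1 <= len(t) <= MAX_NFTYPE_LEN:
            raise ValueError(f"NFType length out of range: {t!r}")
        raw = t.encode("ascii")  # IA5String is 7-bit; non-ASCII raises here
        out += bytes([TAG_IA5STRING]) + _der_len(len(raw)) + raw
    return bytes([TAG_SEQUENCE]) + _der_len(len(out)) + out

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos -> (tag, value, next_pos); reject indefinite or
    non-minimal lengths so no two parsers can disagree on where a value ends."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_nftypes(der: bytes) -> list[str]:
    """Strictly decode an NFTypes value; every constraint violation is an error."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    types, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != TAG_IA5STRING or not 1 <= len(val) <= MAX_NFTYPE_LEN:
            raise ValueError("element is not an IA5String of 1..32 bytes")
        if any(b > 0x7F for b in val):
            raise ValueError("non-IA5 byte in NFType")
        types.append(val.decode("ascii"))
    if not types:
        raise ValueError("NFTypes must contain at least one NFType")
    return types

def is_malformed(der: bytes) -> bool:
    """True if a relying party must reject this extension value."""
    try:
        decode_nftypes(der)
        return False
    except ValueError:
        return True

# Constructed policy: which NFType may invoke which service operation.
SERVICE_POLICY = {
    "Nudm_SDM_Get": {"AMF", "SMF"},
    "Nudm_UECM_Registration": {"AMF"},
    "Nnrf_NFDiscovery": {"AMF", "SMF", "UDM", "PCF"},
}
# Constructed: the NFTypes each trusted issuer is permitted to vouch for.
# Without such a scope, any CA in the trust store could mint any role.
ISSUER_NFTYPE_SCOPE = {"CN=Operator NF CA": {"AMF", "SMF", "UDM", "PCF"}}

def authorize(issuer_dn: str, nftypes_der: bytes, service: str) -> bool:
    """RBAC decision on a peer certificate's NFTypes extension.
    issuer_dn must come from a certificate path already validated to a trusted
    anchor: an NFType is a role claim the CA vouches for, not a self-assertion."""
    scope = ISSUER_NFTYPE_SCOPE.get(issuer_dn)
    if scope is None:
        return False  # unknown or untrusted issuer: the claim carries no authority
    try:
        claimed = set(decode_nftypes(nftypes_der))
    except ValueError:
        return False  # malformed extension: fail closed, never default to a role
    if not claimed <= scope:
        return False  # CA asserted a role it is not permitted to certify
    return bool(claimed & SERVICE_POLICY.get(service, set()))
```

Usage: encode_nftypes(["AMF"]) yields the DER bytes 30 05 16 03 41 4d 46; authorize("CN=Operator NF CA", that value, "Nudm_UECM_Registration") returns True, while the same extension presented under an issuer that is not in ISSUER_NFTYPE_SCOPE returns False. The two design choices worth carrying into the Security Considerations are that the decoder fails closed on any constraint violation rather than defaulting to a role, and that the CA's right to assert a given NFType is itself policy, so a compromised or mis-scoped CA cannot promote an NF to a role it was never meant to hold.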