IETF Logo Mail Archive

Re: [Spud] endpoint control

🔓Dan Wing <dwing@cisco.com> Thu, 30 June 2016 20:56 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 954EF12D0A5 for <spud@ietfa.amsl.com>; Thu, 30 Jun 2016 13:56:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.947
X-Spam-Level:
X-Spam-Status: No, score=-15.947 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yYbLYtMOqkah for <spud@ietfa.amsl.com>; Thu, 30 Jun 2016 13:56:13 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7BA312B017 for <spud@ietf.org>; Thu, 30 Jun 2016 13:56:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6872; q=dns/txt; s=iport; t=1467320172; x=1468529772; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=ZTj8ICL1CrgFrDWjg8i0+O2MANtyiwVvK7AFSOBaYWo=; b=F3Mlp0/a54RQZlaF6Z3Hf6RyK8w5hOs9n441WkKhU0ZC53pkbY0xcZhr koTzG+J/tVcaSJyuFwDPEJwwLRGZ1wkUPUQwspgxDkXHHYNunZbLcrLO1 eUwxvSrBqX58d3jDFj4G2J7jRBxKOVkSPtai12ME840PP6cNYRJMzj4LR A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BEBQBShnVX/4UNJK1bgz5WfblNgXwXDYVzAoE8OhIBAQEBAQEBZSeETAEBAQMBAQEBIARABwQHEAkCGAICJgICJzAGExuIDQgOlladHZAXAQEBAQEBAQEBAQEBAQEBAQEBAQEBFwWBAYUngXcIgk6EEgoHAQYWgwErgi8FiA+GZT6JWY5BCo8gkAUlCCeCDReBbBwyh30PF4EeAQEB
X-IronPort-AV: E=Sophos;i="5.26,553,1459814400"; d="scan'208";a="292237528"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Jun 2016 20:56:11 +0000
Received: from dhcp-10-155-84-125.cisco.com (dhcp-10-155-84-125.cisco.com [10.155.84.125]) (authenticated bits=0) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u5UKuA40009526 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 30 Jun 2016 20:56:11 GMT
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: 🔓Dan Wing <dwing@cisco.com>
In-Reply-To: <CALx6S366VKA1Cu68N9crOJg0YpJXBNHwoVS76TLQ1jCuS44SLw@mail.gmail.com>
Date: Thu, 30 Jun 2016 13:56:10 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E1C94FE5-B9B7-4959-A76D-6F0334263311@cisco.com>
References: <A4BAAB326B17CE40B45830B745F70F10EE37ACAE@VOEXM17W.internal.vodafone.com> <38EA0207-F18F-4AFC-B2CF-2FD7BA23281A@trammell.ch> <6B3B89C7-234E-4412-BD83-056A3C69483B@cisco.com> <3558A391-8B03-469E-BFA6-67F6D23C4188@trammell.ch> <2D94CFA8-0C4E-4167-86D8-2D36EF239B12@cisco.com> <CALx6S366VKA1Cu68N9crOJg0YpJXBNHwoVS76TLQ1jCuS44SLw@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3124)
X-Authenticated-User: dwing
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/fOE2b40q--BsCtepvRdOeToxx0E>
Cc: Brian Trammell <ietf@trammell.ch>, "Smith, Kevin, (R&D) Vodafone Group" <Kevin.Smith@vodafone.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] endpoint control
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2016 20:56:15 -0000

On 30-Jun-2016 11:11 am, Tom Herbert <tom@herbertland.com> wrote:
> 
> On Thu, Jun 30, 2016 at 10:41 AM, 🔓Dan Wing <dwing@cisco.com> wrote:
>> 
>> On 30-Jun-2016 08:33 am, Brian Trammell <ietf@trammell.ch> wrote:
>>> 
>>> hi Dan,
>>> 
>>> (sorry it took me a while to get back to you here; need better email AQM)...
>>> 
>>>> On 28 Jun 2016, at 18:19, 🔓Dan Wing <dwing@cisco.com> wrote:
>>>> 
>>>> 
>>>> On 28-Jun-2016 05:20 am, Brian Trammell <ietf@trammell.ch> wrote:
>>>>> 
>>>>>> On 28 Jun 2016, at 12:41, Smith, Kevin, (R&D) Vodafone Group <Kevin.Smith@vodafone.com> wrote:
>>>>>> 
>>>>>> Hi Brian,
>>>>>> 
>>>>>> I think Mobile Throughput Guidance would be a good candidate for PLUS path-to-endpoint signalling. The latest (albeit expired) MTG draft [1] is bound to TCP Options, and was considering use of TCP-AO for authentication; PLUS could allow MTG for both TCP and UDP-based flows. However it seems that proposed PLUS mechanism:
>>>>>> 
>>>>>>> (1) For forward signaling, the sending endpoint must place "scratch space" in the packet with a label on it stating that it's okay to modify; this okay-to-modify state is enforced by a MAC which only verifies the length but not the content of the scratch space.
>>>>>> 
>>>>>> ...may not provide the guarantee that (1) the MTG information was indeed injected by the cellular network and (2) that it has not been modified by another node. Have I got that right?
>>>>> 
>>>>> Correct. It doesn't provide that guarantee at all, by design.
>>>>> 
>>>>>> Or would such an authentication/integrity check applicable to path data be in scope of PLUS?
>>>>> 
>>>>> As I see it now, not at first. The cases where the endpoint reliably has an way to authenticate a middlebox are limited (though mobile access networks are one such case),
>>>> 
>>>> How so?
>>>> 
>>>> -d
>>> 
>>> Well, you need the endpoint to know which and what kinds of middleboxes its traffic is likely to encounter on the way to the other endpoint. There are three cases I can think of here:
>>> 
>>> 1. An enterprise device can authenticate the enterprise firewall and/or VPN gateway.
>>> 
>>> 2. A mobile handset can authenticate infrastructure in the mobile access network.
>>> 
>>> 3. A server in a data center can authenticate infrastructure in the data center network.
>>> 
>>> (You could extend 1 to include home access networks as well, but getting the in-home devices and the gateways to authenticate each other reliably is an area that still needs some work to keep from being a giant support-call generator.)
>>> 
>>> In all three of these cases, the authentication relationship doesn't cross an administrative domain boundary. In an Internet context, this is what I mean by "limited". Note that it *doesn't* cover the case where a data center server says something to the mobile access network, or the handset and the server cooperate to say something to the same network, because as soon as you cross the admin domain boundary the device-to-device authentication problem quickly becomes intractable.
>>> 
>>> Building a common framework for making this kind of authentication work is a very interesting problem,
>> 
> The also would be a nice way to define domains of information
> exposure. For instance, in the case of a mobile client talking to its
> network there seems to be a case for beneficial, granular, possibly
> domain specific signaling. But as packets leave the trusted domain I
> don't believe we arbitrarily want to expose such localized information
> to the outside world. Even if it's authenticated this still would be
> exposing potentially sensitive information to untrusted parties. For
> example, if my mobile carrier gives me a deal on optimizing cat videos
> I might trust them enough and believe there is enough benefit to mark
> packets as carrying cat videos; but I wouldn't want to do this if it
> means blabbing to the whole Internet that I'm watching cat videos.

Yep, agreed that is all good and useful.  Could be achieved "as easily as" (1) a new DHCP option that indicates the key for that communication with the local network.  But that is a different trust model than what I understood Brian was mentioning originally, though.

(1) as in, this isn't the only piece missing.

-d


> 
> Tom
> 
> 
> 
>> Yes.  I was hoping you had a solution.  If we can solve that, we can achieve secure DHCP, among other things.
>> 
>> -d
>> 
>> 
>>> and if PLUS designs a protocol correctly this framework can run on top of PLUS. But I think it's a different problem than the one PLUS is trying to solve.
>>> 
>>> Cheers,
>>> 
>>> Brian
>>> 
>>>>> and IMO the mechanism should be as general as possible.
>>>>> 
>>>>> I will point out that integrity and authentication of information from a middlebox where the sending endpoint can authenticate the middlebox can trivially be implemented on top of this proposed mechanism: the definition of the exposed information could be "content plus MAC", where the MAC can be verified using the middlebox's certificate. But these can be implemented in information elements atop PLUS, without requiring additional support in the PLUS header.
>>>>> 
>>>>> In a mobile access network, on the upstream path this would look like:
>>>>> 
>>>>> user terminal --[ PLUS mobile-foo: 00000000 ]--> access network --[ PLUS mobile-foo CCCCCCMM ]--> server
>>>>> 
>>>>> (where mobile-foo is whatever you want the access network to be able to say, 00000000 is scratch space, C is content and M is MAC.)
>>>>> 
>>>>> The server can act on the throughput guidance (should it choose to, see spud-req 5.9), but since it's the user terminal that has a relationship with the access network, the server may need to feed the content and MAC back to the user terminal (see spud-req 5.5 and 6.4) for verification.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Brian
>>>>> 
>>>>>> Cheers,
>>>>>> Kevin
>>>>>> Vodafone R&D
>>>>>> 
>>>>>> [1] https://www.ietf.org/archive/id/draft-flinck-mobile-throughput-guidance-03.txt , expired
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Spud mailing list
>>>>>> Spud@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/spud
>>>>> 
>>>>> _______________________________________________
>>>>> Spud mailing list
>>>>> Spud@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/spud
>>>> 
>>>> 
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> Spud mailing list
>> Spud@ietf.org
>> https://www.ietf.org/mailman/listinfo/spud
>>

v2.23.0 | Report a Bug | By Email