IETF Logo Mail Archive

Re: [tcmtf] Answers to possible questions in the BOF

"Diego R. Lopez" <diego@tid.es> Mon, 08 July 2013 09:59 UTC

Return-Path: <diego@tid.es>
X-Original-To: tcmtf@ietfa.amsl.com
Delivered-To: tcmtf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 217A711E81C5 for <tcmtf@ietfa.amsl.com>; Mon, 8 Jul 2013 02:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzGhg-mpUM9T for <tcmtf@ietfa.amsl.com>; Mon, 8 Jul 2013 02:59:09 -0700 (PDT)
Received: from tidos.tid.es (tidos.tid.es [195.235.93.44]) by ietfa.amsl.com (Postfix) with ESMTP id DFC9721F9ED3 for <tcmtf@ietf.org>; Mon, 8 Jul 2013 02:59:07 -0700 (PDT)
Received: from sbrightmailg01.hi.inet (sbrightmailg01.hi.inet [10.95.64.104]) by tid.hi.inet (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0MPM00IYC3QIC3@tid.hi.inet> for tcmtf@ietf.org; Mon, 08 Jul 2013 11:59:06 +0200 (MEST)
Received: from tid (tid.hi.inet [10.95.64.10]) by sbrightmailg01.hi.inet (Symantec Messaging Gateway) with SMTP id 76.82.03142.A6D8AD15; Mon, 08 Jul 2013 11:59:06 +0200 (CEST)
Received: from correo.tid.es (mailhost.hi.inet [10.95.64.100]) by tid.hi.inet (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0MPM00IY43QIC3@tid.hi.inet> for tcmtf@ietf.org; Mon, 08 Jul 2013 11:59:06 +0200 (MEST)
Received: from EX10-MB2-MAD.hi.inet ([169.254.2.38]) by EX10-HTCAS5-MAD.hi.inet ([::1]) with mapi id 14.02.0328.009; Mon, 08 Jul 2013 11:57:51 +0200
Date: Mon, 08 Jul 2013 09:59:06 +0000
From: "Diego R. Lopez" <diego@tid.es>
In-reply-to: <004601ce7bac$c8fc91b0$5af5b510$@unizar.es>
X-Originating-IP: [10.95.64.115]
To: "<jsaldana@unizar.es>" <jsaldana@unizar.es>
Message-id: <E6D8B95470ED0845B3376F61DCAB1A049CD0C7F1@EX10-MB2-MAD.hi.inet>
Content-id: <A59662B3AE0E07498A04FB136A601062@hi.inet>
MIME-version: 1.0
Content-type: text/plain; charset="Windows-1252"
Content-language: en-US
Content-transfer-encoding: quoted-printable
Accept-Language: en-US, es-ES
Thread-topic: [tcmtf] Answers to possible questions in the BOF
Thread-index: Ac5wycGHbApylKz/RhmtAnL3dgONFwJG8kQSAT8jBAUB238Z4AIljoQ2AbET9qADIMpcjQHjuA3AmKEnG0DnAsGfAA==
X-AuditID: 0a5f4068-b7f128e000000c46-0d-51da8d6a3aad
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpjkeLIzCtJLcpLzFFi42Lhinfg0s3qvRVocHKbrMWuzxsYHRg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVcadrC3PBtpiKjpX3mBsYb3p1MXJwSAiYSLx/VNDFyAlkiklc uLeeDcQWEtjIKHF4vksXIxeQ/YNR4v6qHiYIZxqjxJYlr9hAmlkEVCXm3NcCaWADMh81/2YH sYUFbCX2/L3DCGJzClhI7Jzfxg6xQEHiz7nHLCC2iIC+xI3HIPVcHMwCixgl1r//B7aZV8Bb 4v/iLawgNrOAmcTfztVMEHFBiR+T77FAxPUkPv65zQhhi0s0t96EimtLPHl3AayXUUBW4t38 +awQy+wkpm/bCLU4R+LTuemMEAcJSCzZc54ZwhaVePn4HyvEkw1MEivuv2KZwCgxC8kds5Dc MQvJHbOQ3DELyR0LGFlXMYoVJxVlpmeU5CZm5qQbGOplZOpl5qWWbGKExF3GDsblO1UOMQpw MCrx8D54cjNQiDWxrLgy9xCjBAezkgivOOutQCHelMTKqtSi/Pii0pzU4kOMTBycUg2Mqzb7 OPbaHYn+I3vu2+n5LQp607PZ6nZXlpVOX/raYHd2sYTPbq8V96+E8VpMlYyflzgtyCuwYM9V ed2aVU4TFgtf5Yv7sLKr4q7bvmdeyxbVHvf2Zz3zM+uG6CHJ/7NF5grVmswoVGorn1S597ac smbSt63xzQ4qevunzszfueO8hN/m4nYZJZbijERDLeai4kQAijuunpkCAAA=
References: "\"<007e01ce70c9$fe1a0aa0$fa4e1fe0$@unizar.es> <009901ce725a$d1623360$74269a20$@unizar.es> <2543ED38-A2FF-49D7-85E0-4790A31415BC@cisco.com>" <20130628105725.lmag0xgqsgogggww@webmail.unizar.es> <004601ce7bac$c8fc91b0$5af5b510$@unizar.es>
Cc: "<tcmtf@ietf.org>" <tcmtf@ietf.org>, "Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com>, jsalazar <jsalazar@unizar.es>, Dan Wing <dwing@cisco.com>
Subject: Re: [tcmtf] Answers to possible questions in the BOF
X-BeenThere: tcmtf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Tunneling Compressed Multiplexed Traffic Flows \(TCMTF\) discussion list" <tcmtf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcmtf>, <mailto:tcmtf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcmtf>
List-Post: <mailto:tcmtf@ietf.org>
List-Help: <mailto:tcmtf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcmtf>, <mailto:tcmtf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 09:59:13 -0000

Hi,

When talking about security, we should not forget two different aspects:

1) Applying TCMTF to enhance (or provide a better support to) security network services, like IPsec or VPNs

2) Securing the application of TCMTF itself

As far as I can tell, most of the discussion so far has been on the first aspect. This could be outlined as an use case, and further discussed in a separate document if required, oriented towards "Applying TCMTF in secure environments" or the like

Regarding the second issue, I tried to make a few points some time ago:

8<---

> We can consider different security contexts for different tunnels, according to some policy agreed by both end-points at a given tunnel. The security contexts would define encryption, authentication, or both. We'd have to go into more detail to evaluate potential savings, but I have the feeling they could be worth considering.
>
> The point is that if we go for these different security contexts, we must consider how they can be established by mutual authentication of the tunnel end-points, and this opens additional issues regarding configuration and crypto material exchange, as well as the possibility of user-initiated authentication by means of protocols like OAuth.
>
> I'd keep this in the list of the "soon-to-open" issues, focusing on the three main docs we have been discussing so far.

8<---

I had the intention to elaborate them a little more, but other matters pre-empted this :-(
My take is that some reflections on this should be included in the "Security Considerations" section of the framework document, and a further document on this be considered in a further stage.

Be goode,

On 8 Jul 2013, at 09:28 , Jose Saldana wrote:

> Hi, Muthu, Dan, Jose Luis.
>
> It seems that we have identified some cases in which different security options are possible. The question here is:
>
> Can this be issued in the TCMTF main draft (TCMTF Reference Model)?
>
> Or do you think a TCMTF-security document would be interesting?
>
> Jose
>
> -----Mensaje original-----
> De: jsalazar [mailto:jsalazar@unizar.es]
> Enviado el: jueves, 04 de julio de 2013 19:36
> Para: jsaldana@unizar.es
> Asunto: RE: [tcmtf] Answers to possible questions in the BOF
>
> Hi all.
> With your last question, you have just hit the bullseye. I think the classification is correct. Cases 1 and 2a are a good way to keep the compromise between security and efficency. However, case 2b gives a step beyond and the security is compromised in the interest of efficiency.
> In that case, users have to trust in tcmtf manager for managing their privacy also. Then, we will leave the tipical Public Key Infraestructure
> (PKI) security architecture and use the Identity Based Encryption (IBE) one (http://tools.ietf.org/html/rfc5408).
> They are three different scenarios and all of them seem to be very interesting, but the last one a bit more.
> Regards:
>
> JL
>
> "I see them falling out the skies like eagles All mirrored glass and shattered egos"
>
> Simple Minds.
>
> El 2013-07-03 17:58, Jose Saldana escribió:
>> Hi, Jose Luis. Good point.
>>
>> Regarding security, we could establish this classification:
>>
>> 1- Adding security to TCM: I have a number of non-secured flows
>> traveling through a “dangerous” network segment (perhaps a tunnel
>> between appliances connecting remote offices of a company), and I want
>> not only traffic optimization but also security. In this case, I can
>> simply use IPsec on the tunnel.
>>
>>
>> 2- Using TCM for optimizing already secured communications: I have a
>> bunch of already secured flows. Which is the best way for tunneling,
>> compressing and multiplexing them?
>>
>> Two subcases:
>>
>> 2a- I can use TCM normally, but not only compress IP, TCP or UDP
>> headers, but also security headers using a header compression method.
>> Some possibilities for compressing security headers:
>>
>> - ROHCoIPsec, RFC5856 (http://tools.ietf.org/html/rfc5856)
>> - RFC5225 http://tools.ietf.org/html/rfc5225
>>
>>
>> 2b- But I can save more bandwidth if the TCM-ingress optimizer
>> (TCM-IO) is able to:
>> - rebuild the packets to their native form
>> - TCM-optimize them
>> - put them into a single security tunnel
>>
>> I have three phases (let's suppose I have 20 communications):
>>
>> Origin 1
>> Origin 2     <----20 secured flows --------> TCM-IO <------1
>> tunnel------> TCM-EO <-------- 20 secured flows----> destination 1, 2,
>> 20
>> ...
>> Origin 20
>>
>> I have an advantage: In the shared network path, I use a single tunnel
>> instead of 20 different tunnels.
>>
>> But I have some additional requirements: I need processing capacity in
>> the TCM optimizers, and the endpoints should trust them.
>>
>>
>> Is this classification correct? Any other options? Any other
>> requirements? It is time for "security experts".
>>
>> Jose
>>
>> -----Mensaje original-----
>> De: tcmtf-bounces@ietf.org [mailto:tcmtf-bounces@ietf.org] En nombre
>> de jsalazar Enviado el: lunes, 01 de julio de 2013 20:50
>> Para: tcmtf@ietf.org
>> Asunto: Re: [tcmtf] Answers to possible questions in the BOF
>>
>> Hi all:
>> Mmmmmmm. Since I see tcm-tf as a service, I can design the service
>> with added security features that the type of communication is
>> requiring. I think we have to be clear what we are expressing when we
>> are talking about secure tcm-tf: Ensuring the service tcm-tf or
>> applying the tcm-tf service for secure communications.
>> The first possibility is not a great technological sophistication and
>> the second one might consider the first one as a possible additional
>> service.
>> Therefore,
>> every time we use the term "secure tcm-tf" should think the second
>> option, for generality.
>> On the other hand, we must also keep in mind that whenever users
>> employ secure tcm-tf, they must trust the service fully and consider
>> delegating the use of their keys (including private ones) to tcm-tf.
>>
>> Regards.
>>
>> JL
>>
>> "I see them falling out the skies like eagles All mirrored glass and
>> shattered egos"
>>
>> Simple Minds.
>>
>> El 2013-07-01 18:55, Dan Wing escribió:
>>> On Jun 28, 2013, at 1:57 AM, jltornos@unizar.es wrote:
>>>
>>> Hi all,
>>>
>>> Few days ago Julian talked about TCM-TF's security and now I've read
>>> in the link included by Dan, saying that the gain obtained when
>>> multiplexing Ipsec-encrypted packets is 20-to-1. We have been
>>> looking for more information about this issue and thinking about a
>>> way to reduce the needed  bandwidth in IPsec flows.
>>>
>>> The main idea is to find a way to change the authentication of the
>>> individual packets and merge all of them in a unique authentication.
>>> Thus, instead of using 20 IPsec tunnels, we would have a single
>>> tunnel including 20 flows. Is this something similar than how Cisco
>>> gets the improvement?
>>>
>>> We would not be able to change IPsec any more than we could change
>>> TCP, so I would not look at how to change IPsec authentication.
>>>
>>> However, if there are a bunch of IPsec packets sharing a common
>>> path, I could see them being successfully multiplexed into one
>>> larger packet at one tunnel endpoint and then de-multiplexed at the
>>> other tunnel endpoint.  This can provide a packet per second
>>> reduction.  I don't think there are enough bytes in an IPsec header
>>> to bother trying to do IPsec header compression (SPI and sequence number are only 64 bits).
>>>
>>> -d
>>>
>>>
>>>
>>> José Luis
>>>
>>>
>>>
>>> Dan Wing <dwing@cisco.com> ha escrito:
>>>
>>>
>>> On Jun 26, 2013, at 3:49 AM, Jose Saldana <jsaldana@unizar.es> wrote:
>>>
>>> Question 4: Is TCM-TF interesting for the Industry? Should the IETF
>>> standardize this?
>>>
>>> Answer:
>>>
>>> 1) TCM-TF intends to update RFC4170, which optimizes RTP VoIP  traffic.
>>> So if RFC4170 was interesting, why not updating it?
>>>
>>> 2) TCM-TF can be useful in order to save bandwidth in many cases:
>>>
>>> - Aggregation network of *network operators*: We are saving
>>> bandwidth by optimizing and putting together traffic flows. Is this
>>> interesting for a network operator? What about overprovisioning?
>>> The idea is that there are places and moments in which a number of
>>> flows based on small packets are in the same place and at the same
>>> moment. Then, TCM-TF can be applied in order to provide
>>> flexibility. We are not optimizing the overall Internet traffic, we
>>> are optimizing specific flows with very tight delay requirements,
>>> which network operators have to take care of in a special way.
>>> www.huawei.com/ilink/en/download/HW_193034
>>>
>>> - *End to end* optimization: Nowadays, many appliances are used to
>>> connect remote offices of the same company (creating a VPN). So if
>>> a tunnel exists, why not optimizing this traffic when possible? We
>>> would save bandwidth in the access network, where it can be scarce.
>>>
>>> - Wireless and satellite scenarios.
>>>
>>> "Cisco adds IP multiplexing to mobile satellite package", April
>>> 2012,
>>> http://www.networkworld.com/news/2012/040912-cisco-ip-multiplexing-
>> 258082.html
>>>
>>>
>>>
>>>
>>>
>>> Any other thoughts? Any other scenarios in mind? Potential
>>> beneficiaries?
>>>
>>> Some networks, today, use cRTP (RFC2508) on their access links.   This
>>> gives bandwidth savings on the access link, but consumes
>>> considerable CPU horsepower on the aggregation router (to perform  cRTP), but
>>> provides no bandwidth savings across the network core.   If, instead,
>>> the bandwidth could be saved on the access link, across  the core,
>>> and on the far-end access link -- all without the CPU  impact on the
>>> aggregation router -- it is a considerable win.
>>>
>>> -d
>>>
>>>
>>>
>>>
>>>
>>> Jose
>>>
>>> De: tcmtf-bounces@ietf.org [mailto:tcmtf-bounces@ietf.org] En
>>> nombre de Jose Saldana Enviado el: lunes, 24 de junio de 2013 13:00
>>> Para: tcmtf@ietf.org
>>> Asunto: [tcmtf] Answers to possible questions in the BOF
>>>
>>> I would like to start a thread about possible questions people may
>>> ask in the BOF. Obviously, we also need answers, so we should  cooperate.
>>>
>>> This is different from the "questions to ask in the BOF". This will
>>> be discussed separately.
>>>
>>> Thanks!
>>>
>>> Jose
>>>
>>> _______________________________________________
>>> tcmtf mailing list
>>> tcmtf@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tcmtf
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> tcmtf mailing list
>>> tcmtf@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tcmtf
>>
>> _______________________________________________
>> tcmtf mailing list
>> tcmtf@ietf.org
>> https://www.ietf.org/mailman/listinfo/tcmtf
>
> _______________________________________________
> tcmtf mailing list
> tcmtf@ietf.org
> https://www.ietf.org/mailman/listinfo/tcmtf


--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego@tid.es
Tel:    +34 913 129 041
Mobile: +34 682 051 091
-----------------------------------------


________________________________

Este mensaje se dirige exclusivamente a su destinatario. Puede consultar nuestra política de envío y recepción de correo electrónico en el enlace situado más abajo.
This message is intended exclusively for its addressee. We only send and receive email on the basis of the terms set out at:
http://www.tid.es/ES/PAGINAS/disclaimer.aspx

v2.23.0 | Report a Bug | By Email