[Teas-ns-dt] Issues with Security objective in the definitions draft, especially Authentication and Access Control, and Isolation
Eric Gray <eric.gray@ericsson.com> Thu, 14 May 2020 20:45 UTC
From: Eric Gray <eric.gray@ericsson.com>
To: Kiran Makhijani <kiranm@futurewei.com>, "'Rokui, Reza (Nokia -
CA/Ottawa)'" <reza.rokui@nokia.com>, Shunsuke Homma <s.homma0718@gmail.com>,
LUIS MIGUEL CONTRERAS MURILLO <luismiguel.contrerasmurillo@telefonica.com>
CC: "teas-ns-dt@ietf.org" <teas-ns-dt@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teas-ns-dt/7Ae1rlHr0VNe_GwqNmc96oyhiLM>
Authors,
The issue with Encryption as a specific part of "Security" as a service objective is discussed in a separate E-Mail. This E-Mail addresses issues with the remainder of the Security objective(s).
Authentication and Access Control:
These are actually either separate objectives, or one is part of the other. Using ACLs - even as an example - for security-based Access Control misses the point of "technology independence" - since ACLs are not used in very many technologies. But, in this definition, you are not including ACL as an example, but equating "Access Control" and "ACL" by the phrasing "access control (ACLs)." While ACL is defined for access control generally, an ACL is not the default mechanism for limiting access to network resources in at least some security protocols. Note that "Networking ACLs" are only one form of ACL, and not considered to be particularly secure.
In many cases, access is explicitly limited using Authentication (only allowed users can be successfully authenticated), encryption (not having the correct key prevents disallowed communication in multiple ways), or both.
Authentication has nothing to do with ACL, and vice versa, and authentication is often thought of as a more scalable approach to limiting access (there is no need for possibly arbitrarily long lists to determine whether or not access is allowed (per PDU) to a network resource, if having the right authentication key is enough to establish that access is allowed).
Isolation:
The term that applies to either security or privacy is "traffic separation" which does not need to be conflated with the term "isolation" in order to increase the confusion this term engenders.
Traffic separation is completely orthogonal to "interference avoidance" and "interference avoidance" has nothing whatsoever to do with Security - except in the (almost universally avoided) case of a failure in "traffic separation."
To illustrate this point, if I start suddenly seeing a lot of traffic that doesn't belong on my network, the fact that this traffic is interfering with the use of resources allocated to my network is not usually the most important issue - especially from a security point of view. As another illustration - if I came home and discovered that some stranger was sitting in my living room, taking up my favorite seat, and watching a television program I don't care for - my security concern would be a lot less about the abuse of my living room, chair and television, than it would be about the fact that some stranger was able to just walk into my house and do whatever they wanted to do.
--
Eric
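An added illustration of the contrast the message draws between per-PDU ACL lookup and key-based authentication (example code, not part of Eric's message or the draft); the slice key, addresses and PDU layout are constructed for the example, and HMAC-SHA256 stands in for whatever per-PDU authentication a real protocol would use.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PDU:
    """Constructed minimal PDU: claimed source address, payload, optional authentication tag."""
    src: str
    payload: bytes
    tag: bytes = b""


# Constructed values for the example only (not from the draft or the message).
SLICE_KEY = b"example-slice-key-not-for-real-use"
ACL = frozenset({"10.0.1.5", "10.0.1.6"})  # allow-list consulted for every PDU


def acl_allows(acl: frozenset, pdu: PDU) -> bool:
    """ACL-style control: admit a PDU only if its claimed source is on the list.
    The list grows with each permitted source, and the address is taken on trust."""
    return pdu.src in acl


def pdu_tag(key: bytes, src: str, payload: bytes) -> bytes:
    """HMAC-SHA256 over source and payload: only holders of the slice key can produce it."""
    return hmac.new(key, src.encode() + b"|" + payload, hashlib.sha256).digest()


def sign(key: bytes, src: str, payload: bytes) -> PDU:
    """What a legitimate slice member sends: the PDU plus a tag computed with the shared key."""
    return PDU(src, payload, pdu_tag(key, src, payload))


def auth_allows(key: bytes, pdu: PDU) -> bool:
    """Authentication-based control: admit a PDU iff its tag verifies under the slice key.
    No per-source list is needed; possession of the key is what establishes access."""
    return hmac.compare_digest(pdu_tag(key, pdu.src, pdu.payload), pdu.tag)


def compare() -> dict:
    """Run three constructed PDUs through both checks; returns {name: (acl_ok, auth_ok)}."""
    legit = sign(SLICE_KEY, "10.0.1.5", b"hello")        # listed source, holds the key
    spoofed = PDU("10.0.1.5", b"hello")                  # forged listed address, no key
    new_member = sign(SLICE_KEY, "10.0.1.7", b"hello")   # holds the key, not on the list
    return {
        "legit": (acl_allows(ACL, legit), auth_allows(SLICE_KEY, legit)),
        "spoofed": (acl_allows(ACL, spoofed), auth_allows(SLICE_KEY, spoofed)),
        "new_member": (acl_allows(ACL, new_member), auth_allows(SLICE_KEY, new_member)),
    }


if __name__ == "__main__":
    for name, (acl_ok, auth_ok) in compare().items():
        print(f"{name:10s} ACL={'allow' if acl_ok else 'deny':5s} auth={'allow' if auth_ok else 'deny'}")
```

The spoofed PDU passes the address-based ACL but fails the key check, while a key holder at an unlisted address passes the key check without any list update.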