IETF Logo Mail Archive

Re: [Teas-ns-dt] Security, and especially encryption.

Eric Gray <eric.gray@ericsson.com> Thu, 14 May 2020 21:47 UTC

Return-Path: <eric.gray@ericsson.com>
X-Original-To: teas-ns-dt@ietfa.amsl.com
Delivered-To: teas-ns-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A3453A0D7E for <teas-ns-dt@ietfa.amsl.com>; Thu, 14 May 2020 14:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.273
X-Spam-Level:
X-Spam-Status: No, score=-2.273 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.173, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a-DUbyE4ZOq9 for <teas-ns-dt@ietfa.amsl.com>; Thu, 14 May 2020 14:47:57 -0700 (PDT)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2049.outbound.protection.outlook.com [40.107.243.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0791F3A0DB2 for <teas-ns-dt@ietf.org>; Thu, 14 May 2020 14:47:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gO/vDIDqYhgHvAgi2nRIHva7c48Q4s7ZmzC9PzDDeV4qHChbC029wrnNy4Js4PiEwCUmHeTgSqaXKJuritWEWYieco8KicVSNVD565CxK24aPnRU9skcybWO/+1GMyEmzA5i5TA8BsGKNUdXQodw+16epTw/wU71Hs6LDPstooyW9wEGF7o80tAWyj7PqCb8BkMGY051l/AOrR7BxD0kxrlcWx3OhyjFGGvfWIlTv0n/o04Mk5ggTJJodH2T/xv3DxnxkAxsTqhK0mleyh1ExNOgZ/EGKqws1aItyKgAxfdC3odeAJLfFjXYqxzjDvo8uGp0myG2bG5/f0Ihfl1F8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7OX+KQXMDBsDTZrw82cSmc3C/SNliMxjPH1A90hTM3g=; b=lrJqlO6pCfWQ8/gkG5Vdo+u8qr/ddfJ5IppRzynqi0kwZxQpf08PGX29QelPzr4ZVuyHiQpXqOArvuJNDHRsrDDMtavThnszPaf6KvmEP3lnl+3tndhG5sDNMhjD4baxjAu5n2PqkbA+y2bjes39rtsQTq8Fuiaw+nU78X7QZZbNyP5IVG19LjzukpyEH9UoXP1+4sL2JQGm8Z+sQ/O4w20V1e5LwvjF1MuGlF47eWF9bsw6S06FCwwlF0TWNKyyHGbcYQv30wOsp30GZ1woG/VKfRZlQJmb+rh10aG35dZ4SRGd+U+mkB0bUGez70T76JnzMa+JNw0e5HrJxfJ6Vg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7OX+KQXMDBsDTZrw82cSmc3C/SNliMxjPH1A90hTM3g=; b=m5HWh185K4cLQ9vZVF61xlQV0iDTJgmg6LU/aCJkU9/FTryFmlYNR37LYNyXwkQ5MlfF2/smB8LKmAtegjd9kQ4tlVR9hZI4N8lHZdKqFFvBATbcJGiHbKFWo4BRDsi70LuP6NgQYaI3EUB1refOtb59/J6Yi9QqVUqSMqchO+A=
Received: from MN2PR15MB3103.namprd15.prod.outlook.com (2603:10b6:208:f9::10) by MN2PR15MB3711.namprd15.prod.outlook.com (2603:10b6:208:1bd::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.26; Thu, 14 May 2020 21:47:34 +0000
Received: from MN2PR15MB3103.namprd15.prod.outlook.com ([fe80::38fe:2984:60e3:3ad]) by MN2PR15MB3103.namprd15.prod.outlook.com ([fe80::38fe:2984:60e3:3ad%5]) with mapi id 15.20.3000.022; Thu, 14 May 2020 21:47:33 +0000
From: Eric Gray <eric.gray@ericsson.com>
To: Jeff Tantsura <jefftant.ietf@gmail.com>
CC: "teas-ns-dt@ietf.org" <teas-ns-dt@ietf.org>
Thread-Topic: Security, and especially encryption.
Thread-Index: AdYqCWpezdtTl7i5RPW/3KCwm2A3FAAJr62AAAAlBeA=
Date: Thu, 14 May 2020 21:47:33 +0000
Message-ID: <MN2PR15MB3103C0645A8A1B3CCAD7AE4F97BC0@MN2PR15MB3103.namprd15.prod.outlook.com>
References: <MN2PR15MB3103B30D3D80626371C241B497BC0@MN2PR15MB3103.namprd15.prod.outlook.com> <f2c245ce-a455-4348-a722-84471b0534fa@Spark>
In-Reply-To: <f2c245ce-a455-4348-a722-84471b0534fa@Spark>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [129.192.79.10]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0c5d2afa-8410-41ec-60df-08d7f85068f0
x-ms-traffictypediagnostic: MN2PR15MB3711:
x-microsoft-antispam-prvs: <MN2PR15MB371184812AF7FA85B7B0135C97BC0@MN2PR15MB3711.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 040359335D
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hrpWk41bhnq9abNgN74lxzbEL9sBi9PMkCLWaJRgVuV7RS6tZ0IKVRDplXrjGjeGB7MLazab4UmfANmbbQn65svuiDSlKXejyeC5B/S45qCfAxISzlCNhbNV+oHPsVSh2ez3mrGdhU1N2BWnoQaREEM5bp7olBcp2dzzHnKHYkxex4ajTsbhEKuSLstsTUOuJes1KZC6ULZXKObfZG30U1Xdn6z4DTRDXtVi6na0ciCi472GU7n6QWKiWnJHb3TGgIrjciTLX8oFZQGCzu7Y4HQ537pNohQcoY5ikOC5YofwGqr8RzuUatN5nFGCgQ/vVnjWEEHYGehw9alMFhQriP+anwJ9yjUc5R9/2adZWBq1GVn5aNGM66n6/rs/nOUbNRNPo5DCCdtZ6l9Nxwo62l9+LL7l+DyDE1963Ye32YGkfiWm0aaB6iUNn3DPxb9s
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR15MB3103.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(39860400002)(396003)(136003)(346002)(376002)(33656002)(2906002)(44832011)(66556008)(15650500001)(71200400001)(6916009)(66446008)(64756008)(86362001)(66476007)(66946007)(6506007)(9686003)(8936002)(76116006)(478600001)(7696005)(53546011)(26005)(186003)(8676002)(55016002)(52536014)(4326008)(316002)(5660300002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: F1/qg5X0XSpB2ttT4reeM7DyGhUB18MNQ4YuLUQo8LqZkix+KsYzmdS1Rcsb7/apmAqVWpR4d+r8LREQyBMv4k+yCkJpSsxwM/Z/ERkUajxHqvdh+bKcZWXSYIWornLrSANNZz6uZpZ04HGNVi25MU+PoXWLTeL9B1X02z1gNbTPLB7H7DBCAlw99GUOnnIV7/urrZ3+YWqkZbiD75aN1XZZHex7HJRjvM2LRpHG4rtd1mHLpM3jsHPI0A/PLN0kOiSDt9/u4mHjOGmsgs3KIfnd2VBidJkmOc268PkkMuBRT4N5zYUvCKszWNvLefIXF9pFYLNNAXBquQK65Pn2otLhl/Rn+m+WukCsVxUNLkJ/sry3+hpe90jl6hWck3vcDjjxxkPO3R8e9+JCr9mKy7GftIFcYfwD4vRTmmPwlpsdmC1FuJjRwM/fsObi8Pz3YnAnToGeIhIEKPe9Ajo3YJH473B7gR4f6gW+8qO/CqU=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR15MB3103C0645A8A1B3CCAD7AE4F97BC0MN2PR15MB3103namp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0c5d2afa-8410-41ec-60df-08d7f85068f0
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 May 2020 21:47:33.2573 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: UxKDf1B/12exhfUF1Q6lVQTxbpy5ElBttHupz0sm6Eq08S5Bjwl0MbHSlg8MdfaeikMiFKwaQH/Zep5t1A1yFw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR15MB3711
Archived-At: <https://mailarchive.ietf.org/arch/msg/teas-ns-dt/rqblobWEBu2JaVQjqgz-3YLCbrQ>
Subject: Re: [Teas-ns-dt] Security, and especially encryption.
X-BeenThere: teas-ns-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TEAS Network Slicing Design Team <teas-ns-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teas-ns-dt>, <mailto:teas-ns-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teas-ns-dt/>
List-Post: <mailto:teas-ns-dt@ietf.org>
List-Help: <mailto:teas-ns-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teas-ns-dt>, <mailto:teas-ns-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2020 21:48:00 -0000

Actually, Jeff, a user that truly wants to ensure that they get disjoined paths can easily determine that they got at least the appearance of disjoined paths because they get multiple separate service terminations.  One technique that has been used was to buy separate services from separate providers, and even that did not always work if multiple providers share common lower-tier services.

Asking for disjoined paths from a single provider reduces this risk, but not to zero.  So, what you get is what the provider can offer with some reasonable confidence based on reasonable and practical due diligence in checking it out in advance.

But that is a separate discussion.  As are a few other things in your reply.

If a provider is required – by law – to provide encryption for certain cases, then of course they must provide it (in order to be compliant).  The terms of that encryption are dictated by regulatory authority and established (in many cases) as determined via negotiation between the regulatory authority and the provider (up to and including exemption from meeting the requirement).  The “user” does not have to request encryption, nor would it matter if they were to try to specify encryption, methods that differ from those established in the agreement between the provider and the regulatory authority.

If you wish to assert that encryption is a Boolean service that is either provided or it is not, then – often the time – it is not.  If the end user expects the provider to encrypt their data traffic, then that encryption must necessarily occur in equipment owned/operated by the provider.  That equipment will have all of the vulnerabilities of any other equipment (vulnerable to insider attack, unauthorized traffic replication, recording or “scraping,” encryption hardware failure, etc.) – with the additional vulnerability of not being under the control of the entity who is expecting their data to be protected.

There are ways to improve the degree of confidence in the data protection provided (I mentioned at least a few in the mail below) and – whenever that is the case – then it must also be the case that there is at least the possibility that the confidence level in encryption is less than 100% (it is obvious that you cannot improve on a confidence of 100%).

In this you are conflating “data protection” with availability, because – if a provider has the means to determine if there is a data protection failure, and data protection is an explicit requirement of the service – then the provider should terminate the service, making it clearly unavailable.

To illustrate the “confidence factor” further, at least until recently, residential gateways provided as CPE used open source software that did not include any obvious mechanism to address automated updates to address security issues with essentially “free” (and sporadically supported) software.  Because I do not believe that service providers are somehow exempt from the rule that “you gets what you pays for,” my confidence in the ability of such a  provider to ensure protection of my data is – well – pretty low.

And, finally, you missed my point about why a provider might choose to provide data protection via encryption.  To the extent that it is effective, it is relatively cheap and easy to provide at least some level of protection using encryption.   Some types of service are unsellable to most people unless some form of data protection is provided – for example, cloud services.

--
Eric

PS – by the way, if you think that “legally required” means “not optional,” you are quite possibly unaware of the more than a decade in which LI was “required” but not supported by most service providers.  But that too is a different discussion.  😊

From: Jeff Tantsura <jefftant.ietf@gmail.com>
Sent: Thursday, May 14, 2020 4:42 PM
To: Eric Gray <eric.gray@ericsson.com>
Cc: teas-ns-dt@ietf.org
Subject: Re: Security, and especially encryption.
Importance: High

Eric,

Users are not just asking “random stuff”, end2end encryption is a basic feature of a SSLA (secure SLA).
This is not about user observability (user can’t observe disjoined paths or similar features either) but a capability of expressing particular logic in an NBI and ability of the provider to deliver it, there’s also no “confidence factor” it is binary, the service is either provided or it is not.
The service (TS in our case) as defined by a provider and as consumed by a consumer is a combination (logical AND) of a set of features, all of which has to be true is order for the service fulfillment to be successful.

Provider “doesn’t just want” to provide encryption as a service (it costs in OPEX and CAPEX) it is a value add service that could be delivered to a consumer as a distinct advantage ( in a competitive market) or against additional payment.

Note - end2end encryption for compliance reasons (e.g PCI, HIPAA, similar) if required is not optional

Cheers,
Jeff
On May 14, 2020, 10:42 AM -0700, Eric Gray <eric.gray@ericsson.com<mailto:eric.gray@ericsson.com>>, wrote:

Jeff,

I agree that a user may ask (or, if they are big enough, insist) that a provider encrypts their data.

However, as I said during the meeting, either a user encrypts their own data, or they have no way to determine that it is not encrypted – other than through some failure scenario where their data appears (in unencrypted form, or “plain text”) somewhere where it should not have.

If we allow that “detection” of non-performance on some service objective may occur in any failure scenario, then we cannot immediately distinguish the case where the provider intended to meet the criteria and the mechanism used (e.g. – encryption) failed, from a case where the provider did not take any steps to meet the criteria (again, encryption of the data) and this was only discoverable as a result of some other uncommon failure (e.g. - the unencrypted data was intercepted by some third party, or was stored in unencrypted format in some location which was subsequently accessed by an unauthorized entity).

If the data is “leaked” in unencrypted form in some extremely uncommon cases, it is not actually possible to determine if that was because it was never encrypted, or if it was only exceptionally unencrypted.

In this sense, a user requesting encryption is essentially saying “if the service can do so, I would like my data encrypted.”  That is, while I agree that we may want to include this as a parameter in the NBI (I suggest that is a bad idea), it would be unenforceable (except via legal recourse, and auditing).

And it is not actually the best way to represent what the customer really wants.

It is far more useful for the consumer to indicate their preference that their data is protected (in some way), with some degree of confidence (up to and including 100%) from exposure to unauthorized parties.

As a separate, out of scope in this work, issue – legal documents (e.g. – an SLA) may explicitly stipulate remedies and recourses.  IETF does not specify these

Many providers may find it simply easier to allow customers to request their data is encrypted – especially if their network equipment includes the capability at a relatively low cost (e.g. – no perceptible impact on traffic handling).  But that does not mean this is the only (or even necessarily the best) way to provide the data protection that a user requested.

Encryption, by the way, does not (by itself) ensure that a customer’s data is completely protected (which is another reason for the customers to ask for what they really want), because – if the provider is doing the encryption and decryption themselves, there are two (or more) points at which the data exists in the provider’s network equipment in an unencrypted form.

Note that – if a provider really wants to use encryption to meet the data protection requirement – there is actually no reason why a “higher layer” controller cannot translate a request for data protection at some (possibly variable) level of confidence into an explicit request to an NBI.

Another reason to list this as distinct “protection” and “confidence” factors (as opposed to a simple “encrypt my data” factor) is that additional degrees of confidence are achievable.  For instance, a provider  might choose to deploy a more expensive device on a customer’s premises that does whatever it is that the provider chooses to use for protecting the customer’s data (e.g. – encryption) using a platform that is explicitly hardened against unauthorized access and/or hacking (possibly using more sophisticated algorithms).

As it is, the current “Security” objective conflates multiple security aspects – of which data protection is but one.

--
Eric

v2.8.7 | Report a Bug | By Email