We really need to separate issues here.
The first part of your note talks about the need for metadata. You
assert that this is related to a need to compete with large scale
tracking. While I can not prohibit that use, that is NOT the problem
that drives this work.
Rather, the whole point is to support separating the currently
monolithic service platofrms into component services that can be
combined both to deliver existing services, and to deliver new service
combinations. To do that, the existing internal methods for passing
data within a service delivery monolith have to be replaced with an
external, interoperable, method for doing this.
My employer would be very happy if the operators would give up on this
and go back to buying our nice, high reliability, high price, intgrated
service platforms. But that is not what the operators are asking us
to provide.
Yours,
Joel
On 9/28/17 3:42 PM, Christian Huitema wrote:
Reviewer: Christian Huitema
Review result: Serious Issues
I have already reviewed previous iterations of this draft (18) and sent
comments on the mailing lists about revisions 20 to 24. The draft has
significantly improved through the revisions, but I still have concerns.
First, it should be clear that standardizing addition of metadata to packet
headers is, from a privacy standpoint, playing with fire. I understand that
many ISP believe that they need to accumulate and use metadata in order to
compete with the large scale tracking performed by some web companies. This
existing competition may well be driving a race to the privacy bottom.
Regardless, the minimum these ISP can do is ensure that the privacy sensitive
metadata that they collect is well protected. Collecting metadata is bad
enough; letting hackers access it would be disastrous, as shown in the Equifax
breach. I would like to see a stronger recognition in the security
consideration that this is indeed playing with fire.
I am also concerned that when writing the security considerations the authors
may be playing with words. Frankly, I do not believe that the data will be
magically protected because they are only transported in a single
administrative domain. As Randy Bush pointed out in an email comment, some of
the service functions are already provided "in the cloud" by third party
contractors to the ISP. This means that in practice, the data will probably not
be confined to a single provider domain. In the email, I listed three threats:
* Whether ISP believe it or not, their links will be snooped by third parties.
We have to assume that adversaries will have access to some of the transmission
equipment, even inside the perimeter.
* We also have to assume that persistent attackers will be able to compromise
some of the devices hosting some of the functions.
* And we have to assume that some third party providers will re-purpose the
metadata that they obtain through various contracts.
What worries me is not so much the inadequacies of the defenses proposed in the
security section as the absence of emphasis on the need to actually deploy
these defenses. Everything seems to be optional, left to the good will of the
ISP. Experience shows that in these conditions deployments use the most
convenient setup, clear text transmission with little defense in depth. The
security section ends up being so much empty talk designed to placate security
reviewers, playing with words for security without recognizing that
standardizing metadata collection is playing with fire.