Re: [Gen-art] Gen-ART review of draft-ietf-i2rs-problem-statement-04
Alia Atlas <akatlas@gmail.com> Tue, 06 January 2015 21:17 UTC
Return-Path: <akatlas@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D44D71A7033; Tue, 6 Jan 2015 13:17:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GbmzAdaGaIDT; Tue, 6 Jan 2015 13:17:19 -0800 (PST)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DC241A86E8; Tue, 6 Jan 2015 13:17:16 -0800 (PST)
Received: by mail-yk0-f175.google.com with SMTP id 200so34726ykr.20; Tue, 06 Jan 2015 13:17:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=EWXaN/QLODnKUB9QsSyHPq7apM/or5qF3ge/liJTtvs=; b=YGtiFtitb/1KtP3TkFjz7GnV6XJlLq4gi6A4PsU2I6xmUcx0c2mc6WpNSMsweTl54K 2Dvx3neVkfHLVh0WyTB9pFt9SOz9JfBsRXbNY1hfX9yyTX3FxBFO+rcrT9VRi7EZaAah TlaA69RkAtlPnu2sUu7K6cns9iEVswnAKUaGlbYJrZuI6i+XIXy5PZorsPjIxhVzWBHv nqQfqiGeD/Zlp6+zUZnvxH4Jyv3KSkIH2Oh0DE638WMeufZKcGEpXHyKYD712x6CLPpC DkHv7wEJEC2UjjLC62LYp1qhEtQi/aIHJeokfrqGma+0SSjM1cHpZi5VG8dEG9hi0mwd mA7A==
MIME-Version: 1.0
X-Received: by 10.236.23.228 with SMTP id v64mr15860760yhv.25.1420579035501; Tue, 06 Jan 2015 13:17:15 -0800 (PST)
Received: by 10.170.133.18 with HTTP; Tue, 6 Jan 2015 13:17:15 -0800 (PST)
In-Reply-To: <13F5C878-743C-41F4-AFCE-F3766D7BE0C4@vigilsec.com>
References: <13F5C878-743C-41F4-AFCE-F3766D7BE0C4@vigilsec.com>
Date: Tue, 06 Jan 2015 16:17:15 -0500
Message-ID: <CAG4d1rfQQ5sixz1c+5SThT-6rzC4ui2RwHq2e=PLg7yGOVg8aA@mail.gmail.com>
From: Alia Atlas <akatlas@gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="089e01229e7ec95a82050c0254ac"
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/0PMgrFHkwJqIEdHbmGb-kGu7oU8
Cc: "i2rs@ietf.org" <i2rs@ietf.org>, IETF Gen-ART <gen-art@ietf.org>, draft-ietf-i2rs-problem-statement.all@ietf.org
Subject: Re: [Gen-art] Gen-ART review of draft-ietf-i2rs-problem-statement-04
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jan 2015 21:17:23 -0000
Hi Russ, Thanks for the review. Responses in-line. On Fri, Dec 12, 2014 at 9:53 AM, Russ Housley <housley@vigilsec.com> wrote: > I am the assigned Gen-ART reviewer for this draft. For background on > Gen-ART, please see the FAQ at > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > This review is in response to a request for early Gen-ART review. > > Document: draft-ietf-i2rs-problem-statement-04 > Reviewer: Russ Housley > Review Date: 2014-12-11 > IETF LC End Date: unknown > IESG Telechat date: unknown > > Summary: Almost Ready. > > Major Concerns: > > Section 5 says, "Data written can be owned by different I2RS clients." > The intended consequences are unclear. I assume that the data written > by one client cannot be rewritten by another client. However, I can > imagine some situations where the same data object might be written by > more than one client at different times. Please add some language to > say whether this situation is within scope or not. > It is possible for the same data object to be written by more than one client at different times; conflicts are resolved by priority. The details of how this are handled are described in draft-ietf-i2rs-architecture, which, quite reasonably, you many not have read. I have changed the text to read: " Data written can be owned by different I2RS clients at different times; data may even be overwritten by a different I2RS client. The details of how this should be handled are described in [draft-ietf-i2rs-architecture]." Section 5 includes a requirement for multi-channel. I would expect > policy to dictate that some requests, especially ones that impact the > whole router, come from a specific source. This might require that > the request arrive on a particular port or that it be authenticated in > a particular manner. Can more be said about the policy controls here? > In the problem statement? We do have "Secure Control: Any ability to manipulate routing state must be subject to authentication and authorization. Such communications must also have its integrity protected" It's important for most writable state. I could add a reference to the architecture again, but I'm not convinced that it is needed. These are different aspects that need to pull together into a single protocol - and the secure control with associated policy is definitely part of that. > Section 8 seems very thin to me. There are some lessons from MIBs > documented here: www.ops.ietf.org/mib-security.html. I think that > some of this extrapolates to this document, but I do not think that > a pointer to those guidelines is the best way forward. > You are right. I will add a reference to draft-ietf-i2rs-architecture, which has an extensive section discussing security. I've pulled a couple key concepts from there as well - since I think they are worth highlighting. "Security is a key aspect of any protocol that allows state installation and extracting of detailed router state. The security considerations are discussed in [draft-ietf-i2rs-architecture]. Briefly, the I2RS Agent is assumed to have a separate authentication and authorization channel by which it can validate both the identity and the permissions associated with an I2RS Client. Mutual authentication between the I2RS Agent and I2RS Client is required. Different levels of integrity, confidentiality, and replay protection are relevant for different aspects of I2RS." Minor Concerns: > > The document talks about the IESG statement issued on 2 March 2014. > Please add a reference, which is probably best done with a URL. > Done > Section 5 says that the ability to manipulate routing controls is > "subject to authentication and authorization." This is highly desirable. > Can we go a little bit further? Is it like root on a Unix box, or is > the authorization more granular? Are there known roles that must be > supported? > It is intended to be more granular and the expectation is that there are multiple roles - but the details of those roles aren't defined in the problem-statement or even the architecture. Given the updated security considerations section, I'd rather not specify too much here. > Other Comments: > > Section 5 says: "Such communications must also have its integrity > protected." I do not know how to do authentication without also > providing integrity, so this is really implied by the previous > sentence. That said, I suggest the following wording: "Such > communications must be integrity protected." > Sure - change made. I'll publish an updated version very soon (today/tomorrow) after I've dealt with outstanding comments. Thanks again for your review! Alia
- [Gen-art] Gen-ART review of draft-ietf-i2rs-probl… Russ Housley
- Re: [Gen-art] Gen-ART review of draft-ietf-i2rs-p… Alia Atlas