Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i2rs-pub-sub-requirements-06: (with DISCUSS and COMMENT)
"Ben Campbell" <ben@nostrum.com> Sun, 15 May 2016 21:17 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F1AF12D538 for <i2rs@ietfa.amsl.com>; Sun, 15 May 2016 14:17:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level:
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSUqwA5Y1ORi for <i2rs@ietfa.amsl.com>; Sun, 15 May 2016 14:17:44 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FE1A12D537 for <i2rs@ietf.org>; Sun, 15 May 2016 14:17:43 -0700 (PDT)
Received: from [10.0.1.18] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id u4FLHdlf095111 (version=TLSv1 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sun, 15 May 2016 16:17:40 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.18]
From: Ben Campbell <ben@nostrum.com>
To: Susan Hares <shares@ndzh.com>, Eric Voit <evoit@cisco.com>
Date: Sun, 15 May 2016 14:17:57 -0500
Message-ID: <E6EC8518-6365-429F-B315-565FE15774F8@nostrum.com>
In-Reply-To: <00a901d1ad2e$f8a21e10$e9e65a30$@ndzh.com>
References: <nidiby0qci3n2ht5drnnsbdo.1462576153656@email.android.com> <9e9692bd22a041ba91e39a9f7dce8c9e@XCH-RTP-013.cisco.com> <00a901d1ad2e$f8a21e10$e9e65a30$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/-Dasr4CrrYL6K6ePvahYJOkWcQk>
Cc: i2rs@ietf.org, Eric Voit <evoit@cisco.com>, i2rs-chairs@ietf.org, Alia Atlas <akatlas@gmail.com>, draft-ietf-i2rs-pub-sub-requirements@ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i2rs-pub-sub-requirements-06: (with DISCUSS and COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 May 2016 21:17:46 -0000
Hi Eric and Sue, Thanks for the change, and I think it's on the right track. But I notice most of the other requirements, in the security considerations section and in other sections, use 2119 keywords. Is there a reason not to do so here? Would it be reasonable to say that any embodiment of these requirements MUST support a transport that provides encryption and integrity protection, and such a transport MUST be used when carrying privacy-sensitive information? Thanks! Ben. On 13 May 2016, at 10:49, Susan Hares wrote: > Eric: > > > > Thanks for jumping in and putting out text that resolves Ben’s > comments. This text works for me with one addition. Add reference to > the security environment draft. > > > > Sue > > > > From: Eric Voit (evoit) [mailto:evoit@cisco.com] > Sent: Friday, May 13, 2016 11:26 AM > To: Susan Hares; Ben Campbell; Alia Atlas (akatlas@gmail.com) > Cc: The IESG; i2rs@ietf.org; > draft-ietf-i2rs-pub-sub-requirements@ietf.org; i2rs-chairs@ietf.org > Subject: RE: [i2rs] Ben Campbell's Discuss on > draft-ietf-i2rs-pub-sub-requirements-06: (with DISCUSS and COMMENT) > > > > Hi Ben, > > > > I have added the text below as the lead-in to section 4.2.5. I > believe this meets the intents of your suggestions below. > > > > Hi Susan & Alia, > > > > I have uploaded v08 of > > https://datatracker.ietf.org/doc/draft-ietf-i2rs-pub-sub-requirements/ > > If Ben concurs with the text below, I am not aware of any remaining > discuss items. > > > > Thanks everyone for your reviews, > > Eric, Alex, & Alberto > > > 4.2.5. Security Requirements > > Some uses of this Subscription Service will push privacy-sensitive > updates and metadata. Good deployment practices will bind this > generated information within secure, encrypted transport layer > mechanisms. For example if NETCONF is used as transport, then > [RFC5539] would be a valid option to secure the transported > information. The Subscription Service can also be used with > emerging > deployment contexts as well. As an example, deployments based on > [i2rs-usecase] can apply these requirements in conjunction with > those > documented within [i2rs-protocol-security] to secure ephemeral > state > information being pushed from a Network Element. > > > > > From: Susan Hares [mailto:shares@ndzh.com] > Sent: Friday, May 06, 2016 7:09 PM > To: Ben Campbell > Cc: Eric Voit (evoit); The IESG; i2rs@ietf.org; > draft-ietf-i2rs-pub-sub-requirements@ietf.org; i2rs-chairs@ietf.org > Subject: Re: [i2rs] Ben Campbell's Discuss on > draft-ietf-i2rs-pub-sub-requirements-06: (with DISCUSS and COMMENT) > > > > Ben: > > > > This is wise idea. I will suggest some text to Eric and you in the > morning. > > > > Sue > > > > > > > > Sent via the Samsung Galaxy Note5, an AT&T 4G LTE smartphone > > -------- Original message -------- > > From: Ben Campbell <ben@nostrum.com> > > Date: 5/6/2016 2:38 PM (GMT-06:00) > > To: Susan Hares <shares@ndzh.com> > > Cc: Eric Voit <evoit@cisco.com>, The IESG <iesg@ietf.org>, > i2rs@ietf.org, draft-ietf-i2rs-pub-sub-requirements@ietf.org, > i2rs-chairs@ietf.org > > Subject: Re: [i2rs] Ben Campbell's Discuss on > draft-ietf-i2rs-pub-sub-requirements-06: (with DISCUSS and COMMENT) > > > > Hi Susan, > > To be clear, I do not object to the wider context per se. My concern > is > that the security and privacy requirements are left as implicit, based > on the more narrow i2rs/netconf context. I only mentioned the > potential > of restricting the contextas one possible way forward; I am certainly > not wedded to it. > > My suggestion for a way forward would be to document the high level > security and privacy requirements in this document. IIUC, the larger > context includes potentially unknown contexts, so some of this may > need > to be conditional. For example, language like the following might be > helpful (this is just an example--I don't mean to say that it is true > or > applicable): > > "Some uses of this mechanism may carry privacy-sensitive > information, > or generate privacy-sensitive metadata through the subscription > mechanism. In contexts where this is true, the following requirements > apply..." > > It might also be reasonable to say that, for the context of i2rs, > these > requirements are documented in [references] and are expected to be > fulfilled by the [transport and or protocol] > > Eric's email also suggested that the actual transport of data from the > Yang datastore may be out of scope for these requirements. I don't > object to that, either, as long as it is clear and explicit, although > it > would be good to point to where it is _in_ scope. > > Thanks! > > Ben. > > On 6 May 2016, at 1:06, Susan Hares wrote: > >> Ben: >> >> This is the first of the "re-use" management protocols. The >> requirements >> are set-up so that we can suggest additions to the NETCONF and >> RESTCONF for >> this first of I2RS. >> >> The I2RS ephemeral work, pub/sub, traceability, and security are >> target at >> the I2RS protocol definition with the I2RS use case. However, since >> these >> are general additions to NETCONF/RESTCONF, this work can be used >> elsewhere. >> >> I think the text you are highlighting has this larger context. Now, >> one of >> the really important things to chat with Alia and Benoit is how do we >> handle >> the wider use case. Do we mention the wider context? >> >> The WG thought mentioning it was important. >> >> Sue >> >> -----Original Message----- >> From: Ben Campbell [mailto:ben@nostrum.com] >> Sent: Thursday, May 05, 2016 5:31 PM >> To: Susan Hares >> Cc: Eric Voit; The IESG; i2rs@ietf.org; >> draft-ietf-i2rs-pub-sub-requirements@ietf.org; i2rs-chairs@ietf.org >> Subject: Re: [i2rs] Ben Campbell's Discuss on >> draft-ietf-i2rs-pub-sub-requirements-06: (with DISCUSS and COMMENT) >> >> On 5 May 2016, at 5:15, Susan Hares wrote: >> >>> Eric, Ben and IESG members: >>> >>> >>> >>> The pub/sub requirements are part of a 5 part requirements. May I >>> quote >>> from the shepherd's report: >>> >>> --------------------- >>> >>> The requirements for the first version of I2RS are: >>> >>> 1) model driven ephemeral state - that is data models that do not >>> survive >>> >>> a software or hardware reboot. >>> >>> https://datatracker.ietf.org/doc/draft-ietf-i2rs-ephemeral-state/ >>> >>> >>> >>> 2) a secure protocol - >>> >>> https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-req >>> uireme >>> nts/ >>> >>> >>> >>> 3) traceability - ability to record interactions between I2RS >>> elements >>> >>> (Client, Agent, Routing system) >>> >>> https://datatracker.ietf.org/doc/draft-ietf-i2rs-traceability/ >>> >>> >>> >>> 4) notification publication via subscription >>> >>> https://datatracker.ietf.org/doc/draft-ietf-i2rs-pub-sub-requirements/ >>> >>> >>> >>> 5) Protocol to pass Data for Analytics >>> >>> The first version of these requirements does not include a >>> >>> separate analytical protocol requirements as the simple use cases >>> may >>> >>> pass information via query/poll or the notifications. >>> >>> >>> >>> The I2RS protocol exists in an secure environment described by: >>> >>> https://datatracker.ietf.org/doc/draft-ietf-i2rs-security-environment- >>> reqs/ >>> >>> >>> >>> ------------------------- >>> >>> >>> >>> Eric - Perhaps it would be good to point to: >>> >>> . draft-ietf-i2rs-protocol-security-requirements and >>> >>> . draft-ietf-i2rs-security-environment-reqs/ >>> >>> >>> >>> Ben - Can you tell me how the shepherd report could have been >>> clearer? >>> The >>> I2rs protocol security requirements require: confidentiality, >>> encryption, secure transport, protection against replay attack, >>> protection against DDoS attack (if possible). >> >> I think my confusion lies in the fact that, while the shepherd's >> writeup >> styles this draft as part of the I2RS protocol requirements, the >> draft >> itself claims to describe requirements for a generally useful pub-sub >> interface to a yang datastore. It's not clear to me how and when the >> I2RS >> protocol security requirements apply to it. If the described >> interface >> is >> intended to be useful in contexts other than I2RS (and the draft >> explicitly >> sets that expectation in 2.2), it needs to talk more generally about >> security and privacy. >> >> For example, it might make sense to say that certain security >> requirements >> apply in environments where the mechanism might carry privacy >> sensitive >> data, and then point to the i2rs requirements for when the mechanism >> is used >> in an I2RS context. >> >> A different approach might be to more tightly constrain this to i2rs >> >>> >>> >>> >>> Ben - On opting in, once the receive accepts a transport connection >>> from the I2RS server - how is this not an opt-in to receive data? >>> What >>> are you looking for? >> >> I guess that depends on the transport. The transport requirements say >> the >> mechanism has to work over multiple transports. The last paragraph in >> 4.2.4 >> says "In the case of connection-oriented transports..." which >> suggests >> that >> non-connection-oriented transports are possible. >> >> Even with a connection-oriented transport, this may depend on how >> connection-management is handled, and whether the receiver might be >> receiving things it _wants_ to receive on the same transport. >> >>> >>> >>> >>> Sue Hares >>> >>> (shepherd) >>> >>> >>> >>> >>> >>> -----Original Message----- >>> From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Eric Voit >>> (evoit) >>> Sent: Wednesday, May 04, 2016 7:25 PM >>> To: Ben Campbell; The IESG >>> Cc: i2rs@ietf.org; draft-ietf-i2rs-pub-sub-requirements@ietf.org; >>> i2rs-chairs@ietf.org; shares@ndzh.com >>> Subject: Re: [i2rs] Ben Campbell's Discuss on >>> draft-ietf-i2rs-pub-sub-requirements-06: (with DISCUSS and COMMENT) >>> >>> >>> >>> Hi Ben, >>> >>> >>> >>> Thanks for the comment. In-line.... >>> >>> >>> >>>> From: Ben Campbell, May 04, 2016 2:49 PM >>> >>>> ---------------------------------------------------------------------- >>> >>>> DISCUSS: >>> >>>> ---------------------------------------------------------------------- >>> >>>> >>> >>>> I have a couple of points I would like to discuss. Hopefully they >>>> can >>> >>>> be resolved >>> >>>> easily: >>> >>>> >>> >>>> Are there really no requirements for privacy or integrity >>>> protection? >>> >>>> Is there an expectation that this mechanism would ever carry >>>> privacy >>> >>>> sensitive or otherwise sensitive information? >>> >>> >>> >>> [eric's comment: >>> >>> When the subscription is established dynamically via an existing >>> transport >>> session (which is expected to be the dominant case) we have the same >>> expectations for Privacy and integrity as would be provided via a >>> "GET" >>> instead of a "PUSH" over the same transport. We could have >>> replicated all >>> these requirements, but that was seen as unnecessary and likely less >>> secure >>> than adopting existing mechanisms. >>> >>> >>> >>> When the Subscriber and Receiver are different, then the transport >>> connection will have credentials passed as part of the >>> establishment. >>> These >>> credentials will be used as a Security Grooming Filter just like the >>> above >>> case so that pushed objects will be excluded from an Update >>> Notification as >>> per the permissions of the Receiver. (I.e., this is identical >>> behavior to >>> the above.) As several people have had questions about this, the >>> new v07 >>> will make this explicit in the Security section. >>> >>> End of eric's comment] >>> >>> >>> >>> Sue: The transport provides for privacy, integrity protection. >>> Most >>> configuration in network boxes would need privacy. >>> >>> >>> >>>> - 4.2.5, 2nd to last paragraph: >>> >>>> I am surprised to find that, when the receiver is not the >>>> subscriber, >>> >>>> that the receiver is expected to opt-out. It seems like some form >>>> of >>> >>>> opt-in or affirmative consent would be needed here. >>> >>> >>> >>> The question really was how heavy-weight should the mechanism be. >>> Transports been considering are all encrypted. So there is already >>> a >>> level >>> of trust between the peers. And a target can always pull down the >>> connection if there are issues. >>> >>> >>> >>> In addition, multicast transports are viable for some future cases. >>> We >>> didn't want mechanisms which complicated this type of interaction, >>> especially in a world where dumb IoT devices may be involved. >>> >>> >>> >>> Sue: If the receiver accepts a secure transport set-up from the >>> server, can >>> you provide the reason why this is not an "opt-in" once it receives >>> the >>> connection from the I2RS agent? >>> >>> >>> >>> >>> >>>> ---------------------------------------------------------------------- >>> >>>> COMMENT: >>> >>>> ---------------------------------------------------------------------- >>> >>>> >>> >>>> - General: I support Stephen's DISCUSS >>> >>>> >>> >>>> -2.2: What is the real scope of this work? Is it expected to >>>> supplant >>> >>>> the mentioned mechanisms? >>> >>> >>> >>> No. It is just showing that many specialized Push mechanism exist. >>> This >>> is not intended to supplant existing mechanisms, although perhaps it >>> can >>> help avoid future dedicated solutions. >>> >>>> - 2.3: "We need a new pub-sub >>> >>>> technology" >>> >>>> The shepherd write up mentioned a goal to use existing >>>> technologies. >>> >>>> Is the point of this sentence to suggest that is not feasible? >>> >>> >>> >>> Existing technologies cannot meet all the requirements specified. >>> There are >>> technology drafts progressing in NETCONF which can. >>> >>> >>> >>>> - 4.1, 4th paragraph: >>> >>>> The MAY doesn't seem right--is this a statement of fact that the >>> >>>> subscriber may have to resubscribe, or a requirement of the form >>>> that >>> >>>> the service MAY force the subscriber to resubscribe? (Be careful >>>> with >>> >>>> MAYs in requirements language--they imply unexpected things. For >>> >>>> example, several requirements say a SUBSCRIBE MAY do something--do >>> >>>> those imply that the service MUST allow the subscriber to do it ?) >>> >>> >>> >>> Good point. Reworded in v07. >>> >>> >>> >>>> -- 4.2.2, third bullet: The previous section said dampening periods >>> >>>> MUST be supported. >>> >>> >>> >>> Yes, but dampening is never for periodic subscriptions. >>> >>>> - 4.2.1, third paragraph: This is a bit ambiguous. I think it means >>>> to >>> >>>> change the what subtrees the subscription applies to, but could be >>> >>>> interpreted to change the subtrees themselves. >>> >>> >>> >>> Fixed >>> >>>> - 4.2.6.4: Would a mechanism that allowed out-of-order delivery but >>> >>>> gave the subscriber a way to reconstruct the order fulfill this >>> requirement? >>> >>> >>> >>> Yes, the timestamp within an update. But this requirement targets a >>> specific object in a specific subscription. So there should be no >>> issues. >>> >>>> Nits: >>> >>>> - The shepherd write up suggests this is standards track. The draft >>> >>>> and tracker both say informational. Please update the shepherd writ >>>> up. >>> >>> >>> >>> Fixed >>> >>>> -3, last paragraph: What's the difference between a "Push" and an >>> "Update"? >>> >>> >>> >>> Reworded >>> >>>> -4.1: A forward reference to the subscription QoS section would be >>> helpful. >>> >>> >>> >>> Moved the requirement in question to 4.2.6. >>> >>>> -- Last paragraph, last sentence: Sentence doesn't parse. >>> >>> >>> >>> Fixed >>> >>>> >>> >>>> - 4.2.8, third paragraph: I don't think that should be a 2119 MAY >>> >>> >>> >>> Fixed >>> >>> Thanks again for the review! >>> >>> Eric >>> >>> _______________________________________________ >>> >>> i2rs mailing list >>> >>> <mailto:i2rs@ietf.org> i2rs@ietf.org >>> >>> <https://www.ietf.org/mailman/listinfo/i2rs> >>> https://www.ietf.org/mailman/listinfo/i2rs
- [i2rs] Ben Campbell's Discuss on draft-ietf-i2rs-… Ben Campbell
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Eric Voit (evoit)
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Ben Campbell
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Susan Hares
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Eric Voit (evoit)
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Ben Campbell
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Ben Campbell
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Eric Voit (evoit)
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Susan Hares
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Ben Campbell
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Susan Hares
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Eric Voit (evoit)
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Susan Hares
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Eric Voit (evoit)
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Susan Hares
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Ben Campbell
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Eric Voit (evoit)
- Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Ben Campbell