Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

"Susan Hares" <> Thu, 18 August 2016 13:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8303F12DEB2; Thu, 18 Aug 2016 06:50:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.738
X-Spam-Level: *
X-Spam-Status: No, score=1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, RDNS_NONE=0.793] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rlUfIyK8k5Pi; Thu, 18 Aug 2016 06:50:38 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0823912DEC6; Thu, 18 Aug 2016 06:50:37 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=;
From: "Susan Hares" <>
To: "'Kathleen Moriarty'" <>
References: <> <013b01d1f8ee$31fa09b0$95ee1d10$> <>
In-Reply-To: <>
Date: Thu, 18 Aug 2016 09:49:34 -0400
Message-ID: <062f01d1f957$5b540900$11fc1b00$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIa7Lz6VgZw6h2A0uGNzOgAA2Ic8QJ/RF5yAoBVGeiflNEcgA==
Content-Language: en-us
Archived-At: <>
Cc: 'Jeffrey Haas' <>,,, 'The IESG' <>,
Subject: Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Aug 2016 13:50:39 -0000

-----Original Message-----
From: i2rs [] On Behalf Of Kathleen Moriarty
Sent: Thursday, August 18, 2016 9:18 AM
To: Susan Hares
Cc: Jeffrey Haas;; The IESG;;
Subject: Re: [i2rs] Kathleen Moriarty's Discuss on
draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and

Hi Sue,

Thanks for your quick response.  inline

On Wed, Aug 17, 2016 at 9:16 PM, Susan Hares <> wrote:
> Kathleen:
> Thank you for your comments.  Please see the inline comments below.  I
will be uploading a version -08.txt that will resolve some of these
> Sue
> -----Original Message-----
> From: Kathleen Moriarty []
> Sent: Wednesday, August 17, 2016 5:36 PM
> To: The IESG
> Cc:; Jeffrey 
> Haas;;;
> Subject: Kathleen Moriarty's Discuss on 
> draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and 
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-i2rs-protocol-security-requirements-07: Discuss
> When responding, please keep the subject line intact and reply to all 
> email addresses included in the To and CC lines. (Feel free to cut 
> this introductory paragraph, however.)
> Please refer to 
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> uirements/
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Thanks for your work on this draft.  There may be some overlap in points,
I tried to minimize them...
> ----
>>>Section 3.1:
>>>I don't see any actual requirements for mutual authentication in this
section, just requirements for identifiers.  Did I miss something?
>> No, there are no additional requirements.  We only have requirements for
identifiers.   Do you have a suggestion for improved language.

>From your response & Joel's, I see bullet #2 is the only one that
>calls out the need for mutual authentication and it just states that with
no additional details.  That is fine, but the subject for section
>3.1 should be something more like authentication and identifiers to
represent the content better.

Any suggestions on the header you would like to see? 

>> Are all mutual auth schemes in scope?  Are there any considerations for
mutual authentication (passwords, keys, etc.)?
>> All mutual identification schemes are in scope.  Is there a reason we
should restrict the mutual authentication schemes to a subset.

>You don't have to, but the header of the section makes me think this is
going to happen in the section.  Maybe setting a baseline would be good if
possible. Not using passwords - so > a secure form of mutual authentication
would be good if the requirements are only high level.

Can you please suggest text for a removal of using passwords? 

> ----
>>I share the same concern as others for secure transport, but since there
are already discusses on that, I have one comment to add to the existing
discusses below.
> You have a concern regarding the secure transport?

KM: Yes, the wording that allows for insecure transport.  Same concern
expressed by other ADs.

SH: My understanding is that other people had a concern regarding the
insecure transport.   I have provide an example of the BGP data feed
utilized by project.

KM: Aren't you concerned about the integrity of this data?

SH:  Let me answer this from the operators feedback that causes this input. 
Some operators state, I will run everything over secure transport. 
Other operators state, I want to have light weight clients that will 
receive certain types of information via insecure transport. 
The light-weight client will have caveats (insecure transport, could be
and then present the information. 

The argument within the WG was strong from operators for this second case,
we made the decision to include the insecure data stream.   We can limit
second case to unique data models (due to the mount addition to
which can be mounted.   We could expand this to specific events. 

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
>>> Section 3:
>>> Can you clarify the second to last sentence?  Do you mean there are
sections that indicate an insecure transport should be used?
>>>   I2RS allows the use of an
>>>  insecure transport for portions of data models that clearly indicate  
>>> insecure transport.
>>>  Perhaps:
>>>  I2RS allows the use of an
>>>  insecure transport for portions of data models that clearly indicate 
>>> the use of an  insecure transport.
>> Changed to :
>> I2RS allows the use of an insecure transport for portions of data 
>> models that clearly indicate the use of an insecure transport. 
>> Operators deploying I2RS must determine if they want to populate and
deploy the portions of the data model which use insecure transports.

>I don't agree with the data model setting the transport requirements.
>If this is done, it should be an experiment IMO.

What does experimental mean in a re-use protocol requirements?  
Does it mean that the NETCONF/RESTCONF does not have to it functional? 
Does it mean that we indicate this function is experimental and needs to be 
reviewed again?  If so, what are the criteria for the experiment to be

If experimental has the following constraint: 
1) NETCONF/RESTCONF must provide both standards and experimental features in
a design,  
2) I2RS protocol may use standard and experimental features to judge a
protocol fits I2RS protocol needs, 
3) I2RS will write-up a document indicating what tests will be used to deem
that the experimental features are ready for protocol standardization. 

> ----
>> Section 3.2
>> I agree with Alissa's discuss point on the following sentence (that could
also be reworded a bit):
>>  A non-secure transport can be can be used for publishing telemetry  
>> data or other operational state that was specifically indicated to  
>> non-confidential in the data model in the Yang syntax.
> I would appreciate a recommended set of text or additional explanation on
what you would like to see in rewording.

> I'll have to look through Alissa's discuss, but isn't integrity a concern
if confidentiality and privacy are not?  I'm sure once this type of text is
altered and used to make important 
> decisions, this will come back to bite us.

Of course, integrity is desired. The non-secure transport is looking to
provide public information for a light-weight client.  Operators have
indicated a light-weight I2RS client will use this point.  The challenge
will be to have a light-weight integrity.    

> ----
>>>Section 3.4: In the following text:
>>>   SEC-REQ-15: The integrity that the message data is not repeated means
>>>   that I2RS client to I2RS agent transport SHOULD protect against
>>>   replay attack
>>>I'm not sure why this just doesn't say:
>>> SEC-REQ-15: I2RS client to I2RS agent transport SHOULD protect 
>  > replay attack
>>The additional text doesn't add anything and sounds a bit confusing.
>> Sue: Is this ok.  It will be changed

> KM: Thanks.

Sue: Please verify you have what you want in the -08.txt 

> ----
> Nit:
> I'm not sure these definitions add any value as they seem to restate the
term defined:
>>   I2RS protocol data integrity
>>    The transfer of data via the I2RS protocol has the property of
>>    data integrity described in [RFC4949].
> Deleted
>>   I2RS component protocols
>>    Protocols which are combined to create the I2RS protocol.
> Please suggest alternative text for this section.

KM: I think it is self explanatory.  But if that's just me, leave the
definition in.
Sue:  Other people did not find it self-explanatory. 

> -----
>> I also agree that the definitions from 4949 should be removed.
>> Thank you in advance.
> These definition have been removed.  I will provide feedback if this
removal cause problems in the creation of the protocol.

Sue: You are welcome. 

Thank you,


Best regards,

i2rs mailing list