Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

Jeffrey Haas <> Thu, 25 August 2016 13:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 71B3512B04E; Thu, 25 Aug 2016 06:05:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id djp4TRnlgPVN; Thu, 25 Aug 2016 06:05:36 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5F9CB12B018; Thu, 25 Aug 2016 06:05:36 -0700 (PDT)
Received: by (Postfix, from userid 1001) id 315851E32B; Thu, 25 Aug 2016 09:06:18 -0400 (EDT)
Date: Thu, 25 Aug 2016 09:06:18 -0400
From: Jeffrey Haas <>
To: Susan Hares <>, 'Andy Bierman' <>,, 'Alissa Cooper' <>,, 'Kathleen Moriarty' <>, 'IESG' <>, 'Joel Halpern' <>, 'Lou Berger' <>,
Message-ID: <>
References: <003801d1f97f$3d16eb10$b744c130$> <20160819085756.GA6759@elstar.local> <01e501d1fa07$6d613fe0$4823bfa0$> <> <027a01d1fa12$3879b270$a96d1750$> <> <> <> <000d01d1fd74$53dcd4b0$fb967e10$> <20160824152437.GC17330@elstar.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160824152437.GC17330@elstar.local>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <>
X-Mailman-Approved-At: Fri, 26 Aug 2016 04:18:15 -0700
Subject: Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Aug 2016 13:05:37 -0000


On Wed, Aug 24, 2016 at 05:24:37PM +0200, Juergen Schoenwaelder wrote:
> I fail to understand why it makes a difference whether something is
> accessed via pub/sub or in a more traditional way. We need to look at
> this from an architectural point of view. And I am a big fan of the
> separation of mechanism from policy [1].

The main i2rs use case is pub-sub.  I personally have no objection if the
use of such a mechanism is made general and is tied to the security
properties of the transport rather than the transport type.

> The question what can be sent over an insecure transport is a policy
> decision of a specific deployment and hard-coding such policies
> statically in a data model scares me. SNMP got this piece right since
> SNMP left it to the access control subsystem to take the decision and
> thus policies could be flexible.

In my opinion, SNMP is often improperly secured since the mechanisms
provided to lock down sensitive objects puts too much onus on the users
to "get it right".  This is made particularly difficult by the lack of
machine parseable hints in SMIv2 and requires the users to dig through
conformance statements, textual conventions and security considerations of
the underlying document which may not even be available in the extracted

I will concede that by starting with "we're secure by default", a number of
such headaches with regard to the security of objects is remediated.  What
is missing is the ability to make it easy to expose objects that have less

> If there is a need to document common policies that certain
> applications may find useful, then simply write them down as NACM
> rules in XML. (The only little issue is that NACM today does not know
> whether a request came via a non-secure transport since it assumes
> there are only secure transports. But this seems to be fixable and
> required to fix if NETCONF indeed introduces non-secure transports.)

Presume NACM gained visibility into the security profile of a transport.

What would such common policies look like?  Where do they get published?
Can we make them machine extractable so they can be loaded onto routers as a
default profile for a given presumed security level?

My suspicion is much of such a profile would simply reduce to "the following
nodes are permitted to be covered by the lower security profile".  Having
markup in the yang to permit extraction by NACM without explicit enumeration
in a per-module fashion helps quite a bit.

-- Jeff