Re: [i2rs] Alvaro Retana's No Objection on draft-ietf-i2rs-protocol-security-requirements-07: (with COMMENT)

"Susan Hares" <shares@ndzh.com> Thu, 18 August 2016 03:04 UTC

Return-Path: <shares@ndzh.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC2A712D548; Wed, 17 Aug 2016 20:04:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.738
X-Spam-Level: *
X-Spam-Status: No, score=1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, RDNS_NONE=0.793] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUzYTLT1RSXt; Wed, 17 Aug 2016 20:04:24 -0700 (PDT)
Received: from hickoryhill-consulting.com (unknown [50.245.122.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A97012B041; Wed, 17 Aug 2016 20:04:24 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=174.124.169.225;
From: "Susan Hares" <shares@ndzh.com>
To: "'Alvaro Retana \(aretana\)'" <aretana@cisco.com>, "'The IESG'" <iesg@ietf.org>
References: <147148520752.23682.12743310118152055665.idtracker@ietfa.amsl.com> <000001d1f8f9$490933a0$db1b9ae0$@ndzh.com> <D3DA8AFF.13A8E7%aretana@cisco.com>
In-Reply-To: <D3DA8AFF.13A8E7%aretana@cisco.com>
Date: Wed, 17 Aug 2016 23:03:23 -0400
Message-ID: <000a01d1f8fd$157d1bb0$40775310$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJc/Nj7gQdXELJSuw4AgM5RmU8YzwL7CBnjApNgb5ifC4utIA==
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/SFaq7HsxskshLNW5248pZUSlC2s>
Cc: 'Jeffrey Haas' <jhaas@pfrc.org>, i2rs@ietf.org, i2rs-chairs@ietf.org, draft-ietf-i2rs-protocol-security-requirements@ietf.org
Subject: Re: [i2rs] Alvaro Retana's No Objection on draft-ietf-i2rs-protocol-security-requirements-07: (with COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 03:04:26 -0000

Alvaro: 

How about the following for the introduction to section 3:

The security for the I2RS protocol requires mutually authenticated I2RS
clients
and I2RS agents. The I2RS client and I2RS agent using the I2RS protocol MUST
be able to exchange 
data over a secure transport.  Optionally, the I2RS Client and I2RS agent
MAY operate
on a non-secure transport to transfer a specific set of non-confidential
data 

I think this matches SEC-REQ-08 

SEC-REQ-08: The I2RS protocol MUST be able to transfer data over a
   secure transport and optionally MAY be able to transfer data over a
   non-secure transport.  A secure transport MUST provide data
   confidentiality, data integrity, and replay prevention.

The default I2RS transport is a secure transport. 

A non-secure transport can be used for publishing telemetry data 
or other operational state that was specifically indicated to
non-confidential in the data model in the Yang syntax.  
Anything not specifically marked as "non-confidential" MUST 
be transmitted over a secure transport connection. 

The configuration of ephemeral data in the I2RS Agent by the 
I2RS client SHOULD be done over a secure transport. It is anticipated
that the passing of most I2RS  ephemeral state operational 
status SHOULD be done over a secure transport.  
As draft-ietf-i2rs-ephemeral-state  notes
data model MUST indicate whether the transport
exchanging the data between I2RS client and I2RS agent is 
secure or insecure. The default mode of transport is 
secure so data models SHOULD clearly annotate what data nodes can 
be passed over an insecure connection.

What do you think? 


For SEC-REQ-05, I re-read it now and it is redundant.  I changed to: 

SEC-REQ-05: Identifier distribution and the loading of these identifiers
into I2RS agent
 and I2RS Client SHOULD occur outside the I2RS protocol prior to the 
 I2RS protocol establishing a connection between I2RS client and I2RS agent.

 (One mechanism such mechanism is AAA protocols.)

What do you think? 

These will be uploaded in a version -09.txt 

Sue 

-----Original Message-----
From: Alvaro Retana (aretana) [mailto:aretana@cisco.com] 
Sent: Wednesday, August 17, 2016 10:53 PM
To: Susan Hares; 'The IESG'
Cc: 'Jeffrey Haas'; i2rs@ietf.org; i2rs-chairs@ietf.org;
draft-ietf-i2rs-protocol-security-requirements@ietf.org
Subject: Re: Alvaro Retana's No Objection on
draft-ietf-i2rs-protocol-security-requirements-07: (with COMMENT)

On 8/17/16, 9:36 PM, "iesg on behalf of Susan Hares"
<iesg-bounces@ietf.org on behalf of shares@ndzh.com> wrote:

Sue:

Hi!

...
>
>>I think there is a contradiction between SEC-REQ-09 ("The I2RS 
>>protocol MUST be able to transfer data over a secure transport and 
>>optionally MAY be able to transfer data over a >non-secure transport") 
>>and this text from Section 3. (Security-Related Requirements): "ŠMUST 
>>be able to exchange data over a secure transport, but some functions 
>>may operate
>>>on a non-secure transport."  The latter text talks bout "some 
>>>functions" using a non-secure transport, while SEC-REQ-09 implies 
>>>that everything may use it.
>
>I do not see the contradiction in -08.txt.
>
>"The I2RS client and I2RS agent using the I2RS protocol MUST be able to 
>exchange data over a secure transport, but some functions may operate 
>on a non-secure transport."
>
>This says the I2RS client and I2RS agent must support using the I2RS 
>protocol over a security transport, but I2RS client software and I2RS 
>agent software may operate on non-secure transport.

-08 still has these two pieces of text:

"SEC-REQ-08: The I2RS protocol MUST be able to transfer data over a secure
transport and optionally MAY be able to transfer data over a non-secure
transport."


...and...

>From Section 3: "...MUST be able to exchange data over a secure 
>transport,
but some functions may operate on a non-secure transport."


Again, the difference is that the latter text mentions "some functions"
(which seems in line with the changes you made in this version to highlight
that not everything could be run over an insecure transport), while
SEC-REQ-08 basically says that the i2rs protocol MAY be run over non-secure
transport -- but it doesn't limit the i2rs protocol to some functions or
some type or information.



>
>
>Other comments from Section 3.1. (Mutual authentication of an I2RS 
>client and an I2RS Agent)
>
>>-- The text says that the "I2RS architecture 
>>[I-D.ietf-i2rs-architecture] sets the following requirements".  I'm 
>>not sure what you mean my "sets", as there are no requirements  
>>labeled as such) in the architecture document.  If there are, then 
>>this section doesn't seem to be needed (as others have mentioned).  
>>Maybe "these requirements are derived  from the architecture", or 
>>something similar may be more appropriate.
>
>You are correct, the I2RS architecture does not label such requirements.
>
>We got into discussing a strawman protocol, and we found we needed to 
>restate the I2RS architecture documents design in the specific
>requirements listed now in version 8 as:  SEC-REQ-01 to SEC-REQ-07.   In
>this case the restatement is useful (see Joel's comment).  Do you have 
>a suggestion for another term than "sets".

See above.


...
>
>
>>  SEC-REQ-05 and SEC-REQ-06 sound the same to me.  What is the 
>>difference?  BTW, if there is a difference, instead of "IETF" I think 
>>that "standardized" may be better.
>
>Merged these into one in version -08.txt .  Let me know what you think 
>of the merge.

Now the single requirement just sounds redundant...

Thanks!

Alvaro.