Re: [i2rs] WG adoption - draft-hares-i2rs-auth-trans-04 (8/17 to 8/31)
"Susan Hares" <shares@ndzh.com> Thu, 27 August 2015 16:17 UTC
Return-Path: <shares@ndzh.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B59701AC3E2; Thu, 27 Aug 2015 09:17:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.555
X-Spam-Level:
X-Spam-Status: No, score=-96.555 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001, J_CHICKENPOX_111=0.6, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wjcNrZRwrLoQ; Thu, 27 Aug 2015 09:17:29 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web3.hickoryhill-consulting.com [64.9.205.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEB1B1B2B61; Thu, 27 Aug 2015 09:17:27 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=174.124.171.7;
From: Susan Hares <shares@ndzh.com>
To: i2rs@ietf.org
Date: Thu, 27 Aug 2015 12:17:23 -0400
Message-ID: <003001d0e0e3$db99eb80$92cdc280$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0031_01D0E0C2.548B58C0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdDg42cE3NvT5OZVTXW/wutHXrRCrw==
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/TUwovHLGnh8gJb8EuNujp-n79LE>
Cc: 'Netconf' <netconf@ietf.org>
Subject: Re: [i2rs] WG adoption - draft-hares-i2rs-auth-trans-04 (8/17 to 8/31)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 16:17:32 -0000
NETCONF and I2RS mail group: http://datatracker.ietf.org/doc/draft-hares-i2rs-auth-trans/ Russ Housley, a member of the security directorate, kindly provided reviews for this document, and the document has been changed in response to this review to a version -05. I believe these document addresses all of NETCONF WG questions from IETF 93. There are three sections below: 1) Specific response to NETCONF questions/concerns, 2) Why identity has been changed to Identifier in the draft, 3) New text for REQ-03, REQ-04, and REQ-10 which Juergen found was confusing. I want to thank Juergen and Russ for their excellent reviews. Sue Hares ============== NETCONF Concerns at IETF 93 1) Requirement 8 - is a security requirement. >> = Sue >> 1) Is REQ-8 a security requirement? >> >> o SEC-REQ-08: Each Identity is associated with one secondary >> identity during a particular read/write sequence, but the >> secondary identity may vary during the time a connection between >> the I2RS client and I2RS agent is active. The variance of the >> secondary identity allows the I2rs client to be associated with >> multiple applications and pass along an identifier for these >> applications in the secondary identifier. >[Russ] Yes, if that identity is going to be used to make the access control decision. 2) Requirement 12 is a security requirement for the protocol. >> 2) Is REQ-12 - a security requirement for a protocol? NETCONF asked >> this of I2RS. > > SEC-REQ-12: The I2RS Client and I2RS Agent protocol SHOULD implement > mechanisms that mitigate DoS attacks >Yes. For example, the IKE cookie mechanism is only there to make it much more > expensive the an attacker to implement DDoS. They can't fire and forget. They need to > keep state and hang around for at least 1.5 round trips. 3) Multiple message sequences do not belong in protocols [section 2.4.1] [Russ]: There might be some protocol issues to assist keep things atomic, but I agree it i not a security issue. 4) Why support an insecure protocol? >> [Sue] Are you Ok with REQ-09 specifying a non-secure transport as an option? [Russ]: The security considerations need to be clear what the consequences are if this option is selected. Editorial: 1) Russ agreed that Requirement 3 and 4 - were unclear, 2) Russ agreed that requirement 10 was ambiguous. These requirement have been rewritten. (see below). Other changes Joel suggested that "identity" is better stated as Identifier, and I agree. This change has been made through-out the document. Changes to requirements 3, 4, and 10 o SEC-REQ-03:An I2RS agent, upon receiving an I2RS message from a I2RS client, MUST confirm that the I2RS client has a valid identifier. o SEC-REQ-04: The I2RS client, upon receiving an I2RS message from an I2RS agent, MUST confirm the I2RS agent's identifier . SEC-REQ-10: A secure transport MUST be associated with a key management solution that can guarantee that only the entities having sufficient privileges can get the keys to encrypt/decrypt the sensitive data. Per BCP107 [RFC4107] this key management system SHOULD be automatic, but MAY BE manual if the following constraints from BCP107: a)environment has limited bandwidth or high round-trip times, b)the information being protected has a low value and c)the total volume over the entire lifetime of the long-term session key will be very low, d)the scale of the deployment is limited. Most I2RS environments (I2RS Client - I2S Agents) will not have this environment, but a few I2RS use case provide limited non-secure light-weight telemetry messages that have these requirements. An I2RS data model must indicate which portions can be served by manual key management.
- [i2rs] WG adoption - draft-hares-i2rs-auth-trans-… Susan Hares
- Re: [i2rs] WG adoption - draft-hares-i2rs-auth-tr… Daniel Migault
- Re: [i2rs] WG adoption - draft-hares-i2rs-auth-tr… Susan Hares
- Re: [i2rs] WG adoption - draft-hares-i2rs-auth-tr… Susan Hares