Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

"Joel M. Halpern" <jmh@joelhalpern.com> Wed, 17 August 2016 22:08 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 695EF12D7F5; Wed, 17 Aug 2016 15:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.722
X-Spam-Level:
X-Spam-Status: No, score=-2.722 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j4SY5cBegn7J; Wed, 17 Aug 2016 15:08:57 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2BAB12D7EC; Wed, 17 Aug 2016 15:08:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id B29221C0038; Wed, 17 Aug 2016 15:08:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=1.tigertech; t=1471471730; bh=p3pnxMNVX/Hl6RWAzl1TOXJHfLyK/viw2bzkqxPNMi0=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=Mq5l0BI9DCZS4VYsQMjpYUWzEBFf3X7+X5UxuXur1dlgrPL0pGHA+bnSrrVZSiF7g /SFK7ncCPkfHKyad6ZAnh0ZPLNUj7XADLYF7N+kuktxVUje62t5xKKb1DKWnEbLs+u t7gcXKPsX7Vf9LRwauBa5kzwevZYfmS0yiX0Y9HI=
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (209-255-163-147.ip.mcleodusa.net [209.255.163.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id EA12D1C028D; Wed, 17 Aug 2016 15:08:49 -0700 (PDT)
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
References: <147146974235.23784.4389421535496134619.idtracker@ietfa.amsl.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <fd884322-2b76-ba3f-7cf1-8ce81085dc06@joelhalpern.com>
Date: Wed, 17 Aug 2016 18:10:37 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <147146974235.23784.4389421535496134619.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/TiFLmp5c-a9kbRIvjx8bb5RDQHc>
Cc: jhaas@pfrc.org, i2rs@ietf.org, i2rs-chairs@ietf.org, draft-ietf-i2rs-protocol-security-requirements@ietf.org
Subject: Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 22:08:59 -0000

In line, I hope answering the questions.
Yours,
Joel


On 8/17/16 5:35 PM, Kathleen Moriarty wrote:
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-i2rs-protocol-security-requirements-07: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Thanks for your work on this draft.  There may be some overlap in points,
> I tried to minimize them...
> ----
> Section 3.1:
>
> I don't see any actual requirements for mutual authentication in this
> section, just requirements for identifiers.  Did I miss something?

The second bullet in section 3.1 (Mutual Authentication) is about 
mutually authenticating.  The verbiage was chosen by the more 
security-experienced writer, so the co-authors assumed it was 
sufficient.  If you can suggest better words, we are happy to change it.

>
> Are all mutual auth schemes in scope?  Are there any considerations for
> mutual authentication (passwords, keys, etc.)?

I2RS does not have any constraints that we know of on the mutual 
authentication scheme used.  The I2RS protocol may have some constraints 
or assumptions, but this document does not place any such.

> ----
> I share the same concern as others for secure transport, but since there
> are already discusses on that, I have one comment to add to the existing
> discusses below.
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Section 3:
> Can you clarify the second to last sentence?  Do you mean there are
> sections that indicate an insecure transport should be used?
>
>    I2RS allows the use of an
>    insecure transport for portions of data models that clearly indicate
>    insecure transport.
>
> Perhaps:
>    I2RS allows the use of an
>    insecure transport for portions of data models that clearly indicate
> the use of an
>    insecure transport.

The ephemeral state document has wording that has been worked out 
carefully on how much we are mandating about the specificity of allowing 
non-secure transport.  Since this document points there, how specific do 
we need to be here?  (And do folks think that needs to be considered a 
normative reference?  We can do that if needed.)

> ----
> Section 3.2
> I agree with Alissa's discuss point on the following sentence (that could
> also be reworded a bit):
>    A non-secure transport can be can be used for publishing telemetry
>    data or other operational state that was specifically indicated to
>    non-confidential in the data model in the Yang syntax.
> ----
> Section 3.4: In the following text:
>    SEC-REQ-15: The integrity that the message data is not repeated means
>    that I2RS client to I2RS agent transport SHOULD protect against
>    replay attack
>
> I'm not sure why this just doesn't say:
>    SEC-REQ-15: I2RS client to I2RS agent transport SHOULD protect
> against
>    replay attack
>
> The additional text doesn't add anything and sounds a bit confusing.

As per Ben's comments, I think this will get cleaned up.  As you 
observe, it is overly verbose at the moment.


> ----
> Nit:
>
> I'm not sure these definitions add any value as they seem to restate the
> term defined:
>
>    I2RS protocol data integrity
>
>       The transfer of data via the I2RS protocol has the property of
>       data integrity described in [RFC4949].
>
>    I2RS component protocols
>
>       Protocols which are combined to create the I2RS protocol.
> -----
>
> I also agree that the definitions from 4949 should be removed.
>
> Thank you in advance.
>
>
> _______________________________________________
> i2rs mailing list
> i2rs@ietf.org
> https://www.ietf.org/mailman/listinfo/i2rs
>