Re: [i2rs] Alissa Cooper's Discuss on draft-ietf-i2rs-protocol-security-requirements-06: (with DISCUSS and COMMENT)
stephen.farrell@cs.tcd.ie Wed, 17 August 2016 18:24 UTC
To: alissa@cooperw.in
From: stephen.farrell@cs.tcd.ie
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/YYwuJ2zv1C8DES5gCTwwHmYQ8zY>
Cc: i2rs@ietf.org, i2rs-chairs@ietf.org, akatlas@gmail.com, iesg@ietf.org,
jhaas@pfrc.org, draft-ietf-i2rs-protocol-security-requirements@ietf.org

Hiya,

I'm on vacation so won't be balloting this week and I only had a quick flick of this, but if I'd had time for a proper read I think I'd be asking how realistic are these requirements, possibly as a discuss ballot.

If someone wanted to hit defer and blame me (sorry I don't have the right devices with me to do that) that'd be good. But if this draft is time-critical for the WG then please ignore the above.

S.

On Wed Aug 17 19:02:09 2016 GMT+0200, Alissa Cooper wrote:
> Hi Alia,
>
> > On Aug 17, 2016, at 11:07 AM, Alia Atlas <akatlas@gmail.com> wrote:
> >
> > Hi Alissa,
> >
> > On Wed, Aug 17, 2016 at 10:54 AM, Alissa Cooper <alissa@cooperw.in> wrote:
> > Alissa Cooper has entered the following ballot position for
> > draft-ietf-i2rs-protocol-security-requirements-06: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > == Section 3.2 ==
> >
> > "A non-secure transport can be can be used for publishing telemetry
> > data or other operational state that was specifically indicated to
> > non-confidential in the data model in the Yang syntax."
> >
> > What kind of telemetry data is it that is of no potential interest to any
> > eavesdropper? This is not my area of expertise so I'm having a hard time
> > conceiving of what that could be. I'm also wondering, since I2RS agents
> > and clients will have to support secure transports anyway (and RESTCONF
> > can only be used over a secure transport), why can't they be used for all
> > transfers, instead of allowing this loophole in the name of telemetry,
> > which undoubtedly will end up being used or exploited for other data
> > transfers?
> >
> > If the argument was that this loophole is needed for backwards
> > compatibility with insecure deployments of NETCONF or something like that
> > I think it would make more sense, but my impression from the text is that
> > those will have to be updated anyway to conform to the requirements in
> > this document.
> >
> > Data coming from a router can come from many different line-cards and processors.
> > The line-cards that may be providing the data are not going to be supporting the
> > secure transports anyway.
>
> Will they also not be supporting the I2RS protocol then, given the requirement for support of a secure transport?
>
> > A goal is to allow easy distribution of streaming data
> > and event notifications. As for what type of data, as far as I know, currently IPFIX
> > streams telemetry data without integrity much less authorization protection.
>
> What I’m questioning is the choice to extend that model to cases where a third-party controller or application is one endpoint of the data exchange, which is what I thought was part of the motivation for I2RS (happy to be corrected though).
>
> > There are existing deployments that use gRPC now for streaming telemetry data.
>
> Ok. So is the implication that the requirements here are needed for backwards compatibility with those deployments?
>
> Thanks,
> Alissa
>
> > Regards,
> > Alia
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > In general I agree with Mirja that where other documents already provide
> > definitions, they should be referenced, not copied or summarized, in this
> > document.
> >
> > == Section 2.1 ==
> >
> > Using "privacy" as a synonym for "confidentiality" is outmoded, I think,
> > given current understanding of the many other facets of privacy (see,
> > e.g., RFC 6793). I would suggest dropping the definition of data privacy
> > and just using the word confidentiality when that is what you mean.
> >
> > == Section 2.2 ==
> >
> > "The I2RS protocol exists as a higher-level protocol which may
> > combine other protocols (NETCONF, RESTCONF, IPFIX and others)
> > within a specific I2RS client-agent relationship with a specific
> > trust for ephemeral configurations, event, tracing, actions, and
> > data flow interactions."
> >
> > Reading the provided definition of "trust," I'm not sure what "with a
> > specific trust for" means in the sentence above.
> >
> > "The I2RS architecture document [I-D.ietf-i2rs-architecture]
> > defines a secondary identity as the entity of some non-I2RS entity
> > (e.g. application) which has requested a particular I2RS client
> > perform an operation."
> >
> > Per my comment above, I would suggest just referencing the definition
> > from the architecture document. The text above is circular ("the entity
> > of some ... entity") and conflates an identity with an identifier.
> >
> > == Section 3.1 ==
> >
> > Agree with Mirja that this section is superfluous.
> >
> > == Section 3.3 ==
> >
> > Since the normative recommendation here isn't to be enforced by the
> > protocol, why is it SHOULD rather than MUST? Same question applies to
> > SEC-REQ-17.
> >
> > == Section 3.5 ==
> >
> > Is the omission of normative language from Sec-REQ-20 purposeful?