Re: [i2rs] Alissa Cooper's Discuss on draft-ietf-i2rs-protocol-security-requirements-06: (with DISCUSS and COMMENT)

stephen.farrell@cs.tcd.ie Wed, 17 August 2016 18:24 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 883E612D727; Wed, 17 Aug 2016 11:24:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.548
X-Spam-Level:
X-Spam-Status: No, score=-5.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DjJOkYc9Ez2U; Wed, 17 Aug 2016 11:24:29 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3772812D1DD; Wed, 17 Aug 2016 11:24:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id DF211BE50; Wed, 17 Aug 2016 19:24:27 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZRgeasV5wFW; Wed, 17 Aug 2016 19:24:26 +0100 (IST)
Received: from [127.0.0.1] (unknown [95.39.226.90]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 8E424BE2F; Wed, 17 Aug 2016 19:24:25 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1471458266; bh=hm31Xi97Kb62EG0Lpad/sMarPcVpJIlp6SitORlF3aU=; h=To:Cc:From:Subject:In-Reply-To:References:Date:From; b=RtXg9mukD7UW5MIQD24l9S8pEIBf+1BOLPFFmcgSPN2wP+J6hwgFBzuj6hqIRpHXY VHCLTm/hzJhVKSCy8aDq64oOGaBSPOI1bX8v1/ahDfmmcesof0x0v7G4rpQW1N6QJy hfZCxVW9Bu37AF9iLxGG/zuDGOwId+PRl/hbLFQE=
X-Priority: 3
To: alissa@cooperw.in
From: stephen.farrell@cs.tcd.ie
In-Reply-To: <5B604C19-7AEF-4C92-B452-A034749A5FCA@cooperw.in>
References: <147144567895.12152.15403435188950086025.idtracker@ietfa.amsl.com> <CAG4d1rfSYjQLuZYi-g5eOukvMd86FyBs6oyeCk0pdjWYvvLWhA@mail.gmail.com> <5B604C19-7AEF-4C92-B452-A034749A5FCA@cooperw.in>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Date: Wed, 17 Aug 2016 18:24:22 +0000
Message-ID: <xu6csa.oc2ggp.1hge0yu-qmf@mercury.scss.tcd.ie>
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/YYwuJ2zv1C8DES5gCTwwHmYQ8zY>
Cc: i2rs@ietf.org, i2rs-chairs@ietf.org, akatlas@gmail.com, iesg@ietf.org, jhaas@pfrc.org, draft-ietf-i2rs-protocol-security-requirements@ietf.org
Subject: Re: [i2rs] Alissa Cooper's Discuss on draft-ietf-i2rs-protocol-security-requirements-06: (with DISCUSS and COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 18:24:32 -0000

Hiya, 

I'm on vacation so won't be balloting this week and I only had a quick flick of this, but if I'd had time for a proper read I think I'd be asking how realistic are these requirements, possibly as a discuss ballot. If someone wanted to hit defer and blame me (sorry I don't have the right devices with me to do that) that'd be good. But if this draft is  time-critical for the WG then please ignore the above. 

S. 

On Wed Aug 17 19:02:09 2016 GMT+0200, Alissa Cooper wrote:
> Hi Alia,
> 
> > On Aug 17, 2016, at 11:07 AM, Alia Atlas <akatlas@gmail.com> wrote:
> > 
> > Hi Alissa,
> > 
> > On Wed, Aug 17, 2016 at 10:54 AM, Alissa Cooper <alissa@cooperw.in <mailto:alissa@cooperw.in>> wrote:
> > Alissa Cooper has entered the following ballot position for
> > draft-ietf-i2rs-protocol-security-requirements-06: Discuss
> > 
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> > 
> > 
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html <https://www.ietf.org/iesg/statement/discuss-criteria.html>
> > for more information about IESG DISCUSS and COMMENT positions.
> > 
> > 
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/ <https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/>
> > 
> > 
> > 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > == Section 3.2 ==
> > 
> > "A non-secure transport can be can be used for publishing telemetry
> >    data or other operational state that was specifically indicated to
> >    non-confidential in the data model in the Yang syntax."
> > 
> > What kind of telemetry data is it that is of no potential interest to any
> > eavesdropper? This is not my area of expertise so I'm having a hard time
> > conceiving of what that could be. I'm also wondering, since I2RS agents
> > and clients will have to support secure transports anyway (and RESTCONF
> > can only be used over a secure transport), why can't they be used for all
> > transfers, instead of allowing this loophole in the name of telemetry,
> > which undoubtedly will end up being used or exploited for other data
> > transfers?
> > 
> > If the argument was that this loophole is needed for backwards
> > compatibility with insecure deployments of NETCONF or something like that
> > I think it would make more sense, but my impression from the text is that
> > those will have to be updated anyway to conform to the requirements in
> > this document.
> > 
> > Data coming from a router can come from many different line-cards and processors.
> > The line-cards that may be providing the data are not going to be supporting the 
> > secure transports anyway. 
> 
> Will they also not be supporting the I2RS protocol then, given the requirement for support of a secure transport?
> 
> 
> > A goal is to allow easy distribution of streaming data
> > and event notifications.  As for what type of data, as far as I know, currently IPFIX 
> > streams telemetry data without integrity much less authorization protection.
> 
> What I’m questioning is the choice to extend that model to cases where a third-party controller or application is one endpoint of the data exchange, which is what I thought was part of the motivation for I2RS (happy to be corrected though).
> 
> > 
> > There are existing deployments that use gRPC now for streaming telemetry data.
> 
> Ok. So is the implication that the requirements here are needed for backwards compatability with those deployments?
> 
> Thanks,
> Alissa
> 
> > 
> >  Regards,
> > Alia
> >  
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> > 
> > In general I agree with Mirja that where other documents already provide
> > definitions, they should be referenced, not copied or summarized, in this
> > document.
> > 
> > == Section 2.1 ==
> > 
> > Using "privacy" as a synonym for "confidentiality" is outmoded, I think,
> > given current understanding of the many other facets of privacy (see,
> > e.g., RFC 6793). I would suggest dropping the definition of data privacy
> > and just using the word confidentiality when that is what you mean.
> > 
> > == Section 2.2 ==
> > 
> > "The I2RS protocol exists as a higher-level protocol which may
> >       combine other protocols (NETCONF, RESTCONF, IPFIX and others)
> >       within a specific I2RS client-agent relationship with a specific
> >       trust for ephemeral configurations, event, tracing, actions, and
> >       data flow interactions."
> > 
> > Reading the provided definition of "trust," I'm not sure what "with a
> > specific trust for" means in the sentence above.
> > 
> > "The I2RS architecture document [I-D.ietf-i2rs-architecture]
> >       defines a secondary identity as the entity of some non-I2RS entity
> >       (e.g. application) which has requested a particular I2RS client
> >       perform an operation."
> > 
> > Per my comment above, I would suggest just referencing the definition
> > from the architecture document. The text above is circular ("the entity
> > of some ... entity") and conflates an identity with an identifier.
> > 
> > == Section 3.1 ==
> > 
> > Agree with Mirja that this section is superfluous.
> > 
> > == Section 3.3 ==
> > 
> > Since the normative recommendation here isn't to be enforced by the
> > protocol, why is it SHOULD rather than MUST? Same question applies to
> > SEC-REQ-17.
> > 
> > == Section 3.5 ==
> > 
> > Is the omission of normative language from Sec-REQ-20 purposeful?
> 
>