IETF Logo Mail Archive

Re: [i2rs] RTG-DIR QA review: draft-ietf-i2rs-protocol-security-requirements-04.txt

Tomonori Takeda <tomonori.takeda@ntt.com> Sat, 21 May 2016 13:51 UTC

Return-Path: <tomonori.takeda@ntt.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FFB212B030; Sat, 21 May 2016 06:51:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level:
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OX_ZRBa_HgeV; Sat, 21 May 2016 06:51:24 -0700 (PDT)
Received: from mgw030.noc.ntt.com (mgw030.noc.ntt.com [210.160.55.3]) by ietfa.amsl.com (Postfix) with ESMTP id 2E52912D0AD; Sat, 21 May 2016 06:51:24 -0700 (PDT)
Received: from c0042i0.coe.ntt.com (c0042i0.nc.agilit-hosting.com [10.18.161.11]) by mgw030.noc.ntt.com (NTT Com MailSV) with ESMTP id 2987F1C58090; Sat, 21 May 2016 22:51:23 +0900 (JST)
Received: from C0036I0.coe.ntt.com (10.18.160.40) by c0042i0.coe.ntt.com (10.18.161.11) with Microsoft SMTP Server (TLS) id 14.3.181.6; Sat, 21 May 2016 22:51:14 +0900
Received: from C0561I0.coe.ntt.com ([169.254.1.38]) by C0036I0.coe.ntt.com ([10.18.160.40]) with mapi id 14.03.0181.006; Sat, 21 May 2016 22:51:22 +0900
From: Tomonori Takeda <tomonori.takeda@ntt.com>
To: 'Susan Hares' <shares@ndzh.com>, "rtg-ads@ietf.org" <rtg-ads@ietf.org>
Thread-Topic: [i2rs] RTG-DIR QA review: draft-ietf-i2rs-protocol-security-requirements-04.txt
Thread-Index: AdGx5fCxDq0YNmnWSrK+7ayI8V3BEQAb0v2AAESJF1A=
Date: Sat, 21 May 2016 13:51:21 +0000
Message-ID: <EB0F2EAC05E9C64D80571F2042700A2A6C7FE8AE@C0561I0.coe.ntt.com>
References: <EB0F2EAC05E9C64D80571F2042700A2A6C7FDAB7@C0561I0.coe.ntt.com> <00c701d1b2a0$ad254f30$076fed90$@ndzh.com>
In-Reply-To: <00c701d1b2a0$ad254f30$076fed90$@ndzh.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ccmail-original-to: shares@ndzh.com, rtg-ads@ietf.org
x-ccmail-original-cc: rtg-dir@ietf.org, draft-ietf-i2rs-protocol-security-requirements.all@ietf.org, i2rs@ietf.org
x-originating-ip: [10.25.130.6]
Content-Type: multipart/alternative; boundary="_000_EB0F2EAC05E9C64D80571F2042700A2A6C7FE8AEC0561I0coenttco_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/kAs55iJTiTqL7111S6tMNpK0WZw>
Cc: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "draft-ietf-i2rs-protocol-security-requirements.all@ietf.org" <draft-ietf-i2rs-protocol-security-requirements.all@ietf.org>, "i2rs@ietf.org" <i2rs@ietf.org>
Subject: Re: [i2rs] RTG-DIR QA review: draft-ietf-i2rs-protocol-security-requirements-04.txt
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 May 2016 13:51:28 -0000

Hi Sue,

Thanks for the update.

This version looks good to me, except one editorial comment.


> 4) This is just an edit, but in page.10,

>    "Requirements SEC-REQ-13 and SEC-REQ-14" should be

>    "Requirements SEC-REQ-14 and SEC-REQ-15".

>

> --- Thank you for the editorial comment

Now, text is “Requirements SEC-REQ-14 and SEC-REQ-16”, but it should be “Requirements SEC-REQ-14 and SEC-REQ-15”.
(Again, this is just an editorial comment.)

Thanks,
Tomonori Takeda

From: Susan Hares [mailto:shares@ndzh.com]
Sent: Friday, May 20, 2016 11:06 PM
To: Tomonori Takeda(武田知典); rtg-ads@ietf.org
Cc: rtg-dir@ietf.org; draft-ietf-i2rs-protocol-security-requirements.all@ietf.org; i2rs@ietf.org
Subject: RE: [i2rs] RTG-DIR QA review: draft-ietf-i2rs-protocol-security-requirements-04.txt


Takeda-san:



Thank you for your excellent review.  My responses to your comments are below.  I’ve released a version-05 to address your comments.



Sue



-----Original Message-----

From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Tomonori Takeda

Sent: Thursday, May 19, 2016 12:39 PM

To: rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>

Cc: 'rtg-dir@ietf.org'; 'draft-ietf-i2rs-protocol-security-requirements.all@ietf.org'; i2rs@ietf.org<mailto:i2rs@ietf.org>

Subject: [i2rs] RTG-DIR QA review: draft-ietf-i2rs-protocol-security-requirements-04.txt



Hi,



I have been selected as the Routing Directorate QA reviewer for this draft.



Document: draft-ietf-i2rs-protocol-security-requirements-04.txt

Reviewer: Tomonori Takeda

Review Date: May 20, 2016

Intended Status: Standards Track



I am not following I2RS work closely, but in the spirit of QA review, this is OK in my understanding.

https://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDirDocQa



Here are my comments.



I think it is very important to have documents dedicated for security for new protocols such as I2RS protocols.

Overall, I think the document is well organized and clear what are security requirements for I2RS.



Some specific comments.



1) The document is intended to be Standards Track. I do not think it is common for requirement drafts to be Standards Track.



Sue: You are correct.  This is my error. I should have changed it this morning.



2) In Section 3.1, requirements are mentioned that are set in draft-ietf-i2rs-architecture-15.

   Some of these requirements are not directly mentioned in draft-ietf-i2rs-architecture-15,

   but rather implied.



   For example, draft-ietf-i2rs-architecture-15 mentions identifier for I2RS client,

   but does not mention identifier for I2RS agent (IMO).

   Please note that I think requirements mentioned in Section 3.1. makes sense and valid.

   I am just commenting on the way of writing.



Sue: You are correct that the mutual identification implies an identity for the agent.

Also in Section 2 of draft-ietf-i2rs-architecture-15 mentions:

   role or security role:   A security role specifies the scope,

      resources, priorities, etc. that a client or agent has.  If a

      identity has multiple roles in the security system, the identity

      is permitted to perform any operations any of those roles permit.

      Multiple identities may use the same security role.





3) I think there is dependency on requirements mentioned in this document.

   Specifically, if mutual authentication (Section 3.1), secure transport (Section 3.2),

   and role-based security (Section 3.3) are met, confidentiality (Section 3.3) and

   integrity (Section 3.4) can be achieved (expect SEC-REQ-16: traceability requirement).



   Perhaps, it depends on in which aspects security requirements should be written

   (in terms of mechanisms or in terms of features). Again, I am just commenting

   on the way of writing.



Sue: You make an excellent point:

I have added to the first part section 3.0 after the first paragraph:

New/

<t>There are dependencies in some of the requirements below.  For

confidentiality (section 3.3) and integrity (section 3.4) to be achieved, the

client-agent must have mutual authentication (section 3.1) and secure transport (section 3.2).   I2RS allows the use of an insecure transport for portions of data models that clearly indicate insecure transport.  If insecure transport is used, then confidentiality and integrity cannot be achieved.

</t>

4) This is just an edit, but in page.10,

   "Requirements SEC-REQ-13 and SEC-REQ-14" should be

   "Requirements SEC-REQ-14 and SEC-REQ-15".



--- Thank you for the editorial comment



Thanks,

Tomonori Takeda



_______________________________________________

i2rs mailing list

i2rs@ietf.org<mailto:i2rs@ietf.org>

https://www.ietf.org/mailman/listinfo/i2rs

v2.23.0 | Report a Bug | By Email