Re: [i2rs] Suggested section/text to be added to draft-mglt-i2rs-security-environment-reqs-00 to address security threats in Closed Envionment.
Daniel Migault <daniel.migault@ericsson.com> Tue, 25 August 2015 17:04 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 707691A90F0 for <i2rs@ietfa.amsl.com>; Tue, 25 Aug 2015 10:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Ae13fZB2yzK for <i2rs@ietfa.amsl.com>; Tue, 25 Aug 2015 10:04:11 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F65C1A8913 for <i2rs@ietf.org>; Tue, 25 Aug 2015 10:04:11 -0700 (PDT)
Received: by iods203 with SMTP id s203so194460208iod.0 for <i2rs@ietf.org>; Tue, 25 Aug 2015 10:04:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=P6TK5j9K017aFgxdkcayB319n3k9sWT/1Mf4MiB2sIo=; b=GrrccDHilz0slLjo210RY/dQXAsZllXL/nvQnXlmaL+5Vah931s/TIb7DwksxNizMZ Wp/5cH7LQk08J85+qilcgYqKbBRwQUE/Gl+iZ546wFpd2fvRu7D/ldPvLyN/kuPlbyFt XsPHwh9yQWXnQCzPHNL8WtO0p3uXhRwnRNbs8RcZuuvHwBPCORRryaBY7N5PWSqLdbFv RbnDuU8p52Df+5fXrMiGyoB7gPHdZ8dbISPWKxvSfcqPvNzjZgk1TbVFPjWvvvyVMqYY wrkujGQBCcIMtKvT0qMWnLNv1Ubr3dTHbb3HXFPUnZPpR/xlbk5WhBfoIco+FlctutUq IWVQ==
MIME-Version: 1.0
X-Received: by 10.107.37.12 with SMTP id l12mr22591672iol.92.1440522250573; Tue, 25 Aug 2015 10:04:10 -0700 (PDT)
Sender: mglt.ietf@gmail.com
Received: by 10.79.21.196 with HTTP; Tue, 25 Aug 2015 10:04:10 -0700 (PDT)
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657D17BA5@dfweml701-chm>
References: <CADZyTknZ4ZzrxTB_Miud=-xMfckmD4LR7vdz+3uAg9gL7X22-g@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F657D1757E@dfweml701-chm> <4A95BA014132FF49AE685FAB4B9F17F657D17BA5@dfweml701-chm>
Date: Tue, 25 Aug 2015 13:04:10 -0400
X-Google-Sender-Auth: ocXw-CTE5p2i933LsFBkIvymIRY
Message-ID: <CADZyTkm3Fj4=XCGkuuCf9UFnEQV0=wQ3s_SXnyn_t8VUkA97sA@mail.gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Content-Type: multipart/alternative; boundary="001a1141b24e095bc3051e25b9e8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/kUTVySHv7nrViW34924UJfcAAsM>
Cc: Jeffrey Haas <jhaas@pfrc.org>, "i2rs@ietf.org" <i2rs@ietf.org>, "Joel M. Halpern" <jmh@joelhalpern.com>, Susan Hares <shares@ndzh.com>, Alia Atlas <akatlas@gmail.com>
Subject: Re: [i2rs] Suggested section/text to be added to draft-mglt-i2rs-security-environment-reqs-00 to address security threats in Closed Envionment.
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 17:04:16 -0000
Hi Linda, Thank for the comments. I am currently addressing all comments I received.. I hope I can provide a updated version soon. I will keep you informed as soon as I have something more or less in shape. BR, Daniel On Tue, Aug 25, 2015 at 12:21 PM, Linda Dunbar <linda.dunbar@huawei.com> wrote: > Daniel, > > > > I added 3 more I2RS security requirements for the “Closed Environment”, > please use the revised section attached. > > > > Cheers, > > Linda > > > > *From:* i2rs [mailto:i2rs-bounces@ietf.org] *On Behalf Of *Linda Dunbar > *Sent:* Monday, August 24, 2015 5:09 PM > *To:* Daniel Migault > *Cc:* Jeffrey Haas; i2rs@ietf.org; Joel M. Halpern; Alia Atlas > *Subject:* [i2rs] Suggested section/text to be added to > draft-mglt-i2rs-security-environment-reqs-00 to address security threats in > Closed Envionment. > > > > Daniel, > > > > Thank you for willing to address my comments. To make it easier for you, I > put together a section to describe the security threats in Closed > Environment and necessary requirement for I2RS. See the attached. > > > > Closed environment deployment can easily give people a sense of secure > because the links between I2RS Client and I2RS Agent are guided by a > physical “Wall”. The false sense of “Secure” is actually more dangerous > because it can easily make the deployment miss the crucial security > procedure. > > > > Therefore, I think it is important to have a dedicated section on security > threats and requirement for the Closed Environment. > > > > Linda > > > > *From:* mglt.ietf@gmail.com [mailto:mglt.ietf@gmail.com > <mglt.ietf@gmail.com>] *On Behalf Of *Daniel Migault > *Sent:* Monday, August 24, 2015 12:55 PM > *To:* Linda Dunbar > *Cc:* Joel M. Halpern; i2rs@ietf.org; Jeffrey Haas; Alia Atlas > *Subject:* Re: [i2rs] Review comments to > draft-mglt-i2rs-security-environment-reqs-00 (was RE: > draft-mglt-i2rs-security-requirements-00 2 Week WG adoption call (8/17 to > 8/31) > > > > Hi Linda, > > Thank you for your comments. I agree we need to address more specifically > or explicitly the "most common" use case. I agree with your comments and we > will consider them to improve and clarify the text of the next version. > Thank you. To me the i2rs plane provides a limited number of > functionnalities that may be provided to different independant tenants. > > BR, > > Daniel > > > > > > On Mon, Aug 24, 2015 at 1:37 PM, Linda Dunbar <linda.dunbar@huawei.com> > wrote: > > Joel, > > > > Agree with you that “we don’t need to build different protocol stacks for > the different deployments”. > > But the “environment-req” draft is not about “Protocol”, but about > security issues under different “environment”. > > > > Among all our customers who are interested in I2RS, majority of them > (>90%) will deploy them in a closed environment, i.e. physically secured > connection between I2RS agent and I2RS client. Therefore, it is important > to “provides an analysis of the security issues of” of this commonly > deployed environment. > > > > I suggest adding this Figure to Section 1 of the document: > > > > Closed (over open Chnl ###>) Open (over secure Chnl --->) > > +---------------------------------+ > > | *********************** | *********************** | > > | * Application A * | * Application B * | > > | * * | * * | > > | * +----------------+ * | * +----------------+ * | > > | * | Client A | * | * | Client B | * | > > | * +----------------+ * | * +----------------+ * | > > | ******* ^ ************* | ***** ^ ****** ^ ****** | > > | # | | | | > > | # | | | |-----| > > | # | | | > > | ************ v * * * * ********| ***************** v * v ******** > > | * +---------------------+ | * +---------------------+ * > > | * | Agent 1 | | * | Agent 2 | * > > | * +---------------------+ | * +---------------------+ * > > | * ^ ^ ^ ^ | * ^ ^ ^ ^ * > > > > > > > > Just think about this fact: today’s router configuration in production > environment can only be performed by a few authorized people with EMS/NMS > physically and securely separated. If the majority of the I2RS environment > requirement is about open connection, I2RS WG will spend a lot energy > developing the very sophisticated protocols which is expensive to develop > and harder to deploy. > > > > I am not against this development, but IMHO, to gain wider and quicker > I2RS deployment in production environment, it is necessary to have a very > *lean* I2RS solution first, and to have a well documented security > requirement for the common deployment environment. E.g. a single Controller > (or the I2RS client) directly connected to their devices via their internal > network, where the connection is physically isolated from other network and > protected by separate mechanisms. Also remember, many operators will use > I2RS to control a small number of selective routers (mostly routers at > ingress/egress boundary) for value added services. > > > > > > > > Some of my detailed questions and comments to the “security-requirements” > are still applicable to the “environment-req” document because they have > the same text. Plus a few more for the “environment-req” document. Hope the > authors can address them. > > > > > > Section 3: > > > > What are the key differences with regard to the security requirements for > I2RS plane and for management plane? Section 3.1 describes the > interaction between I2RS plane and management plane. But I see the security > requirement for the management plane are all applicable to the security > requirement to I2RS plane . If you think that they are very different, can > you elaborate more? > > > > Section 3.4 has title “Recommendations”, but the content are all > requirements. Why not name the section “Requirement”? > > > > REQ 2: Does it that a different IP address than the one used by the > management system? > > > > REQ 21: is more about I2RS requirement, less about “Security” requirement. > > > > REQ 24: isn’t it the general goal of I2RS? Not really security per se. > (should be included in the general I2RS requirement or architecture). > > > > > > REQ 26: simply controlling the resource can hardly prevent DoS. Malicious > client can occupy the resource while the valid one can't access. > > > > Thanks for your consideration, > > Linda > > > > > > -----Original Message----- > From: i2rs [mailto:i2rs-bounces@ietf.org <i2rs-bounces@ietf.org>] On > Behalf Of Joel M. Halpern > Sent: Friday, August 21, 2015 12:20 PM > To: Linda Dunbar; i2rs@ietf.org > Cc: 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Alia Atlas' > Subject: Re: [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG > adoption call (8/17 to 8/31) > > > > Yes, one of the two last calls is for the environment document. > > > > Having a dedicated physical channel is one of the ways identified in the > draft to provide the required isolation. > > > > While such an environment is clearly supportable, I do not think we should > reduce the internal protocol requirements (such as MTI security for the > control channel) just because there are circumstances where such it won't > be needed. I don't expect that we will build different protocol stacks for > the different deployments. > > > > The purpose of this draft is to describe the environmental assumptions, > which assumptions can be met in various ways. > > > > Yours, > > Joel > > > > On 8/21/15 12:56 PM, Linda Dunbar wrote: > > > Joel, > > > > > > If it is the "environmental one", it is more important to differentiate > the requirements for different environments on how the I2RS client & Agent > are connected. > > > > > > One of our customers stated that their environment has a single > Controller (or the I2RS client) directly connected to their devices via > their internal network, where the connection is physically isolated from > other network and protected by separate mechanisms, they don't need all > those sophisticated authentication procedure. > > > > > > We need to address this environment, i.e. having a simpler security > requirement for this environment than the environment where I2RS Client is > connected via public network. > > > > > > Linda > > > > > > > > > -----Original Message----- > > > From: Joel Halpern Direct [mailto:jmh.direct@joelhalpern.com > <jmh.direct@joelhalpern.com>] > > > Sent: Friday, August 21, 2015 10:53 AM > > > To: Linda Dunbar; i2rs@ietf.org > > > Cc: 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Joel Halpern'; 'Alia > Atlas' > > > Subject: Re: [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG > > > adoption call (8/17 to 8/31) > > > > > > First, there may be some confusion because the announcement. I presume > that you are talking about the -environments documents. > > > > > > If the WG concludes that a different chapter structure is useful, we can > of course change it. Given that the goal is environment description, I am > not sure your proposed structure is significantly better than the existing > one. > > > > > > I believe your comment about the text reading "where security functions > may be hosted" is well taken, and we should remove that text when we next > revise the document. > > > > > > The isolation text is about the need to keep things separate, and the > various possible means are degrees / approaches to separation. > > > Isolation is not about treating things differently, nor is it explicitly > about using different protocols. So the point of isolation is not that > there are different security requirements, but that in order to avoid > corss-effects, things should be kept separate. > > > > > > Yours, > > > Joel > > > > > > On 8/20/15 6:42 PM, Linda Dunbar wrote: > > >> I support the WG adoption because I think the I2RS WG needs it. > > >> However, I hope the authors can consider/address the following > suggestions/comments: > > >> > > >> When you think about the I2RS security, there are following > > >> different > > >> aspects: > > >> > > >> -Communication channel between I2RS client and Agent (and the channel > > >> between I2RS client and applications): > > >> > > >> The channel can be > > >> > > >> oVia physical Private network (e.g. within a secured direct connect > > >> within one site), > > >> > > >> owithin one administrative domain, via virtual private network > > >> > > >> oSecured connection, such as TLS or IPSec > > >> > > >> oPublic internet > > >> > > >> o.. > > >> > > >> -Authentication & Authorization > > >> > > >> othe authentication & authorization requirement for different > > >> communication channels can be different. Therefore, should have > > >> separate sections to address specific requirement for each > > >> communication channels between I2RS agent <-> clients (and client <-> > > >> applications) > > >> > > >> The current Section 4 of the draft already has very good description > > >> on the subject. I think 4.4.1 and 4.42 can be separated out of the > section. > > >> > > >> -Encryption for the actual content between Client and Agent > > >> > > >> -DoS Design requirement (currently in Section 5.2.1) > > >> > > >> -Management of conflict with other plane (e.g. the management plane, > > >> multi-headed control, which has been discussed extensively in > > >> ephemeral > > >> draft) > > >> > > >> I think the draft should be organized from the aspects of the > > >> security to I2RS as suggested above. > > >> > > >> Here are some detailed questions and comments to the requirements > > >> listed in the document: > > >> > > >> Section 1: > > >> > > >> The second paragraph stated the security recommendations must > > >> "specifying where security functions may be hosted". First of all I > > >> don't see the draft address this aspect. Second, I think "where > > >> security functions are hosted" is orthogonal to "I2RS security" . > > >> > > >> Section 3: > > >> > > >> what does isolating two planes mean? does it mean they have different > > >> security requirement/issues? Or does it mean they need different > protocols? > > >> > > >> What are the key differences with regard to the security requirements > > >> for I2RS plane and for management plane? Section 3.1 describes the > > >> interaction between I2RS plane and management plane. But I see the > > >> security requirement for the management plane is similar to I2RS plane . > > >> If you think that they are very different, can you elaborate more? > > >> > > >> Section 3.4 has title "Recommendations", but the content are all > > >> requirements. Why not name the section "Requirement"? > > >> > > >> REQ 2: Does it that a different IP address than the one used by the > > >> management system? > > >> > > >> How is REQ 22 different from REQ 21? > > >> > > >> REQ 27 is hard to enforce. How about say something like "shouldn't > > >> send any information beyond what have been defined by the I2RS data > model"? > > >> > > >> REQ 30: simply controlling the resource can hardly prevent DoS. > > >> Malicious client can occupy the resource while the valid one can't > access. > > >> > > >> Thanks for consideration, > > >> > > >> Linda > > >> > > >> *From:*i2rs [mailto:i2rs-bounces@ietf.org <i2rs-bounces@ietf.org>] *On > Behalf Of *Susan Hares > > >> *Sent:* Monday, August 17, 2015 12:50 PM > > >> *To:* i2rs@ietf.org > > >> *Cc:* 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Joel Halpern'; > > >> shares@ndzh.com; 'Alia Atlas' > > >> *Subject:* [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG > > >> adoption call (8/17 to 8/31) > > >> > > >> This begins a 2 week WG adoption call for > > >> draft-mglt-i2rs-security-requirements. This draft discusses the > > >> security requirements for the I2RS environment. You can find the draft > at: > > >> > > >> https://tools.ietf.org/html/draft-mglt-i2rs-security-environment-reqs > > >> - > > >> 00 > > >> > > >> A security reviewer will review this draft during the time 8/20 to > > >> 8/25. We will post the security directorate review to this discussion. > > >> > > >> Sue Hares > > >> > > > > > > > _______________________________________________ > > i2rs mailing list > > i2rs@ietf.org > > https://www.ietf.org/mailman/listinfo/i2rs > > > > > _______________________________________________ > i2rs mailing list > i2rs@ietf.org > https://www.ietf.org/mailman/listinfo/i2rs > > > > _______________________________________________ > i2rs mailing list > i2rs@ietf.org > https://www.ietf.org/mailman/listinfo/i2rs > >
- Re: [i2rs] Review comments to draft-mglt-i2rs-sec… Daniel Migault
- [i2rs] Suggested section/text to be added to draf… Linda Dunbar
- Re: [i2rs] Suggested section/text to be added to … Linda Dunbar
- Re: [i2rs] Suggested section/text to be added to … Daniel Migault
- Re: [i2rs] Suggested section/text to be added to … Susan Hares
- Re: [i2rs] Suggested section/text to be added to … Susan Hares