Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 18 August 2016 13:18 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2E1B12D6B9; Thu, 18 Aug 2016 06:18:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_3Zg4rz_jy8; Thu, 18 Aug 2016 06:18:29 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BC4612DE16; Thu, 18 Aug 2016 06:18:20 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id 97so27212928uav.3; Thu, 18 Aug 2016 06:18:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=emJbhCLkWOOT4BKVosRYdL+/xv6dNh2WL/L9bW34y4c=; b=n9E0Vvb0XYq+PzY5tHz84f4/N3NBUEqym9mNYDNwtVaEeaGnLxIEuyXcUTa4gjsiha v/kOp/X0rcO/u1TYgCtL5W8MNt46Hwlr7HpwzdIMo1bRsGLp0c8/PX/hYb/uz3m7EeJO 2QeaRl9aa8tHzQKplLqE/pEIyhhm2I9v6qtsqvMEXEZQflK9ogLyI1GJnxkXfwsddQED IBbgAEYlwDbamA2SpoGtwlxaA8fPEHo34Ak0BVgFxaleJLZ0/MHhib+YjkucINwg1F+a lvcdz+McP6yrIyZGFRV1Ik4mFYVAmsfykIj/qlTwf0spuKIZzdRCelZ8Lbz5rxtRUERh E/dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=emJbhCLkWOOT4BKVosRYdL+/xv6dNh2WL/L9bW34y4c=; b=cmaB14zvzCfwKo9vdyyZ8UC6NxDOgVOm1lSzy0aYLePfZDS/Txv/k7qEbms3CjhcAb Hi68iAUlpAOMrwfuqOB1kh2Ze37zT65eLHFu1kwoLBGEMxyImBfia4cc/jIYGemOta2P 1M2Y2o+liA8eMZpW7A5WCs0YmmwLYhdDvak4ozW9U0SxUpOnOZ8zpPOshBWI5VkxM5DM fI24PpepsSMeEdmqjAPCSPHxIhs5hOQWCEoz7+B0xS/kanXMZ5LR+o4sN4qRwZADJDdr 5Rmd9b7dQHPfdgq5l1II6Im/xddC4anM9/028Ks9FNWW0qsXfxaExpQxHMtKJSXbAU89 IH3w==
X-Gm-Message-State: AEkoouvn2u8xahQtV30Bqt2+thpd8ZgCZVOy/uSMUMRnXcS/jyIjCICO3eGLGLoVC2IEJzFy6/ahsZEtzWhr8Q==
X-Received: by 10.159.53.1 with SMTP id o1mr996318uao.15.1471526299283; Thu, 18 Aug 2016 06:18:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.1.228 with HTTP; Thu, 18 Aug 2016 06:18:18 -0700 (PDT)
In-Reply-To: <013b01d1f8ee$31fa09b0$95ee1d10$@ndzh.com>
References: <147146974235.23784.4389421535496134619.idtracker@ietfa.amsl.com> <013b01d1f8ee$31fa09b0$95ee1d10$@ndzh.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 18 Aug 2016 09:18:18 -0400
Message-ID: <CAHbuEH6NcZYf2bWZZ=cJ-K4F_OcPPrBo6=JVYyTeU4hqhVu+qQ@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/lfNAKL1wNHC_ryhmZ3eOMBWlmgA>
Cc: Jeffrey Haas <jhaas@pfrc.org>, i2rs@ietf.org, The IESG <iesg@ietf.org>, i2rs-chairs@ietf.org, draft-ietf-i2rs-protocol-security-requirements@ietf.org
Subject: Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 13:18:32 -0000

Hi Sue,

Thanks for your quick response.  inline

On Wed, Aug 17, 2016 at 9:16 PM, Susan Hares <shares@ndzh.com> wrote:
> Kathleen:
>
> Thank you for your comments.  Please see the inline comments below.  I will be uploading a version -08.txt that will resolve some of these comments.
>
> Sue
>
> -----Original Message-----
> From: Kathleen Moriarty [mailto:Kathleen.Moriarty.ietf@gmail.com]
> Sent: Wednesday, August 17, 2016 5:36 PM
> To: The IESG
> Cc: draft-ietf-i2rs-protocol-security-requirements@ietf.org; Jeffrey Haas; i2rs-chairs@ietf.org; jhaas@pfrc.org; i2rs@ietf.org
> Subject: Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)
>
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-i2rs-protocol-security-requirements-07: Discuss
>
> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Thanks for your work on this draft.  There may be some overlap in points, I tried to minimize them...
> ----
>>Section 3.1:
>>
>>I don't see any actual requirements for mutual authentication in this section, just requirements for identifiers.  Did I miss something?
>
> No, there are no additional requirements.  We only have requirements for identifiers.   Do you have a suggestion for improved language.

>From your response & Joel's, I see bullet #2 is the only one that
calls out the need for mutual authentication and it just states that
with no additional details.  That is fine, but the subject for section
3.1 should be something more like authentication and identifiers to
represent the content better.

>
>> Are all mutual auth schemes in scope?  Are there any considerations for mutual authentication (passwords, keys, etc.)?
>
> All mutual identification schemes are in scope.  Is there a reason we should restrict the mutual authentication schemes to a subset.

You don't have to, but the header of the section makes me think this
is going to happen in the section.  Maybe setting a baseline would be
good if possible. Not using passwords - so a secure form of mutual
authentication would be good if the requirements are only high level.

>
> ----
>>I share the same concern as others for secure transport, but since there are already discusses on that, I have one comment to add to the existing discusses below.
>
> You have a concern regarding the secure transport?

KM: Yes, the wording that allows for insecure transport.  Same concern
expressed by other ADs.

My understanding is that other people had a concern regarding the
insecure transport.   I have provide an example of the BGP data feed
utilized by http://www.routeviews.org/ project.

KM: Aren't you concerned about the integrity of this data?
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>> Section 3:
>> Can you clarify the second to last sentence?  Do you mean there are sections that indicate an insecure transport should be used?
>>   I2RS allows the use of an
>>  insecure transport for portions of data models that clearly indicate
>>  insecure transport.
>
>>  Perhaps:
>>  I2RS allows the use of an
>>  insecure transport for portions of data models that clearly indicate the use of an
>>  insecure transport.
>
> Changed to :
>
> I2RS allows the use of an insecure transport for portions of data models that clearly indicate
> the use of an insecure transport. Operators deploying I2RS must determine if they want to populate and
> deploy the portions of the data model which use insecure transports.
>

I don't agree with the data model setting the transport requirements.
If this is done, it should be an experiment IMO.

>
> ----
>> Section 3.2
>> I agree with Alissa's discuss point on the following sentence (that could also be reworded a bit):
>>  A non-secure transport can be can be used for publishing telemetry
>>  data or other operational state that was specifically indicated to
>>  non-confidential in the data model in the Yang syntax.
>
> I would appreciate a recommended set of text or additional explanation on what you would like to see in rewording.

I'll have to look through Alissa's discuss, but isn't integrity a
concern if confidentiality and privacy are not?  I'm sure once this
type of text is altered and used to make important decisions, this
will come back to bite us.

>
> ----
>>Section 3.4: In the following text:
>>   SEC-REQ-15: The integrity that the message data is not repeated means
>>   that I2RS client to I2RS agent transport SHOULD protect against
>>   replay attack
>
>>I'm not sure why this just doesn't say:
>> SEC-REQ-15: I2RS client to I2RS agent transport SHOULD protect against
>  > replay attack
>>The additional text doesn't add anything and sounds a bit confusing.
>
> Sue: Is this ok.  It will be changed

Thanks.

>
> ----
> Nit:
>
> I'm not sure these definitions add any value as they seem to restate the term defined:
>
>>   I2RS protocol data integrity
>>
>>    The transfer of data via the I2RS protocol has the property of
>>    data integrity described in [RFC4949].
>
> Deleted
>
>
>>   I2RS component protocols
>>
>>    Protocols which are combined to create the I2RS protocol.
>
> Please suggest alternative text for this section.

I think it is self explanatory.  But if that's just me, leave the definition in.

>
> -----
>
>> I also agree that the definitions from 4949 should be removed.
>> Thank you in advance.
>
> These definition have been removed.  I will provide feedback if this removal cause problems in the creation of the protocol.

Thank you,
Kathleen
>



-- 

Best regards,
Kathleen