Re: [i2rs] Review comments to draft-mglt-i2rs-security-environment-reqs-00 (was RE: draft-mglt-i2rs-security-requirements-00 2 Week WG adoption call (8/17 to 8/31)
Daniel Migault <daniel.migault@ericsson.com> Mon, 24 August 2015 17:55 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB9011A8AF0 for <i2rs@ietfa.amsl.com>; Mon, 24 Aug 2015 10:55:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hB-SCfDhjvWh for <i2rs@ietfa.amsl.com>; Mon, 24 Aug 2015 10:55:02 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F34571ACDCA for <i2rs@ietf.org>; Mon, 24 Aug 2015 10:55:01 -0700 (PDT)
Received: by iodt126 with SMTP id t126so158330000iod.2 for <i2rs@ietf.org>; Mon, 24 Aug 2015 10:55:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:cc:content-type; bh=2CkJCchvtTxe5ZtWTA55V7ChZ/Md6X25U3a7g29pKBM=; b=G6Ik+q1NFE0+hBkXQRUidPDBI12khD0nKkwiojRz6pD5/Ana+wfjpWoJTqfoGWrn0g OtZkCRid+PPOr4WN8oMSB51JFLPbBJ0ozPvGJRRHrT/l9U2mx1xY7B+BW3xs9G/syXTr UOYPHq9VS8s+qypQ53m8dsgna/+RhaZ01swTE9K7wtreSXs77kWqBT8pTdAW8g7VXlk9 c2JJzGSKp44EIZyVla5orP6fXhfKg4NRFDNiDrwqjb55CtKxPjJH2en01loLML8tuPpi rs2JilRPYaLDwfO+A/DLjFHrG1+gDQvaXBzMt6+jlQKrHgYO55Cw/5bxSyXM3KxB0auv EsJQ==
MIME-Version: 1.0
X-Received: by 10.107.9.156 with SMTP id 28mr20497403ioj.173.1440438901390; Mon, 24 Aug 2015 10:55:01 -0700 (PDT)
Sender: mglt.ietf@gmail.com
Received: by 10.79.21.196 with HTTP; Mon, 24 Aug 2015 10:55:01 -0700 (PDT)
Date: Mon, 24 Aug 2015 13:55:01 -0400
X-Google-Sender-Auth: 1-Uh9BY4FQWJtPfxzldW4ZwmGpk
Message-ID: <CADZyTknZ4ZzrxTB_Miud=-xMfckmD4LR7vdz+3uAg9gL7X22-g@mail.gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Content-Type: multipart/alternative; boundary="001a113ec2f209c500051e1251b7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/n1jdKD4zaqCz9y0QlY6YQk8fRP8>
Cc: Jeffrey Haas <jhaas@pfrc.org>, "i2rs@ietf.org" <i2rs@ietf.org>, "Joel M. Halpern" <jmh@joelhalpern.com>, Alia Atlas <akatlas@gmail.com>
Subject: Re: [i2rs] Review comments to draft-mglt-i2rs-security-environment-reqs-00 (was RE: draft-mglt-i2rs-security-requirements-00 2 Week WG adoption call (8/17 to 8/31)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 17:55:06 -0000
Hi Linda, Thank you for your comments. I agree we need to address more specifically or explicitly the "most common" use case. I agree with your comments and we will consider them to improve and clarify the text of the next version. Thank you. To me the i2rs plane provides a limited number of functionnalities that may be provided to different independant tenants. BR, Daniel On Mon, Aug 24, 2015 at 1:37 PM, Linda Dunbar <linda.dunbar@huawei.com> wrote: > Joel, > > Agree with you that “we don’t need to build different protocol stacks for > the different deployments”. > But the “environment-req” draft is not about “Protocol”, but about > security issues under different “environment”. > > Among all our customers who are interested in I2RS, majority of them > (>90%) will deploy them in a closed environment, i.e. physically secured > connection between I2RS agent and I2RS client. Therefore, it is important > to “provides an analysis of the security issues of” of this commonly > deployed environment. > > I suggest adding this Figure to Section 1 of the document: > > Closed (over open Chnl ###>) Open (over secure Chnl --->) > +---------------------------------+ > | *********************** | *********************** | > | * Application A * | * Application B * | > | * * | * * | > | * +----------------+ * | * +----------------+ * | > | * | Client A | * | * | Client B | * | > | * +----------------+ * | * +----------------+ * | > | ******* ^ ************* | ***** ^ ****** ^ ****** | > | # | | | | > | # | | | |-----| > | # | | | > | ************ v * * * * ********| ***************** v * v ******** > | * +---------------------+ | * +---------------------+ * > | * | Agent 1 | | * | Agent 2 | * > | * +---------------------+ | * +---------------------+ * > | * ^ ^ ^ ^ | * ^ ^ ^ ^ * > > > > Just think about this fact: today’s router configuration in production > environment can only be performed by a few authorized people with EMS/NMS > physically and securely separated. If the majority of the I2RS environment > requirement is about open connection, I2RS WG will spend a lot energy > developing the very sophisticated protocols which is expensive to develop > and harder to deploy. > > I am not against this development, but IMHO, to gain wider and quicker > I2RS deployment in production environment, it is necessary to have a very > *lean* I2RS solution first, and to have a well documented security > requirement for the common deployment environment. E.g. a single Controller > (or the I2RS client) directly connected to their devices via their internal > network, where the connection is physically isolated from other network and > protected by separate mechanisms. Also remember, many operators will use > I2RS to control a small number of selective routers (mostly routers at > ingress/egress boundary) for value added services. > > > > Some of my detailed questions and comments to the “security-requirements” > are still applicable to the “environment-req” document because they have > the same text. Plus a few more for the “environment-req” document. Hope the > authors can address them. > > > Section 3: > > What are the key differences with regard to the security requirements for > I2RS plane and for management plane? Section 3.1 describes the > interaction between I2RS plane and management plane. But I see the security > requirement for the management plane are all applicable to the security > requirement to I2RS plane . If you think that they are very different, can > you elaborate more? > > Section 3.4 has title “Recommendations”, but the content are all > requirements. Why not name the section “Requirement”? > > REQ 2: Does it that a different IP address than the one used by the > management system? > > REQ 21: is more about I2RS requirement, less about “Security” requirement. > > REQ 24: isn’t it the general goal of I2RS? Not really security per se. > (should be included in the general I2RS requirement or architecture). > > > REQ 26: simply controlling the resource can hardly prevent DoS. Malicious > client can occupy the resource while the valid one can't access. > > Thanks for your consideration, > Linda > > > -----Original Message----- > From: i2rs [mailto:i2rs-bounces@ietf.org <i2rs-bounces@ietf.org>] On > Behalf Of Joel M. Halpern > Sent: Friday, August 21, 2015 12:20 PM > To: Linda Dunbar; i2rs@ietf.org > Cc: 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Alia Atlas' > Subject: Re: [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG > adoption call (8/17 to 8/31) > > Yes, one of the two last calls is for the environment document. > > Having a dedicated physical channel is one of the ways identified in the > draft to provide the required isolation. > > While such an environment is clearly supportable, I do not think we should > reduce the internal protocol requirements (such as MTI security for the > control channel) just because there are circumstances where such it won't > be needed. I don't expect that we will build different protocol stacks for > the different deployments. > > The purpose of this draft is to describe the environmental assumptions, > which assumptions can be met in various ways. > > Yours, > Joel > > On 8/21/15 12:56 PM, Linda Dunbar wrote: > > Joel, > > > > If it is the "environmental one", it is more important to differentiate > the requirements for different environments on how the I2RS client & Agent > are connected. > > > > One of our customers stated that their environment has a single > Controller (or the I2RS client) directly connected to their devices via > their internal network, where the connection is physically isolated from > other network and protected by separate mechanisms, they don't need all > those sophisticated authentication procedure. > > > > We need to address this environment, i.e. having a simpler security > requirement for this environment than the environment where I2RS Client is > connected via public network. > > > > Linda > > > > > > -----Original Message----- > > From: Joel Halpern Direct [mailto:jmh.direct@joelhalpern.com > <jmh.direct@joelhalpern.com>] > > Sent: Friday, August 21, 2015 10:53 AM > > To: Linda Dunbar; i2rs@ietf.org > > Cc: 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Joel Halpern'; 'Alia > Atlas' > > Subject: Re: [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG > > adoption call (8/17 to 8/31) > > > > First, there may be some confusion because the announcement. I presume > that you are talking about the -environments documents. > > > > If the WG concludes that a different chapter structure is useful, we can > of course change it. Given that the goal is environment description, I am > not sure your proposed structure is significantly better than the existing > one. > > > > I believe your comment about the text reading "where security functions > may be hosted" is well taken, and we should remove that text when we next > revise the document. > > > > The isolation text is about the need to keep things separate, and the > various possible means are degrees / approaches to separation. > > Isolation is not about treating things differently, nor is it explicitly > about using different protocols. So the point of isolation is not that > there are different security requirements, but that in order to avoid > corss-effects, things should be kept separate. > > > > Yours, > > Joel > > > > On 8/20/15 6:42 PM, Linda Dunbar wrote: > >> I support the WG adoption because I think the I2RS WG needs it. > >> However, I hope the authors can consider/address the following > suggestions/comments: > >> > >> When you think about the I2RS security, there are following > >> different > >> aspects: > >> > >> -Communication channel between I2RS client and Agent (and the channel > >> between I2RS client and applications): > >> > >> The channel can be > >> > >> oVia physical Private network (e.g. within a secured direct connect > >> within one site), > >> > >> owithin one administrative domain, via virtual private network > >> > >> oSecured connection, such as TLS or IPSec > >> > >> oPublic internet > >> > >> o.. > >> > >> -Authentication & Authorization > >> > >> othe authentication & authorization requirement for different > >> communication channels can be different. Therefore, should have > >> separate sections to address specific requirement for each > >> communication channels between I2RS agent <-> clients (and client <-> > >> applications) > >> > >> The current Section 4 of the draft already has very good description > >> on the subject. I think 4.4.1 and 4.42 can be separated out of the > section. > >> > >> -Encryption for the actual content between Client and Agent > >> > >> -DoS Design requirement (currently in Section 5.2.1) > >> > >> -Management of conflict with other plane (e.g. the management plane, > >> multi-headed control, which has been discussed extensively in > >> ephemeral > >> draft) > >> > >> I think the draft should be organized from the aspects of the > >> security to I2RS as suggested above. > >> > >> Here are some detailed questions and comments to the requirements > >> listed in the document: > >> > >> Section 1: > >> > >> The second paragraph stated the security recommendations must > >> "specifying where security functions may be hosted". First of all I > >> don't see the draft address this aspect. Second, I think "where > >> security functions are hosted" is orthogonal to "I2RS security" . > >> > >> Section 3: > >> > >> what does isolating two planes mean? does it mean they have different > >> security requirement/issues? Or does it mean they need different > protocols? > >> > >> What are the key differences with regard to the security requirements > >> for I2RS plane and for management plane? Section 3.1 describes the > >> interaction between I2RS plane and management plane. But I see the > >> security requirement for the management plane is similar to I2RS plane . > >> If you think that they are very different, can you elaborate more? > >> > >> Section 3.4 has title "Recommendations", but the content are all > >> requirements. Why not name the section "Requirement"? > >> > >> REQ 2: Does it that a different IP address than the one used by the > >> management system? > >> > >> How is REQ 22 different from REQ 21? > >> > >> REQ 27 is hard to enforce. How about say something like "shouldn't > >> send any information beyond what have been defined by the I2RS data > model"? > >> > >> REQ 30: simply controlling the resource can hardly prevent DoS. > >> Malicious client can occupy the resource while the valid one can't > access. > >> > >> Thanks for consideration, > >> > >> Linda > >> > >> *From:*i2rs [mailto:i2rs-bounces@ietf.org <i2rs-bounces@ietf.org>] *On > Behalf Of *Susan Hares > >> *Sent:* Monday, August 17, 2015 12:50 PM > >> *To:* i2rs@ietf.org > >> *Cc:* 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Joel Halpern'; > >> shares@ndzh.com; 'Alia Atlas' > >> *Subject:* [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG > >> adoption call (8/17 to 8/31) > >> > >> This begins a 2 week WG adoption call for > >> draft-mglt-i2rs-security-requirements. This draft discusses the > >> security requirements for the I2RS environment. You can find the draft > at: > >> > >> https://tools.ietf.org/html/draft-mglt-i2rs-security-environment-reqs > >> - > >> 00 > >> > >> A security reviewer will review this draft during the time 8/20 to > >> 8/25. We will post the security directorate review to this discussion. > >> > >> Sue Hares > >> > > > > _______________________________________________ > i2rs mailing list > i2rs@ietf.org > https://www.ietf.org/mailman/listinfo/i2rs > > > _______________________________________________ > i2rs mailing list > i2rs@ietf.org > https://www.ietf.org/mailman/listinfo/i2rs > >
- Re: [i2rs] Review comments to draft-mglt-i2rs-sec… Daniel Migault
- [i2rs] Suggested section/text to be added to draf… Linda Dunbar
- Re: [i2rs] Suggested section/text to be added to … Linda Dunbar
- Re: [i2rs] Suggested section/text to be added to … Daniel Migault
- Re: [i2rs] Suggested section/text to be added to … Susan Hares
- Re: [i2rs] Suggested section/text to be added to … Susan Hares