Re: [i2rs] draft-mglt-i2rs-security-environment-reqs-00 Thoughts on AAA
Daniel Migault <daniel.migault@ericsson.com> Fri, 02 October 2015 14:49 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 519C21B2BC8 for <i2rs@ietfa.amsl.com>; Fri, 2 Oct 2015 07:49:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r6QCDjzBRe_X for <i2rs@ietfa.amsl.com>; Fri, 2 Oct 2015 07:49:14 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 660871A6F05 for <i2rs@ietf.org>; Fri, 2 Oct 2015 07:49:14 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so34325489wic.0 for <i2rs@ietf.org>; Fri, 02 Oct 2015 07:49:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=CtMVfLsGboXCaE7vQE8ttfUjMP2gZmbUfZuK6wHQDTo=; b=aUXTS+ozdf1iplrF/8KM7Fjz/B/ZI0RWqz8V1PDc/yLZ11s9cUf7zKUsXgoruSO5Xa M9ayAE1qsmSESq8/3Vlux+ZKQfz675fSGhbhTU90unzHnbq75K7PN7iDf/SttrpIqFeU 7IYOPx2p0chob4yPxgKGUiByLqTuyH0V9dtkcGasOp91SwBYCFNFEWkzYzX1xDYqikPd 8II4JiAgF8O9Bv/RGP9wE5uI/aDh47PVg6NMKZK2TWX0Ixey6nWf6W6scbY9Qzj4VPXn QOu8JWIoVY+v+gaToJ08BpRLsu+5DHUYDIMOz23UJ4lVzsrznVk9FT+Q88yR19ktIgHD atmg==
MIME-Version: 1.0
X-Received: by 10.194.80.71 with SMTP id p7mr15865651wjx.83.1443797353005; Fri, 02 Oct 2015 07:49:13 -0700 (PDT)
Sender: mglt.ietf@gmail.com
Received: by 10.194.88.98 with HTTP; Fri, 2 Oct 2015 07:49:12 -0700 (PDT)
In-Reply-To: <20150827213344.GF19039@pfrc.org>
References: <20150827213344.GF19039@pfrc.org>
Date: Fri, 02 Oct 2015 10:49:12 -0400
X-Google-Sender-Auth: wQOZwG5ng2sqToUGz8UNcZn9xJs
Message-ID: <CADZyTkmO8PMt91sM0XqnhCj+QMunhm5cvL1u2Aie+NfPjdn=_g@mail.gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Content-Type: multipart/alternative; boundary="047d7bb04da25a8d370521204471"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/qLnAB-vv7hLm9NR7IwTplUNBjRM>
Cc: i2rs@ietf.org
Subject: Re: [i2rs] draft-mglt-i2rs-security-environment-reqs-00 Thoughts on AAA
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2015 14:49:17 -0000
Hi Jeffrey,
Thank you for your feed back. We considered them - with all other feed
backs we received. We believe the new version address all of them. Feel
free to let us know if we missed something. Here is a small recap of the
modifications performed to address your comments.
BR,
The co-authors
I have some contrary thoughts on the AAA section of this document.
MGLT: The AAA section has completely be re-written.
Section 4.1 tries to describe requirements wherein the I2RS Clients may
request for subsets of AAA policy to be exported to the Client so that the
client may enforce them. While this seems like a nice way to scale the
operations, in some cases disclosing those policies (even if we find a good
way to encode the AAA validation in a generic enough way to distribute) may
accidentally disclose information that is otherwise intended to be secure.
MGLT: Thanks for pointing out this issue. Information leakage has been
added in the document as something to balance with a distributed access
control system.
I would seek comment from the security directorate, but I suspect we don't
want to do this.
But in section 4.4, we try to discuss availability. The first sentence
immediately says "enforcement should not remain local", while one way to
enable security in some environments is to distribute and synchronize
policy to be enforced locally.
It then goes on to talk about general availability mechanisms and then we
further dive into security against DoS.
MGLT: I agree with the comment. The section 4.4 has been removed and all
DoS specific consideration has been keept in a specific section to make the
document more coherent.
4.4. I2RS AAA Security Domain . . . . . . . . . . . . . . . . 12
4.4.1. Available I2RS Communication Channel . . . . . . . . 12
4.4.2. Trusted I2RS Communications Channel . . . . . . . . . 14
Have been removed.
I believe we may be boiling the ocean a bit to try to go into too many
details about the design of secure AAA systems. It seems a bit out of
scope for I2RS to do such work; we should defer to work done elsewhere on
the topic, if it exists. If it doesn't exist, I'm not sure we should do it.
What is right for us to point out is, "If we use a remote AAA mechanism, it
must be robust in hostile environments". Expand that as you will, but
being too proscriptive is not our job.
MGLT: I agree with the comment. I hope the new version of the section
address your comment.
On Thu, Aug 27, 2015 at 5:33 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> I have some contrary thoughts on the AAA section of this document.
>
> Section 4.1 tries to describe requirements wherein the I2RS Clients may
> request for subsets of AAA policy to be exported to the Client so that the
> client may enforce them. While this seems like a nice way to scale the
> operations, in some cases disclosing those policies (even if we find a good
> way to encode the AAA validation in a generic enough way to distribute) may
> accidentally disclose information that is otherwise intended to be secure.
>
> I would seek comment from the security directorate, but I suspect we don't
> want to do this.
>
> But in section 4.4, we try to discuss availability. The first sentence
> immediately says "enforcement should not remain local", while one way to
> enable security in some environments is to distribute and synchronize
> policy
> to be enforced locally.
>
> It then goes on to talk about general availability mechanisms and then we
> further dive into security against DoS.
>
> I believe we may be boiling the ocean a bit to try to go into too many
> details about the design of secure AAA systems. It seems a bit out of
> scope
> for I2RS to do such work; we should defer to work done elsewhere on the
> topic, if it exists. If it doesn't exist, I'm not sure we should do it.
>
> What is right for us to point out is, "If we use a remote AAA mechanism, it
> must be robust in hostile environments". Expand that as you will, but
> being
> too proscriptive is not our job.
>
> -- Jeff
>
> _______________________________________________
> i2rs mailing list
> i2rs@ietf.org
> https://www.ietf.org/mailman/listinfo/i2rs
>
- [i2rs] draft-mglt-i2rs-security-environment-reqs-… Jeffrey Haas
- Re: [i2rs] draft-mglt-i2rs-security-environment-r… Daniel Migault