Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 22 August 2016 20:08 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7EBB12D7FF; Mon, 22 Aug 2016 13:08:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4thz3R5n97IV; Mon, 22 Aug 2016 13:08:16 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79B0712D7F7; Mon, 22 Aug 2016 13:08:16 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id n59so209097717uan.2; Mon, 22 Aug 2016 13:08:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cjH1eaNWQcJAtCmQhmKjVcVOamFmtwgxG6vVTx8Yh7w=; b=E6aBbFpPhfv0eB7530wIEOcro0K9811imspKKA6qZ0oaLMsm1qAMoyPxVYa/0EbIjc QxEII425DbijcSL52RT/GpMCaGgGxkyLSKUM/U/Sc15Tya4W/0M4MxJio9GjtQSAqzmT 1PttJz1u0CQbjTwJE8MPeknh0wrr0zSV1uJMzGFzEZWAbXNVO+mD1+b4QyK3fyoZoLmK 7dGz3FHf5le4mYDhMDOv6OCJ+JIpw9Pwc6CWGtcCCdTjHgxBe6INDBR9iWeeYE6UUawT S5Ubx0GJmixXvx0rhXVVuLGzFf4gf2vQG5nn99o3fn8hCKzQ2iHvJxhS+2RyukTV35hA DyCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cjH1eaNWQcJAtCmQhmKjVcVOamFmtwgxG6vVTx8Yh7w=; b=L5ciODMVnuUa9aXK5c2dXTdHw9ng9++6GNe/vlL3aSB4SaGGst2q8KmdVhfQ6Lot7d /cvb1nO29F7Y7bC8I4ugh92Cu8I+FHycVhbmhAnvh983iR9I5FBHASqWUX1U+NR6qSCJ 2L7fMLhveF90SyWyq6+Iq9ykVnBSRcFEakH0r/jIlGiBZuVE313aM7IGlmULo0qXysSv zXWuAwKdFB1/jkHTN/r6rYfhJLEr+l6BsgkbVXa0GlvV2gAbroaUv0vXmT8ArXm741pt TZP6orf2lvONvlVquJykTm/azQMtZQcoukPEQ23HAkD71Idtv1fxbMGqw6orvaJkl44y pwAQ==
X-Gm-Message-State: AEkoousfe+Qo/bvFq3/HLkuZlFQO2Vcb7pyDRiH+PbWjK4TDyCIvb/U3ZQOX2bFLcdRhW/gMlZYLVGE2XS3G0w==
X-Received: by 10.176.83.98 with SMTP id y31mr12470777uay.88.1471896495527; Mon, 22 Aug 2016 13:08:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.1.228 with HTTP; Mon, 22 Aug 2016 13:08:13 -0700 (PDT)
In-Reply-To: <20160822195821.GB5600@pfrc.org>
References: <F8C205FB-665C-422C-B991-2F97F75CAE42@cooperw.in> <003801d1f97f$3d16eb10$b744c130$@ndzh.com> <20160819085756.GA6759@elstar.local> <01e501d1fa07$6d613fe0$4823bfa0$@ndzh.com> <9c53ff98-3268-f6e2-fbe6-862fc3948794@labn.net> <027a01d1fa12$3879b270$a96d1750$@ndzh.com> <a0e36f97-b62d-228f-f8f7-fadefd1570a1@labn.net> <CABCOCHStcL9-j_ZzG+J+Gj2=kx+N_F9WVzAVTU2pdnLo5dOF+g@mail.gmail.com> <20160822194549.GA5600@pfrc.org> <CAHbuEH4Eim65T_SrsDnLf2bBLY2dhY1kKDEfZxKqmNyrpAq+fg@mail.gmail.com> <20160822195821.GB5600@pfrc.org>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 22 Aug 2016 16:08:13 -0400
Message-ID: <CAHbuEH6uO1BeodfY9ojUH3aqz8GhTO8aU3QQdr0LgkYHt_vwig@mail.gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/xQ07EBL5SxdzcsoeUdXOxrE8j04>
X-Mailman-Approved-At: Tue, 23 Aug 2016 07:35:38 -0700
Cc: "i2rs@ietf.org" <i2rs@ietf.org>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Alissa Cooper <alissa@cooperw.in>, Andy Bierman <andy@yumaworks.com>, i2rs-chairs@ietf.org, IESG <iesg@ietf.org>, Joel Halpern <joel.halpern@ericsson.com>, Lou Berger <lberger@labn.net>, Susan Hares <shares@ndzh.com>, draft-ietf-i2rs-protocol-security-requirements@ietf.org
Subject: Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2016 20:08:18 -0000

On Mon, Aug 22, 2016 at 3:58 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> On Mon, Aug 22, 2016 at 03:51:09PM -0400, Kathleen Moriarty wrote:
>> > The underlying I2RS question is how to mark nodes in such a way that the
>> > insecure transport protocols may be permitted to publish them without
>> > requiring every single node to be audited if you have relatively weak
>> > deployment considerations?  If the answer is "read the security
>> > considerations and write a filter", it's not the answer i2rs is looking for.
>>
>> I think it's just that it is easier to mark the items that require
>> confidentiality and integrity protection, when that is clear, rather
>> than trying to figure out that something is absolutely not in need of
>> any confidentiality and integrity protections.
>
> I think I2RS has done generally better than that.  When not so marked, the
> intent is secure.
>
> From a syntactic standpoint, it's much nicer to add keywords for the
> exceptions rather than the default. :-)
>
>> In this case, you are
>> not saying that items don't need security, you are just not taking an
>> official stance and it's up to the user to turn on or off the default
>> knob for session transport security.
>
> Mostly I'm saying that once you have annotated some data node as being "okay
> to be insecure", the user can have tools to programmatically act upon that
> based on information in the model.  Lacking that, we're back in SNMP land
> wherein people have to put in per-object filters to implement this.

One other important consideration from this discussion is the terms
used.  I have been careful to say needing confidentiality and
integrity protections, which is different from saying it needs to be
secure (or it doesn't need confidentiality and integrity protection).

>
> Note this is "can act".  It'd be fine to have your policy be "even if marked
> insecure, leave secure".  It's even fine, IMO (but not as an author of this
> document), for such "leave secure unless otherwise configured" to be the
> mandatory to implement default.
>
> I'm somewhat curious if you've done such configuration in SNMP.  It's a
> PITA. :-)

Not that it matters, but yes, one my masters degree projects involved
automating a bunch of functions in a service provider NOC with SNMP
and I wrote a MIB for one of my drafts that was later changed to XML.

Kathleen
>
> -- Jeff



-- 

Best regards,
Kathleen