Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

Kathleen Moriarty <> Mon, 22 August 2016 20:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E7EBB12D7FF; Mon, 22 Aug 2016 13:08:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4thz3R5n97IV; Mon, 22 Aug 2016 13:08:16 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 79B0712D7F7; Mon, 22 Aug 2016 13:08:16 -0700 (PDT)
Received: by with SMTP id n59so209097717uan.2; Mon, 22 Aug 2016 13:08:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cjH1eaNWQcJAtCmQhmKjVcVOamFmtwgxG6vVTx8Yh7w=; b=E6aBbFpPhfv0eB7530wIEOcro0K9811imspKKA6qZ0oaLMsm1qAMoyPxVYa/0EbIjc QxEII425DbijcSL52RT/GpMCaGgGxkyLSKUM/U/Sc15Tya4W/0M4MxJio9GjtQSAqzmT 1PttJz1u0CQbjTwJE8MPeknh0wrr0zSV1uJMzGFzEZWAbXNVO+mD1+b4QyK3fyoZoLmK 7dGz3FHf5le4mYDhMDOv6OCJ+JIpw9Pwc6CWGtcCCdTjHgxBe6INDBR9iWeeYE6UUawT S5Ubx0GJmixXvx0rhXVVuLGzFf4gf2vQG5nn99o3fn8hCKzQ2iHvJxhS+2RyukTV35hA DyCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cjH1eaNWQcJAtCmQhmKjVcVOamFmtwgxG6vVTx8Yh7w=; b=L5ciODMVnuUa9aXK5c2dXTdHw9ng9++6GNe/vlL3aSB4SaGGst2q8KmdVhfQ6Lot7d /cvb1nO29F7Y7bC8I4ugh92Cu8I+FHycVhbmhAnvh983iR9I5FBHASqWUX1U+NR6qSCJ 2L7fMLhveF90SyWyq6+Iq9ykVnBSRcFEakH0r/jIlGiBZuVE313aM7IGlmULo0qXysSv zXWuAwKdFB1/jkHTN/r6rYfhJLEr+l6BsgkbVXa0GlvV2gAbroaUv0vXmT8ArXm741pt TZP6orf2lvONvlVquJykTm/azQMtZQcoukPEQ23HAkD71Idtv1fxbMGqw6orvaJkl44y pwAQ==
X-Gm-Message-State: AEkoousfe+Qo/bvFq3/HLkuZlFQO2Vcb7pyDRiH+PbWjK4TDyCIvb/U3ZQOX2bFLcdRhW/gMlZYLVGE2XS3G0w==
X-Received: by with SMTP id y31mr12470777uay.88.1471896495527; Mon, 22 Aug 2016 13:08:15 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 22 Aug 2016 13:08:13 -0700 (PDT)
In-Reply-To: <>
References: <> <003801d1f97f$3d16eb10$b744c130$> <20160819085756.GA6759@elstar.local> <01e501d1fa07$6d613fe0$4823bfa0$> <> <027a01d1fa12$3879b270$a96d1750$> <> <> <> <> <>
From: Kathleen Moriarty <>
Date: Mon, 22 Aug 2016 16:08:13 -0400
Message-ID: <>
To: Jeffrey Haas <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
X-Mailman-Approved-At: Tue, 23 Aug 2016 07:35:38 -0700
Cc: "" <>, Juergen Schoenwaelder <>, Alissa Cooper <>, Andy Bierman <>,, IESG <>, Joel Halpern <>, Lou Berger <>, Susan Hares <>,
Subject: Re: [i2rs] Kathleen Moriarty's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Aug 2016 20:08:18 -0000

On Mon, Aug 22, 2016 at 3:58 PM, Jeffrey Haas <> wrote:
> On Mon, Aug 22, 2016 at 03:51:09PM -0400, Kathleen Moriarty wrote:
>> > The underlying I2RS question is how to mark nodes in such a way that the
>> > insecure transport protocols may be permitted to publish them without
>> > requiring every single node to be audited if you have relatively weak
>> > deployment considerations?  If the answer is "read the security
>> > considerations and write a filter", it's not the answer i2rs is looking for.
>> I think it's just that it is easier to mark the items that require
>> confidentiality and integrity protection, when that is clear, rather
>> than trying to figure out that something is absolutely not in need of
>> any confidentiality and integrity protections.
> I think I2RS has done generally better than that.  When not so marked, the
> intent is secure.
> From a syntactic standpoint, it's much nicer to add keywords for the
> exceptions rather than the default. :-)
>> In this case, you are
>> not saying that items don't need security, you are just not taking an
>> official stance and it's up to the user to turn on or off the default
>> knob for session transport security.
> Mostly I'm saying that once you have annotated some data node as being "okay
> to be insecure", the user can have tools to programmatically act upon that
> based on information in the model.  Lacking that, we're back in SNMP land
> wherein people have to put in per-object filters to implement this.

One other important consideration from this discussion is the terms
used.  I have been careful to say needing confidentiality and
integrity protections, which is different from saying it needs to be
secure (or it doesn't need confidentiality and integrity protection).

> Note this is "can act".  It'd be fine to have your policy be "even if marked
> insecure, leave secure".  It's even fine, IMO (but not as an author of this
> document), for such "leave secure unless otherwise configured" to be the
> mandatory to implement default.
> I'm somewhat curious if you've done such configuration in SNMP.  It's a
> PITA. :-)

Not that it matters, but yes, one my masters degree projects involved
automating a bunch of functions in a service provider NOC with SNMP
and I wrote a MIB for one of my drafts that was later changed to XML.

> -- Jeff


Best regards,