[Roll] RtgDir review:
Russ White <russw@riw.us> Thu, 17 January 2013 02:24 UTC
Return-Path: <russw@riw.us>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87BF011E809C; Wed, 16 Jan 2013 18:24:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.796
X-Spam-Level:
X-Spam-Status: No, score=-0.796 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, LONGWORDS=1.803]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzWMWRBSVYyW; Wed, 16 Jan 2013 18:24:03 -0800 (PST)
Received: from da31.namelessnet.net (da31.namelessnet.net [74.124.205.66]) by ietfa.amsl.com (Postfix) with ESMTP id B385C1F0CF5; Wed, 16 Jan 2013 18:24:03 -0800 (PST)
Received: from [216.53.138.131] (helo=[10.96.7.37]) by da31.namelessnet.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <russw@riw.us>) id 1Tvf98-0004KU-Sk; Wed, 16 Jan 2013 18:24:03 -0800
Message-ID: <50F760C5.4030700@riw.us>
Date: Wed, 16 Jan 2013 21:24:05 -0500
From: Russ White <russw@riw.us>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: rtg-ads@tools.ietf.org
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner
X-Mailman-Approved-At: Mon, 21 Jan 2013 06:09:20 -0800
Cc: rtg-dir@ietf.org, roll@ietf.org, draft-ietf-roll-security-threats-00.all@tools.ietf.org
Subject: [Roll] RtgDir review:
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/roll>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2013 02:24:04 -0000
Hello, I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://www.ietf.org/iesg/directorate/routing.html Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft. Document: draft-ietf-roll-security-threats-00.txt Reviewer: Russ White Review Date: 16 January 2013 IETF LC End Date: unknown Intended Status: Informational Summary: I have significant concerns about this document and recommend that the Routing ADs discuss these issues further with the authors. Comments: Philosophically, this document seems to treat routing as an "entity," that operates by itself, independent of other systems, within a network. In real networks, routing is primarily used to provide for forwarding, so security should really be couched in terms of how breaches in routing security impact forwarding. The direction taken in this draft leads to a single end --the encryption of all routing information carried through the network. I would really like to see routing security take a more creative turn, seeing routing as a part of an overall system, rather than as an end to end flow of information that must be secured in its own right --as "just another data stream." Specifically, the goals in section 3.4 would necessarily be resolvable only through the use of some form encrypted transport of routing information, which could easily overcome any possible low powered device in complexity and difficulty. It seems, to me, a better overall goal would be to ensure the routing database accurately reflects the actual state of the network topology, allowing for any means that will reach this goal, whether or not they include cryptography. A wider net is more likely to produce a stronger set of available options. The problems noted in section 4 are, in fact, countered with proposals in sections 5 and 6 that only propse cryptographic mechanisms generally planned around encrypting routing exchanges and/or signing routing information on the wire, adding weight to my thoughts above. It seems, to me, that sections 5 and 6 should be moved to a separate draft, so the general overview of the problems and possible solutions are decoupled a bit, to allow “breathing room,” for possible alternate solutions. == My one concern about section 3.2 is one of the implications carried in the statement, “non-repudiation will involve providing some ability to allow traceability or network management review of participants of the routing process including the ability to determine the events and actions leading to a particular routing state.” This implies, at least to me, that the actual processing of routing updates need to be logged in a way that prevents tampering at every node, as well as the actual routing updates received, transmitted, and otherwise handled by each node in the network — especially since routing is not always atomic, but rather timing dependent. How this particular “possible requirement,” might be implanted in a way that is practical. == The taxonomy in section 4 appears to be solid. == Overall, I found the writing style to be a bit opaque/obtuse — difficult to read in parts, perhaps a little “research,” if that makes sense. Some specific comments on the first few paragraphs are below, but I didn’t spend a great deal of time working through specific grammar issues throughout the entire document. == This document presents a framework for securing Routing Over LLNs (ROLL)... Using an acronym to expand another acronym will probably confuse at least some readers. LLNs also needs to be explained at it's first use. == Security, in essence, entails implementing measures to ensure controlled state changes... I'm not certain what's meant by "controlled," here, or how it relates to security. Is "unsecured," information about state changes therefore "uncontrolled?" Is "verifiable," what you're after here, or perhaps, "authorized," or... ?? == State changes would thereby involve proper authorization for actions, authentication, and potentially confidentiality, but also proper order of state changes through timeliness (since seriously delayed state changes, such as commands or updates of routing tables, may negatively impact system operation). Perhaps something like: Securing information about state changes would include ensuring devices match their claimed role (authentication), transmitted state changes are correct and allowed through policy (authorization), state changes are only visible to authorized devices (confidentiality), and operations are taken in the proper order (timeliness and atomicity). == An asset implies an important system component (including information, process, or physical resource), the access to, corruption or loss of which adversely affects the system. In network routing, assets lie in the routing information, routing process, and node's physical resources. That is, the access to, corruption, or loss of these elements adversely affects system routing. Perhaps something like: In the control plane context, an asset is information about the network, processes used to manage and manipulate this data, and the physical devices on which this data is stored and manipulated. The corruption or loss of these assets may adversely impact the control plane of the network. (Note you shouldn't imply any such breach "will," disrupt routing, because routing systems are, at base, designed to be resilient to information loss and corruption. There are some situations where loss or corruption will result in misrouted or lost data flows, but there are others where it will not.) == In network routing, a point of access refers to the point of entry facilitating communication with or other interaction with a system component in order to use system resources to either manipulate information or gain knowledge of the information contained within the system. Perhaps something like: Within the same context, a point of access is an interface or protocol that facilitates interaction between control plane components. == Security of the routing protocol must be focused on the assets of the routing nodes and the points of access of the information exchanges and information storage that may permit routing compromise. This sentence doesn't add to the flow of thought, so I would just remove it. == The identification of routing assets and points of access hence provides a basis for the identification of associated threats and attacks. Perhaps something like: Identifying these assets and points of access will provide a basis for enumerating the attack surface of the control plane. == This subsection identifies assets and points of access of a generic routing process with a level-0 data flow diagram [Yourdon1979] revealing how the routing protocol interacts with its environment. In particular, the use of the data flow diagram allows for a clear, concise model of the routing functionality; it also has the benefit of showing the manner in which nodes participate in the routing process, thus providing context when later threats and attacks are considered. Perhaps something like: A level-0 data flow diagram [Yourdon1979] is used here to identify the assets and points of access within a generic routing process. The use of a data flow diagram allows for a clear and concise model of the way in which routing nodes interact and process information, and hence provides a context for threats and attacks. Major Issues: My primary concern is the general philosophy within the draft --see my comments above. The working group may decide this philosophy is acceptable/good, but it should be brought out onto the table and discussed, and some explanation of why this path was chosen provided in the draft, rather than assumed, IMHO. Minor Issues: Writing style, as indicated in my comments above. == HTH :-) Russ
- [Roll] RtgDir review: Russ White