Re: [secdir] Security directorate

Alia Atlas <> Tue, 06 January 2015 22:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 71CED1A8716 for <>; Tue, 6 Jan 2015 14:18:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qo3D0s4CmNyD for <>; Tue, 6 Jan 2015 14:18:47 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0DA2B1A0103 for <>; Tue, 6 Jan 2015 14:18:47 -0800 (PST)
Received: by with SMTP id c41so80604yho.27 for <>; Tue, 06 Jan 2015 14:18:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DjAID+/XVg7dZnOA6dfY/pqpiOMrKcXEo/xAiprkFmI=; b=ou+j+gVJ3Ryq2EQmUwlGJWXxSB96FQGYn0x6NF/fetny1oh5vYVEMrZbuSyp43EoGD oCLyqGXmZOS4XwDFWilj+KnsYjAV+UfIMTg71GRd7ijjO6Kcs0dLVAHkx1mnEJ0R9uqG vNqn3B8QbNAuJXUYp8hSJzhJsF/hDEuXRpKBjvd9lcaTyO3mX/DnpfUbj+l/GqOXc7Az jvK6lC20kpVbT/qeImLcj6XIw7xpJ3s/Zkih2kIouM5DgJIUJMFbXOrwx9UnSS/STAO4 yppRpcoOJ7qk2zCWG3WRT6YnXMlZ0wKI0zKz/jr6fykqebo9uEJTWBV9fUU8ZTDyfbuB sjuA==
MIME-Version: 1.0
X-Received: by with SMTP id e67mr31289243yhe.3.1420582726269; Tue, 06 Jan 2015 14:18:46 -0800 (PST)
Received: by with HTTP; Tue, 6 Jan 2015 14:18:46 -0800 (PST)
In-Reply-To: <>
References: <074b01d00f31$1712da30$45388e90$> <> <> <00e601d01ac4$b5b69b60$2123d220$> <>
Date: Tue, 6 Jan 2015 17:18:46 -0500
Message-ID: <>
From: Alia Atlas <>
To: Stephen Kent <>
Content-Type: multipart/alternative; boundary=089e0122a476c61e05050c033016
X-Mailman-Approved-At: Tue, 06 Jan 2015 14:21:58 -0800
Cc: "Thomas D. Nadeau" <>, secdir <>, Kathleen Moriarty <>, "" <>, Jeffrey Haas <>, Adrian Farrel <>, Susan Hares <>
Subject: Re: [secdir] Security directorate
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 Jan 2015 22:18:50 -0000

Hi Stephen,

Thanks very much for doing this review.

On Thu, Dec 18, 2014 at 10:59 AM, Stephen Kent <> wrote:

>  SECDIR early review of draft-ietf-i2rs-problem-statement-04
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.  These
> comments were written with the intent of improving security requirements
> and considerations in IETF drafts.  Comments not addressed in last call
> may be included in AD reviews during the IESG review.  Document editors
> and WG chairs should treat these comments just like any other last call
> comments.
> This is a short document describing the problem being addressed by the
> I2RS WG, and establishing some requirements for solutions.
> Section 2 describes the model for I2RS. It calls for using existing
> transport protocols to provide security, a good statement as part of the
> base protocol requirements. Looking at Figure 1, it seems that the only
> paths that are in scope for I2RS are between an I2RS agent and client and
> between clients.
> In section 5, authentication, authorization, and integrity are explicitly
> cited as requirements. This is a good statement of requirements. It might
> be nice to state whether confidentiality is also perceived as a
> requirement, or if it explicitly not a requirement.

The sad answer is that it depends on what data is being sent.  For
instance, I can see counters or events not requiring confidentiality
(depending) but some things being written or responses might require
I've added in
" Some communications will also require confidentiality."
at the end of the Secure Control bullet.

 The Security Considerations section is a single paragraph consisting of 2
> sentences. It opens with a nice statement about the importance of security
> in the I2RS context. I think a back pointer to the “secure Control” text
> would be appropriate. The second sentence says that more investigation is
> needed to fully define security requirements such as authorization and
> authentication levels. I don’t know what this last phrase means.
> Authorization (aka access control) isn’t usually described as having levels
> per se. Do you mean granularity of access control, or something else. Also,
> for authentication, there are various mechanisms one can employ, and these
> may be described as offering varying “levels” of security, but that is an
> oversimplification in many cases. A clearer description of what the authors
> are trying to convey here would be good.

I've updated the Security Considerations section to:

"Security is a key aspect of any protocol that allows state
      installation and extracting of detailed router state.  The need
      for secure control is mentioned in Section 5.  More architectural
      considerations are discussed in <xref
      target="I-D.ietf-i2rs-architecture"/>.  Briefly, the I2RS Agent
      is assumed to have a separate authentication and authorization
      channel by which it can validate both the identity and the
      permissions associated with an I2RS Client.  Mutual
      authentication between the I2RS Agent and I2RS Client is
      required.  Different levels of integrity, confidentiality, and
      replay protection are relevant for different aspects of

I also looked briefly at draft-hares-i2rs-security-02. That document begins
> with a very good discussion of security terminology based on RFC 4949. It
> also proposes very specific security requirements for communications in the
> I2RS model. That document calls for confidentiality as a requirement, which
> further motivates some mention of this security service in the problem
> statement, even if the statement is equivocal.
> Two typos I noted:
> Section 2: measuresments -> measurements
> Section 5:
> Such communications must also have its integrity protected. ->
> Such communications must also be integrity-protected.


Thanks again,