Re: [secdir] Early SecDir Reviews
"Susan Hares" <shares@ndzh.com> Mon, 24 August 2015 19:20 UTC
Return-Path: <shares@ndzh.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5636F1AD0AD; Mon, 24 Aug 2015 12:20:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.755
X-Spam-Level:
X-Spam-Status: No, score=-95.755 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DOS_OUTLOOK_TO_MX=2.845, J_CHICKENPOX_111=0.6, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Uzn5HMyVq8f; Mon, 24 Aug 2015 12:20:02 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web3.hickoryhill-consulting.com [64.9.205.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6B881ACD8F; Mon, 24 Aug 2015 12:19:30 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=174.124.218.207;
From: Susan Hares <shares@ndzh.com>
To: 'Russ Housley' <housley@vigilsec.com>, draft-mglt-i2rs-security-requirements.all@ietf.org, draft-hares-i2rs-auth-trans.all@ietf.org
References: <32779ADA-75D3-4754-AFD2-DFFE7237D939@vigilsec.com>
In-Reply-To:
Date: Mon, 24 Aug 2015 15:15:26 -0400
Message-ID: <00ed01d0dea1$3bf2c050$b3d840f0$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00EE_01D0DE7F.B4E2A6F0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHjR5i/kudQwZm7gHsLIiXDOIy/DAIIS9cHneZvz3A=
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/EaaQamtMf40WjQsNuKC79sSHzj0>
Cc: 'Kathleen Moriarty' <kathleen.moriarty.ietf@gmail.com>, 'IETF SecDir' <secdir@ietf.org>
Subject: Re: [secdir] Early SecDir Reviews
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 19:20:10 -0000
Russ: I've attached the revised draft-hares-i2rs-auth-trans.txt plus a diff file to let you see the changes. I still the following 4 questions answered. Thank you, Sue -----Original Message----- From: Susan Hares [mailto:shares@ndzh.com] Sent: Monday, August 24, 2015 2:10 PM To: 'Russ Housley'; 'draft-mglt-i2rs-security-requirements.all@ietf.org'; 'draft-hares-i2rs-auth-trans.all@ietf.org' Cc: 'Stephen Farrell'; 'Kathleen Moriarty'; 'IETF SecDir' Subject: RE: Early SecDir Reviews Russ: Thank you for your excellent review. Below I've included a description of the changes to the document. However, I have a few additional questions: 1) Is REQ-8 a security requirement? o SEC-REQ-08: Each Identity is associated with one secondary identity during a particular read/write sequence, but the secondary identity may vary during the time a connection between the I2RS client and I2RS agent is active. The variance of the secondary identity allows the I2rs client to be associated with multiple applications and pass along an identifier for these applications in the secondary identifier. 2) Is REQ-12 - a security requirement for a protocol? NETCONF asked this of I2RS. SEC-REQ-12: The I2RS Client and I2RS Agent protocol SHOULD implement mechanisms that mitigate DoS attacks 3) Section 2.4.1 - is a description of the what happens when multiple changes occur via multiple messages. My understanding from your question is that the implementation of how an I2RS Agent processes the changes (change1, change2, change3) that occur in multiple messages is not a security issue, but a implementation issue. If so, Please let me know. 4) Are you Ok with REQ-09 specifying a non-secure transport as an option? Changes =============== > Major Concerns: > > In Section 1.1, I do not understand the difference between "data > integrity" as defined in [RFC4949] and "I2RS integrity" as defined in > this section. Here's the changed text Added: --------- Data Integrity - RFC4949: states data integrity includes 1. (I)The property that data has not been changed, destroyed, or 2. (O) "The property that information has not been modified or destroyed in an unauthorized manner." I2RS protocol data integrity: The transfer of data via the I2RS protocol has the property of data integrity described in [RFC4949]. -------------- In Section 2.1. I was a bit surprised by the wording in SEC-REQ-03. The text requires the agent to "confirm that the client has a valid identity." How is this different than "confirming the I2RS client's identity"? If there is a difference, it needs some explanation. If it is the same, please use the same words in SEC-REQ-03 and SEC-REQ-04. How about this change: o SEC-REQ-03:An I2RS agent, upon receiving an I2RS message from a I2RS client, MUST confirm that the I2RS client has a valid identity. o SEC-REQ-04: The I2RS client, upon receiving an I2RS message from an I2RS agent, MUST confirm the I2RS agent's identity. -------------------- > In Section 2.2, SEC-REQ-10 says that BCP 107 does not apply. In my > view, significant justification is needed, and I do not find it here. > Perhaps this justification can go in the Security Considerations. At > a minimum, the Security Considerations should state the consequences > of selecting pre-shared keys, which I assume means manual key > management. > In section 2.2: s/need to be able to/MUST be able to/ Thank you for pointing out BCP107 applies: Would this change be acceptable for SEC-REQ-10? Or should some of this go into the security considerations? =========== SEC-REQ-10: A secure transport MUST be associated with a key management solution that can guarantee that only the entities having sufficient privileges can get the keys to encrypt/decrypt the sensitive data. Per BCP107, this key management system SHOULD be automatic, but MAY BE manual if the following constraints from BCP107: a) environment has limited bandwidth or high round-trip times, b) the information being protected has a low value and c) the total volume over the entire lifetime of the long- term session key will be very low, d) the scale of the deployment is limited. Most I2RS environments (I2RS Client - I2S Agents) will not have this environment, but a few I2RS use case provide limited non-secure light-weight telemetry messages that may support manual key management (E.g. pre-shared keys). An I2RS data model must indicate which portions can be served by manual key management versus automatic key management. ============ >Section 2.4 include data integrity, data authentication, and replay >prevention requirements. I do not understand why Section 2.4.1 is included in this >document. I have removed section 2.4.1. Please see my questions in the introduction. ================================ Minor Concerns: >Section 1 says: "These requirements were initially described in the >[I-D.ietf-i2rs-architecture] document." However, this is not important >to capture in the RFC. Instead, it is important to capture the >relationship of the information in this document to the information >that remain in [I-D.ietf-i2rs-architecture]. ----- These requirements align with the description of the I2RS architecture found in [I-D.ietf-i2rs-architecture]. =========== >I find the wording of SEC-REQ-09 a bit confusing. If I I was able to >get the meaning correct, I think a better wording is: > SEC-REQ-09: The I2RS protocol MUST be able to transfer data over a >secure transport and optionally be able to transfer data over a >non-secure transport. A secure transport MUST provide data >confidentiality, data integrity, and replay prevention. > >I find a great deal of overlap between SEC-REQ-09 and Section 2.4. It >is possible that I have misunderstood the intent of SEC-REQ-09. =============== >Please consider adding definitions from RFC 4949 for: > - access control > - role > - role-based access control I will add these definitions =========== Nits: >In Section 2.5, please remove this text: "Observers without permission >can refer to other I2RS clients, attackers, or assorted MITM >(man-in-the-middle) monkeys." --done ======== In Section 2: s/MUST BE able/MUST be able/ In Section 2.1: s/I2rs client/I2RS client/ In Section 2.2: s/replay attakc/replay attack/ In Section 2.4: s/Message Integrity/Data Integrity/ ==== Agreed to change. -----Original Message----- From: Russ Housley [mailto:housley@vigilsec.com] Sent: Friday, August 21, 2015 6:10 PM To: draft-mglt-i2rs-security-requirements.all@ietf.org; draft-hares-i2rs-auth-trans.all@ietf.org Cc: Stephen Farrell; Kathleen Moriarty; IETF SecDir Subject: Early SecDir Reviews Please fine the requested SecDir reviews. Russ
- [secdir] Early SecDir Reviews Russ Housley
- Re: [secdir] Early SecDir Reviews Joel Halpern
- Re: [secdir] Early SecDir Reviews Daniel Migault
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Russ Housley
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Russ Housley
- Re: [secdir] Early SecDir Reviews Hannes Tschofenig
- Re: [secdir] Early SecDir Reviews Joel Halpern
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Russ Housley
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Daniel Migault
- Re: [secdir] Early SecDir Reviews Susan Hares
- Re: [secdir] Early SecDir Reviews Russ Housley
- Re: [secdir] Early SecDir Reviews Susan Hares