Re: [secdir] [I2nsf] Secdir telechat review of draft-ietf-i2nsf-framework-08
John Strassner <strazpdj@gmail.com> Mon, 13 November 2017 03:59 UTC
Return-Path: <strazpdj@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C07D21293FF; Sun, 12 Nov 2017 19:59:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 58x1C7RwZ9ck; Sun, 12 Nov 2017 19:59:24 -0800 (PST)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D20B7129427; Sun, 12 Nov 2017 19:59:23 -0800 (PST)
Received: by mail-lf0-x22d.google.com with SMTP id a2so16774152lfh.11; Sun, 12 Nov 2017 19:59:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nOte95HlFVLDZeT/ERPpWyqP1+tnyCFmPOntrceGXXc=; b=LijmmCJWEkiSknYeEKCvFUyXSbmOd1SU8cO2vUC/nodC86rhmBfJoIazRdJ4vrNyW0 kgnKX7JVxeqelkn83Y2ePkQQ3Nbs9oZbj8GagDv1G9Apb6oxaU0G+lZymzYwUrrVon53 HGGV+dQM6NW5gk/cNmtZdrYq7uqnxA/Dl9Gnvxy3Lkgcs3bty57U+zlHEQMKGc2vjmwH bIUz8C7XkbiBQfAZ2pxfS+UkiWdIXHCGUmJm8k6jQ5O2d/DjDHqFwmM0BNYUF3kwJ/gn vMUQ19HHRAs46DAygnEloKsWU18D8uG4RM2zSXxfnZdW6wFNvd6RGJZgj3UzDyoVUXQ8 xPtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nOte95HlFVLDZeT/ERPpWyqP1+tnyCFmPOntrceGXXc=; b=IR9yUw07sr9XWfAWiAcfgbbZis9uimXV3LyhwcH8sVXnnXq+EwZfKyOIOHinLIM+qX XjInk+uTv1mnYc5EKYViuTdbvxWpM+89N/8WfXn+Rvk09brPuEIKh62wNaOOfRszgdFm nLy9SyFaCUpsu3IwqPulg3hDr6T2yuRJMWTvuBRdE44fV6KOlPsgTGTBXISydIWmELxh 2xfxwZ3FsavXmehmdKbvCP/0dMtZTM9sWFnBZIHGr+3muTGk5Zhxh6VVsTp97Y6IOUpa FGvTvdhIKje2aKIKMf85a85gBBD4TPj5vekizIiFf+38WP6RUM2ju4BLHU9Tf6qxUWeh VKdg==
X-Gm-Message-State: AJaThX7FryhA9kqlxlNaproOEQljSArdjGcxYm2NO/DWleUQOdicj5P3 2AQ8uz8MYL1b0SIm4BpD4Cftj15zE8hgbnaKvy8=
X-Google-Smtp-Source: AGs4zMaaOz4jvheqG6SMRHkrOAUCanPiHxOpQteRQENfyWmOHu2LuForC2476CEf7KNQz4V60vWSuRo5+1JTv+e2rZ0=
X-Received: by 10.25.80.87 with SMTP id z23mr2358692lfj.60.1510545562005; Sun, 12 Nov 2017 19:59:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.228.208 with HTTP; Sun, 12 Nov 2017 19:59:21 -0800 (PST)
In-Reply-To: <150888532124.4802.13758793569414682089@ietfa.amsl.com>
References: <150888532124.4802.13758793569414682089@ietfa.amsl.com>
From: John Strassner <strazpdj@gmail.com>
Date: Sun, 12 Nov 2017 19:59:21 -0800
Message-ID: <CAJwYUrFsMJ1BA+UF5vDNEZXS05rKJhgSQTJiw9mF_dtfhXqkSQ@mail.gmail.com>
To: Daniel Franke <dafranke@akamai.com>, John Strassner <strazpdj@gmail.com>
Cc: secdir@ietf.org, "i2nsf@ietf.org" <i2nsf@ietf.org>, draft-ietf-i2nsf-framework.all@ietf.org, ietf@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c1cb042a3f7ae055dd54b49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/V9u6UfQmMnceYLqhihpD7nRglro>
Subject: Re: [secdir] [I2nsf] Secdir telechat review of draft-ietf-i2nsf-framework-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 03:59:27 -0000
Dear Daniel, thank you for performing this review. The following changes will be implemented in version 9 of this I-D, to be released on Monday 11/13. In particular, Change the last paragraph in section 4, from: The above threats may be mitigated by requiring the use of an AAA framework for all users to access the I2NSF environment. This could be further enhanced by requiring attestation to be used to detect changes to the I2NSF environment by authorized parties. to: The use of authentication, authorization, accounting, and audit mechanisms is recommended for all users and applications to access the I2NSF environment. This can be further enhanced by requiring attestation to be used to detect changes to the I2NSF environment by authorized parties. The characteristics of these procedures will define the level of assurance of the I2NSF environment. Change section 6.1 from: 6.1. Network Connecting I2NSF Users and the I2NSF Controller ... Upon successful authentication, a trusted connection between the user and the I2NSF Controller (or an endpoint designated by it) will be established. All traffic to and from the NSF environment ... to: 6.1. Network Connecting I2NSF Users and the I2NSF Controller ... Upon successful authentication, a trusted connection between the user and the I2NSF Controller (or an endpoint designated by it) will be established. This means that a direct, physical point-to-point connection, with physical access restricted according to access control, must be used. All traffic to and from the NSF environment... Change 6.2: from: 6.2. Network Connecting the I2NSF Controller and NSFs ... to: 6.2. Network Connecting the I2NSF Controller and NSFs ... Therefore, the transport mechanism used to carry the control messages and monitoring information should provide reliable message delivery. TCP is the obvious current choice, but others such as Multipath TCP (MPTCP) and the Stream Control Transmission Protocol (SCTP) would be applicable as well. Latency requirements for control message delivery must also be evaluated. ... I2NSF needs to rely on the use of standard I2NSF interfaces to properly verify peer identities (e.g., through an AAA framework). The implementations of identity management functions, as well as the AAA framework, are out of scope for I2NSF. to: ... Therefore, the transport mechanism used to carry management data and information must be secure. It does not have to be a reliable transport; rather, a transport-independent reliable messaging mechanism is required, where communication can be performed reliably (e.g., by establishing end-to-end communication sessions and by introducing explicit acknowledgement of messages into the communication flow). Latency requirements for control message delivery must also be evaluated. Note that monitoring does not require reliable transport. ... The network connection between the I2NSF Controller and NSFs will use the trusted connection mechanisms described in section 6.1. Following these mechanisms, the connections need to rely on the use of properly verified peer identities (e.g., through an AAA framework). The implementations of identity management functions, as well as the AAA framework, are out of scope for I2NSF. In addition, please see other changes to this thread (yesterday and this morning, local time Singapore) best regards, John On Tue, Oct 24, 2017 at 3:48 PM, Daniel Franke <dafranke@akamai.com> wrote: > Reviewer: Daniel Franke > Review result: Not Ready > > I have reviewed this document as part of the security directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments > were written primarily for the benefit of the security area directors. > Document > editors and WG chairs should treat these comments just like any other last > call > comments. > > This document is too broad and too vague for any reasonable security > review to > be possible. It expresses a desire to define a framework which satisfies > certain requirements and use cases, but does not actually define anything > concrete. At its most specific, the document gives parametricity > constraints > that future definitions must satisfy, such as being agnostic to network > topology. This doesn't give me much to go on. > > The security considerations section is brief, calling out the need for > access > control and for protecting the confidentiality and integrity of data. > Again, > with so few specifics, there's not much more to be said. > > I do not think it is useful to anyone to publish this document as an RFC, > not > even an informational one. It is perfectly fine, when specifying an > intricate > suite of protocols, to have a separate document that gives a broad > architectural overview of them all without delving into the specifics > necessary > for implementation. RFC 4251, which outlines the SSH protocol, is a good > example of this. But, crucially, RFC 4251 was published simultaneously with > 4252-4256, which provided all those specifics. This document has nothing > similar as a companion; everything it describes is simply aspirational. I > do > not see any value in publishing an RFC full of unfulfilled aspirations. > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf > -- regards, John
- [secdir] Secdir telechat review of draft-ietf-i2n… Daniel Franke
- Re: [secdir] Secdir telechat review of draft-ietf… Linda Dunbar
- Re: [secdir] Secdir telechat review of draft-ietf… Linda Dunbar
- Re: [secdir] [I2nsf] Secdir telechat review of dr… John Strassner