Re: [secdir] Security directorate

Stephen Kent <> Thu, 18 December 2014 16:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2EB2C1A8A89 for <>; Thu, 18 Dec 2014 08:00:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O3sr8afBTu-N for <>; Thu, 18 Dec 2014 08:00:16 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 782CA1A1B2C for <>; Thu, 18 Dec 2014 08:00:16 -0800 (PST)
Received: from ([]:45587 helo=COMSEC.local) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1Y1dUV-000DiB-P6; Thu, 18 Dec 2014 10:59:51 -0500
Message-ID: <>
Date: Thu, 18 Dec 2014 10:59:51 -0500
From: Stephen Kent <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Susan Hares <>, 'Tero Kivinen' <>, 'Kathleen Moriarty' <>,
References: <074b01d00f31$1712da30$45388e90$> <> <> <00e601d01ac4$b5b69b60$2123d220$>
In-Reply-To: <00e601d01ac4$b5b69b60$2123d220$>
Content-Type: multipart/alternative; boundary="------------080502050906050203000806"
Cc:, secdir <>, 'Alia Atlas' <>,, 'Jeffrey Haas' <>,
Subject: Re: [secdir] Security directorate
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Dec 2014 16:00:21 -0000

SECDIR early review of draft-ietf-i2rs-problem-statement-04

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.These comments were written with the intent of improving security 
requirements and considerations in IETF drafts. Comments not addressed 
in last call may be included in AD reviews during the IESG 
review.Document editors and WG chairs should treat these comments just 
like any other last call comments.

This is a short document describing the problem being addressed by the 
I2RS WG, and establishing some requirements for solutions.

Section 2 describes the model for I2RS. It calls for using existing 
transport protocols to provide security, a good statement as part of the 
base protocol requirements. Looking at Figure 1, it seems that the only 
paths that are in scope for I2RS are between an I2RS agent and client 
and between clients.

In section 5, authentication, authorization, and integrity are 
explicitly cited as requirements. This is a good statement of 
requirements. It might be nice to state whether confidentiality is also 
perceived as a requirement, or if it explicitly not a requirement.

The Security Considerations section is a single paragraph consisting of 
2 sentences. It opens with a nice statement about the importance of 
security in the I2RS context. I think a back pointer to the “secure 
Control” text would be appropriate. The second sentence says that more 
investigation is needed to fully define security requirements such as 
authorization and authentication levels. I don’t know what this last 
phrase means. Authorization (aka access control) isn’t usually described 
as having levels per se. Do you mean granularity of access control, or 
something else. Also, for authentication, there are various mechanisms 
one can employ, and these may be described as offering varying “levels” 
of security, but that is an oversimplification in many cases. A clearer 
description of what the authors are trying to convey here would be good.

I also looked briefly at draft-hares-i2rs-security-02. That document 
begins with a very good discussion of security terminology based on RFC 
4949. It also proposes very specific security requirements for 
communications in the I2RS model. That document calls for 
confidentiality as a requirement, which further motivates some mention 
of this security service in the problem statement, even if the statement 
is equivocal.

Two typos I noted:

Section 2: measuresments -> measurements

Section 5:

Such communications must also have its integrity protected. ->

Such communications must also be integrity-protected.