Re: [secdir] Secdir review of draft-ietf-teas-actn-info-model-08

Roman Danyliw <rdd@cert.org> Fri, 15 June 2018 12:44 UTC

Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51737130E5C; Fri, 15 Jun 2018 05:44:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C5ntPRwSoxhM; Fri, 15 Jun 2018 05:44:18 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3990130E0F; Fri, 15 Jun 2018 05:44:17 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w5FCi8r4027957; Fri, 15 Jun 2018 08:44:08 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu w5FCi8r4027957
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1529066648; bh=Rcf1v84EkDf9AevWDyMN0x/2pkE0B1sbRrAvKyY0NeY=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=ak1GEX3uYxgUp4iVd+bYK0LGH/7Xxt99Ci3XD9Av2YiyhDt6UQAtoOPoBmzkPfOHg tpi5k/T7ZLOO85+ZXQnb5aJgj+hrQYvLADM7XK7fDSYpY2ZdgwmoP1vPDBgtjnfrVm OIMHusg6eVQDo04AMS9T1WMOZ8W3Ib9d4Vw09VJ4=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w5FCi72Z026222; Fri, 15 Jun 2018 08:44:08 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0399.000; Fri, 15 Jun 2018 08:44:07 -0400
From: Roman Danyliw <rdd@cert.org>
To: Leeyoung <leeyoung@huawei.com>, "draft-ietf-teas-actn-info-model@ietf.org" <draft-ietf-teas-actn-info-model@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
CC: "BRUNGARD, DEBORAH A" <db3546@att.com>
Thread-Topic: Secdir review of draft-ietf-teas-actn-info-model-08
Thread-Index: AdQDOhTrKf9Z1zyVTi6xa900/JYx/gAFptWQAFUtTCA=
Date: Fri, 15 Jun 2018 12:44:06 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C3E9923@marathon>
References: <359EC4B99E040048A7131E0F4E113AFC014C3E8109@marathon> <7AEB3D6833318045B4AE71C2C87E8E173D014345@sjceml521-mbx.china.huawei.com>
In-Reply-To: <7AEB3D6833318045B4AE71C2C87E8E173D014345@sjceml521-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: multipart/alternative; boundary="_000_359EC4B99E040048A7131E0F4E113AFC014C3E9923marathon_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_HW715miyv-ilxDLenJQyDylY24>
Subject: Re: [secdir] Secdir review of draft-ietf-teas-actn-info-model-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2018 12:44:22 -0000

Hi Young!

All of your proposed changes below address my concerns.  Thanks for the quick turn-around.

Cheers,
Roman

From: Leeyoung [mailto:leeyoung@huawei.com]
Sent: Wednesday, June 13, 2018 5:05 PM
To: Roman Danyliw <rdd@cert.org>rg>; draft-ietf-teas-actn-info-model@ietf.org; secdir@ietf.org
Cc: BRUNGARD, DEBORAH A <db3546@att.com>
Subject: RE: Secdir review of draft-ietf-teas-actn-info-model-08


Hi Roman,



Thanks for your review of the draft and providing good comments.



Please see inline for our responses to your comments. Please let us know if our responses are satisfactory to you; if not, please provide us your further comments.



Thanks & Best regards,

Young



-----Original Message-----
From: Roman Danyliw [mailto:rdd@cert.org]
Sent: Wednesday, June 13, 2018 2:26 PM
To: draft-ietf-teas-actn-info-model@ietf.org<mailto:draft-ietf-teas-actn-info-model@ietf.org>; secdir@ietf.org<mailto:secdir@ietf.org>
Subject: Secdir review of draft-ietf-teas-actn-info-model-08



Reviewer: Roman Danyliw

Review result: Ready with nits



I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.



The summary of the review is Ready with nits.



My feedback is as follows:



(1) Section 9, Security Considerations, Page 21, Paragraph 1



[original text]

   The ACTN information model described in this document defines key

   interfaces for managed traffic engineered networks.  Securing the

   request and control of resources, confidentiality of the

   information, and availability of function, should all be critical

   security considerations when deploying and operating ACTN platforms.



[feedback]



This section (Section 9) reads to me as if it is describing more than just the information model.  The text appears to be identical to the security considerations in draft-ietf-teas-actn-framework-15.  IMO, the text here would benefit from tighter scoping.  Perhaps something like:



"The ACTN information model does not directly introduce security issues.  Rather, it defines a set of interfaces for traffic engineered networks.  The underlying protocols, procedures, and implementations used to exchange the information model described in this draft will need to secure the request and control of resources ...:



Furthermore, I assumed that "securing the request and control of resources" was implying the need for authentication and authorization of requests.  However, there is no discussion of that in the subsequent text.  There is also no subsequent discussion of the significance of availability despite it being referenced in this paragraph.



YL>> Your suggested text is very good. How about the new paragraph as follows:



[new]

   The ACTN information model does not directly introduce security issues.

   Rather, it defines a set of interfaces for traffic engineered networks.

  The underlying protocols, procedures, and implementations used to exchange

  the information model described in this draft will need to secure the request and

  control of resources with proper authentication and authorization mechanisms.

  In addition, the data exchanged over the ACTN interfaces discussed in this

  document requires verification of data integrity. Backup or redundancies SHOULD

  also be available to restore the affected data to its correct state.



(2) Section 9, Security Considerations, Page 21, Paragraph 2



[original text]

   Several distributed ACTN functional components are required, and

   implementations should consider encrypting data that flows between

   components, especially when they are implemented at remote nodes,

   regardless of these data flows are on external or internal network

   interfaces.



[feedback]



Editorial -- This paragraph was a dense read for me.  Perhaps something like the following would be more approachable:



"Implementations of the ACTN framework will have distributed functional components that will exchange this information model.  Implementations SHOULD encrypt data that flows between them, especially when they are implemented at remote nodes and irrespective of whether these data flows are on external or internal network interfaces."



YL>> Thanks. I agree with your suggested text that will replace the original text.



(3) Section 9, Security Considerations, Page 21, Paragraph 3



[original text]

   The ACTN security discussion is further split into two specific

   categories described in the following sub-sections:



   - Interface between the Customer Network Controller and Multi Domain

     Service Coordinator (MDSC), CNC-MDSC Interface (CMI)



   - Interface between the Multi Domain Service Coordinator and

     Provisioning Network Controller (PNC), MDSC-PNC Interface (MPI)



[feedback]



This sentence references additional sub-sections that don't appear to exist -- Section 9 has no sub-sections.  draft-ietf-teas-actn-framework-15 which has identical text does have these sub-sections (Sections 9.1 and 9.2).  Without additional text, this paragraph doesn't add anything.  If the text in draft-ietf-teas-actn-framework-15 is relevant, I would recommend simply referencing it.



YL>> Correct. I think the text in draft-ietf-teas-actn-framework-15 is relevant. So I will reference it. So the new text will look like:



[new text]

   The ACTN security discussion is further split into two specific

   interfaces:



   - Interface between the Customer Network Controller and Multi Domain

     Service Coordinator (MDSC), CNC-MDSC Interface (CMI)



   - Interface between the Multi Domain Service Coordinator and

     Provisioning Network Controller (PNC), MDSC-PNC Interface (MPI)



See the detailed discussion of the CMI and MPI in Sections 9.1 and 9.2, respectively in [ACTN-Frame].





(4) Section 9, Security Considerations, Page 21, Paragraph 4



[original text]

   From a security and reliability perspective, ACTN may encounter many

   risks such as malicious attack and rogue elements attempting to

   connect to various ACTN components.  Furthermore, some ACTN

   components represent a single point of failure and threat vector,

   and must also manage policy conflicts, and eavesdropping of

   communication between different ACTN components.



[feedback]



This text identifies some of the potential threats.  What mitigations should be applied?  Furthermore, these threats aren't scoped within the bounds of the information model.  I recommend revising this threat discussion to be around the information being exchange or dropping the paragraph.



YL>> Thanks. I would drop the paragraph.



(5) Section 9, Security Considerations, Page 22, Paragraph 5



[original text]

   The conclusion is that all data models and protocols used to realize

   the ACTN info model should have rich security features, and

   customer, application and network data should be stored in encrypted

   data stores.  Additional security risks may still exist.  Therefore,

   discussion and applicability of specific security functions and

   protocols will be better described in documents that are use case

   and environment specific.



[feedback]



Per "The conclusion is that ... should have rich security features".  What does "rich security" mean?



YL>> for instance, encryption.



Per "... and customer, application and network data should be stored ...", this is a good point about encryption at rest.  Is the "customer, application and network data" a more descriptive version of "data in the information model"?  If no, then it's out of scope.  If yes, then I would recommend explicitly stating that "The information model may contain customer, application and network data that for business or privacy reasons may be considered sensitive.  It SHOULD be stored only in an encrypted data store".  As data in motion is discussed in paragraph 2, it might make sense to move this text there.



YL>> Yes, actually "customer, application and network data" is a more descriptive version of "data in the information model". As such, I would take your text to replace the first sentence of Paragraph 5 (and move it to Paragraph 2). So Paragraph 2 will look like:



[new - Paragraph 2]

   Implementations of the ACTN framework will have distributed

   functional components that will exchange this information model.

   Implementations SHOULD encrypt data that flows between them,

   especially when they are implemented at remote nodes and irrespective

   of whether these data flows are on external or internal network interfaces.

   The information model may contain customer, application and network

   data that for business or privacy reasons may be considered sensitive.

   It SHOULD be stored only in an encrypted data store.



[new - Paragraph 5]

   The conclusion is that all data models and protocols used to realize

   the ACTN info model should have rich security features as discussed

   in this section. Additional security risks may still exist.  Therefore,

   discussion and applicability of specific security functions and

   protocols will be better described in documents that are use case

   and environment specific.



Regards,

Roman