[secdir] Secdir review of draft-ietf-teas-actn-info-model-08

Roman Danyliw <rdd@cert.org> Wed, 13 June 2018 19:26 UTC

Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 788C012426A; Wed, 13 Jun 2018 12:26:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Oaj9l5V0qxo8; Wed, 13 Jun 2018 12:26:12 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6E1F130E87; Wed, 13 Jun 2018 12:26:11 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu []) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w5DJQAg8043882; Wed, 13 Jun 2018 15:26:10 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu w5DJQAg8043882
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1528917970; bh=nX/nmiqXsDnszYneujh4erHhVwFGezsm7fzaWb85FpE=; h=From:To:Subject:Date:From; b=rVsHaaYOd07u77+IzbQJydf2AQ4DkRLXkvylrh0IaOuxB3T75U4tKa9igV3XEnVn8 gioLBVg/RYwy/ozHuY50QkI0jFSpaIw4yIF2gd4LpIIOWaPrFzT742lyLHH1IFADgx 0d7u00U+ZqOG2tzMQmMxN/3k1y/zHjwCobJogGJE=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu []) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w5DJQ7JT008782; Wed, 13 Jun 2018 15:26:07 -0400
Received: from MARATHON.ad.sei.cmu.edu ([]) by CASCADE.ad.sei.cmu.edu ([]) with mapi id 14.03.0399.000; Wed, 13 Jun 2018 15:26:07 -0400
From: Roman Danyliw <rdd@cert.org>
To: "draft-ietf-teas-actn-info-model@ietf.org" <draft-ietf-teas-actn-info-model@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Secdir review of draft-ietf-teas-actn-info-model-08
Thread-Index: AdQDOhTrKf9Z1zyVTi6xa900/JYx/g==
Date: Wed, 13 Jun 2018 19:26:06 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C3E8109@marathon>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/kGrNaoq4aefmcgNKLunIN96HplY>
Subject: [secdir] Secdir review of draft-ietf-teas-actn-info-model-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2018 19:26:15 -0000

Reviewer: Roman Danyliw
Review result: Ready with nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with nits.

My feedback is as follows:

(1) Section 9, Security Considerations, Page 21, Paragraph 1

[original text]
   The ACTN information model described in this document defines key
   interfaces for managed traffic engineered networks.  Securing the
   request and control of resources, confidentiality of the
   information, and availability of function, should all be critical
   security considerations when deploying and operating ACTN platforms.


This section (Section 9) reads to me as if it is describing more than just the information model.  The text appears to be identical to the security considerations in draft-ietf-teas-actn-framework-15.  IMO, the text here would benefit from tighter scoping.  Perhaps something like:

"The ACTN information model does not directly introduce security issues.  Rather, it defines a set of interfaces for traffic engineered networks.  The underlying protocols, procedures, and implementations used to exchange the information model described in this draft will need to secure the request and control of resources ...:

Furthermore, I assumed that "securing the request and control of resources" was implying the need for authentication and authorization of requests.  However, there is no discussion of that in the subsequent text.  There is also no subsequent discussion of the significance of availability despite it being referenced in this paragraph.

(2) Section 9, Security Considerations, Page 21, Paragraph 2

[original text]
   Several distributed ACTN functional components are required, and
   implementations should consider encrypting data that flows between
   components, especially when they are implemented at remote nodes,
   regardless of these data flows are on external or internal network


Editorial -- This paragraph was a dense read for me.  Perhaps something like the following would be more approachable:

"Implementations of the ACTN framework will have distributed functional components that will exchange this information model.  Implementations SHOULD encrypt data that flows between them, especially when they are implemented at remote nodes and irrespective of whether these data flows are on external or internal network interfaces."

(3) Section 9, Security Considerations, Page 21, Paragraph 3

[original text]
   The ACTN security discussion is further split into two specific
   categories described in the following sub-sections:

   - Interface between the Customer Network Controller and Multi Domain
     Service Coordinator (MDSC), CNC-MDSC Interface (CMI)

   - Interface between the Multi Domain Service Coordinator and
     Provisioning Network Controller (PNC), MDSC-PNC Interface (MPI)


This sentence references additional sub-sections that don't appear to exist -- Section 9 has no sub-sections.  draft-ietf-teas-actn-framework-15 which has identical text does have these sub-sections (Sections 9.1 and 9.2).  Without additional text, this paragraph doesn't add anything.  If the text in draft-ietf-teas-actn-framework-15 is relevant, I would recommend simply referencing it.

(4) Section 9, Security Considerations, Page 21, Paragraph 4

[original text]
   From a security and reliability perspective, ACTN may encounter many
   risks such as malicious attack and rogue elements attempting to
   connect to various ACTN components.  Furthermore, some ACTN
   components represent a single point of failure and threat vector,
   and must also manage policy conflicts, and eavesdropping of
   communication between different ACTN components.


This text identifies some of the potential threats.  What mitigations should be applied?  Furthermore, these threats aren't scoped within the bounds of the information model.  I recommend revising this threat discussion to be around the information being exchange or dropping the paragraph.

(5) Section 9, Security Considerations, Page 22, Paragraph 5

[original text]
   The conclusion is that all data models and protocols used to realize
   the ACTN info model should have rich security features, and
   customer, application and network data should be stored in encrypted
   data stores.  Additional security risks may still exist.  Therefore,
   discussion and applicability of specific security functions and
   protocols will be better described in documents that are use case
   and environment specific.


Per "The conclusion is that ... should have rich security features".  What does "rich security" mean?

Per "... and customer, application and network data should be stored ...", this is a good point about encryption at rest.  Is the "customer, application and network data" a more descriptive version of "data in the information model"?  If no, then it's out of scope.  If yes, then I would recommend explicitly stating that "The information model may contain customer, application and network data that for business or privacy reasons may be considered sensitive.  It SHOULD be stored only in an encrypted data store".  As data in motion is discussed in paragraph 2, it might make sense to move this text there.