Re: [secdir] Early SecDir Reviews

Daniel Migault <> Fri, 02 October 2015 14:57 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 709BC1B2BFA; Fri, 2 Oct 2015 07:57:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GS2nQ3Kn4wZa; Fri, 2 Oct 2015 07:57:50 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8FEB81B2BF5; Fri, 2 Oct 2015 07:57:44 -0700 (PDT)
X-AuditID: c6180641-f792c6d00000686a-d4-560e2fa8703f
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id 5A.4D.26730.8AF2E065; Fri, 2 Oct 2015 09:18:00 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0248.002; Fri, 2 Oct 2015 10:57:42 -0400
From: Daniel Migault <>
To: Joel Halpern <>, Russ Housley <>, "" <>, "" <>
Thread-Topic: Early SecDir Reviews
Thread-Index: AQHQ3F42YpIdMEmmOU6CVf8kLGx8pJ4XR16A///wvJCAQVOmsA==
Date: Fri, 2 Oct 2015 14:57:42 +0000
Message-ID: <>
References: <> <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrMLMWRmVeSWpSXmKPExsUyuXSPn+4Kfb4wg87FFhYfXx9htVi7qpvV 4tWLm+wWDTvzLT4sfMhiMX3vNXYHNo+13VfZPHbOusvusWTJTyaPVXe+sAawRHHZpKTmZJal FunbJXBlLF2wg6Vgun7F6hOHGRsYD6p1MXJySAiYSDy9fIgVwhaTuHBvPVsXIxeHkMBRRol/ KxcxQTjLGCU2nlvCAlLFJmAk0Xaonx0kISIwm0li1o9uMIdZoI1RounyE3aQKmEBRYn2/7OY QWwRASWJZ4+3AnVzANlOEjNOB4OEWQRUJG5+Ow02lFfAV+LVmZtMILaQQAujxMnbqiA2I9BJ 30+tAYszC4hL3HoynwniVAGJJXvOM0PYohIvH/+DekFRYl//dHaIeh2JBbs/sUHY2hLLFr5m htglKHFy5hOWCYyis5CMnYWkZRaSlllIWhYwsqxi5CgtTi3LTTcy3MQIjKVjEmyOOxgXfLI8 xCjAwajEw7ughDdMiDWxrLgy9xCjNAeLkjjvvBn3Q4UE0hNLUrNTUwtSi+KLSnNSiw8xMnFw SgEjgn3SHV2RR/Mj8kL45JYV20d/mxBwf++Hy4pOHB3fvqoJc7dGGPpHue65k/F51+vSzNbD bqma0po3WJjlPVpaJjzxPz/jutV1jhqdhIlLbdyqXnOVFe7cMifluUOaZXp3jgPbDPMnEhsM tmzQmfAg+dzFZxKK827OuXWSu/2/2mpXyV9eF/qUWIozEg21mIuKEwFcxBdshgIAAA==
Archived-At: <>
Cc: Kathleen Moriarty <>, IETF SecDir <>
Subject: Re: [secdir] Early SecDir Reviews
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Oct 2015 14:57:52 -0000

Hi Russ, 

Thank you for your comments. We believe the version 01 of the draft have appropriately addressed these comments. Here is a small recap of the comments as well as how the new version addresses them. Feel free to let us know if we missed something.


The co-authors

In Section 1, the first sentence says: "This document addresses security considerations for the I2RS architecture."  This does not seem like the right way to begin this document.  This document seems to contain requirements on an implementation or deployment.  They are not protocol requirements, which is what I expected from the draft file name.  This context needs to be set in the Abstract and the first paragraph of the Introduction.

MGLT: Thank you for the feed back. We addressed this comment by starting the introduction (Section 1) with the following sentences :
This document provides environment security requirements for the I2RS architecture. Environment security requirements are independent of the protocol used for I2RS. As a result, the requirements provided in this document are intended to provide good security practise so I2RS can be securely deployed and operated.

Section 4.1 talks about the I2RS AAA architecture, but it does not cover authentication, authorization, and accounting.  The section seems to be talking about roles, privileges, and role-based access control.  Maybe the title of the section should be changed.

MGLT  The title has been changed to "I2RS Access Control for routing system resources"
AAA has been replaced by Access Control. We also completely re-write the section. 

In Section 4.2, REQ 17, I find the use of "origin" unclear.  The origin is the I2RS Client, not the application, right?

MGLT: REQ 17 corresponds to REQ 16 of the draft-mglt-security-environment-reqs-00. It is unclear. I removed the term origin and distinguish two cases one when the access control is made for the I2RS Client and one for the application. The text of the whole section has been updated and hopefully clarified. The term origin and component have been removed and replaced explicitly by Application, I2RS Client or I2RS Agent or identity. 

In Section 4.2, REQ 19, I find the use of "component" unclear.  The component is the I2RS Client, not the application, right?

MGLT: component is unclear and has been removed.

In section 4.3, 1st paragraph, I think this would be more clear without the use of "component".  That is, the I2RS client is responsible for authentication of the applications, managing the privileges for the applications, and enforcing access control to resources by the applications.

MGLT: component is unclear and it has been removed.

I do not understand Section 4.4.  If an I2RS Client authenticates to I2RS Agent 1 and 2, it is possible that these agents will grant different privileges to this client.  Is a security domain a set of agents that are expected  grant the same privileges to this client?
What does availability have to do with the definition of a security domain?  Maybe these two topics should be in separate sections.  DoS is also talked about in Section 5.2; I think that it would help the reader if all of the availability discussions are in one place.

MGLT: This section is too redundant with I-D.hares-i2rs-auth-trans. 
The main message was that local policies enforcement is not sufficient, and communications between points should be considered secured. This has been added in the Access Control architecture sub section. In addition, we added how transport and access control interact in the access control section. 
In Section 4.2, REQ 20, I think the wording needs to be clarified to indicate that I2RS Clients cane support multiple applications at the same time, and each of them needs to be authenticated.

MGLT: We explicitly specify the case of multiple applications.

In Section 5.1, REQ 29, It is unclear to me what part of the system is performing this monitoring.  When an error is detected, what part of the system takes corrective actions?

MGLT: The agent and client are expected to monitor, log, and eventually send alerts. The management plane is responsible in collecting and taking the appropriated decisions like updating Access Control policies, reconfiguring routing elements...)

In Section 4.2: s/On the hand/On the other hand/

-----Original Message-----
From: Daniel Migault 
Sent: Friday, August 21, 2015 9:29 PM
To: Joel Halpern; Russ Housley;;
Cc: Stephen Farrell; Kathleen Moriarty; IETF SecDir
Subject: RE: Early SecDir Reviews


Thank you Russ for the review. We can easily adapt inputs from the review for  draft-mglt-i2rs-security-environment-reqs-00.


-----Original Message-----
From: Joel Halpern [] 
Sent: Friday, August 21, 2015 6:13 PM
To: Russ Housley;;
Cc: Stephen Farrell; Kathleen Moriarty; IETF SecDir
Subject: RE: Early SecDir Reviews

There was confusion about the draft targets.  The last call was issued for the wrong name, but with the right URL for the environment document.  

The right environment document is draft-mglt-i2rs-security-environment-reqs-00

I expect that most of your concerns will still apply, but it would be helpful if you could check.


-----Original Message-----
From: Russ Housley [] 
Sent: Friday, August 21, 2015 6:10 PM
Cc: Stephen Farrell; Kathleen Moriarty; IETF SecDir
Subject: Early SecDir Reviews

Please fine the requested SecDir reviews.