Re: [secdir] secdir review of draft-ietf-i2rs-pub-sub-requirements-06

"Eric Voit (evoit)" <evoit@cisco.com> Thu, 28 April 2016 14:11 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12E2A12D7A4; Thu, 28 Apr 2016 07:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IO4d01rQSfca; Thu, 28 Apr 2016 07:11:35 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7674F12D7A2; Thu, 28 Apr 2016 07:11:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6792; q=dns/txt; s=iport; t=1461852694; x=1463062294; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=IrYMBD0/kAxVIQyMmCMxHmV5VovTTqdTDXFx9OqOq8c=; b=Eg/MLl/OqKSzV8NzOMeO4FJ1XLnVjkIqaVoSuLZVB5LDkKaITP45vkEC 8aKhOMYGy74kLyEm6WSig3X/tLVOFoKaw9YfYGmjdXHdzdMPUl09hs0+M aVAJHGRhGLXxEemBqSMVRu1SjR2I+ss+cXYOL3CXpJDXzSKYI4jm56UiA g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BaAgDdGCJX/5RdJa1egziBVrlvAQ2Bd?= =?us-ascii?q?oYPAhyBCzgUAQEBAQEBAWUnhEEBAQEDASMEDUoLAgEIEgMFAggeAgICMBUCDgI?= =?us-ascii?q?EARoXiAMIsiWRFwEBAQEBAQEBAgEBAQEBAQEZfIUlhEuEJ4MWglYFjVSFS4RxA?= =?us-ascii?q?YZqhyWBboRNgymFNI8vAR4BAUKDa4dVfwEBAQ?=
X-IronPort-AV: E=Sophos;i="5.24,547,1454976000"; d="scan'208";a="102327633"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Apr 2016 14:11:33 +0000
Received: from XCH-RTP-012.cisco.com (xch-rtp-012.cisco.com [64.101.220.152]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u3SEBXDe012904 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 28 Apr 2016 14:11:33 GMT
Received: from xch-rtp-013.cisco.com (64.101.220.153) by XCH-RTP-012.cisco.com (64.101.220.152) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 28 Apr 2016 10:11:32 -0400
Received: from xch-rtp-013.cisco.com ([64.101.220.153]) by XCH-RTP-013.cisco.com ([64.101.220.153]) with mapi id 15.00.1104.009; Thu, 28 Apr 2016 10:11:32 -0400
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Scott G. Kelly" <scott@hyperthought.com>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-i2rs-pub-sub-requirements.all@ietf.org" <draft-ietf-i2rs-pub-sub-requirements.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-i2rs-pub-sub-requirements-06
Thread-Index: AQHRoOqRI89YoNwpukOq3LHzSLJlEp+fTT0A
Date: Thu, 28 Apr 2016 14:11:32 +0000
Message-ID: <0f8b409c6018417eab61ea7ccb9f549c@XCH-RTP-013.cisco.com>
References: <1461805744.570422143@apps.rackspace.com>
In-Reply-To: <1461805744.570422143@apps.rackspace.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.118.56.228]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/zrTWV3W8dzxkhhK29SYEgoUdGdE>
Subject: Re: [secdir] secdir review of draft-ietf-i2rs-pub-sub-requirements-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 14:11:42 -0000

> From: Scott G. Kelly, April 27, 2016 9:09 PM
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by IESG.  These comments
> were written primarily for the benefit of security area directors.  Document
> editors and WG chairs should these comments just like any other last call
> comments.
> 
> Summary: not ready
> 
> From the abstract, this document provides requirements for a service that
> allows client applications to subscribe to updates of a YANG datastore.
> 
> I looked up YANG, and wikipedia says it is a data modeling language for the
> NETCONF network configuration protocol.
> 
> The introduction says
> 
>    Applications interacting with YANG datastores require capabilities
>    beyond the traditional client-server configuration of network
>    elements.  One class of such applications are service-assurance
>    applications which must maintain a continuous view of operational
>    data and state.  Another class of applications are security
>    applications which must continuously track changes made upon network
>    elements to ensure compliance to corporate policy.
> 
> So, this suggests that this pub/sub mechanism will sometimes be used for
> security-related monitoring.
> 
> When I read the document, I wondered where the requirements were coming
> from. There is a brief “Business Drivers” section that tells why a “push
> mechanism” (different name for pub/sub?) is useful, but other than this, the
> document does not describe use cases. This makes it very difficult to evaluate
> the subsequent requirements assertions.
> 
> I don’t know anything about I2RS, and I won’t comment on anything other than
> the security considerations.  That section lists various MUSTs and SHOULDs, but
> gives no rationale. It is not possible to evaluate this section without
> understanding *why* these requirements are what they are.
>
 > It is possible that the rationale exists in companion documents. If so, this should
> be called out. If not, I think it should be given here.

Hi Scott,

Section 2.1 provides multiple references to numbered requirements in three other i2rs documents:
- [i2rs-usecase] draft-ietf-i2rs-usecase-reqs-summary
- [i2rs-arch] draft-ietf-i2rs-architecture
- [i2rs-traceability] draft-ietf-i2rs-traceability
Some of these references are coupled to security uses.   Look to those referred documents for details.

It would have been possible to provide more references to those documents.  But we didn't what to overwhelm the reader with too large a volume of cross-references.  For example, all the individual items from [i2rs-usecase] in Section 13 Large Data Collection System could be referenced as subscribing to an extract of a datastore can be used for a variety of security verification reasons (such as ensuring ACLs in the router are actually what the NMS systems think they are).  

Beyond the existing references in section 2.1, we could have also included items like [i2rs-usecase]
L-Data-REQ-04 (IC): I2RS should support capability negotiation to  inform a subscriber of the options for publication of data.  The options include transport, security, and error handling.
L-Data-REQ-03 (IC): I2RS should use a pub-sub model which allows scaling plus push or pull of data.
Topo-Req-10 (NA): I2RS must provide a common and up-to-date normalized view of the topologies that that support security auditing, and IP/MPLS Provisioning (L2/L3) which includes...

Beyond the i2rs requirements, Section 2.2 includes references to [sacm-requirements].  As SACM is about security and continuous monitoring, this should be a relevant reference.   Also something which use to be in Section 2 was an i2rs security specific pub sub use case / requirements document -> camwinget-i2rs-pubsub-sec.  The reference to the camwinget draft was removed due to its expiration, and because the author then moved on the create the [sacm-requirements] document as a result.   

If these existing references are insufficient, we could also and bring in new use case references.  For example we could bring in draft-voit-netmod-yang-mount-requirements > Use Case 4.2. 

Please let me know if the explanation meets your needs, if some of the above references should be expanded, or if you have some other request.

Thanks,
Eric


> The intro suggests that this
> mechanism will be used for enterprise security monitoring operations. Those
> operations should be described (at a high level), along with associated threats.
> From those threats come associated mitigation measures, and from those
> measures come requirements. If you want to punt on the specifics (and address
> it in later work), then the requirements should at least describe what threats
> should be mitigated.
> 
> I think the ADs should take a look at this document.
> 
> --Scott
>