1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
|
I2RS working group S. Hares
Internet-Draft Huawei
Intended status: Informational D. Migault
Expires: April 2, 2017 J. Halpern
Ericsson
September 29, 2016
I2RS Security Related Requirements
draft-ietf-i2rs-protocol-security-requirements-17
Abstract
This presents security-related requirements for the I2RS protocol
which provides a new interface to the routing system described in the
I2RS architecture document (RFC7921). The I2RS protocol is a re-use
protocol implemented by re-using portions of existing IETF protocols
and adding new features to these protocols. The I2RS protocol re-
uses security features of a secure transport (E.g. TLS, SSH, DTLS)
such as encryption, message integrity, mutual peer authentication,
and replay protection. The new I2RS features to consider from a
security perspective are: a priority mechanism to handle multi-headed
write transactions, an opaque secondary identifier which identifies
an application using the I2RS client, and an extremely constrained
read-only non-secure transport. This document provides the detailed
requirements for these security features.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 2, 2017.
Hares, et al. Expires April 2, 2017 [Page 1]
�
Internet-Draft I2RS Security Requirements September 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
2.2. Security Definitions . . . . . . . . . . . . . . . . . . 4
2.3. I2RS Specific Definitions . . . . . . . . . . . . . . . . 5
3. Security Features and Protocols: Re-used and New . . . . . . 7
3.1. Security Protocols Re-Used by the I2RS Protocol . . . . . 7
3.2. New Features Related to Security . . . . . . . . . . . . 8
3.3. I2RS Protocol Security Requirements vs. IETF Management
Protocols . . . . . . . . . . . . . . . . . . . . . . . . 9
4. Security-Related Requirements . . . . . . . . . . . . . . . . 10
4.1. I2RS Peers(agent and client) Identity Authentication . . 10
4.2. Identity Validation Before Role-Based Message Actions . . 11
4.3. Peer Identity, Priority, and Client Redundancy . . . . . 12
4.4. Multi-Channel Transport: Secure Transport and Insecure
Transport . . . . . . . . . . . . . . . . . . . . . . . . 13
4.5. Management Protocol Security . . . . . . . . . . . . . . 15
4.6. Role-Based Data Model Security . . . . . . . . . . . . . 16
4.7. Security of the environment . . . . . . . . . . . . . . . 17
5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
7. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 18
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.1. Normative References . . . . . . . . . . . . . . . . . . 18
8.2. Informative References . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
Hares, et al. Expires April 2, 2017 [Page 2]
�
Internet-Draft I2RS Security Requirements September 2016
1. Introduction
The Interface to the Routing System (I2RS) provides read and write
access to information and state within the routing system. An I2RS
client interacts with one or more I2RS agents to collect information
from network routing systems. [RFC7921] describes the architecture
of this interface, and this documents assumes the reader is familiar
with this architecture and its definitions. Section 2 highlights
some of the references the reader is required to be familiar with.
The I2RS interface is instantiated by the I2RS protocol connecting an
I2RS client and an I2RS agent associated with a routing system. The
I2RS protocol is a re-use protocol implemented by re-using portions
of existing IETF protocols, and adding new features to these
protocols. As a re-use protocol, it can be considered a higher-level
protocol since it can be instantiated in multiple management
protocols (e.g. NETCONF [RFC6241] or RESTCONF
[I-D.ietf-netconf-restconf]) operating over a secure transport. The
security for the I2RS protocol comes from the management protocols
operating over a a secure transport.
This document is part of the requirements for I2RS protocol which
also include:
o I2RS architecture [RFC7921],
o I2RS ephemeral state requirements [I-D.ietf-i2rs-ephemeral-state],
o publication/subscription requirements [RFC7922], and
o traceability [RFC7923].
Since the I2RS "higher-level" protocol changes the interface to the
routing systems, it is important that implementers understand the new
security requirements for the environment the I2RS protocol operates
in. These security requirements for the I2RS environment are
specified in [I-D.ietf-i2rs-security-environment-reqs]; and the
summary of the I2RS protocol security environment is found in the
I2RS Architecture [RFC7920].
I2RS reuses the secure transport protocols (TLS, SSH, DTLS) which
support encryption, message integrity, peer authentication, and key
distribution protocols. Optionally, implementers may utilize AAA
protocols (Radius over TLS or Diameter over TLS) to securely
distribute identity information.
Section 3 provides an overview of security features and protocols
being re-used (section 3.1) and the new security features being
Hares, et al. Expires April 2, 2017 [Page 3]
�
Internet-Draft I2RS Security Requirements September 2016
required (section 3.2). Section 3 also explores how existing and new
security features and protocols would be paired with existing IETF
management protocols (section 3.3).
The new features I2RS extends to these protocols are a priority
mechanism to handle multi-headed writes, an opaque secondary
identifier to allow traceability of an application utilizing a
specific I2RS client to communicate with an I2RS agent, and insecure
transport constrained to be utilized only for read-only data, which
may include publically available data (e.g. public BGP Events, public
telemetry information, web service availability) and some legacy
data.
Section 4 provides the I2RS protocol security requirements by the
following security features:
o peer identity authentication (section 4.1),
o peer identity validation before role-based message actions
(section 4.2)
o peer identity and client redundancy (section 4.3),
o multi-channel transport requirements: Secure transport and
insecure Transport (section 4.4),
o management protocol security requirements (section 4.5),
o role-based security (section 4.6),
o security environment (section 4.7)
Protocols designed to be I2RS higher-layer protocols need to fulfill
these security requirements.
2. Definitions
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2.2. Security Definitions
This document utilizes the definitions found in the following
documents: [RFC4949] and [RFC7921]
Hares, et al. Expires April 2, 2017 [Page 4]
�
Internet-Draft I2RS Security Requirements September 2016
Specifically, this document utilizes the following definitions from
[RFC4949]:
o access control,
o authentication,
o data confidentiality,
o data integrity,
o data privacy,
o identity,
o identifier,
o mutual authentication,
o role,
o role-based access control,
o security audit trail, and
o trust.
[RFC7922] describes traceability for I2RS interface and the I2RS
protocol. Traceability is not equivalent to a security audit trail
or simple logging of information. A security audit trail may utilize
traceability information.
This document also requires that the user is familiar with the
pervasive security requirements in [RFC7258].
2.3. I2RS Specific Definitions
The document utilizes the following concepts from the I2RS
architecture: [RFC7921]:
o I2RS client, I2RS agent, and I2RS protocol (section 2),
o I2RS higher-layer protocol (section 7.2)
o scope: read scope, notification scope, and write scope (section
2),
o identity and scope of the identity (section 2),
Hares, et al. Expires April 2, 2017 [Page 5]
�
Internet-Draft I2RS Security Requirements September 2016
o roles or security rules (section 2),
o identity and scope, and secondary identity (section 2),
o routing system/subsytem (section 2),
o I2RS assumed security environment (section 4),
o I2RS identity and authorization (section 4.1),
o I2RS authorization, scope of Authorization in I2RS client and
agent (section 4.2),
o client redundancy with a single client identity (section 4.3),
o restrictions on I2RS in personal devices (section 4.4),
o communication channels and I2RS high-layer protocol (section 7.2),
o active communication versus connectivity (section 7.5),
o multi-headed control (section 7.8), and
o transaction, message, multi-message atomicity (section 7.9).
This document assumes the reader is familar with these terms.
This document discusses the security of the multiple I2RS
communication channels which operate over the higher-layer I2RS
protocol. The higher-layer I2RS protocol combines a secure transport
and I2RS contextual information, and re-uses IETF protocols and data
models to create the secure transport and the I2RS data-model driven
contextual information. To describe how the I2RS high-layer protocol
combines other protocols into the I2RS higher-layer protocol, the
following terms are used:
I2RS component protocols
Protocols which are re-used and combined to create the I2RS
protocol.
I2RS secure-transport component protocols
The I2RS secure transport protocols that support the I2RS higher-
layer protocol.
I2RS management component protocols
Hares, et al. Expires April 2, 2017 [Page 6]
�
Internet-Draft I2RS Security Requirements September 2016
The I2RS management protocol which provide the management
information context.
I2RS AAA component protocols
The I2RS AAA protocols supporting the I2RS higher-layer protocol.
The I2RS higher-layer protocol requires implementation of a I2RS
secure-transport component protocol and the I2RS management component
protocol. The I2RS AAA component protocol is optional.
3. Security Features and Protocols: Re-used and New
3.1. Security Protocols Re-Used by the I2RS Protocol
I2RS requires a secure transport protocol and key distribution
protocols. The secure transport features required by I2RS are peer
authentication, confidentiality, data integrity, and replay
protection for I2RS messages. According to
[I-D.ietf-taps-transports], the secure transport protocols which
support peer authentication, confidentiality, data integrity, and
replay protection are the following:
1. TLS [RFC5246] over TCP or SCTP,
2. DTLS over UDP with replay detection and anti-DoS stateless cookie
mechanism required for the I2RS protocol, and the I2RS protocol
allow DTLS options of record size negotiation and and conveyance
of "don't" fragment bits to be optional in deployments.
3. HTTP over TLS (over TCP or SCTP), and
4. HTTP over DTLS (with the requirements and optional features
specified above in item 2).
The following protocols would need to be extended to provide
confidentiality, data integrity, peer authentication, and key
distribution protocols: IPFIX (over SCTP, TCP or UDP) and ForCES TML
layer (over SCTP). These protocols will need extensions to run over
a secure transport (TLS or DTLS) (see section 3.3 for details).
The specific type of key management protocols an I2RS secure
transport uses depends on the transport. Key management protocols
utilized for the I2RS protocols SHOULD support automatic rotation.
An I2RS implementer may use AAA protocols over secure transport to
distribute the identities for I2RS client and I2RS agent and role
authorization information. Two AAA protocols are: Diameter [RFC6733]
Hares, et al. Expires April 2, 2017 [Page 7]
�
Internet-Draft I2RS Security Requirements September 2016
and Radius [RFC2865]. To provide the best security I2RS peer
identities, the AAA protocols MUST be run over a secure transport
(Diameter over secure transport (TLS over TCP) [RFC6733]), Radius
over a secure transport (TLS) [RFC6614]).
3.2. New Features Related to Security
The new features are priority, an opaque secondary identifier, and an
insecure protocol for read-only data constrained to specific standard
usages. The I2RS protocol allows multi-headed control by several
I2RS clients. This multi-headed control is based on the assumption
that the operator deploying the I2RS clients, I2RS agents, and the
I2rs protocol will coordinate the read, write, and notification scope
so the I2RS clients will not contend for the same write scope.
However, just in case there is an unforseen overlap of I2RS clients
attempting to write a particular piece of data, the I2RS architecture
[RFC7921] provides the concept of each I2RS client having a priority.
The I2RS client with the highest priority will have its write
succeed. This document specifies requirements for this new concept
of priority.
The opaque secondary identifier identifies an application which is
using the I2RS client to I2RS agent communication to manage the
routing system. The secondary identifier is opaque to the I2RS
protocol. In order to protect personal privacy, the secondary
identifier should not contain personal identifiable information.
The last new feature related to I2RS security is the ability to allow
non-confidential data to be transferred over a non-secure transport.
It is expected that most I2RS data models will describe information
that will be transferred with confidentiality. Therefore, any model
which transfers data over a non-secure transport is marked. The use
of a non-secure transport is optional, and an implementer SHOULD
create knobs that allow data marked as non-confidential to be sent
over a secure transport.
Non-confidential data can only be read or notification scope
transmission of events. Non-confidential data cannot be write scope
or notification scope configuration. An example of non-confidential
data is the telemetry information that is publically known (e.g. BGP
route-views data or web site status data) or some legacy data (e.g.
interface) which cannot be transported in secure transport. The IETF
I2RS Data models MUST indicate in the data model the specific data
which is non-confidential.
Most I2RS data models will expect that the information described in
the model will be transferred with confidentiality.
Hares, et al. Expires April 2, 2017 [Page 8]
�
Internet-Draft I2RS Security Requirements September 2016
3.3. I2RS Protocol Security Requirements vs. IETF Management Protocols
Table 1 below provides a partial list of the candidate management
protocols and the secure transports each one of the support. One
column in the table indicates the transport protocol will need I2RS
security extensions.
Mangement
Protocol Transport Protocol I2RS Extensions
========= ===================== =================
NETCONF TLS over TCP (*1) None required (*2)
RESTCONF HTTP over TLS with None required (*2)
X.509v3 certificates,
certificate validation,
mutual authentication:
1) authenticated
server identity,
2) authenticated
client identity
(*1)
FORCES TML over SCTP Needs extension to
(*1) TML to run TML over
TLS over SCTP, or
DTLS with options for
replay protection
and anti-DoS stateless
cookie mechanism.
(DTLS record size
negotiation and conveyance
of "don't" fragment
bits are optional).
The IPSEC mechanism is
not sufficient for
I2RS traveling over
multiple hops
(router + link) (*2)
IPFIX SCTP, TCP, UDP Needs to extension
TLS or DTLS for to support TLS or
secure client (*1) DTLS with options for
replay protection
and anti-DoS stateless
cookie mechanism.
(DTLS record size
negotiation and conveyance
of "don't" fragment
Hares, et al. Expires April 2, 2017 [Page 9]
�
Internet-Draft I2RS Security Requirements September 2016
bits are optional).
*1 - Key management protocols
MUST support appropriate key rotation.
*2 - Identity and Role authorization distributed
by Diameter or Radius MUST use Diameter over TLS
or Radius over TLS.
4. Security-Related Requirements
This section discusses security requirements based on the following
security functions:
o peer identity authentication (section 4.1),
o Peer Identity validation before Role-based Message Actions
(section 4.2)
o peer identity and client redundancy (section 4.3),
o multi-channel transport requirements: Secure transport and
insecure Transport (section 4.4),
o management protocol security requirements (section 4.5),
o role-based security (section 4.6),
o security environment (section 4.7)
The I2RS Protocol depends upon a secure transport layer for peer
authentication, data integrity, confidentiality, and replay
protection. The optional insecure transport can only be used
restricted set of publically data available (events or information)
or a select set of legacy data. Data passed over the insecure
transport channel MUST NOT contain any data which identifies a
person.
4.1. I2RS Peers(agent and client) Identity Authentication
The following requirements specify the security requirements for Peer
Identity Authentication for the I2RS protocol:
o SEC-REQ-01: All I2RS clients and I2RS agents MUST have an
identity, and at least one unique identifier that uniquely
identifies each party in the I2RS protocol context.
Hares, et al. Expires April 2, 2017 [Page 10]
�
Internet-Draft I2RS Security Requirements September 2016
o SEC-REQ-02: The I2RS protocol MUST utilize these identifiers for
mutual identification of the I2RS client and I2RS agent.
o SEC-REQ-03: Identifier distribution and the loading of these
identifiers into I2RS agent and I2RS client SHOULD occur outside
the I2RS protocol prior to the I2RS protocol establishing a
connection between I2RS client and I2RS agent. AAA protocols MAY
be used to distribute these identifiers, but other mechanism can
be used.
Explanation:
These requirements specify the requirements for I2RS peer (I2RS agent
and I2RS client) authentication. A secure transport (E.g. TLS) will
authenticate based on these identities, but these identities are
identities for the I2RS management layer. An AAA protocol
distributing I2RS identity information SHOULD transport its
information over a secure transport.
4.2. Identity Validation Before Role-Based Message Actions
The requirements for I2RS clients with Secure Connections are the
following:
SEC-REQ-04: An I2RS agent receiving a request from an I2RS client
MUST confirm that the I2RS client has a valid identity.
SEC-REQ-05: An I2RS client receiving an I2RS message over a secure
transport MUST confirm that the I2RS agent has a valid identifier.
SEC-REQ-06: An I2RS agent receiving an I2RS message over an
insecure transport MUST confirm that the content is suitable for
transfer over such a transport.
Explanation:
Each I2RS client has a scope based on its identity and the security
roles (read, write, or events) associated with that identity, and
that scope must be considered in processing an I2RS messages sent on
a communication channel. An I2RS communication channel may utilize
multiple transport sessions, or establish a transport session and
then close the transport session. Therefore, it is important that
the I2RS peers are operating utilizing valid peer identities when a
message is processed rather than checking if a transport session
exists.
During the time period when a secure transport session is active, the
I2RS agent SHOULD assume that the I2RS client's identity remains
Hares, et al. Expires April 2, 2017 [Page 11]
�
Internet-Draft I2RS Security Requirements September 2016
valid. Similarly, while a secure connection exists that included
validating the I2RS agent's identity and a message is received via
that connection, the I2RS client SHOULD assume that the I2RS agent's
identity remains valid.
The definition of what constitutes a valid identity or a valid
identifier MUST be defined by the I2RS protocol.
4.3. Peer Identity, Priority, and Client Redundancy
Requirements:
SEC-REQ-07: Each I2RS Identifier MUST be associated with just one
priority.
SEC-REQ-08: Each Identifier is associated with one secondary
identifier during a particular I2RS transaction (e.g. read/write
sequence), but the secondary identifier may vary during the time a
connection between the I2RS client and I2RS agent is active.
Explanation:
The I2RS architecture also allows multiple I2RS clients with unique
identities to connect to an I2RS agent (section 7.8). The I2RS
deployment using multiple clients SHOULD coordinate this multi-headed
control of I2RS agents by I2RS clients so no conflict occurs in the
write scope. However, in the case of conflict on a write scope
variable, the error resolution mechanisms defined by the I2RS
architecture multi-headed control ([RFC7921], section 7.8) allow the
I2RS agent to deterministically choose one I2RS client. The I2RS
client with highest priority is given permission to write the
variable, and the second client receives an error message.
A single I2RS client may be associated with multiple applications
with different tasks (e.g. weekly configurations or emergency
configurations). The secondary identity is an opaque value that the
I2RS client passes to the I2RS agent so that this opaque value can be
placed in the tracing file or event stream to identify the
application using the I2RS client to I2RS agent communication. The
I2RS client is trusted to simply assert the secondary identifier.
One example of the use of the secondary identity is the situation
where an operator of a network has two applications that use an I2RS
client. The first application is a weekly configuration application
that uses the I2RS protocol to change configurations. The second
application is an application that allows operators to makes
emergency changes to routers in the network. Both of these
applications use the same I2RS client to write to an I2RS agent. In
Hares, et al. Expires April 2, 2017 [Page 12]
�
Internet-Draft I2RS Security Requirements September 2016
order for traceability to determine which application (weekly
configuration or emergency) wrote some configuration changes to a
router, the I2RS client sends a different opaque value for each of
the applications. The weekly configuration secondary opaque value
could be "xzzy-splot" and the emergency secondary opaque value could
be "splish-splash".
A second example is if the I2RS client is used for monitoring of
critical infrastructure. The operator of a network using the I2RS
client may desire I2RS client redundancy where the monitoring
application wth the I2RS client is deployed on two different boxes
with the same I2RS client identity (see [RFC7921] section 4.3) These
two monitoring applications pass to the I2RS client whether the
application is the primary or back up application, and the I2RS
client passes this information in the I2RS secondary identitifier as
the figure below shows. The primary applications secondary
identifier is "primary-monitoring", and the backup application
secondary identifier is "backup-monitoring". The I2RS tracing
information will include the secondary identifier information along
with the transport information in the tracing file in the agent.
Example 2: Primary and Backup Application for Monitoring
Identification sent to agent
Application A--I2RS client--Secure transport(#1)
[I2RS identity 1, secondary identifier: "primary-monitoring"]-->
Application B--I2RS client--Secure transport(#2)
[I2RS identity 1, secondary identifier: "backup-monitoring"]-->
Figure 1
4.4. Multi-Channel Transport: Secure Transport and Insecure Transport
Requirements:
SEC-REQ-09: The I2RS protocol MUST be able to transfer data over a
secure transport and optionally MAY be able to transfer data over
a non-secure transport. The default transport is a secure
transport, and this secure transport is mandatory to implement
(MTI) in all I2RS agents, and in any I2RS client which: a)
performs a Write scope transaction which is sent to the I2RS agent
or b): configures an Event Scope transaction. This secure
transport is mandatory to use (MTU) on any I2RS client's Write
transaction or the configuration of an Event Scope transaction.
Hares, et al. Expires April 2, 2017 [Page 13]
�
Internet-Draft I2RS Security Requirements September 2016
SEC-REQ-10: The secure transport MUST provide data
confidentiality, data integrity, and practical replay prevention.
SEC-REQ-11: The I2RS client and I2RS agent protocol SHOULD
implement mechanisms that mitigate DoS attacks. For the secure
transport, this means the secure transport must support DoS
prevention. For the insecure transport protocol, the I2RS higher-
layer protocol MUST contain a transport management layer that
considers the detection of DoS attacks and provides a warning over
a secure-transport channel.
SEC-REQ-12: A secure transport MUST be associated with a key
management solution that can guarantee that only the entities
having sufficient privileges can get the keys to encrypt/decrypt
the sensitive data.
SEC-REQ-13: A machine-readable mechanism to indicate that a data-
model contains non-confidential data MUST be provided. A non-
secure transport MAY be used to publish only read scope or
notification scope data if the associated data model indicates
that that data is non-confidential.
SEC-REQ-14: The I2RS protocol MUST be able to support multiple
secure transport sessions providing protocol and data
communication between an I2RS agent and an I2RS client. However,
a single I2RS agent to I2RS client connection MAY elect to use a
single secure transport session or a single non-secure transport
session conforming the requirements above.
SEC-REQ-15: Deployment configuration knobs SHOULD be created to
allow operators to send "non-confidential" Read scope (data or
Event streams) over a secure transport.
SEC-REQ-16: The I2RS protocol makes use of both secure and
insecure transports, but this use MUST NOT be done in any way that
weakens the secure transport protocol used in the I2RS protocol or
other contexts that do not have this requirement for mixing secure
and insecure modes of operation.
Explanation:
The I2RS architecture defines three scopes: read, write, and
notification scope. Insecure data can only be used for read scope
and notification scope of "non-confidential data". The configuration
of ephemeral data in the I2RS agent uses either write scope for data
or write scope for configuration of event notification streams. The
requirement to use secure transport for configuration prevents
Hares, et al. Expires April 2, 2017 [Page 14]
�
Internet-Draft I2RS Security Requirements September 2016
accidental or malevolent entities from altering the I2RS routing
system through the I2RS agent.
It is anticipated that the passing of most I2RS ephemeral state
operational status SHOULD be done over a secure transport.
In most circumstances the secure transport protocol will be
associated with a key management system. Most deployments of the
I2RS protocol will allow for automatic key management systems. Since
the data models for the I2RS protocol will control key routing
functions, it is important that deployments of I2RS use automatic key
management systems.
Per BCP107 [RFC4107] while key management system SHOULD be automatic,
the systems MAY be manual in the following scenarios:
a) The environment has limited bandwidth or high round-trip times.
b) The information being protected has low value.
c) The total volume of traffic over the entire lifetime of the
long-term session key will be very low.
d) The scale of the deployment is limited.
Operators deploying the I2RS protocol selecting manual key management
SHOULD consider both short and medium term plans. Deploying
automatic systems initially may save effort over the long-term.
4.5. Management Protocol Security
Requirements:
SEC-REQ-17: In a critical infrastructure, certain data within
routing elements is sensitive and read/write operations on such
data SHOULD be controlled in order to protect its confidentiality.
To achieve this, higher-layer protocols MUST utilize a secure
transport, and SHOULD provide access control functions to protect
confidentiality of the data.
SEC-REQ-18: An integrity protection mechanism for I2RS MUST be
provided that will be able to ensure the following:
1) the data being protected is not modified without detection
during its transportation,
2) the data is actually from where it is expected to come from,
and
Hares, et al. Expires April 2, 2017 [Page 15]
�
Internet-Draft I2RS Security Requirements September 2016
3) the data is not repeated from some earlier interaction the
higher layer protocol (best effort).
The I2RS higher-layer protocol operating over a secure transport
provides this integrity. The I2RS higher-layer protocol operating
over an insecure transport SHOULD provide some way for the client
receiving non-confidential read-scoped or event-scoped data over
the insecure connection to detect when the data integrity is
questionable; and in the event of a questionable data integrity
the I2RS client should disconnect the insecure transport
connection.
SEC-REQ-19: The I2RS higher-layer protocol MUST provide a
mechanism for message traceability (requirements in [RFC7922])
that supports the tracking higher-layer functions run across
secure connection or a non-secure transport.
Explanation:
Most carriers do not want a router's configuration and data flow
statistics known by hackers or their competitors. While carriers may
share peering information, most carriers do not share configuration
and traffic statistics. To achieve this, the I2RS higher-layer
protocol (e.g NETCONF) requires access control (NACM [RFC6536]) for
sensitive data needs to be provided; and the confidentiality
protection on such data during transportation needs to be enforced.
Integrity of data is important even if the I2RS protocol is sending
non-confidential data over an insecure connection. The ability to
trace I2RS protocol messages that enact I2RS transactions provides a
minimal aid to helping operators check how messages enact
transactions on a secure or insecure transport. Contextual checks on
specific non-confidential data sent over a insecure connection may
indicate the data has been modified.
4.6. Role-Based Data Model Security
The I2RS Architecture [RFC7921] specifies access control by "role"
where role is a method of making access control more manageable by
creating a grouping of users so that access control can be specified
for a role rather than for each of the individuals. Therefore, I2RS
role specifies the access control for a group as being read, write,
or notification.
SEC-REQ-20: The rules around what I2RS security role is permitted
to access and manipulate what information over a secure transport
(which protects the data in transit) SHOULD ensure that data of
any level of sensitivity is reasonably protected from being
Hares, et al. Expires April 2, 2017 [Page 16]
�
Internet-Draft I2RS Security Requirements September 2016
observed by those without permission to view it, so that privacy
requirements are met.
SEC-REQ-21: Role security MUST work when multiple transport
connections are being used between the I2RS client and I2RS agent
as the I2RS architecture [RFC7921] describes.
Sec-REQ-22: If an I2RS agents or an I2RS client is tightly
correlated with a person, then the I2RS protocol and data models
SHOULD provide additional security that protects the person's
privacy.
Explanation:
I2RS higher-layer uses management protocol E.g. NETCONF, RESTCONF)
to pass messages in order to enact I2RS transactions. Role Security
must secure data (sensitivity and normal data) in a router even when
it is operating over multiple connections at the same time. NETCONF
can run over TLS (over TCP or SCTP) or SSH. RESTCONF runs over HTTP
over a secure transport (TLS). SCTP [RFC4960] provides security for
multiple streams plus end-to-end transport of data. Some I2RS
functions may wish to operate over DTLS which runs over UDP
([RFC6347]), DDCP ([RFC6238]), and SCTP ([RFC5764]).
Please note the security of the application to I2RS client connection
is outside of the I2RS protocol or I2RS interface.
While I2RS clients are expected to be related to network devices and
not individual people, if an I2RS client ran on a person's phone,
then privacy protection to anonymize any data relating to a person's
identity or location would be needed.
A variety of forms of managemen may set policy on roles: "operator-
applied knobs", roles that restrict personal access, data-models with
specific "privacy roles", and access filters.
4.7. Security of the environment
The security for the implementation of a protocol also considers the
protocol environment. The environmental security requirements are
found in: [I-D.ietf-i2rs-security-environment-reqs].
5. Security Considerations
This is a document about security requirements for the I2RS protocol
and data modules. Security considerations for the I2RS protocol
include both the protocol and the security environment.
Hares, et al. Expires April 2, 2017 [Page 17]
�
Internet-Draft I2RS Security Requirements September 2016
6. IANA Considerations
This draft is requirements, and does not request anything of IANA.
7. Acknowledgement
The authors would like to thank Wes George, Ahmed Abro, Qin Wu, Eric
Yu, Joel Halpern, Scott Brim, Nancy Cam-Winget, DaCheng Zhang, Alia
Atlas, and Jeff Haas for their contributions to the I2RS security
requirements discussion and this document. The authors would like to
thank Bob Moskowitz, Kathleen Moriarty, Stephen Farrell, Radia
Perlman, Alvaro Retana, Ben Campbell, and Alissa Cooper for their
review of these requirements.
8. References
8.1. Normative References
[I-D.ietf-i2rs-security-environment-reqs]
Migault, D., Halpern, J., and S. Hares, "I2RS Environment
Security Requirements", draft-ietf-i2rs-security-
environment-reqs-01 (work in progress), April 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic
Key Management", BCP 107, RFC 4107, DOI 10.17487/RFC4107,
June 2005, <http://www.rfc-editor.org/info/rfc4107>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
2014, <http://www.rfc-editor.org/info/rfc7258>.
[RFC7921] Atlas, A., Halpern, J., Hares, S., Ward, D., and T.
Nadeau, "An Architecture for the Interface to the Routing
System", RFC 7921, DOI 10.17487/RFC7921, June 2016,
<http://www.rfc-editor.org/info/rfc7921>.
Hares, et al. Expires April 2, 2017 [Page 18]
�
Internet-Draft I2RS Security Requirements September 2016
[RFC7922] Clarke, J., Salgueiro, G., and C. Pignataro, "Interface to
the Routing System (I2RS) Traceability: Framework and
Information Model", RFC 7922, DOI 10.17487/RFC7922, June
2016, <http://www.rfc-editor.org/info/rfc7922>.
[RFC7923] Voit, E., Clemm, A., and A. Gonzalez Prieto, "Requirements
for Subscription to YANG Datastores", RFC 7923,
DOI 10.17487/RFC7923, June 2016,
<http://www.rfc-editor.org/info/rfc7923>.
8.2. Informative References
[I-D.ietf-i2rs-ephemeral-state]
Haas, J. and S. Hares, "I2RS Ephemeral State
Requirements", draft-ietf-i2rs-ephemeral-state-18 (work in
progress), September 2016.
[I-D.ietf-netconf-restconf]
Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", draft-ietf-netconf-restconf-17 (work in
progress), September 2016.
[I-D.ietf-taps-transports]
Fairhurst, G., Trammell, B., and M. Kuehlewind, "Services
provided by IETF transport protocols and congestion
control mechanisms", draft-ietf-taps-transports-11 (work
in progress), July 2016.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, DOI 10.17487/RFC2865, June 2000,
<http://www.rfc-editor.org/info/rfc2865>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007,
<http://www.rfc-editor.org/info/rfc4960>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010,
<http://www.rfc-editor.org/info/rfc5764>.
Hares, et al. Expires April 2, 2017 [Page 19]
�
Internet-Draft I2RS Security Requirements September 2016
[RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP:
Time-Based One-Time Password Algorithm", RFC 6238,
DOI 10.17487/RFC6238, May 2011,
<http://www.rfc-editor.org/info/rfc6238>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<http://www.rfc-editor.org/info/rfc6241>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <http://www.rfc-editor.org/info/rfc6347>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012,
<http://www.rfc-editor.org/info/rfc6536>.
[RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
"Transport Layer Security (TLS) Encryption for RADIUS",
RFC 6614, DOI 10.17487/RFC6614, May 2012,
<http://www.rfc-editor.org/info/rfc6614>.
[RFC6733] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn,
Ed., "Diameter Base Protocol", RFC 6733,
DOI 10.17487/RFC6733, October 2012,
<http://www.rfc-editor.org/info/rfc6733>.
[RFC7920] Atlas, A., Ed., Nadeau, T., Ed., and D. Ward, "Problem
Statement for the Interface to the Routing System",
RFC 7920, DOI 10.17487/RFC7920, June 2016,
<http://www.rfc-editor.org/info/rfc7920>.
Authors' Addresses
Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA
Email: shares@ndzh.com
Hares, et al. Expires April 2, 2017 [Page 20]
�
Internet-Draft I2RS Security Requirements September 2016
Daniel Migault
Ericsson
8400 boulevard Decarie
Montreal, QC HAP 2N2
Canada
Email: daniel.migault@ericsson.com
Joel Halpern
Ericsson
US
Email: joel.halpern@ericsson.com
Hares, et al. Expires April 2, 2017 [Page 21]
|
