I2RS working group | S. Hares |
Internet-Draft | Huawei |
Intended status: Standards Track | June 23, 2015 |
Expires: December 25, 2015 |
I2RS Security Related Requirements
draft-hares-i2rs-auth-trans-01
This presents an security-related requirements for the I2RS protocol for mutual authentication, transport protocols, data transfer and transactions.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 25, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Interface to the Routing System (I2RS) provides read and write access to the information and state within the routing process. The I2RS client interacts with one or more I2RS agents to collect information from network routing systems.
This document describes the requirements for the I2RS protocol in the security-related areas of mutual authentication of the I2RS client and agent, the transport protocol carrying the I2RS protocol messages, and the atomicity of the transactions. These requirements were initially described in the [I-D.ietf-i2rs-architecture] document. These security requirements are also part of the list of top ten requirements for the I2RS protocol indicated in the section below.
[I-D.haas-i2rs-ephemeral-state-reqs] discusses of I2RS roles-based write conflict resolution in the ephemeral data store using the I2RS Client Identity, I2RS Secondary Identity and priority. The draft [I-D.ietf-i2rs-traceability] describes the traceability framework and its requirements for I2RS. The draft [I-D.ietf-i2rs-pub-sub-requirements] describe the requirements for I2RS to be able to publish information or have a remote client subscribe to an information data stream.
This document utilizes the definitions found in the following drafts: [RFC4949], and [I-D.ietf-i2rs-architecture]
Specifically, this document utilizes the following definitions:
The security for the I2RS protocol requires mutually authenticated I2RS client and I2RS agent. The I2RS client and I2RS agent using the I2RS protocol MUST be able to exchange data over a secure transport, but some functions may operate on non-secure transport. The I2RS protocol MUST BE able to provide atomicity of a transaction, but it is not required to multi-message atomicity and rollback mechanisms transactions. Multiple messages transactions may be impacted by the interdependency of data. This section discusses these details of these securitry requirements.
The I2RS architecture [I-D.ietf-i2rs-architecture]document states:
This architecture set the following requirements:
The data security of the I2RS protocol MUST be able to support transfer of the data over a secure transport and optionally be able to support a non-security transport. A security transport is defined to have the qualities of: confidentiality, has message integrity, and supports end-to-end integrity (in the case of stacked clients).
A secure transport also must be be associated with a key management solution that can guarantee that only the entities having sufficient privileges can get the keys to encrypt/decrypt the sensitive data. Pre-shared keys is considered for this document to be a key management system. In addition, the key management mechanisms need to be able to update the keys before they have lost sufficient security strengths, without breaking the connection between the agents and clients.
The rules around what role is permitted to access and manipulate what information combined a secure transport protect the data in transit SHOULD ensure that data of any level of sensitivity is reasonably protected from being observed by those without permission to view it so that privacy requirements are met. Observer without permission can refer to other I2RS clients, attackers, or assorted MITM (man-in-the-middle)monkeys.
The I2RS protocol MUST support multiple secure transport sessions providing protocol and data communication between the I2RS Agent and the I2RS client.
In a critical infrastructure, certain data within routing elements is sensitive and read/write operations on such data must be controlled in order to protect its confidentiality. For example, most carriers do not want a router's configuration and data flow statistics known by hackers or their competitors. While carriers may share peering information, most carriers do not share configuration and traffic statistics. To achieve this, access control to sensitive data needs to be provided for this data, and the confidentiality protection on such data during transportation needs to be enforced.
An integrity protection mechanism for I2RS should be able to ensure 1) the data being protected are not modified without detection during its transportation and 2) the data is actually from where it is expected to come from 3) the data is not repeated from some earlier interaction of the protocol. That is, when both confidentiality and integrity of data is properly protected, it is possible to ensure that encrypted data are not modified or replayed without detection.
>Section 7.9 of the [I-D.ietf-i2rs-architecture] states the I2RS architecture does not include multi-message atomicity and rollback mechanisms, but suggests an I2RS client may inidicate one of the following error handling techniques for a given message sent to the I2RS client:
Role security MUST work when multiple transport connections are being used between the I2RS client and I2RS agent as the I2RS architecture [I-D.ietf-i2rs-architecture] states. These transport message streams may start/stop without affecting the existence of the client/agent data exchange. TCP supports a single stream of data. SCTP [RFC4960] provides security for multiple streams plus end-to-end transport of data.
I2RS clients may be used by multiple applications to configure routing via I2RS agents, receive status reports, turn on the I2RS audit stream, or turn on I2RS traceability. An application software using I2RS client functions can host several multiple secure identities, but each connection will use only one identity with one priority.. Therefore, the security of each connection is unique..
The author would like to thank Wes George, Ahmed Abro, Qin Wu, Eric Yu, Joel Halpern, Scott Brim, Nancy Cam-Winget, DaCheng Zhang, Alia Atlas, and Jeff Haas for their contributions to I2RS security requirement discussion and this document.
This draft includes no request to IANA.
This is a document about security requirements for the I2RS protocol and data modules. The whole document is security considerations.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[I-D.haas-i2rs-ephemeral-state-reqs] | Haas, J., "I2RS Ephemeral State Requirements", Internet-Draft draft-haas-i2rs-ephemeral-state-reqs-00, May 2015. |
[I-D.ietf-i2rs-architecture] | Atlas, A., Halpern, J., Hares, S., Ward, D. and T. Nadeau, "An Architecture for the Interface to the Routing System", Internet-Draft draft-ietf-i2rs-architecture-09, March 2015. |
[I-D.ietf-i2rs-problem-statement] | Atlas, A., Nadeau, T. and D. Ward, "Interface to the Routing System Problem Statement", Internet-Draft draft-ietf-i2rs-problem-statement-06, January 2015. |
[I-D.ietf-i2rs-pub-sub-requirements] | Voit, E., Clemm, A. and A. Prieto, "Requirements for Subscription to YANG Datastores", Internet-Draft draft-ietf-i2rs-pub-sub-requirements-02, March 2015. |
[I-D.ietf-i2rs-rib-info-model] | Bahadur, N., Folkes, R., Kini, S. and J. Medved, "Routing Information Base Info Model", Internet-Draft draft-ietf-i2rs-rib-info-model-06, March 2015. |
[I-D.ietf-i2rs-traceability] | Clarke, J., Salgueiro, G. and C. Pignataro, "Interface to the Routing System (I2RS) Traceability: Framework and Information Model", Internet-Draft draft-ietf-i2rs-traceability-03, May 2015. |
[RFC4785] | Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)", RFC 4785, January 2007. |
[RFC4949] | Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007. |
[RFC4960] | Stewart, R., "Stream Control Transmission Protocol", RFC 4960, September 2007. |