I2RS working group | S. Hares |
Internet-Draft | Huawei |
Intended status: Standards Track | S. Brim |
Expires: August 10, 2015 | Consultant |
N. Cam-Winget | |
Cisco | |
J. Halpern | |
Ericcson | |
D. Zhang | |
Q. Wu | |
Huawei | |
A. Abro | |
S. Asadullah | |
Cisco | |
J. Halpern | |
Ericcson | |
E. Yu | |
Cisco | |
February 6, 2015 |
I2RS Security Considerations
draft-hares-i2rs-security-03
This presents an expansion of the security architecture found in the i2rs architecture.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 10, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Interface to the Routing System (I2RS) provides read and write access to the information and state within the routing process and configuration process (as illustrated in the diagram in the architecture document within routing elements. The I2RS client [I-D.ietf-i2rs-architecture] interacts with one or more I2RS agents to collect information from network routing systems. This security architecture expands on the security issues involved in the I2RS protocol's message exchange between the I2RS client and the I2RS agent which are described in [I-D.ietf-i2rs-architecture]
This document utilizes the definitions found in the following drafts: [RFC4949], and [I-D.ietf-i2rs-architecture]
Specifically, this document utilizes the following definitions:
(c) Permission Inheritance Assignments (i.e., Role Hierarchy) [Constraints] +=====+ | | (a) Identity v v (b) Permission +----------+ Assignments +-------+ Assignments +----------+ |Identities|<=============>| Roles |<=============>|Permissions| +----------+ [Constraints] +-------+ [Constraints] +----------+ | | ^ ^ | | +-----------+ | | +---------------------+ | | | +-------+ | | | | Legend | | +====>|Session|=====+ | | | | | +-------+ | | | One-to-One | | | ... | | | =================== | | | +-------+ | | | | +========>|Session|=========+ | One-to-Many | (d) Identity | +-------+ | (e) Role | ==================> | Selections | | Selections | | [Constraints]| Access |[Constraints] | Many-to-Many | | Sessions | | <================> | +-----------+ +---------------------+ Figure 1 - Security definition of Role inheritance
The following diagram is a variation of the [RFC4949] diagram on role-based security, and provides the context for the assumptions of security on the role-based work.
The security for the I2RS protocol utilizes the role based access security for the I2RS client's access to the I2RS agent's data (read/write). The I2RS [I-D.ietf-i2rs-architecture] treats the agent's notification stream or publication stream as a pre-authorized read. This security consideration document examines the major points:
All I2RS clients and I2RS agents MUST have at least one unique identifier that uniquely identifies each party. The I2RS protocol MUST utilize these identifiers for mutual identification of the client and agent. An I2RS agent, upon receiving an I2RS message from a client, must confirm that the client has a valid identity. The client, upon receiving an I2RS message from an agent, must confirm the I2RS identity.
Identity distribution and the loading of these identities into I2RS agent and I2RS Client occur outside the I2RS protocol. The I2RS protocol SHOULD assume some mechanism (IETF or private) in order to distribute or load identities and that the I2RS client/agent will load the identities prior to the I2RS protocol establishing a connection between I2RS client and I2RS agent.
Each Identity will be linked (via internal policy) to one role. The context of the I2RS client-agent communication is based on a role which may/may not require message confidentiality, message integrity protection, or replay attack protection.
Role = routing tree + Read/Write/Read-Write
The rigorous definition of a role in RBAC-based security is role is function associated with an activity (set of actions). The set of actions in I2RS performs is limited are read or write actions on a specific set of data in the data model. Therefore, we can express:
Role security for an agent involves pairing the identity to the role. The data store can read information either by write or an event stream.
Role security exists even if multiple transport connections are being used between the I2RS client and I2RS agent as the I2RS architecture [I-D.ietf-i2rs-architecture] states. These transport message streams may start/stop without affecting the existence of the client/agent data exchange. TCP supports a single stream of data. SCTP [RFC4960] provides security for multiple streams plus end-to-end transport of data.
I2RS clients may be used by multiple applications to configure routing via I2RS agents, receive status reports, turn on the I2RS audit stream, or turn on I2RS traceability. An I2RS client software could arrange to store multiple secure identities, and use a specific identity that only associates roles which only have Read access. This administrative design of identities and roles could insure a "status-only" application did gain write access. This administrative design is possible within I2RS architecture but not mandated.
Multiple identities provide some secondary level support for the application-client, but may grow the number of identities. The multiple identities per client could also be used for multiple levels of security for the data passed between an I2RS client and agent as either: a) confidential, b) authorized with message integrity protection, c) authorized without message integrity protection, and or d) no protection.
I2RS data security involves determining of the I2RS client to I2RS agent data transfer needs to be confidential, or have message integrity, or support an end-to-end integrity (in the case of stacked clients). This section discuss the consideration of I2RS data security.
It is assumed that all I2RS data security mechanisms used for protecting the I2RS packets needs to be associated with proper key management solutions. A key management solution needs to guarantee that only the entities having sufficient privileges can get the keys to encrypt/decrypt the sensitive data. In addition, the key management mechanisms need to be able to update the keys before they have lost sufficient security strengths, without breaking the connection between the agents and clients.
The rules around what role is permitted to access and manipulate what information, combined with encryption to protect the data in transit is intended to help ensure that data of any level of sensitivity is reasonably protected from being observed by those without permission to view it. In that case 'those' can refer to either other roles, sub-agents, or to attackers and assorted MITM monkeys.
In a critical infrastructure, certain data within routing elements is sensitive and R/W operations on such data must be controlled in order to protect its confidentiality. For example, most carriers do not want a router's configuration and data flow statistics known by hackers or their competitors. While carriers may share peering information, most carriers do not share configuration and traffic statistics. To achieve this, access control to sensitive data needs to be provided, and the confidentiality protection on such data during transportation needs to be enforced.
It is normal to protect the confidentiality of the sensitive data during transportation by encrypting them. Encryption obscures the data transported on the wire and protects them against eavesdropping attacks. Because the encryption itself cannot guarantee the integrity or fresh of data being transported, in practice, confidentiality protection is normally provided with integrity protection.
An integrity protection mechanism for I2RS should be able to ensure 1) the data being protected are not modified without detection during its transportation and 2) the data is actually from where it is expected t come from 3) the data is not repeated from some earlier interaction of the protocol. That is, when both confidentiality and integrity of data is properly protected, it is possible to ensure that encrypted data are not modified or replayed without detection.
As a part of integrity protection, the replay protection approaches provided for I2RS must consider both online and offline attackers, and have sufficient capability to deal with intra connection and inter-connection attacks. For instance, when using symmetric keys, sequence numbers which increase monotonically could be useful to help in distinguishing the replayed messages, under the assistance of signatures or MACs (dependent on what types of keys are applied). In addition, in the cases where only offline attacker is considered, random nonce could be effective.
The following are open issues for the I2RS WG to discuss:
The authors would like to thank Wes George, Ahmed Abro, Qin Wu, Eric Yu, Alia Atlas, and Jeff Haas for their wonderful contributions to our discussion discussion.
This draft includes no request to IANA.
This is a document about security architecture beyond the consideration for I2RS. Additional security definitions will be added in this section.
[I-D.clarke-i2rs-traceability] | Clarke, J., Salgueiro, G. and C. Pignataro, "Interface to the Routing System (I2RS) Traceability: Framework and Information Model", Internet-Draft draft-clarke-i2rs-traceability-02, June 2014. |
[I-D.hares-i2rs-info-model-policy] | Hares, S. and W. Wu, "An Information Model for Network policy", Internet-Draft draft-hares-i2rs-info-model-policy-01, February 2014. |
[I-D.ietf-i2rs-architecture] | Atlas, A., Halpern, J., Hares, S., Ward, D. and T. Nadeau, "An Architecture for the Interface to the Routing System", Internet-Draft draft-ietf-i2rs-architecture-00, August 2013. |
[I-D.ietf-i2rs-problem-statement] | Atlas, A., Nadeau, T. and D. Ward, "Interface to the Routing System Problem Statement", Internet-Draft draft-ietf-i2rs-problem-statement-00, August 2013. |
[I-D.ietf-i2rs-rib-info-model] | Bahadur, N., Folkes, R., Kini, S. and J. Medved, "Routing Information Base Info Model", Internet-Draft draft-ietf-i2rs-rib-info-model-01, October 2013. |
[I-D.ji-i2rs-usecases-ccne-service] | Ji, X., Zhuang, S. and T. Huang, "I2RS Use Cases for Control of Forwarding Path by Central Control Network Element (CCNE)", Internet-Draft draft-ji-i2rs-usecases-ccne-service-00, October 2013. |
[I-D.keyupate-i2rs-bgp-usecases] | Patel, K., Fernando, R., Gredler, H., Amante, S., White, R. and S. Hares, "Use Cases for an Interface to BGP Protocol", Internet-Draft draft-keyupate-i2rs-bgp-usecases-01, February 2014. |
[I-D.white-i2rs-use-case] | White, R., Hares, S. and R. Fernando, "Use Cases for an Interface to the Routing System", Internet-Draft draft-white-i2rs-use-case-00, February 2013. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC4785] | Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)", RFC 4785, January 2007. |
[RFC4949] | Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007. |
[RFC4960] | Stewart, R., "Stream Control Transmission Protocol", RFC 4960, September 2007. |