I2RS WG | D. Migault |
Internet-Draft | J. Halpern |
Intended status: Informational | Ericsson |
Expires: September 13, 2017 | S. Hares |
Huawei | |
March 12, 2017 |
I2RS Environment Security Requirements
draft-ietf-i2rs-security-environment-reqs-04
This document provides environment security requirements for the I2RS architecture. Environment security requirements are independent of the protocol used for I2RS. The security environment requirements are the good security practices to be used during implementation and deployment of the code related to the new interface to routing system (I2RS) so that I2RS implementations can be securely deployed and operated.
Environmental security requirements do not specify the I2RS protocol seecurity requirements. This is done in another document (draft-ietf-i2rs-protocol-security-requirements).
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2017.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document provides environment security requirements for the I2RS architecture. Environment security requirements are independent of the protocol used for I2RS. The I2RS protocol security requirements [I-D.ietf-i2rs-protocol-security-requirements] define the security for the communication between I2RS client and agent. The security environment requirements are good security practices to be used during implementation and deployment of the I2RS protocol so that I2RS protocol implementations can be securely deployed and operated. These environment security requirements address the security considerations described in the I2RS Architecture [RFC7921] required to provide a stable and secure environment in which the dynamic programmatic interface to the routing system (I2RS) should operates.
Even though the I2RS protocol is mostly concerned with the interface between the I2RS client and the I2RS agent, the environmental security requirements must consider the entire I2RS architecture and specify where security functions may be hosted and what criteria should be met in order to address any new attack vectors exposed by deploying this architecture. Environment security for I2RS has to be considered for the complete I2RS architecture and not only on the protocol interface.
This document is structured as follows:
The subsequent sections of the document focus on the security within the I2RS plane.
Motivations are described before the requirements are given.
The reader is expected to be familiar with the I2RS problem statement [RFC7920], I2RS architecture, [RFC7921], traceability requirements [RFC7922], I2RS Pub/Sub requirements [RFC7923], I2RS ephemeral state requirements [I-D.ietf-i2rs-ephemeral-state], I2RS protocol security requirements [I-D.ietf-i2rs-protocol-security-requirements].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Isolating the I2RS plane from other network planes (the management, forwarding, and control planes) is fundamental to the security of the I2RS environment. Clearly differentiating the I2RS components from the rest of the network device does the following:
Separating the I2RS plane from other network control and forwarding planes is similar to the best common practice of placing software into software containers within modules with clear interfaces to exterior modules. In a similar way, although the I2RS plane cannot be completely isolated from other planes, it can be carefully designed so the interactions between the I2RS plane and other planes can be identified and controlled. The following is a brief description of how the I2RS plane positions itself in regard to the other planes.
The purpose of the I2RS plane is to provide a standard programmatic interface to the routing system resources to network oriented applications. Routing protocols often run in a control plane and provide entries for the forwarding plane as shown in figure 1. The I2RS plane contains the I2RS applications, the I2RS client, the north bound interface between the I2RS client and I2RS applications, the I2RS protocol, the I2RS agent, and the south bound API (SB API) to the routing system. The communication interfaces in the I2RS plane are shown on the the left hand side of figure 1.
The management plane contains the mangement application, the management client, the north bound API between the management client and management application, the mangement server, the management protocol (E.g. RESTCONF) between mangement client and management server, and the south bound API between the management server and the control plane. The communication interfaces associated with the management plane are shown on the right hand side of figure 2.
The I2RS plane and the management plane both interact with the control plane on which the routing systems operate. [RFC7921] describes several of these interaction points such as the local configuration, the static system state, routing, and signaling. A routing resource may be accessed by I2RS plane, the mangement plane, or routing protocol(s) which creates the potential for overlapping access. The southbound APIs can limit the scope of the management plane's and the I2RS plane's interaction with the routing resources.
Security focus:
Implementers need to carefully examine the southbound APIs from the I2RS Plane and the management plane to determine if these APIs overlap or conflict during use. If these APIs overlap or conflict, these interactions can provide errors which are not traceable or provide a risk for security intrusions between the two planes.
APIs that interact with the I2RS Plane and Management Plane I2RS applications Mangement applications || NB API NB API || || || I2RS plane management plane || control plane configuration|| || datastore datastore || || || ||SB API SB API || --------------------------------------- | Routing System with protocols |<protocols> | control plane | | (applied datastore) | +-------------------------------------+ | forwarding plane | +-------------------------------------+ | system | +-------------------------------------+ Figure 1 - North Bound (NB) APIs and South Bound (SB) APIs
The north bound interface may also be a source of conflicting interactions between the I2RS plane and the management plane. It is important that conflicting interactions do not provide a deadlock situation or allow a vulnerability due to data store leaking.
How can a deadlock occur?
The I2RS applications and the management applications may both interact with the Routing System. For example, I2RS applications may set ephemeral state for a BGP routing process allowing a peer to temporarily increase the maximum number of prefixes it will accept. At the same time, a management plane process may change a BGP Peer's configuration for the maximum number of prefixes to decrease the maximum number of prefixes. [RFC7921] suggests that implementations SHOULD provide operator configurable knobs that will determine which functions (I2RS or configuration management) has precedence in the routing system, and that events should signal an I2RS agent if the I2RS ephemeral state is overwritten. This is an example of policy that prevents a deadlock situation for both the I2RS application and the management application.
It is important that implementations include both policy knobs for resolving the deadlocks between the the I2RS plane and the management plane, and event signaling which reports deadlocks occurring within a system supporting I2RS.
A vulnerability can occur if there is leakage between the I2RS ephemeral control plane data store and the management plane's configuration datastore. [I-D.ietf-netmod-revised-datastores] describes a datastore architecture with control plane datastores (such as the I2RS protocol's ephemeral datastore) being logically different than the the configuration data store. The mixture of the I2RS ephemeral configuration and management configuration is done by the routing system code (specific to an implementation). The routing system code resolves any conflict between I2RS control plane configuration and the management plane configuration, and then installs the state in the routing system. Implementation policy determines which configuration state should be installed.
The applied datastore provides information on what is installed in each part of a system - including the routing system. The operational state data store provides both the applied data store information and additional operational state from the control plane protocols and control plane datastore.
Since it is the routing system code which is combining the configuration from the I2RS control plane datastore and the management datastore to create applied datastore for the routing system, this code must take care to prevent:
In this circumstance, we define "infecting" as interfering with and leading into a incoherent state. Planned interactions such as interactions denoted in in two cooperating Yang data modules is not an incoherent state.
For example, BGP configuration and BGP I2RS ephemeral state configuration could have a defined interaction. The I2RS plane may legitimately update a routing resource configured by the management plane, or the reverse (the management plane updates a resource the I2RS plane has configured) if the interactions are defined by Yang modules or local policy. Infecting is when the implementation is updated by two processes resulting in an incoherent state. Indirect "infecting" we define as as changes made by the I2RS plane that cause changes in routing protocols which add state unexpected by the management plane or the reverse (the mangement plane adding changes in routing protocols the I2RS plane does not expect).
Prevention for Data Store Leakage
The primary protection in this space is going to need to be validation rules on:
The next few paragraphs will provide some ideas on how this might be implemented. These suggest implementation policy should resolve what is not resolved in the YANG Data module definitions.
The Network Access Control Module (NACM) has been define to control access to the configuration datastore via the management protocol across a network. A similar network access control module could be defined for the I2RS-NACM (per [I-D.ietf-netconf-rfc6536bis]. Figure 2 shows how the I2RS-NACM could be created to support parallel features with the management protocol (E.g. NETCONF) NACM.
I2RS implementations may also need to define access modules which control access to the routing system (Routing Access Control Module (RACM)) by policy. The I2RS-RACM would control how the I2RS agent accesses the routing system through the SB API interface. In parallel, the management system would have a RACM to control the SB API interface (see figure 2). I2RS agent and the management server may want to read/write system information interfaces or other system functions. In order to prevent leakage between the I2RS system and the management system, there needs to be a system access control module (SACM) that protects the jointly held data.
I2RS- || (I2RS Mgt protocol || NACM || Protocol) (E.g. NETCONF)|| NACM ------- ---------- I2RS ||I2RS Agent Mgt server|| SACM || I2RS Control-DS config DS || SACM -----|| (RACM) (RACM) ||=======|| | ||SB API SB API || || | +-----------------------------------+ || | | Routing System with protocols | || | | control plane | || | | (applied datastore) | || | | (operational state) | || | +--------------||-------------------+ || | | forwarding plane | || | +--------------||-------------------+ || ---| system |======|| +-----------------------------------+ *Mgt = management DS = Datastore Control-DS = Control plane protocol data store NACM = Network Access Control Module RACM = Routing System Access Control Module figure 2
The I2RS clients and the I2RS agents also need a set of policy which defines what can be received from the network or sent to the network.
I2RS applications Mangement applications || NB API MB API || || (APP NAC policy) (APP NAC policy)|| || I2RS client mgt client || || (NAC policy) (NAC policy)|| || || I2RS protocol mgt protocol (NETCONF/RESTCONF) figure 3
Applications hosted by the I2RS client belong to the I2RS plane. It is difficult to constrain these applications to the I2RS plane, or even to limit their scope within the I2RS plane. Applications using I2RS may also interact with components outside the I2RS plane. For example an application may use a management client to configure the network and monitored events via an I2RS agent as figure 4 shows.
+--------------------------------------+ | Application | +--------------------------------------+ || NB API NB API || || I2RS client mgt client || || || I2RS protocol mgt protocol (NETCONF/RESTCONF) figure 4
Applications may also communicate with multiple I2RS clients in order to have a broader view of the current and potential states of the network and the I2RS plane itself. These varied remote communication relationships between applications using the I2RS protocol to change the forwarding plane make it possible for an individual application to be an effective attack vector against the operation of the network, a router's I2RS plane, the forwarding plane of the routing system, and other planes (management and control planes).
Prevention measures:
Systems should consider the following prevention errors:
The network control plane consists of the processes and protocols that discover topology, advertise reachability, and determine the shortest path between any location on the network and any destination. I2RS client configures, monitors or receives events via the I2RS agent's interaction with the routing system including the process that handles the control plane signalling protocols (BGP, ISIS, OSPF, etc.), route information databases (RIBs), and interface databases. In some situations, to manage an network outage or to control traffic, the I2RS protocol may modify information in the route database or the configuration of routing process. While this is not a part of normal processing, such action allows the network operator to bypass temporary outages or DoS attacks.
This capability to modify the routing process information carries with it the risk that the I2RS agent may alter the normal properties of the routing protocols which provide normal loop free routing in the control plane. For example, information configured by the I2RS agent into routing process or RIBs could cause forwarding problems or routing loops. As a second example, state which is inserted or deleted from routing processes (control traffic, counters, etc.) could cause the routing protocols to fail to converge or loop).
Prevention measures:
The I2RS implementation can provide internal checks after a routing system protocol change that it is still operating correctly. These checks would be specific to the routing protocol the I2RS Agent would change. For example, if a BGP maximum prefix limit for a BGP peer is lowered then the BGP peer should not allow the number prefixes received from that peer to exceed this number.
To isolate I2RS transactions from other planes, it is required that:
Explanation:
When the I2RS agent performs an action on a routing element, the action is performed in a process (or processes) associated with a routing process. For example, in a typical UNIX system, the user is designated with a user id (uid) and belongs to groups designated by group ids (gid). If such a user id (uid) and group id (gid) is the identifier for the routing processes peforming routing tasks in the control plane, then the I2RS Agent process would communicate with these routing processes. It is important that the I2RS agent has its own unique identifier and the routing processes have their own identifier so that access control can uniquely filter data between I2RS Agent and routing processes.
The specific policy that the I2RS agent uses to filter data from the network or from different processes on a system (routing, system or cross-datastore) should be specific to the I2RS agent. For example, the network access filter policy that the I2RS agent uses should be uniquely identifiable from the configuration datastore updated by a management protocol.
Explanation:
This requirements is also described in section 7.6 of [RFC7921] for the I2RS client, and this section extends it to the entire I2RS plane (I2RS agent, client, and application).
A routing system resource may be accessed by management plane or control plane protocols so a change to a routing system resource may remain unnoticed unless and until the routing system resource notifies the I2RS plane by notifying the I2RS agent. Such notification is expected to trigger synchronization of the I2RS resource state between the I2RS agent and I2RS client - signalled by the I2RS agent sending a notification to an I2RS client.
The updated resource should be available in the operational state if there is a yang module referencing that operational state, but this is not always the case. In the cases where operational state is not updated, the I2RS SB (southbound) API should include the ability to send a notification.
Explanation:
A key part of the I2RS architecture is notification regarding routing system changes across the I2RS plane (I2RS client to/from I2RS agent). The security environment requirements above (SEC-ENV-REQ-03 to SEC-ENV-REQ-05) provide the assurance that the I2RS plane and the routing systems the I2RS plane attaches to remains untouched by the other planes or the I2RS plane is notificed of such changes. Section 6.3 of [RFC7921] describes how the I2RS agent within the I2RS plane interacts with forwarding plane's local configuration, and provides the example of an overwrite policy between the I2RS plane and local configuration (instantiated in 2 Policy Knobs) that operators may wish to set. The prompt notification of any outside overwrite is key to the architecture and proper interworking of the I2RS Plane.
This section provides recommendations on how the I2RS plane's access control should be designed to protect the routing system resources. These security policies for access control only apply within the I2RS plane. More especially, the policies are associated to the applications, I2RS clients and I2RS agents, with their associated identity and roles.
The I2RS deployment of I2RS applications, I2RS clients, and I2RS agents can be located locally in a closed environment or distributed over open networks. The normal case for routing system management is over an open environment. Even in a closed environment, access control policies should be carefully defined to be able to, in the future, carefully extend the I2RS plane to remote applications or remote I2RS clients.
[I-D.ietf-i2rs-protocol-security-requirements] defines the security requirements of the I2RS protocol between the I2RS client and the I2RS agent over a secure transport. This section focuses on I2RS access control architecture (section 4.1), access control policies of the I2RS agent (section 4.2), the I2RS client (section 4.3), and the application (section 4.4).
Overview:
Applications access the routing system resource via numerous intermediate nodes. The application communicates with an I2RS client. In some cases, the I2RS client is only associated with a single application attached to one or more agents (case a and case b in figure 4 below). In other cases, the I2RS client may be connected to two applications (case c in figure 4 below), or the I2RS may act as a broker (agent/client device shown in case d in figure 4 below). The I2RS client broker approach provides scalability to the I2RS architecture as it avoids each application being registered to the I2RS agent. Similarly, the I2RS access control should be able to scale to numerous applications.
The goal of the security environment requirements in this section are to control the interactions between the applications and the I2RS client, and the interactions between the I2RS client and the I2RS agent. The key challenge is that the I2RS architecture puts the I2RS Client in control of the stream of communication (application to I2RS client and I2RS client to the I2RS agent). The I2RS agent must trust the I2RS client's actions without having an ability to verify the I2RS client's actions.
a) I2RS application-client pair talking to one I2RS agent +-----------+ +---------+ +-------+ | I2RS |=====| I2RS |======| I2RS | |application| | client 1| | agent | +-----------+ +---------+ +-------+ b) I2RS application client pair talking to two i2RS agents +--------+ +-------------+ +---------+ | I2RS | | I2RS |===| I2RS |=====| agent 1| |application 1| | client 1| +--------+ | | | | +--------+ | | | |=====| I2RS | +-------------+ +---------+ | agent 2| +--------+ c) two applications talk to 1 client +--------+ +-------------+ +--------+ | I2RS | | I2RS |===|I2RS |=====| agent 1| |application 1| |client 1| +--------+ +-------------+ | | +--------+ +-------------+ | |=====| I2RS | | I2RS | | | | agent 2| |application 2|===| | +--------+ +-------------+ +--------+ d) I2RS Broker (agent/client +--------+ +-------------+ +--------+ | I2RS | | I2RS |==|I2RS |=====|agent 3/| |application 1| |client 1| ==|client 3+----+ +-------------+ +--------+ | +--+-----+ | | | | +-------------+ +--------+ | +-------+ +--|----+ | I2RS | |I2RS |===| |I2RS | |I2RS | |application 2|==|client 2| |agent 1| |agent 2| +-------------+ +--------+ +-------+ +-------+ figure 4
Explanation:
This architecture results in a layered and hierarchical or multi-party I2RS access control. An application will be able to access a routing system resource only if both the I2RS client is granted access by the I2RS agent and the application is granted access by the I2RS client.
Explanation:
In case the I2RS client access control or the I2RS agent access control does not grant access to a routing system resource, the application should be able to determine whether its request has been rejected by the I2RS client or the I2RS agent as well as the reason that caused the reject.
SEC-REQ-07 indicates the I2RS agent may reject the request because the I2RS client is not an authorized I2RS client or lacks the privileges to perform the requested transaction (read, write, start notifications or logging). The I2RS client should be notified of the reason the I2RS agent rejected the transaction due to a lack of authorization or privileges, and the I2RS client should return a message to the application indicating the I2RS agent reject the transaction with an indication of this reason. Similarly, if the I2RS client does not grant the access to the application, the I2RS client should also inform the application. An example of an error message could be, "Read failure: you do not have read permission", "Write failure: you do not have write permission", or "Write failure: resource accessed by someone else".
This requirement has been written in a generic manner as it relates to the following interactions:
Explanation:
The participants in the I2RS Plane (I2RS client, I2RS agent, and I2RS application) exchange critical information, and to be effective the communication should be trusted and free from security attacks.
The I2RS client or the I2RS agent should be able to reject messages over a communication channel that can be easily hijacked, like a clear text UDP channel.
For the I2RS client:
Similarly, for the applications:
For both the application and the client:
Explanation:
In order to limit the number of access requests that result in an error, each application or I2RS client can retrieve the I2RS access control policies that apply to it. This subset of rules is designated as the "Individual I2RS access control policies". As these policies are subject to changes, a dynamic synchronization mechanism should be provided. However, such mechanisms may be implemented with different levels of completeness and dynamicity of the individual I2RS access control policies. One example may be caching transaction requests that have been rejected.
I2RS access control should be appropriately balanced between the I2RS client and the I2RS agent. It remains relatively easy to avoid the complete disclosure of the access control policies of the I2RS agent. Relative disclosure of access control policies may allow leaking confidential information in case of misconfiguration. It is important to balance the level of trust of the I2RS client and the necessity of distributing the enforcement of the access control policies.
I2RS access control should not solely rely only on the I2RS client or the I2RS agent as illustrated below:
Overview:
To distribute the I2RS access control policies between I2RS clients and I2RS agents, I2RS access control policies can also be distributed within a set of I2RS clients or a set of I2RS agents.
Requirements:
Explanation:
This restriction for distributed I2RS clients to act as brokers only for applications with roughly the same privileges avoids the I2RS client having extra privileges compared to hosted applications, and discourages applications from performing privilege escalation within an I2RS client. For example, suppose an I2RS client requires write access to the resources. It is not recommended to grant the I2RS agent the write access in order to satisfy a unique I2RS client. Instead, the I2RS client that requires write access should be connected to an I2RS agent that is already shared by an I2RS client that requires write access.
Access control policies enforcement should be monitored in order to detect violation of the policies or detect an attack. Access control policies enforcement may not be performed by the I2RS client or the I2RS agent as violation may require a more global view of the I2RS access control policies. As a result, consistency check and mitigation may instead be performed by the management plane. However, I2RS clients and I2RS agents play a central role.
The I2RS agent can trace transactions that an I2RS client requests it to perform, and to link this to the application via the secondary opaque identifier to the application. This information is placed in a tracing log which is retrieved by management processes. If a particular application is granted a level of privileges it should not have, then this tracing mechanism may detect this security intrusion after the intrusion has occurred.
Access control policies should be implemented so that the policies remain manageable in short and longer term deployments of the I2RS protocol and the I2RS plane.
Requirements:
Explanation:
Granting or configuring an application with new policy should not require manual configuration of I2RS clients, I2RS agents, or other applications.
Explanation:
A typical implementation of a local I2RS client access control policies may result in creating manually a system user associated with each application. Such an approach is not likely to scale when the number of applications increases into the hundreds.
Explanation:
Although the number of I2RS clients is expected to be lower than the number of applications, as I2RS agents provide access to the routing resource, it is of primary importance that an access can be granted or revoke in an efficient way.
Explanation:
Centralized management of the access control policies of an I2RS plane with network that hosts several I2RS applications, clients and agents requires that each devices can be identified.
Overview:
The I2RS agent access control restricts routing system resource access to authorized identities - possible access policies may be none, read or write. The initiator of an access request to a routing resource is always an application. However, it remains challenging for the I2RS agent to establish its access control policies based on the application that initiates the request.
First, when an I2RS client acts as a broker, the I2RS agent may not be able to authenticate the application. In that sense, the I2RS agent relies on the capability of the I2RS client to authenticate the applications and apply the appropriated I2RS client access control.
Second, an I2RS agent may not uniquely identify a piece of software implementing an I2RS client. In fact, an I2RS client may be provided multiple identities which can be associated to different roles or privileges. The I2RS client is left responsible for using them appropriately according to the application.
Third, each I2RS client may contact various I2RS agent with different privileges and access control policies.
This section provides recommendations on the I2RS agent access control policies to keep I2RS access control coherent within the I2RS plane.
Requirements:
Explanation:
If the I2RS application is authenticated to the I2RS client, and the I2RS client is authenticated to the I2RS agent, and the I2RS client uses the opaque secondary identifier to pass an authenticated identifier to the I2RS agent, then this identifier may be used for access control. However, caution should be taken when using this chain of authentication since the secondary identifier is intended in the I2RS protocol only to aid traceability.
From the environment perspective the I2RS agent MUST be aware when the resource has been modified outside the I2RS plane by another plane (management, control, or forwarding). The prioritization between the different planes should set a deterministic policy that allows the collision of two planes (I2RS plane and another plane) to be resolved via an overwrite policy in the I2RS agent.
Similar requirements exist for knowledge about identities within the I2RS plane which modify things in the routing system, but this is within the scope of the I2RS protocol's requirements for ephemeral state [I-D.ietf-i2rs-ephemeral-state] and security requirements [I-D.ietf-i2rs-protocol-security-requirements].
Overview:
The I2RS client access control policies are responsible for authenticating the application managing the privileges for the applications, and enforcing access control to resources by the applications.
Requirements:
Explanation:
If no authentication mechanisms have being provided between the I2RS client and the application, then the I2RS client must be dedicated to a single application. By doing so, application authentication relies on the I2RS authentication mechanisms between the I2RS client and the I2RS agent.
If an I2RS client has multiple identities that are associated with different privileges for accessing an I2RS agent(s), the I2RS client access control policies should specify the I2RS client identity with the access control policy.
Overview
Applications do not enforce access control policies. Instead these are enforced by the I2RS clients and the I2RS agents. This section provides recommendations for applications in order to ease I2RS access control by the I2RS client and the I2RS agent.
Requirements:
Explanation:
Different application may use different methods (or multiple methods) to communicate with its associated I2RS client, and each application may not use the same form of an application identifier. However, the I2RS client must obtain an identifier for each application. One method for this identification can be a system user id.
Explanation:
The I2RS client provides access to resource on its behalf and this access should only be granted for trusted applications, or applications with an similar level of trust. This does not prevent an I2RS client to host a large number of applications with the same levels of trust.
Explanation:
It is obvious when an I2RS client belongs to the application as part of a module or a library that the application can communicate with a I2RS client. Similarly, if the application runs into a dedicated system with a I2RS client, it is obvious which I2RS client the application should contact. If the application connects to the I2RS client remotely, the application needs some means to retrieve the necessary information to contact its associated I2RS client (e.g. an IP address or a FQDN).
A key aspect of the I2RS architecture is the network oriented application that uses the I2RS high bandwidth programmatic interface to monitor or change one or more routing systems. I2RS applications could be control by a single entity or serve various tenants of the network. If multiple entities use an I2RS application to monitor or change the network, security policies must preserve the isolation of each entity's control and not let malicious entities controlling one I2RS application interfere with other I2RS applications.
This section discusses both security aspects related to programmability as well as application isolation in the I2RS architecture.
Overview
I2RS provides a programmatic interface in and out of the Internet routing system which provides the following advantages for security:
Programmability allows applications to flexible control which may cause problems due to:
The I2RS plane requires data and application isolation to prevent such situations from happening. However, to guarantee the network stability constant monitoring and error detection are recommended.
Requirement:
Explanation:
In the least, monitoring consists of logging events and receiving streams of data. I2RS Plane implementations should monitor the I2RS applications and I2RS clients for potential problems. The cause for the I2RS clients or applications providing problematic requests can be failures in the implementation code or malicious intent. ]
Overview:
Requirements for robustness to DoS attacks have been addressed in the communication channel section [RFC7921]. This section focuses on requirements for application isolation that help prevent DoS.
Requirements:
Explanation:
The I2RS interface is used by applications to interact with the routing states. If the I2RS client is shared between multiple applications, one application can use the I2RS client to perform DoS or DDoS attacks on the I2RS agent(s) and through the I2RS agents attack the network. DoS attack targeting the I2RS agent would consist in providing requests that keep the I2RS agent busy for a long time. These attacks on the I2RS agent may involve an application (requesting through an I2RS Client) heavy computation by the I2RS agent in order to block operations like disk access.
Some DoS attacks may attack the I2RS Client's reception of notification and monitoring data streams over the network. Other DoS attacks may focus on the application directly by performing reflection attacks to reflect traffic. Such an attack could be performed by first detecting an application is related to monitoring the RIB or changing the RIB. Reflection-based DoS may also attack at various levels in the stack utilizing UDP at the service to redirect data to a specific repository
I2RS implementation should consider how to protect I2RS against such attacks.
Overview
This section examines how application logic must be designed to ensure application isolation.
Requirements:
Explanation:
Applications use the I2RS interface in order to update the routing system. These updates may be driven by behaviour on the forwarding plane or any external behaviours. In this case, correlating observation with the I2RS traffic may enable the derivation the application logic. Once the application logic has been derived, a malicious application may generate traffic or any event in the network in order to activate the alternate application.
This whole document is about security requirements for the I2RS environment. To protect personal privacy, any identifier (I2RS application identifier, I2RS client identifier, or I2RS agent identifier) should not contain personal identifiable information.
No IANA considerations for this requirements.
A number of people provided a significant amount of helpful comments and reviews. Among them the authors would like to thank Russ White, Russ Housley, Thomas Nadeau, Juergen Schoenwaelder, Jeffrey Haas, Alia Atlas, and Linda Dunbar.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC7920] | Atlas, A., Nadeau, T. and D. Ward, "Problem Statement for the Interface to the Routing System", RFC 7920, DOI 10.17487/RFC7920, June 2016. |
[RFC7921] | Atlas, A., Halpern, J., Hares, S., Ward, D. and T. Nadeau, "An Architecture for the Interface to the Routing System", RFC 7921, DOI 10.17487/RFC7921, June 2016. |
[RFC7922] | Clarke, J., Salgueiro, G. and C. Pignataro, "Interface to the Routing System (I2RS) Traceability: Framework and Information Model", RFC 7922, DOI 10.17487/RFC7922, June 2016. |
[RFC7923] | Voit, E., Clemm, A. and A. Gonzalez Prieto, "Requirements for Subscription to YANG Datastores", RFC 7923, DOI 10.17487/RFC7923, June 2016. |
[I-D.ietf-i2rs-protocol-security-requirements] | Hares, S., Migault, D. and J. Halpern, "I2RS Security Related Requirements", Internet-Draft draft-ietf-i2rs-protocol-security-requirements-17, September 2016. |
[I-D.ietf-i2rs-ephemeral-state] | Haas, J. and S. Hares, "I2RS Ephemeral State Requirements", Internet-Draft draft-ietf-i2rs-ephemeral-state-23, November 2016. |
[I-D.ietf-netconf-rfc6536bis] | Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", Internet-Draft draft-ietf-netconf-rfc6536bis-00, January 2017. |
[I-D.ietf-netmod-revised-datastores] | Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K. and R. Wilton, "A Revised Conceptual Model for YANG Datastores", Internet-Draft draft-ietf-netmod-revised-datastores-00, December 2016. |