summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8241.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc8241.txt')
-rw-r--r--doc/rfc/rfc8241.txt1123
1 files changed, 1123 insertions, 0 deletions
diff --git a/doc/rfc/rfc8241.txt b/doc/rfc/rfc8241.txt
new file mode 100644
index 0000000..a2e16af
--- /dev/null
+++ b/doc/rfc/rfc8241.txt
@@ -0,0 +1,1123 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) S. Hares
+Request for Comments: 8241 Huawei
+Category: Informational D. Migault
+ISSN: 2070-1721 J. Halpern
+ Ericsson
+ September 2017
+
+
+ Interface to the Routing System (I2RS) Security-Related Requirements
+
+Abstract
+
+ This document presents security-related requirements for the
+ Interface to the Routing System (I2RS) protocol, which provides a new
+ interface to the routing system described in the I2RS architecture
+ document (RFC 7921). The I2RS protocol is implemented by reusing
+ portions of existing IETF protocols and adding new features to them.
+ One such reuse is of the security features of a secure transport
+ (e.g., Transport Layer Security (TLS), Secure SHell (SSH) Protocol,
+ Datagram TLS (DTLS)) such as encryption, message integrity, mutual
+ peer authentication, and anti-replay protection. The new I2RS
+ features to consider from a security perspective are as follows: a
+ priority mechanism to handle multi-headed write transactions, an
+ opaque secondary identifier that identifies an application using the
+ I2RS client, and an extremely constrained read-only non-secure
+ transport.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc8241.
+
+
+
+
+
+
+
+
+
+Hares, et al. Informational [Page 1]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+Copyright Notice
+
+ Copyright (c) 2017 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology and Concepts ........................................4
+ 2.1. Requirements Language ......................................4
+ 2.2. Security Terminology .......................................4
+ 2.3. I2RS-Specific Terminology ..................................5
+ 2.4. Concepts ...................................................5
+ 3. Security Features and Protocols: Reused and New .................6
+ 3.1. Security Protocols Reused by the I2RS Protocol .............6
+ 3.2. New Features Related to Security ...........................7
+ 3.3. I2RS Protocol Security Requirements vs. IETF
+ Management Protocols .......................................8
+ 4. Security-Related Requirements ..................................10
+ 4.1. I2RS Peer (Agent and Client) Identity Authentication ......10
+ 4.2. Identity Validation before Role-Based Message Actions .....11
+ 4.3. Peer Identity, Priority, and Client Redundancy ............12
+ 4.4. Multi-Channel Transport: Secure and Non-Secure ............13
+ 4.5. Management Protocol Security ..............................15
+ 4.6. Role-Based Data Model Security ............................16
+ 4.7. Security of the Environment ...............................17
+ 5. IANA Considerations ............................................17
+ 6. Security Considerations ........................................17
+ 7. References .....................................................18
+ 7.1. Normative References ......................................18
+ 7.2. Informative References ....................................18
+ Acknowledgements ..................................................20
+ Authors' Addresses ................................................20
+
+
+
+
+
+
+
+
+Hares, et al. Informational [Page 2]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+1. Introduction
+
+ The Interface to the Routing System (I2RS) protocol provides read and
+ write access to information and state within the routing system. An
+ I2RS client interacts with one or more I2RS agents to collect
+ information from network routing systems. [RFC7921] describes the
+ architecture of this interface, and this document assumes the reader
+ is familiar with this architecture and its definitions.
+
+ The I2RS interface is instantiated by the I2RS protocol connecting an
+ I2RS client and an I2RS agent associated with a routing system. The
+ I2RS protocol is implemented by reusing portions of existing IETF
+ protocols and adding new features to them. As a reuse protocol, it
+ can be considered a higher-layer protocol because it can be
+ instantiated in multiple management protocols (e.g., NETCONF
+ [RFC6241] or RESTCONF [RFC8040]) operating over a secure transport.
+ These protocols are what provide its security.
+
+ This document is part of a suite of documents outlining requirements
+ for the I2RS protocol, which also includes the following:
+
+ o "An Architecture for the Interface to the Routing System"
+ [RFC7921]
+
+ o "I2RS Ephemeral State Requirements" [RFC8242]
+
+ o "Interface to the Routing System (I2RS) Traceability: Framework
+ and Information Model" (which discusses traceability) [RFC7923]
+
+ o "Requirements for Subscription to YANG Datastores" (which
+ highlights the publication/subscription requirements) [RFC7922]
+
+ Since the I2RS "higher-layer" protocol changes the interface to the
+ routing systems, it is important that implementers understand the new
+ security requirements for the environment the I2RS protocol operates
+ in. A summary of the I2RS protocol security environment is found in
+ the I2RS architecture [RFC7921].
+
+ I2RS reuses the secure transport protocols (TLS, SSH, DTLS) that
+ support encryption, message integrity, peer authentication, and key
+ distribution protocols. Optionally, implementers may utilize
+ Authentication, Authorization, and Accounting (AAA) protocols (Radius
+ over TLS or Diameter over TLS) to securely distribute identity
+ information.
+
+ Section 2 highlights some of the terminology and concepts that the
+ reader is required to be familiar with.
+
+
+
+
+Hares, et al. Informational [Page 3]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ Section 3 provides an overview of security features and protocols
+ being reused (Section 3.1), lists the new security features being
+ required (Section 3.2), and explores how existing and new security
+ features and protocols would be paired with existing IETF management
+ protocols (Section 3.3).
+
+ The new features I2RS extends to these protocols are a priority
+ mechanism to handle multi-headed writes, an opaque secondary
+ identifier to allow traceability of an application utilizing a
+ specific I2RS client to communicate with an I2RS agent, and non-
+ secure transport constrained to be used only for read-only data,
+ which may include publicly available data (e.g., public BGP events,
+ public telemetry information, web service availability) and some
+ legacy data.
+
+ Section 4 provides the I2RS protocol security requirements of several
+ security features. Protocols designed to be I2RS higher-layer
+ protocols need to fulfill these security requirements.
+
+2. Terminology and Concepts
+
+2.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+2.2. Security Terminology
+
+ This document uses the terminology found in [RFC4949] and [RFC7921].
+ Specifically, this document reuses the following terms from
+ [RFC4949]:
+
+ o access control
+ o authentication
+ o data confidentiality
+ o data integrity
+ o data privacy
+ o identity
+ o identifier
+ o mutual authentication
+ o role
+ o role-based access control
+ o security audit trail
+ o trust
+
+
+
+
+Hares, et al. Informational [Page 4]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ [RFC7922] describes traceability for the I2RS interface and the I2RS
+ protocol. Traceability is not equivalent to a security audit trail
+ or simple logging of information. A security audit trail may utilize
+ traceability information.
+
+2.3. I2RS-Specific Terminology
+
+ This document discusses the security of the multiple I2RS
+ communication channels that operate over the higher-layer I2RS
+ protocol. The higher-layer I2RS protocol combines a secure transport
+ and I2RS contextual information, and it reuses IETF protocols and
+ data models to create the secure transport and the contextual
+ information driven by the I2RS data model. To describe how the I2RS
+ higher-layer protocol combines other protocols, the following terms
+ are used:
+
+ I2RS component protocols
+
+ Protocols that are reused and combined to create the I2RS higher-
+ layer protocol.
+
+ I2RS secure transport component protocols (required)
+
+ Secure transport protocols that combine to support the I2RS
+ higher-layer protocol.
+
+ I2RS management component protocols (required)
+
+ Management protocols that combine to provide the management-
+ information context for the I@RS higher-layer protocol.
+
+ I2RS AAA component protocols (optional)
+
+ AAA protocols supporting the I2RS higher-layer protocol.
+
+2.4. Concepts
+
+ The reader should be familiar with the pervasive security
+ requirements in [RFC7258].
+
+ This document uses the following concepts from the I2RS architecture
+ [RFC7921] listed below with their respective section numbers from
+ said RFC:
+
+ o I2RS client, agent, and protocol (Section 2)
+
+ o I2RS higher-layer protocol (Section 7.2)
+
+
+
+
+Hares, et al. Informational [Page 5]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ o scope: read, notification, identity, and write (Section 2)
+
+ o identity and secondary identity (Section 2)
+
+ o roles or security rules (Section 2)
+
+ o routing system/subsystem (Section 2)
+
+ o I2RS assumed security environment (Section 4)
+
+ o I2RS identity and authentication (Section 4.1)
+
+ o scope of Authorization in I2RS client and agent (Section 4.2)
+
+ o client redundancy with a single client identity (Section 4.3),
+
+ o restrictions on I2RS in personal devices (Section 4.4)
+
+ o communication channels and I2RS higher-layer protocol
+ (Section 7.2)
+
+ o active communication versus connectivity (Section 7.5)
+
+ o multi-headed control (Section 7.8)
+
+ o transaction, message, multi-message atomicity (Section 7.9)
+
+3. Security Features and Protocols: Reused and New
+
+3.1. Security Protocols Reused by the I2RS Protocol
+
+ I2RS requires a secure transport protocol and key distribution
+ protocols. The secure transport for I2RS requires one to provide
+ peer authentication. In addition, the features required for I2RS
+ messages are confidentiality, authentication, and replay protection.
+ According to [RFC8095], the secure transport protocols that support
+ peer authentication, confidentiality, data integrity, and replay
+ protection are the following:
+
+ 1. TLS [RFC5246] over TCP or Stream Control Transmission Protocol
+ (SCTP)
+
+ 2. DTLS over UDP with replay detection and an anti-DoS stateless
+ cookie mechanism required for the I2RS protocol and the DTLS
+ options of record-size negotiation and conveyance of the Don't
+ Fragment (DF) bit are set for IPv4, or no fragmentation extension
+ headers for IPv6 to be optional in deployments are allowed by the
+ I2RS protocol
+
+
+
+Hares, et al. Informational [Page 6]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ 3. HTTP over TLS (over TCP or SCTP)
+
+ 4. HTTP over DTLS (with the requirements and optional features
+ specified above in item 2)
+
+ As detailed in Section 3.3, the following protocols would need to be
+ extended to provide confidentiality, data integrity, peer
+ authentication, and key distribution and to run over a secure
+ transport (TLS or DTLS):
+
+ o IP Flow Information Export (IPFIX) over SCTP, TCP, or UDP
+
+ o Forwarding and Control Element Separation (ForCES) Transport
+ Mapping Layer (TML) over SCTP
+
+ The specific type of key management protocols an I2RS secure
+ transport uses depends on the transport. Key management protocols
+ utilized for the I2RS protocols SHOULD support automatic rotation.
+
+ An I2RS implementer may use AAA protocols over secure transport to
+ distribute the identities for the I2RS client, I2RS agent, and role-
+ authorization information. Two AAA protocols are as follows:
+ Diameter [RFC6733] and Radius [RFC2865]. To provide I2RS peer
+ identities with the best security, the AAA protocols MUST be run over
+ a secure transport (Diameter over secure transport (TLS over TCP)
+ [RFC6733]), Radius over a secure transport (TLS) [RFC6614]).
+
+3.2. New Features Related to Security
+
+ The new features are priority, an opaque secondary identifier, and a
+ non-secure protocol for read-only data constrained to specific
+ standard usages. The I2RS protocol allows multi-headed control by
+ several I2RS clients. This multi-headed control is based on the
+ assumption that the operator deploying the I2RS clients, I2RS agents,
+ and the I2RS protocol will coordinate the read, write, and
+ notification scope so the I2RS clients will not contend for the same
+ write scope. However, just in case there is an unforeseen overlap of
+ I2RS clients attempting to write a particular piece of data, the I2RS
+ architecture [RFC7921] provides the concept of each I2RS client
+ having a priority. The I2RS client with the highest priority will
+ have its write succeed. This document specifies requirements for
+ this new concept of priority (see Section 4.3).
+
+ The opaque secondary identifier identifies an application that uses
+ communication from the I2RS client to I2RS agent to manage the
+ routing system. The secondary identifier is opaque to the I2RS
+ protocol. In order to protect personal privacy, the secondary
+ identifier should not contain identifiable personal information.
+
+
+
+Hares, et al. Informational [Page 7]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ The last new feature related to I2RS security is the ability to allow
+ nonconfidential data to be transferred over a non-secure transport.
+ It is expected that most I2RS data models will describe information
+ that will be transferred with confidentiality. Therefore, any model
+ that transfers data over a non-secure transport is marked. The use
+ of a non-secure transport is optional, and an implementer SHOULD
+ create knobs that allow data marked as nonconfidential to be sent
+ over a secure transport.
+
+ Nonconfidential data can only be data with read-scope or
+ notification-scope transmission of events. Nonconfidential data
+ cannot have write-scope or notification-scope configuration.
+ Examples of nonconfidential data would be the telemetry information
+ that is publicly known (e.g., BGP route-views data or website status
+ data) or some legacy data (e.g., interface) that cannot be
+ transported using secure transport. The IETF I2RS data models MUST
+ indicate (in the model) the specific data that is nonconfidential.
+
+ Most I2RS data models will expect that the information described in
+ the model will be transferred with confidentiality.
+
+3.3. I2RS Protocol Security Requirements vs. IETF Management Protocols
+
+ Figure 1 provides a partial list of the candidate management
+ protocols. It also lists the secure transports each protocol
+ supports. The column on the right of the table indicates whether or
+ not the transport protocol will need I2RS security extensions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hares, et al. Informational [Page 8]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ Management I2RS Security
+ Protocol Transport Protocol Extensions
+ ========= ===================== =================
+ NETCONF TLS over TCP (*1) None required (*2)
+
+ RESTCONF HTTP over TLS with None required (*2)
+ X.509v3 certificates,
+ certificate validation,
+ mutual authentication:
+ 1) authenticated
+ server identity,
+ 2) authenticated
+ client identity
+ (*1)
+
+ ForCES TML over SCTP Needs an extension to
+ (*1) TML to run TML over
+ TLS over SCTP, or
+ DTLS with options for
+ replay protection
+ and anti-DoS stateless
+ cookie mechanism.
+ (DTLS record size
+ negotiation and conveyance
+ of DF bits are optional).
+ The IPsec mechanism is
+ not sufficient for
+ I2RS traveling over
+ multiple hops
+ (router + link) (*2)
+
+ IPFIX SCTP, TCP, UDP Needs an extension
+ TLS or DTLS for to support TLS or DTLS with
+ secure client (*1) options for replay protection
+ and anti-DoS stateless
+ cookie mechanism.
+ (DTLS record size
+ negotiation and conveyance
+ of DF bits are optional)
+
+
+ *1 - Key management protocols MUST support appropriate key
+ rotation.
+
+ *2 - Identity and role authorization distributed by Diameter or
+ Radius MUST use Diameter over TLS or Radius over TLS.
+
+ Figure 1: Candidate Management Protocols and Their Secure Transports
+
+
+
+Hares, et al. Informational [Page 9]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+4. Security-Related Requirements
+
+ This section discusses security requirements based on the following
+ security functions:
+
+ o peer identity authentication (Section 4.1)
+
+ o Peer Identity validation before role-based message actions
+ (Section 4.2)
+
+ o peer identity and client redundancy (Section 4.3)
+
+ o multi-channel transport requirements: Secure transport and non-
+ secure Transport (Section 4.4)
+
+ o management protocol security requirements (Section 4.5)
+
+ o role-based security (Section 4.6)
+
+ o security environment (Section 4.7)
+
+ The I2RS protocol depends upon a secure transport layer for peer
+ authentication, data integrity, confidentiality, and replay
+ protection. The optional non-secure transport can only be used for a
+ restricted set of data available publicly (events or information) or
+ a select set of legacy data. Data passed over the non-secure
+ transport channel MUST NOT contain any data that identifies a person.
+
+4.1. I2RS Peer (Agent and Client) Identity Authentication
+
+ Requirements:
+
+ SEC-REQ-01: All I2RS clients and agents MUST have an identity and
+ at least one unique identifier for each party in the I2RS protocol
+ context.
+
+ SEC-REQ-02: The I2RS protocol MUST utilize these identifiers for
+ mutual identification of the I2RS client and agent.
+
+ SEC-REQ-03: Identifier distribution and the loading of these
+ identifiers into the I2RS agent and client SHOULD occur outside
+ the I2RS protocol prior to the I2RS protocol establishing a
+ connection between I2RS client and agent. AAA protocols MAY be
+ used to distribute these identifiers, but other mechanism can be
+ used.
+
+
+
+
+
+
+Hares, et al. Informational [Page 10]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ Explanation:
+
+ These requirements are for I2RS peer (I2RS agent and client)
+ authentication. A secure transport (e.g., TLS) will authenticate
+ based on these identities, but these identities are for the I2RS
+ management layer. A AAA protocol distributing I2RS identity
+ information SHOULD transport its information over a secure transport.
+
+4.2. Identity Validation before Role-Based Message Actions
+
+ Requirements:
+
+ SEC-REQ-04: An I2RS agent receiving a request from an I2RS client
+ MUST confirm that the I2RS client has a valid identity.
+
+ SEC-REQ-05: An I2RS client receiving an I2RS message over a secure
+ transport MUST confirm that the I2RS agent has a valid identifier.
+
+ SEC-REQ-06: An I2RS agent receiving an I2RS message over a non-
+ secure transport MUST confirm that the content is suitable for
+ transfer over such a transport.
+
+ Explanation:
+
+ Each I2RS client has a scope based on its identity and the security
+ roles (read, write, or events) associated with that identity, and
+ that scope must be considered in processing an I2RS message sent on a
+ communication channel. An I2RS communication channel may utilize
+ multiple transport sessions or establish a transport session and then
+ close the transport session. Therefore, it is important that the
+ I2RS peers operate utilizing valid peer identities when a message is
+ processed rather than checking if a transport session exists.
+
+ During the time period when a secure transport session is active, the
+ I2RS agent SHOULD assume that the I2RS client's identity remains
+ valid. Similarly, while a secure connection exists that included
+ validating the I2RS agent's identity and a message is received via
+ that connection, the I2RS client SHOULD assume that the I2RS agent's
+ identity remains valid.
+
+ The definition of what constitutes a valid identity or a valid
+ identifier MUST be defined by the I2RS protocol.
+
+
+
+
+
+
+
+
+
+Hares, et al. Informational [Page 11]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+4.3. Peer Identity, Priority, and Client Redundancy
+
+ Requirements:
+
+ SEC-REQ-07: Each I2RS identifier MUST be associated with just one
+ priority.
+
+ SEC-REQ-08: Each identifier is associated with one secondary
+ identifier during a particular I2RS transaction (e.g., read/write
+ sequence), but the secondary identifier may vary during the time a
+ connection between the I2RS client and I2RS agent is active.
+
+ Explanation:
+
+ The I2RS architecture also allows multiple I2RS clients with unique
+ identities to connect to an I2RS agent (see Section 7.8 of
+ [RFC7921]). The I2RS deployment using multiple clients SHOULD
+ coordinate this multi-headed control of I2RS agents by I2RS clients
+ so no conflict occurs in the write scope. However, in the case of
+ conflict on a write-scope variable, the error resolution mechanisms
+ defined by the I2RS architecture multi-headed control (Section 7.8 of
+ [RFC7921]) allow the I2RS agent to deterministically choose one I2RS
+ client. The I2RS client with highest priority is given permission to
+ write the variable, and the second client receives an error message.
+
+ A single I2RS client may be associated with multiple applications
+ with different tasks (e.g., weekly configurations or emergency
+ configurations). The secondary identity is an opaque value that the
+ I2RS client passes to the I2RS agent so that this opaque value can be
+ placed in the tracing file or event stream to identify the
+ application using the communication from I2RS client to agent. The
+ I2RS client is trusted to simply assert the secondary identifier.
+
+ One example of the use of the secondary identity is the situation
+ where an operator of a network has two applications that use an I2RS
+ client. The first application is a weekly configuration application
+ that uses the I2RS protocol to change configurations. The second
+ application allows operators to makes emergency changes to routers in
+ the network. Both of these applications use the same I2RS client to
+ write to an I2RS agent. In order for traceability to determine which
+ application (weekly configuration or emergency) wrote some
+ configuration changes to a router, the I2RS client sends a different
+ opaque value for each of the applications. The weekly configuration
+ secondary opaque value could be "xzzy-splot" and the emergency
+ secondary opaque value could be "splish-splash".
+
+
+
+
+
+
+Hares, et al. Informational [Page 12]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ A second example is if the I2RS client is used for the monitoring of
+ critical infrastructure. The operator of a network using the I2RS
+ client may desire I2RS client redundancy where the monitoring
+ application with the I2RS client is deployed on two different boxes
+ with the same I2RS client identity (see Section 4.3 of [RFC7921]).
+ These two monitoring applications pass to the I2RS client whether the
+ application is the primary or back-up application, and the I2RS
+ client passes this information in the I2RS secondary identifier, as
+ the figure below shows. The primary application's secondary
+ identifier is "primary-monitoring", and the back-up application
+ secondary identifier is "backup-monitoring". The I2RS tracing
+ information will include the secondary identifier information along
+ with the transport information in the tracing file in the agent.
+
+ Application A--I2RS client--Secure transport(#1)
+ [I2RS identity 1, secondary identifier: "primary-monitoring"]-->
+
+ Application B--I2RS client--Secure transport(#2)
+ [I2RS identity 1, secondary identifier: "backup-monitoring"]-->
+
+ Figure 2: Primary and Back-Up Application for Monitoring
+ Identification Sent to Agent
+
+4.4. Multi-Channel Transport: Secure and Non-Secure
+
+ Requirements:
+
+ SEC-REQ-09: The I2RS protocol MUST be able to transfer data over a
+ secure transport and optionally MAY be able to transfer data over
+ a non-secure transport. The default transport is a secure
+ transport, and this secure transport is mandatory to implement in
+ all I2RS agents and in any I2RS client that a) performs a write
+ scope transaction that is sent to the I2RS agent or b) configures
+ an Event Scope transaction. This secure transport is mandatory to
+ use on any I2RS client's Write transaction or the configuration of
+ an Event Scope transaction.
+
+ SEC-REQ-10: The secure transport MUST provide data
+ confidentiality, data integrity, and practical replay prevention.
+
+ SEC-REQ-11: The I2RS client and I2RS agent SHOULD implement
+ mechanisms that mitigate DoS attacks. This means the secure
+ transport must support DoS prevention. For the non-secure
+ transport, the I2RS higher-layer protocol MUST contain a transport
+ management layer that considers the detection of DoS attacks and
+ provides a warning over a secure transport channel.
+
+
+
+
+
+Hares, et al. Informational [Page 13]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ SEC-REQ-12: A secure transport MUST be associated with a key
+ management solution that can guarantee that only the entities
+ having sufficient privileges can get the keys to encrypt/decrypt
+ the sensitive data.
+
+ SEC-REQ-13: A machine-readable mechanism to indicate that a data
+ model contains nonconfidential data MUST be provided. A non-
+ secure transport MAY be used to publish only read-scope or
+ notification-scope data if the associated data model indicates
+ that the data in question is nonconfidential.
+
+ SEC-REQ-14: The I2RS protocol MUST be able to support multiple
+ secure transport sessions providing protocol and data
+ communication between an I2RS agent and client. However, a single
+ connection between I2RS agent and client MAY elect to use a single
+ secure transport session or a single non-secure transport session
+ conforming to the requirements above.
+
+ SEC-REQ-15: Deployment configuration knobs SHOULD be created to
+ allow operators to send "nonconfidential" read scope (data or
+ event streams) over a secure transport.
+
+ SEC-REQ-16: The I2RS protocol makes use of both secure and non-
+ secure transports, but this use MUST NOT be done in any way that
+ weakens the secure transport protocol used in the I2RS protocol or
+ other contexts that do not have this requirement for mixing secure
+ and non-secure modes of operation.
+
+ Explanation:
+
+ The I2RS architecture defines three scopes: read, write, and
+ notification. Non-secure data can only be used for read and
+ notification scopes of "nonconfidential data". The configuration of
+ ephemeral data in the I2RS agent uses write scope either for data or
+ for configuration of event notification streams. The requirement to
+ use secure transport for configuration prevents accidental or
+ malevolent entities from altering the I2RS routing system through the
+ I2RS agent.
+
+ It is anticipated that the passing of most I2RS ephemeral state
+ operational statuses SHOULD be done over a secure transport.
+
+ In most circumstances, the secure transport protocol will be
+ associated with a key management system. Most deployments of the
+ I2RS protocol will allow for automatic key management systems. Since
+ the data models for the I2RS protocol will control key routing
+ functions, it is important that deployments of I2RS use automatic key
+ management systems.
+
+
+
+Hares, et al. Informational [Page 14]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ Per BCP 107 [RFC4107], while key management systems SHOULD be
+ automatic, the systems MAY be manual in the following scenarios:
+
+ a) The environment has limited bandwidth or high round-trip times.
+
+ b) The information being protected has low value.
+
+ c) The total volume of traffic over the entire lifetime of the long-
+ term session key will be very low.
+
+ d) The scale of the deployment is limited.
+
+ Operators deploying the I2RS protocol selecting manual key management
+ SHOULD consider both short- and medium-term plans. Deploying
+ automatic systems initially may save effort in the long term.
+
+4.5. Management Protocol Security
+
+ Requirements:
+
+ SEC-REQ-17: In a critical infrastructure, certain data within
+ routing elements is sensitive and read/write operations on such
+ data SHOULD be controlled in order to protect its confidentiality.
+ To achieve this, higher-layer protocols MUST utilize a secure
+ transport, and they SHOULD provide access-control functions to
+ protect confidentiality of the data.
+
+ SEC-REQ-18: An integrity protection mechanism for I2RS MUST be
+ provided that will be able to ensure the following:
+
+ 1) the data being protected is not modified without detection
+ during its transportation,
+
+ 2) the data is actually from where it is expected to come from,
+ and
+
+ 3) the data is not repeated from some earlier interaction the
+ higher-layer protocol (best effort).
+
+ The I2RS higher-layer protocol operating over a secure transport
+ provides this integrity. The I2RS higher-layer protocol operating
+ over a non-secure transport SHOULD provide some way for the client
+ receiving nonconfidential read-scoped or event-scoped data over
+ the non-secure connection to detect when the data integrity is
+ questionable; and in the event of a questionable data integrity,
+ the I2RS client should disconnect the non-secure transport
+ connection.
+
+
+
+
+Hares, et al. Informational [Page 15]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ SEC-REQ-19: The I2RS higher-layer protocol MUST provide a
+ mechanism for message traceability (requirements in [RFC7922])
+ that supports the tracking higher-layer functions run across
+ secure connection or a non-secure transport.
+
+ Explanation:
+
+ Most carriers do not want a router's configuration and data-flow
+ statistics to be known by hackers or their competitors. While
+ carriers may share peering information, most carriers do not share
+ configuration and traffic statistics. To achieve this, the I2RS
+ higher-layer protocol (e.g., NETCONF) requires access control
+ (NETCONF Access Control Model [RFC6536]) for sensitive data needs to
+ be provided; and the confidentiality protection on such data during
+ transportation needs to be enforced.
+
+ Integrity of data is important even if the I2RS protocol is sending
+ nonconfidential data over a non-secure connection. The ability to
+ trace I2RS protocol messages that enact I2RS transactions provides a
+ minimal aid to helping operators check how messages enact
+ transactions on a secure or non-secure transport. Contextual checks
+ on specific nonconfidential data sent over a non-secure connection
+ may indicate the data has been modified.
+
+4.6. Role-Based Data Model Security
+
+ In order to make access control more manageable, the I2RS
+ architecture [RFC7921] specifies a "role" to categorize users into a
+ group (rather than handling them individually) for access-control
+ purposes (role-based access control). Therefore, an I2RS role
+ specifies the access control for a group as being read, write, or
+ notification.
+
+ SEC-REQ-20: The rules around what I2RS security role is permitted
+ to access and manipulate what information over a secure transport
+ (which protects the data in transit) SHOULD ensure that data of
+ any level of sensitivity is reasonably protected from being
+ observed by those without permission to view it, so that privacy
+ requirements are met.
+
+ SEC-REQ-21: Role security MUST work when multiple transport
+ connections are being used between the I2RS client and agent as
+ the I2RS architecture [RFC7921] describes.
+
+ Sec-REQ-22: If an I2RS agent or client is tightly correlated with
+ a person, then the I2RS protocol and data models SHOULD provide
+ additional security that protects the person's privacy.
+
+
+
+
+Hares, et al. Informational [Page 16]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ Explanation:
+
+ An I2RS higher-layer protocol uses a management protocol (e.g.,
+ NETCONF, RESTCONF) to pass messages in order to enact I2RS
+ transactions. Role security must secure data (sensitive and normal
+ data) in a router even when it is operating over multiple connections
+ at the same time. NETCONF can run over TLS (over TCP or SCTP) or
+ SSH. RESTCONF runs over HTTP over a secure transport (TLS). SCTP
+ [RFC4960] provides security for multiple streams plus end-to-end
+ transport of data. Some I2RS functions may wish to operate over DTLS
+ [RFC6347], which runs over UDP ([RFC768]) and SCTP ([RFC5764]).
+
+ Please note the security of the connection between application and
+ I2RS client is outside of the I2RS protocol or I2RS interface.
+
+ While I2RS clients are expected to be related to network devices and
+ not individual people, if an I2RS client ran on a person's phone,
+ then privacy protection to anonymize any data relating to a person's
+ identity or location would be needed.
+
+ A variety of forms of management may set policy on roles: "operator-
+ applied knobs", roles that restrict personal access, data models with
+ specific "privacy roles", and access filters.
+
+4.7. Security of the Environment
+
+ The security for the implementation of a protocol also considers the
+ protocol environment. Implementers should review the summary of the
+ I2RS security environment in [RFC7921].
+
+5. IANA Considerations
+
+ This document does not require any IANA actions.
+
+6. Security Considerations
+
+ This is a document about security requirements for the I2RS protocol
+ and data models. Security considerations for the I2RS protocol
+ include both the protocol and the security environment.
+
+
+
+
+
+
+
+
+
+
+
+
+Hares, et al. Informational [Page 17]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+7. References
+
+7.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic
+ Key Management", BCP 107, RFC 4107, DOI 10.17487/RFC4107,
+ June 2005, <https://www.rfc-editor.org/info/rfc4107>.
+
+ [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
+ FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
+ <https://www.rfc-editor.org/info/rfc4949>.
+
+ [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
+ Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
+ 2014, <https://www.rfc-editor.org/info/rfc7258>.
+
+ [RFC7921] Atlas, A., Halpern, J., Hares, S., Ward, D., and T.
+ Nadeau, "An Architecture for the Interface to the Routing
+ System", RFC 7921, DOI 10.17487/RFC7921, June 2016,
+ <https://www.rfc-editor.org/info/rfc7921>.
+
+ [RFC7922] Clarke, J., Salgueiro, G., and C. Pignataro, "Interface to
+ the Routing System (I2RS) Traceability: Framework and
+ Information Model", RFC 7922, DOI 10.17487/RFC7922, June
+ 2016, <https://www.rfc-editor.org/info/rfc7922>.
+
+ [RFC7923] Voit, E., Clemm, A., and A. Gonzalez Prieto, "Requirements
+ for Subscription to YANG Datastores", RFC 7923,
+ DOI 10.17487/RFC7923, June 2016,
+ <https://www.rfc-editor.org/info/rfc7923>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+7.2. Informative References
+
+ [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
+ DOI 10.17487/RFC0768, August 1980,
+ <https://www.rfc-editor.org/info/rfc768>.
+
+
+
+
+
+
+Hares, et al. Informational [Page 18]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, DOI 10.17487/RFC2865, June 2000,
+ <https://www.rfc-editor.org/info/rfc2865>.
+
+ [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
+ RFC 4960, DOI 10.17487/RFC4960, September 2007,
+ <https://www.rfc-editor.org/info/rfc4960>.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246,
+ DOI 10.17487/RFC5246, August 2008,
+ <https://www.rfc-editor.org/info/rfc5246>.
+
+ [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
+ Security (DTLS) Extension to Establish Keys for the Secure
+ Real-time Transport Protocol (SRTP)", RFC 5764,
+ DOI 10.17487/RFC5764, May 2010,
+ <https://www.rfc-editor.org/info/rfc5764>.
+
+ [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
+ and A. Bierman, Ed., "Network Configuration Protocol
+ (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
+ <https://www.rfc-editor.org/info/rfc6241>.
+
+ [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
+ Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
+ January 2012, <https://www.rfc-editor.org/info/rfc6347>.
+
+ [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
+ Protocol (NETCONF) Access Control Model", RFC 6536,
+ DOI 10.17487/RFC6536, March 2012,
+ <https://www.rfc-editor.org/info/rfc6536>.
+
+ [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
+ "Transport Layer Security (TLS) Encryption for RADIUS",
+ RFC 6614, DOI 10.17487/RFC6614, May 2012,
+ <https://www.rfc-editor.org/info/rfc6614>.
+
+ [RFC6733] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn,
+ Ed., "Diameter Base Protocol", RFC 6733,
+ DOI 10.17487/RFC6733, October 2012,
+ <https://www.rfc-editor.org/info/rfc6733>.
+
+ [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
+ Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
+ <https://www.rfc-editor.org/info/rfc8040>.
+
+
+
+
+Hares, et al. Informational [Page 19]
+
+RFC 8241 I2RS Security Requirements September 2017
+
+
+ [RFC8095] Fairhurst, G., Ed., Trammell, B., Ed., and M. Kuehlewind,
+ Ed., "Services Provided by IETF Transport Protocols and
+ Congestion Control Mechanisms", RFC 8095,
+ DOI 10.17487/RFC8095, March 2017,
+ <https://www.rfc-editor.org/info/rfc8095>.
+
+ [RFC8242] Haas, J. and S. Hares, "Interface to the Routing System
+ (I2RS) Ephemeral State Requirements", RFC 8242,
+ DOI 10.17487/RFC8242, September 2017,
+ <http://www.rfc-editor.org/info/rfc8242>.
+
+Acknowledgements
+
+ The authors would like to thank Wes George, Ahmed Abro, Qin Wu, Eric
+ Yu, Joel Halpern, Scott Brim, Nancy Cam-Winget, Dacheng Zhang, Alia
+ Atlas, and Jeff Haas for their contributions to the I2RS security
+ requirements discussion and this document. The authors would like to
+ thank Bob Moskowitz, Kathleen Moriarty, Stephen Farrell, Radia
+ Perlman, Alvaro Retana, Ben Campbell, and Alissa Cooper for their
+ review of these requirements.
+
+Authors' Addresses
+
+ Susan Hares
+ Huawei
+ 7453 Hickory Hill
+ Saline, MI 48176
+ United States of America
+
+ Email: shares@ndzh.com
+
+
+ Daniel Migault
+ Ericsson
+ 8275 Trans Canada Route
+ Saint Laurent, QC H4S
+ Canada
+
+ Email: daniel.migault@ericsson.com
+
+
+ Joel Halpern
+ Ericsson
+ United States of America
+
+ Email: joel.halpern@ericsson.com
+
+
+
+
+
+Hares, et al. Informational [Page 20]
+