draft-ietf-i2rs-protocol-security-requirements-13.txt   draft-ietf-i2rs-protocol-security-requirements-14.txt 
I2RS working group S. Hares I2RS working group S. Hares
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Informational D. Migault Intended status: Informational D. Migault
Expires: March 30, 2017 J. Halpern Expires: March 31, 2017 J. Halpern
Ericsson Ericsson
September 26, 2016 September 27, 2016
I2RS Security Related Requirements I2RS Security Related Requirements
draft-ietf-i2rs-protocol-security-requirements-13 draft-ietf-i2rs-protocol-security-requirements-14
Abstract Abstract
This presents security-related requirements for the I2RS protocol This presents security-related requirements for the I2RS protocol
which provides a new interface to the routing system described in the which provides a new interface to the routing system described in the
I2RS architecture document (RFC7921). The I2RS protocol is a re-use I2RS architecture document (RFC7921). The I2RS protocol is a re-use
protocol implemented by re-using portions of existing IETF protocols protocol implemented by re-using portions of existing IETF protocols
and adding new features to these protocols. The I2RS protocol re- and adding new features to these protocols. The I2RS protocol re-
uses security features of a secure transport (E.g. TLS, SSH, DTLS) uses security features of a secure transport (E.g. TLS, SSH, DTLS)
such as encryption, message integrity, mutual peer authentication, such as encryption, message integrity, mutual peer authentication,
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 30, 2017. This Internet-Draft will expire on March 31, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 46 skipping to change at page 2, line 46
4.4. Multi-Channel Transport: Secure Transport and Insecure 4.4. Multi-Channel Transport: Secure Transport and Insecure
Transport . . . . . . . . . . . . . . . . . . . . . . . . 13 Transport . . . . . . . . . . . . . . . . . . . . . . . . 13
4.5. Management Protocol Security . . . . . . . . . . . . . . 15 4.5. Management Protocol Security . . . . . . . . . . . . . . 15
4.6. Role-Based Data Model Security . . . . . . . . . . . . . 16 4.6. Role-Based Data Model Security . . . . . . . . . . . . . 16
4.7. Security of the environment . . . . . . . . . . . . . . . 17 4.7. Security of the environment . . . . . . . . . . . . . . . 17
5. Security Considerations . . . . . . . . . . . . . . . . . . . 17 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
7. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 17 7. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 17
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.1. Normative References . . . . . . . . . . . . . . . . . . 18 8.1. Normative References . . . . . . . . . . . . . . . . . . 18
8.2. Informative References . . . . . . . . . . . . . . . . . 18 8.2. Informative References . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction 1. Introduction
The Interface to the Routing System (I2RS) provides read and write The Interface to the Routing System (I2RS) provides read and write
access to information and state within the routing system. An I2RS access to information and state within the routing system. An I2RS
client interacts with one or more I2RS agents to collect information client interacts with one or more I2RS agents to collect information
from network routing systems. [RFC7921] describes the architecture from network routing systems. [RFC7921] describes the architecture
of this interface, and this documents assumes the reader is familiar of this interface, and this documents assumes the reader is familiar
with this architecture and its definitions. Section 2 highlights with this architecture and its definitions. Section 2 highlights
skipping to change at page 12, line 5 skipping to change at page 11, line 50
Each I2RS client has a scope based on its identity and the security Each I2RS client has a scope based on its identity and the security
roles (read, write, or events) associated with that identity, and roles (read, write, or events) associated with that identity, and
that scope must be considered in processing an I2RS messages sent on that scope must be considered in processing an I2RS messages sent on
a communication channel. An I2RS communication channel may utilize a communication channel. An I2RS communication channel may utilize
multiple transport sessions, or establish a transport session and multiple transport sessions, or establish a transport session and
then close the transport session. Therefore, it is important that then close the transport session. Therefore, it is important that
the I2RS peers are operating utilizing valid peer identities when a the I2RS peers are operating utilizing valid peer identities when a
message is processed rather than checking if a transport session message is processed rather than checking if a transport session
exists. exists.
During the time period when a secure transport session is active, the
I2RS agent SHOULD assume that the I2RS client's identity remains
valid. Similarly, while a secure connection exists that included
validating the I2RS agent's identity and a message is received via
that connection, the I2RS client SHOULD assume that the I2RS agent's
identity remains valid.
4.3. Peer Identity, Priority, and Client Redundancy 4.3. Peer Identity, Priority, and Client Redundancy
Requirements: Requirements:
SEC-REQ-07: Each I2RS Identifier MUST be associated with just one SEC-REQ-07: Each I2RS Identifier MUST be associated with just one
priority. priority.
SEC-REQ-08: Each Identifier is associated with one secondary SEC-REQ-08: Each Identifier is associated with one secondary
identifier during a particular I2RS transaction (e.g. read/write identifier during a particular I2RS transaction (e.g. read/write
sequence), but the secondary identifier may vary during the time a sequence), but the secondary identifier may vary during the time a
 End of changes. 6 change blocks. 
5 lines changed or deleted 12 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/