Last Call Review of draft-ietf-anima-reference-model-06

Request Review of draft-ietf-anima-reference-model
Requested revision No specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-08-21
Requested 2018-08-07
Authors Michael H. Behringer , Brian E. Carpenter , Toerless Eckert , Laurent Ciavaglia , Jéferson Campos Nobre
Draft last updated 2018-08-23
Completed reviews Rtgdir Telechat review of -07 by Christian Hopps (diff)
Opsdir Last Call review of -06 by Tianran Zhou (diff)
Genart Last Call review of -06 by Joel M. Halpern (diff)
Secdir Last Call review of -06 by Radia Perlman (diff)
Genart Telechat review of -08 by Joel M. Halpern (diff)
Assignment Reviewer Radia Perlman
State Completed
Review review-ietf-anima-reference-model-06-secdir-lc-perlman-2018-08-23
Reviewed revision 06 (document currently at 10)
Result Ready
Completed 2018-08-23
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.

These comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

This document is an overview document (intended as informational)
introducing a large collection of I-Ds (intended as Proposed) describing
autonomic networking. Aimed at the Internet of Things with devices with
very little in the way of user interface other than over the network, the
design goal is to be maximally auto-configuring. Security is bootstrapped
using private keys and certificates installed by the manufacturer, where the
first goal is to join new devices to some sort of domain.

The most suspicious thing from a security standpoint is that it appears all
of the devices in a domain implicitly trust one another. This means that
bringing in the proverbial light bulb into your house could compromise your
whole house if the light bulb had a Trojan horse installed or some sort of
bug that allowed it to be compromised. There is some mention of addressing
this issue in the future, but unless I’m misunderstanding the approach this
seems like a very dangerous thing to deploy even initially. It makes much
more sense for each installed device to first become manageable by a single
other device in the domain. That first management device could cautiously
expand trust further.

The dangers are well summarized in Section 9 (Security Considerations).
Section 9.2 includes this text:

   The above threats are in principle comparable to other solutions: In
   the presence of design, implementation or operational errors,
   security is no longer guaranteed. However, the distributed nature of
   AN, specifically the Autonomic Control Plane, increases the threat
   surface significantly. For example, a compromised device may have
   full IP reachability to all other devices inside the ACP, and can use
   all AN methods and protocols.

   For the next phase of the ANIMA work it is therefore recommended to
   introduce a sub-domain security model, to reduce the attack surface
   and not expose a full domain to a potential intruder. Furthermore,
   additional security mechanisms on the ASA level should be considered
   for high-risk autonomic functions.