Last Call Review of draft-ietf-anima-reference-model-06
review-ietf-anima-reference-model-06-secdir-lc-perlman-2018-08-23-00
| Request | Review of | draft-ietf-anima-reference-model |
|---|---|---|
| Requested revision | No specific revision (document currently at 10) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2018-08-21 | |
| Requested | 2018-08-07 | |
| Authors | Michael H. Behringer , Brian E. Carpenter , Toerless Eckert , Laurent Ciavaglia , Jéferson Campos Nobre | |
| I-D last updated | 2018-08-23 | |
| Completed reviews |
Rtgdir Telechat review of -07
by Christian Hopps
(diff)
Opsdir Last Call review of -06 by Tianran Zhou (diff) Genart Last Call review of -06 by Joel M. Halpern (diff) Secdir Last Call review of -06 by Radia Perlman (diff) Genart Telechat review of -08 by Joel M. Halpern (diff) |
|
| Assignment | Reviewer | Radia Perlman |
| State | Completed | |
| Request | Last Call review on draft-ietf-anima-reference-model by Security Area Directorate Assigned | |
| Reviewed revision | 06 (document currently at 10) | |
| Result | Ready | |
| Completed | 2018-08-23 |
review-ietf-anima-reference-model-06-secdir-lc-perlman-2018-08-23-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document is an overview document (intended as informational) introducing a large collection of I-Ds (intended as Proposed) describing autonomic networking. Aimed at the Internet of Things with devices with very little in the way of user interface other than over the network, the design goal is to be maximally auto-configuring. Security is bootstrapped using private keys and certificates installed by the manufacturer, where to first goal is to join new devices to some sort of domain. The most suspicious thing from a security standpoint is that it appears all of the devices in a domain implicitly trust one another. This means that bringing in the proverbial light bulb into your house could compromise your whole house if the light bulb had a Trojan horse installed or some sort of bug that allowed it to be compromised. There is some mention of addressing this issue in the future, but unless I’m misunderstanding the approach this seems like a very dangerous thing to deploy even initially. It makes much more sense for each installed device to first become manageable by a single other device in the domain. That first management device could cautiously expand trust further. The dangers are well summarized in Section 9 (Security Considerations). Section 9.2 includes this text: The above threats are in principle comparable to other solutions: In the presence of design, implementation or operational errors, security is no longer guaranteed. However, the distributed nature of AN, specifically the Autonomic Control Plane, increases the threat surface significantly. For example, a compromised device may have full IP reachability to all other devices inside the ACP, and can use all AN methods and protocols. For the next phase of the ANIMA work it is therefore recommended to introduce a sub-domain security model, to reduce the attack surface and not expose a full domain to a potential intruder. Furthermore, additional security mechanisms on the ASA level should be considered for high-risk autonomic functions.