Last Call Review of draft-ietf-anima-reference-model-06
review-ietf-anima-reference-model-06-secdir-lc-perlman-2018-08-23-00

Request Review of draft-ietf-anima-reference-model
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-08-21
Requested 2018-08-07
Other Reviews Rtgdir Telechat review of -07 by Christian Hopps (diff)
Opsdir Last Call review of -06 by Tianran Zhou (diff)
Genart Last Call review of -06 by Joel Halpern (diff)
Genart Telechat review of -08 by Joel Halpern
Review State Completed
Reviewer Radia Perlman
Review review-ietf-anima-reference-model-06-secdir-lc-perlman-2018-08-23
Posted at https://mailarchive.ietf.org/arch/msg/secdir/8iynHg0xwspOrcsI7hdhuOqdLU4
Reviewed rev. 06 (document currently at 08)
Review result Ready
Draft last updated 2018-08-23
Review completed: 2018-08-23

Review
review-ietf-anima-reference-model-06-secdir-lc-perlman-2018-08-23

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.

These comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

This document is an overview document (intended as informational)
introducing a large collection of I-Ds (intended as Proposed) describing
autonomic networking. Aimed at the Internet of Things with devices with
very little in the way of user interface other than over the network, the
design goal is to be maximally auto-configuring. Security is bootstrapped
using private keys and certificates installed by the manufacturer, where the
first goal is to join new devices to some sort of domain.

The most suspicious thing from a security standpoint is that it appears all
of the devices in a domain implicitly trust one another. This means that
bringing in the proverbial light bulb into your house could compromise your
whole house if the light bulb had a Trojan horse installed or some sort of
bug that allowed it to be compromised. There is some mention of addressing
this issue in the future, but unless I’m misunderstanding the approach this
seems like a very dangerous thing to deploy even initially. It makes much
more sense for each installed device to first become manageable by a single
other device in the domain. That first management device could cautiously
expand trust further.

The dangers are well summarized in Section 9 (Security Considerations).
Section 9.2 includes this text:

   The above threats are in principle comparable to other solutions: In
   the presence of design, implementation or operational errors,
   security is no longer guaranteed. However, the distributed nature of
   AN, specifically the Autonomic Control Plane, increases the threat
   surface significantly. For example, a compromised device may have
   full IP reachability to all other devices inside the ACP, and can use
   all AN methods and protocols.

   For the next phase of the ANIMA work it is therefore recommended to
   introduce a sub-domain security model, to reduce the attack surface
   and not expose a full domain to a potential intruder. Furthermore,
   additional security mechanisms on the ASA level should be considered
   for high-risk autonomic functions.