Last Call Review of draft-ietf-opsawg-model-automation-framework-06
review-ietf-opsawg-model-automation-framework-06-secdir-lc-huitema-2020-10-03-00

Request Review of draft-ietf-opsawg-model-automation-framework
Requested rev. no specific revision (document currently at 07)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-10-08
Requested 2020-09-24
Authors Qin Wu, Mohamed Boucadair, Diego Lopez, Chongfeng Xie, Liang Geng
Draft last updated 2020-10-03
Completed reviews Secdir Last Call review of -06 by Christian Huitema (diff)
Tsvart Last Call review of -06 by Tommy Pauly (diff)
Genart Last Call review of -07 by Ines Robles
Assignment Reviewer Christian Huitema 
State Completed
Review review-ietf-opsawg-model-automation-framework-06-secdir-lc-huitema-2020-10-03
Posted at https://mailarchive.ietf.org/arch/msg/secdir/ODGW1uy3D0JAAy3dz-Pb9ILrOVg
Reviewed rev. 06 (document currently at 07)
Review result Has Issues
Review completed: 2020-10-03

Review
review-ietf-opsawg-model-automation-framework-06-secdir-lc-huitema-2020-10-03

The document proposes an architecture for describing and provisioning services such as L3VPN or L2VPN. This is an ambitious architecture, aiming at providing end-to-end services over concatenations of network services provided by independent providers. I am concerned that the model does not expose trust boundaries during these providers, and that the security section does not discuss what happens when some providers try to game the system or otherwise fail to cooperate.

The architecture organizes functions in three levels, service, network and device. Creation of services will trigger requirements on the networks, and then configuration of devices. Performance monitoring at the device level will inform service assurance and service optimizatio at the network level, and service assurance, optimization and diagnostic at the service level. The configurations and the performance measurements are described using Yang models.

The Yang modules are designed to be accessed through secrure protocols, such as NETCONF over SSH or RESTCONF over HTTPS. This provides authentication of the servers and protection of the data, and allows implementation of access control. That's a good basis, but these processes only secure "point to point" interfaces between functions in the system. This presupposes honest cooperation between all actors, despite the fact that those actors often are in competition.

The security considerations consider misconfiguration attacks such as the creation of forwarding loops, leakage of sensitive information, and traffic isolation issues. These are all interesting issues, but they are only mentioned in the architecture document as guidelines for the future development of actual services. I think issues such as the protection of sensitive information should be developed in the model itself, because they are generic. The document articulates a hierarchy of Yang modules. Why does it not articulate the trust boundaries between the different actors?

In addition to three classes of issues listed in the security considerations, I am also concerned with possibilities of retaining or falsifying data. What if an actor hides or fakes performance monitoring data, either out of malice or due to faulty equipement? Will that disrupt the provision of the services? What tools are available to detect such behavior? What if a network provide overpromises, in order to attract contracts? I understand that the ultimate remedies lies in contract obligations and contract enforcement, but that enforcement has to be based on data. How is the architectur organizing the collection of the data?

On a side note, I find that this architecture cites a large number of other drafts such as evpn, l2vpn, l3vpn, etc. These drafts in turn presumably cite the architecture, thus forcing the RFC production to organize all of them in a large publication cluster. Is it really required for the architecture document to cite all the documents that will later use it?