John,

Thanks for the review and comment.  I absolutely agree.
Joel mentioned that we'd missed the agent authentication requirement.
It will have to be in the next version.

Any other feedback or suggestions?

Alia


On Thu, Feb 20, 2014 at 8:00 AM, John Mattsson <[email protected]> wrote:

> Hi,
>
> Reading draft-ietf-i2rs-architecture-02 I notice that the draft only talks
> about "client authentication" with the possible exception of:
>
> "all control exchanges between the I2RS client and agent should be
> authenticated and integrity protected" (Which could indicate that messages
> from the agent are authenticated and not only integrity protected.)
>
> My view is that the client and the agent should always be mutually
> authenticated. Otherwise I2RS is open for attacks with fake agents falsely
> claiming to be a Routing Element.
>
> E.g. the current draft of "ETSI Network Functions Virtualisation (NFV);
> NFV Security; Problem Statement" states that:
>
> "It is important, of course, for there to be two-way authentication
> between the controller and switching/routing entities. Should the
> controller be spoofed, the switching fabric is at risk of being taken over
> and misused. On the other hand, should the switches be spoofed, there are
> equally concerning issues:
>
> The intended topology of the virtual network may be revealed to an attack,
> yielding useful mapping and attack data;
>
> The controller, which should act as a trusted holder of knowledge of the
> state of the network, ceases to hold this role.
> "
>
> In any case, text talking about the requirements on agent authentication
> should be added to the architecture draft.
>
>
>
> - Small editorial in section 4:
> "requires integrity, privacy and replay protection." -> "requires
> integrity, confidentiality and replay protection."
>
>
> ---------------------------------------------------------------------------
> JOHN MATTSSON
> MSc Engineering Physics, MSc Business Administration and Economics
> Ericsson IEFT Security Coordinator
> Senior Researcher, Security
>
> Ericsson AB
> Security Research
> Färögatan 6
> SE-164 80 Stockholm, Sweden
> Phone +46 10 71 43 501
> SMS/MMS +46 76 11 53 501
> [email protected]
>
> _______________________________________________
> i2rs mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/i2rs
>