Hi Sue,

On 21/04/16 19:59, Susan Hares wrote:
> Stephen:
>
> I have added another section in the security consideration section:
>
> 4.4. I2RS in Personal Devices
>
> If an I2RS agent or I2RS client is tightly correlated with a person
> (such as if an I2RS agent is running on someone's phone to control
> tethering) then this usage can raise privacy issues, over and above
> the security issues normally need to be handled in I2RS. One example
> of an I2RS interaction that could raise privacy issues, is if the
> I2RS interaction enabled easier location tracking of a person's
> phone. The I2RS protocol and data models should consider if privacy
> issues can arise when clients or agents are used for such use-cases.
>
> Does this address your issue with privacy issues?

Well, given that those are almost exactly the words I suggested
below, sure, they're good enough:-)

Cheers,
S.

>
> Sue Hares
>
> -----Original Message-----
> From: Stephen Farrell [mailto:[email protected]]
> Sent: Thursday, March 17, 2016 9:28 AM
> To: Joel Halpern; Susan Hares; 'The IESG'
> Cc: [email protected]; [email protected]; [email protected];
> [email protected]
> Subject: Re: Stephen Farrell's No Objection on
> draft-ietf-i2rs-architecture-13: (with COMMENT)
>
>
>
> On 17/03/16 13:25, Joel Halpern wrote:
>> Can you suggest wording to add to the architecture document to reflect this
>> consideration?
>
> Maybe something along the lines of:
>
> "If an i2rs agent or client is such that it is likely
> tightly correlated with a person (say if an agent is
> running on someone's phone to control tethering) then
> that can raise privacy issues, over and above the
> security and privacy issues that normally need to be
> handled in i2rs. For example, if an i2rs interaction
> enabled easier location tracking in the above example.
> i2rs protocols should consider if such privacy issues
> can arise when clients or agents are used for such
> use-cases."
>
> Cheers
> S.
>
>
>>
>> Yours,
>> Joel
>>
>> -----Original Message-----
>> From: Stephen Farrell [mailto:[email protected]]
>> Sent: Thursday, March 17, 2016 2:23 PM
>> To: Joel Halpern; Susan Hares; 'The IESG'
>> Cc: [email protected]; [email protected]; [email protected];
>> [email protected]
>> Subject: Re: Stephen Farrell's No Objection on
>> draft-ietf-i2rs-architecture-13: (with COMMENT)
>>
>>
>>
>> On 17/03/16 13:15, Joel Halpern wrote:
>>> I would hope that I2RS could be used for that (applying policy to home
>>> devices) use case.
>>
>> Ah. Good to know.
>>
>>>
>>> But I am not at all clear how I2RS could protect the IP address of the
>>> router containing the communicating I2RS agent. We have to have an
>>> available IP address for IP Routing.
>>
>> I didn't say it needed protecting (as in encrypting) necessarily,
>> but that it could be more sensitive.
>>
>>>
>>> I am also not clear why this IP address is particularly more sensitive
>>> than an enterprise device IP address, or a router inside an ISP.
>>
>> In general, if an identifier is also something one can correlate
>> with a person, or with a person's movements or presence, then it
>> is more privacy sensitive. If you can tell I'm at home because of
>> an i2rs event say.
>>
>> For a router on the 4th floor of an office building, those are
>> less likely interesting issues.
>>
>> In the home case, one needs to think more about such stuff than
>> in the office case basically.
>>
>> Whether/how that impacts on protocol design is hard to say. But
>> it's good to know that it's something that i2rs needs to consider.
>>
>> Cheers,
>> S.
>>
>>
>>>
>>> Yours,
>>> Joel
>>>
>>> -----Original Message-----
>>> From: Stephen Farrell [mailto:[email protected]]
>>> Sent: Thursday, March 17, 2016 2:11 PM
>>> To: Susan Hares; 'The IESG'
>>> Cc: [email protected]; [email protected];
>>> [email protected]; [email protected]
>>> Subject: Re: Stephen Farrell's No Objection on
>>> draft-ietf-i2rs-architecture-13: (with COMMENT)
>>>
>>>
>>> Hiya,
>>>
>>> Just on that one point (the rest seems fine):
>>>
>>> On 17/03/16 13:00, Susan Hares wrote:
>>>>>> - If i2rs were used to control home networks, then that would
>>>>>> raise more privacy issues, e.g. the agent's IP address can be
>>>>>> privacy sensitive. Would it be useful to rule that out of
>>>>>> scope? E.g. to say that i2rs SHOULD NOT be used where the
>>>>>> agent/router in question is specific to one person or home?
>>>
>>>> Sue: I'm really not sure what you are getting at. Data in routers
>>>> is privacy sensitive. Data between I2RS Agent and I2RS client will be
>>>> encrypted except in very, very rare circumstances where it is defined
>>>> to be public data in the data model. SECDIR, OPSDIR, RTGWG,
>>>> Transport-directorate will be asked to review any IETF data model
>>>> that claims this is the case to validate it is appropriate. So... I
>>>> think we are going beyond what people use for home networks.
>>>
>>> Let's assume all client/agent stuff is wonderfully protected
>>> e.g. via TLS.
>>>
>>> Normally, the fact that a client at IP1 is managing an agent at
>>> IP2, which is still visible despite the TLS, is not much of a
>>> deal. Nor is it a deal when that happens, e.g. in reaction to
>>> some other event, perhaps even one triggered by an attacker.
>>>
>>> But if the agent is my home g/w, then the sensitivity level goes
>>> up I think, or at least it can. The reason is that the agent's
>>> address (IP2) is tied to me. If the agent was on my phone (e.g.
>>> for tethering) then it'd be even more of a deal perhaps, as I
>>> carry it with me.
>>>
>>> If i2rs just isn't intended for such use-cases, it may be worth
>>> saying that was all I meant.
>>>
>>> Cheers,
>>> S.
>>>
>>>
>>>>
>>>
>>
>
>
_______________________________________________
i2rs mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2rs
