Hi, Susan, On Fri, Aug 19, 2016 at 8:19 AM, Susan Hares <[email protected]> wrote:
> Spencer: > > > > You as asking if: > > > > 1) Can Yang Models be revised? - there is a revision tag on the > Yang model. > > 2) How long it takes to deploy revised models in the Internet, and > old-models to be timed out? This is an operational question on yang models > that no one has experience to determine. Andy suggest that the deployment > time is 20 years (the Age of the Commercial internet – 1996 -2016) rather > than the age of the Internet (1987-2016). > > > > However, the real question you should have asked is: Can operators deploy > models which are marked as “non-secure transport” with a secure transport? > I understood that part. My question was how long it would likely take them to switch to a secure transport if they had deployed a model with an insecure transport and figured out that was problematic. Thanks for the explanation. It was helpful. Spencer > The answer is yes. In fact, several operators in I2RS stated that all > I2RS protocol communication needed to be secure. Therefore, if the > people found out that a model was problematic to be insecure – operators > and vendors would simply turn the deployment knob switch that says – deploy > this always with a secure transport rather than optionally allow an > insecure transport. > > > > Now, the real problem is if the IESG has been cycling on this concept – > the text needs to change. I’m going to go ahead and release a > version-09.txt that tries to make this very clear. Please comment on that > text to help make this clear. > > > > Sue > > > > > > *From:* Spencer Dawkins at IETF [mailto:[email protected]] > *Sent:* Friday, August 19, 2016 9:08 AM > *To:* Andy Bierman > *Cc:* Susan Hares; [email protected]; Alissa Cooper; Juergen Schoenwaelder; > [email protected]; Kathleen Moriarty; IESG; Jeffrey Haas; Joel > Halpern; [email protected] > *Subject:* Re: [i2rs] Kathleen Moriarty's Discuss on > draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and > COMMENT) > > > > Dear All, > > > > On Thu, Aug 18, 2016 at 3:02 PM, Andy Bierman <[email protected]> wrote: > > > > > > On Thu, Aug 18, 2016 at 12:44 PM, Susan Hares <[email protected]> wrote: > > Andy: > > > > Thank you – I thought it was on whether we could implement insecure > transport in a Yang module. > > > > The requirement text you are working with is: > > > > SEC-REQ-08: The I2RS protocol MUST be able to transfer data over a > secure transport and optionally MAY be able to transfer data over a > non-secure transport. > > > > I do not understand why approving the ok for non-secure transport for some > modules means the following to you: > > > > *“ the IETF needs to agree that there could never possibly be any > deployment that would not want to allow exposure of the data.* > > *Not now. Not 20 years from now.”* > > > > > > > > As I understand it, this requirement has another requirement associated > with it > > that says the data has to be identified as OK-for-nonsecure-transport. > > > > An extension in the data model says that all instances of the object in > > all possible deployments cannot be considered sensistive and therefore > > needs disclosure protection. > > > > It may seem like even a simple octet counter is safe to send in the clear, > > but not if that opens up correlation attacks. (e.g., I can send data to > some > > host. I can see that index 455992 is incrementing the in-octets counters > > in a way that strongly correlates to my test traffic. Therefore I can > learn > > that arbitrary index 455992 is really John Doe or really suite #14, etc. > > > > Since Kathleen asked what other ADs were thinking ... > > > > I'm current on this thread, as of the time I'm sending my note, but > replying to Andy's note because it's poking where I am poking. > > > > So, if (say) an octet counter is considered safe to send in the clear, and > a Yang model that reflects that is approved and widely deployed, and then > someone realizes that it's not safe to send in the clear, is that a big > deal to fix, and get the updated Yang model widely deployed? > > > > My opinion on this point has a lot to do with how hard it is to recover if > a Yang model gets this wrong ... > > > > My apologies for not understanding enough about Yang and I2RS to be able > to answer my own question, of course. > > > > Thanks, > > > > Spencer >
_______________________________________________ i2rs mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2rs
