Kathleen Moriarty has entered the following ballot position for
draft-ietf-i2rs-protocol-security-requirements-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks for your work on this draft.  There may be some overlap in points,
I tried to minimize them...
----
Section 3.1:

I don't see any actual requirements for mutual authentication in this
section, just requirements for identifiers.  Did I miss something?

Are all mutual auth schemes in scope?  Are there any considerations for
mutual authentication (passwords, keys, etc.)?
----
I share the same concern as others for secure transport, but since there
are already discusses on that, I have one comment to add to the existing
discusses below.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 3: 
Can you clarify the second to last sentence?  Do you mean there are
sections that indicate an insecure transport should be used?

   I2RS allows the use of an
   insecure transport for portions of data models that clearly indicate
   insecure transport.

Perhaps:
   I2RS allows the use of an
   insecure transport for portions of data models that clearly indicate
the use of an
   insecure transport.
----
Section 3.2
I agree with Alissa's discuss point on the following sentence (that could
also be reworded a bit):
   A non-secure transport can be can be used for publishing telemetry
   data or other operational state that was specifically indicated to
   non-confidential in the data model in the Yang syntax.
----
Section 3.4: In the following text:
   SEC-REQ-15: The integrity that the message data is not repeated means
   that I2RS client to I2RS agent transport SHOULD protect against
   replay attack

I'm not sure why this just doesn't say:
   SEC-REQ-15: I2RS client to I2RS agent transport SHOULD protect
against
   replay attack

The additional text doesn't add anything and sounds a bit confusing. 
----
Nit:

I'm not sure these definitions add any value as they seem to restate the
term defined:

   I2RS protocol data integrity

      The transfer of data via the I2RS protocol has the property of
      data integrity described in [RFC4949].

   I2RS component protocols

      Protocols which are combined to create the I2RS protocol.
-----

I also agree that the definitions from 4949 should be removed.

Thank you in advance.