RE: R41 in draft-ietf-v6ops-cpe-simple-security-07

["Stark, Barbara" <bs7652@att.com>]

> Okay.  I'll leave R41 in the draft for now.  I think anybody in favor
> of removing it should bring rebuttals to the arguments already
> provided for leaving it in place.  As an individual contributor, I
> don't have any.

Fair enough. Here are my arguments.

R41 is not a core part of the simple-security "capability". It is about
how to manage this capability.

Frequently, consumer router vendors do not create their own firewall
code. They purchase it from some other vendor, such as Wind River. The
purchased application comes with APIs that allow the gateway vendor to
build management interfaces for it. The app vendor has no control over
the security requirements, IPR requirements, or use of specific
protocols of such management interfaces. Or even the existence or
non-existence of such interfaces. IMO, to include requirements around
existence, security, or IPR of management interfaces as a core part of
the description of the capability weakens the resulting RFC,
significantly. 

With that said, I'd like to suggest an alternative approach.

draft-ietf-opsawg-operations-and-management-08 describes a Management
Considerations document section, and what info would need to go into it.
It's my understanding that this is soon to be a BCP, and that there are
serious thoughts of requiring it for new protocol specs. While
simple-security isn't a protocol spec, I think that much of the
philosophy around a Management Considerations section could easily apply
to it. For example, it could recommend what sort of management info
needs to be made accessible (parameters that should be available for
reading, and parameters available for writing). It could recommend that
certain types of management interfaces exist (such as those needed by
passive listeners for automated behavior), and that these interfaces be
secured. It might even be appropriate to make some performance
recommendations around simple-security (like it better not add
noticeable latency). 

Note that this applies to R42, as well.

This sounds like a big task, though, and maybe not something that a
draft getting ready for Last Call would want to take on. But perhaps it
could be kept fairly brief. At a minimum, the "Passive Listeners"
section might be moved to a "Management Considerations" section.

In any case, I don't think that the 2nd sentence of R41 is appropriate.
There are many management protocols that are in common use that do not
meet IETF IPR requirements, but that manage IETF-created protocols and
capabilities. Manufacturers of consumer routers will include the
management capabilities that consumers want. If this statement conflicts
with what consumers want, then this statement will be ignored. Putting
in MUST statements that are likely to be ignored is a bad idea.

Barbara

*****

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers. GA623