IETF Logo Mail Archive

Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib

Simon Perreault <simon.perreault@viagenie.ca> Thu, 30 May 2013 09:47 UTC

Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9476921F8FEC for <behave@ietfa.amsl.com>; Thu, 30 May 2013 02:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.691
X-Spam-Level:
X-Spam-Status: No, score=-0.691 tagged_above=-999 required=5 tests=[AWL=-1.824, BAYES_00=-2.599, FM_ASCII_ART_SPACINGc=0.833, J_CHICKENPOX_74=0.6, MANGLED_PAIN=2.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eC2PJZQlVwEB for <behave@ietfa.amsl.com>; Thu, 30 May 2013 02:47:48 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id 8FDD121F8F9E for <behave@ietf.org>; Thu, 30 May 2013 02:47:47 -0700 (PDT)
Received: from porto.nomis80.org (unknown [IPv6:2620:0:230:2001::1000]) by jazz.viagenie.ca (Postfix) with ESMTPSA id E208E4689C; Thu, 30 May 2013 05:47:45 -0400 (EDT)
Message-ID: <51A72041.6060208@viagenie.ca>
Date: Thu, 30 May 2013 11:47:45 +0200
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130514 Thunderbird/17.0.6
MIME-Version: 1.0
To: Dave Thaler <dthaler@microsoft.com>
References: <7bc37af6cf764c2e965778b6b265a2d4@BY2PR03MB269.namprd03.prod.outlook.com> <ba99d2de63904656992c45255161910a@BY2PR03MB269.namprd03.prod.outlook.com>
In-Reply-To: <ba99d2de63904656992c45255161910a@BY2PR03MB269.namprd03.prod.outlook.com>
Content-Type: multipart/mixed; boundary="------------020306010209090309010503"
X-Mailman-Approved-At: Thu, 30 May 2013 10:10:25 -0700
Cc: "behave@ietf.org" <behave@ietf.org>, "draft-ietf-behave-nat-mib@tools.ietf.org" <draft-ietf-behave-nat-mib@tools.ietf.org>
Subject: Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 09:47:59 -0000

Le 2013-05-29 23:42, Dave Thaler a écrit :
> Some initial items noticed by document shepherd (me):
>
> 1) Section 5 of the current draft has
> " Some of the readable objects in this MIB module (i.e., objects with a
>     MAX-ACCESS other than not-accessible) may be considered sensitive or
>     vulnerable in some network environments.  It is thus important to
>     control even GET and/or NOTIFY access to these objects and possibly
>     to even encrypt the values of these objects when sending them over
>     the network via SNMP."
>
> Per http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security
> that's supposed to be followed with
> " These are the tables and objects and their
>     sensitivity/vulnerability:
>
>      <list the tables and objects and state why they are sensitive>"
>
> Also the document has 2 paragraphs of text
> "There are a number of managed objects in this MIB that may contain
> ...
> versions of SNMP provide features for such a secure environment."
> which do not appear in the current MIB boilerplate at the link above.
> Should those 2 paragraphs be removed?

How about this as a replacement?

    Some of the readable objects in this MIB module (i.e., objects with a
    MAX-ACCESS other than not-accessible) may be considered sensitive or
    vulnerable in some network environments.  It is thus important to
    control even GET and/or NOTIFY access to these objects and possibly
    to even encrypt the values of these objects when sending them over
    the network via SNMP.  These are the tables and objects and their
    sensitivity/vulnerability:

    Objects that reveal host identities:  Various objects can reveal the
       identity of private hosts that are engaged in a session with
       external end nodes.  A curious outsider could monitor these to
       assess the number of private hosts being supported by the NAT
       device.  Further, a disgruntled former employee of an enterprise
       could use the information to break into specific private hosts by
       intercepting the existing sessions or originating new sessions
       into the host.

       *  natMapIntAddrType

       *  natMapIntAddrInt

       *  natMapIntAddrExt

       *  natMappingIntRealm

       *  natMappingIntAddressType

       *  natMappingIntAddress

       *  natMappingIntPort

       *  natMappingMapBehavior

       *  natMappingFilterBehavior

       *  natMappingAddressPooling

       *  natSubscriberIntPrefixType

       *  natSubscriberIntPrefix

       *  natSubscriberIntPrefixLength

    Other objects that reveal NAT state:  Other managed objects in this
       MIB may contain information that may be sensitive from a business
       perspective, in that they may represent NAT state information.

       *  natCntAddressMappings

       *  natCntProtocolMappings

       *  natPoolUsage

       *  natPoolRangeAllocatedPorts

       *  natSubscriberCntMappings

    There are no objects that are sensitive in their own right, such as
    passwords or monetary amounts.

> 2) Section 5 contains MUST, SHOULD, etc.   But the document is missing
> the boilerplate reference to RFC 2119.

*gasp*

Added.

> 3) Section 6 does not say whether any additional actions for IANA
> are needed.  Suggest adding "No IANA actions are required by this document."

Added.

> 4) The MIB compiler I used complained about this:
>> natMappingPool OBJECT-TYPE
>>      SYNTAX NatPoolId (0|1..4294967295)
> Because of
>> NatPoolId ::= TEXTUAL-CONVENTION
>>      SYNTAX Unsigned32 (1..4294967295)
>
> That is, NatPoolId does not allow 0, and so natMappingPool cannot add it
> and still use the NatPoolId syntax.

Hmmmm... Would it be OK if I changed natMappingPool to an Unsigned32?

natMappingPool OBJECT-TYPE
     SYNTAX Unsigned32 (0|1..4294967295)

Updated draft is attached.

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca

v2.23.0 | Report a Bug | By Email