Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib

"ietfdbh" <ietfdbh@comcast.net> Fri, 31 May 2013 13:48 UTC

Return-Path: <ietfdbh@comcast.net>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7814221F96E1 for <behave@ietfa.amsl.com>; Fri, 31 May 2013 06:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.437
X-Spam-Level:
X-Spam-Status: No, score=-100.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DY1IYIvxx32q for <behave@ietfa.amsl.com>; Fri, 31 May 2013 06:47:59 -0700 (PDT)
Received: from qmta02.westchester.pa.mail.comcast.net (qmta02.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:24]) by ietfa.amsl.com (Postfix) with ESMTP id 64CB121F969C for <behave@ietf.org>; Fri, 31 May 2013 06:47:59 -0700 (PDT)
Received: from omta18.westchester.pa.mail.comcast.net ([76.96.62.90]) by qmta02.westchester.pa.mail.comcast.net with comcast id iban1l0031wpRvQ51dnyw3; Fri, 31 May 2013 13:47:58 +0000
Received: from JV6RVH1 ([67.189.237.137]) by omta18.westchester.pa.mail.comcast.net with comcast id idnx1l00S2yZEBF3ednxej; Fri, 31 May 2013 13:47:58 +0000
From: "ietfdbh" <ietfdbh@comcast.net>
To: "'Simon Perreault'" <simon.perreault@viagenie.ca>, "'Dave Thaler'" <dthaler@microsoft.com>
References: <7bc37af6cf764c2e965778b6b265a2d4@BY2PR03MB269.namprd03.prod.outlook.com> <ba99d2de63904656992c45255161910a@BY2PR03MB269.namprd03.prod.outlook.com> <51A72041.6060208@viagenie.ca> <2d6b12df967d4faf8fcfd6d6891b2ca2@BN1PR03MB267.namprd03.prod.outlook.com> <51A8565B.5070700@viagenie.ca>
In-Reply-To: <51A8565B.5070700@viagenie.ca>
Date: Fri, 31 May 2013 09:47:41 -0400
Message-ID: <004a01ce5e05$6bf10c90$43d325b0$@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJBxKJNP60xDQ0hdWTuJWe6MT5M0gKTgyxEAo3yDToCQZO96AGHXu79l/EandA=
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1370008078; bh=B2IpskxIYdgMQEAMlybG8dAGz9zhGawck42yokzCoF0=; h=Received:Received:From:To:Subject:Date:Message-ID:MIME-Version: Content-Type; b=bytcFEMmrxDYXTBVCvnyPszhCCq57UekmVJdzkM5vcSQy7aeTKlQUe2XEWJW3gqCZ j9WqUFoECYmTlbsETjpgKILfZ+Dy2mOPek1GTS7bK109C62Aa8owZzXxo0Pud2Rpp7 nPAkVyLN3j8w0+EgT/0gl7x1rtro3/COyb/NSF87nAzl8K5A3GTAP9y3rWZxEuGPWC Y4LuN72sM0xzebNQPTxPeAGhFwGfdVMtBL6L9D1Grc4tWeCUdJyr1TKacbPWjkAxTs sL1xi1he3UXXTyV77S/5WH6eVbjbDbHbUbVpup8JINqaRA1G7Vj+1Hr77gWsCepGek /hQVjlYxuQEkw==
Cc: draft-ietf-behave-nat-mib@tools.ietf.org, behave@ietf.org
Subject: Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 13:48:06 -0000

Hi,

Three things.

1) A while back, I suggested that, if you are deprecating all of the NAT-MIB
in rfc4008, that it would be better to do this as a separate document from
the NEW-NAT-MIB (or whatever the new module gets called). Simon asked me to
get consensus from the MIB Doctors.

I checked with the MIB Doctor list, and only got one reply - from Juergen,
who apparently recommended a single document. His response:
" I have probably been pushing them into this because at the beginning it
was not really clear why the existing NAT-MIB is fatally flawed such that it
needs a complete replacement. If the behave WG has meanwhile reached
consensus that indeed the existing NAT-MIB is fatally flawed and needs a
complete replacement, then indeed what you suggest makes sense. I assume the
WG has checked with those who have implementations of the existing NAT-MIB
(if any) that they agree on a need for a complete new MIB."

2) Since deprecated objects are not obsoleted, I think new security
considerations might be called for relating to the deprecated objects -
especially if there are security implications of implementing BOTH the
current and deprecated objects. 

Some NMS applications will support only the old MIB module; others may
support only the new MIB module. Some agents will want to implement both, to
make their devices manageable from either type of NMS application. Some NMS
applications will want to support both, to deal with both legacy and new
agents. 

MIB modules often make information available that could potentially be used
by attackers. 
Are there particular risks involved in exposing the information of these two
NAT-MIBs in combination? 
Are there potential risks associated with the potential confusion of looking
at a NAT from the different perspectives used by these two NAT MIB
approaches?

3) I notice there is no "Operational Considerations" section. I wonder if
one is called for here, because operators may be faced with NMS applications
and/or agents that support both the deprecated and the new MIB module. What
should operators (and NMS applications) do with this potentially conflicting
information? What should they explicitly NOT do? E.g., What assumptions
should they NOT make about the relationships between specific objects in the
old and new versions?

My impression is that the old and the new MIB modules might be appropriate
depending on the environment in which they exist, and the old MIB is
implemented (to whatever degree of compliance) in existing legacy devices,
so simply saying "never use the old MIB" is not going to be an acceptable
approach. 

David Harrington
ietfdbh@comcast.net
+1-603-828-1401
-----Original Message-----
From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf Of
Simon Perreault
Sent: Friday, May 31, 2013 3:51 AM
To: Dave Thaler
Cc: behave@ietf.org; draft-ietf-behave-nat-mib@tools.ietf.org
Subject: Re: [BEHAVE] WGLC on draft-ietf-behave-nat-mib

Le 2013-05-30 21:38, Dave Thaler a écrit :
>>> 4) The MIB compiler I used complained about this:
>>>> natMappingPool OBJECT-TYPE
>>>>       SYNTAX NatPoolId (0|1..4294967295)
>>> Because of
>>>> NatPoolId ::= TEXTUAL-CONVENTION
>>>>       SYNTAX Unsigned32 (1..4294967295)
>>>
>>> That is, NatPoolId does not allow 0, and so natMappingPool cannot 
>>> add it and still use the NatPoolId syntax.
>>
>> Hmmmm... Would it be OK if I changed natMappingPool to an Unsigned32?
>>
>> natMappingPool OBJECT-TYPE
>>       SYNTAX Unsigned32 (0|1..4294967295)
>
> Yes, but you should remove the range restriction since that's the full
range.
> So just
>          SYNTAX Unsigned32

Right. Removed.

> I see you added in the security considerations section:
>>       Note: This section only applies to objects with current status.
>>       For deprecated objects, please refer to the Security
>>       Considerations section from [RFC4008].
>
> However that doesn't make sense in my opinion unless we make RFC4008 a
> Normative (not informative) reference.   But I would prefer keeping it as
> an informative reference so it can be obsoleted.   So I disagree with the
> quoted limitation.

Hmmm... So what should we do instead? Keeping in mind that the security
considerations in 4008 aren't up to today's standards.

a) Copy the security section verbatim from 4008. Add a preamble saying
something like "These considerations apply to the deprecated elements. 
Others may apply, use at your own risk."

b) Create brand new security considerations for deprecated elements.

c) ???

Simon
_______________________________________________
Behave mailing list
Behave@ietf.org
https://www.ietf.org/mailman/listinfo/behave