RE: [Bridge-mib] Begin WG Last Call - draft-ietf-bridge-8021x-00 .txt
"Les Bell" <Les_Bell@eur.3com.com> Wed, 22 January 2003 17:41 UTC
From: Les Bell <Les_Bell@eur.3com.com>
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
cc: bridge-mib@ietf.org
Message-ID: <80256CB6.0061671C.00@notesmta.eur.3com.com>
Date: Wed, 22 Jan 2003 17:43:16 +0000
Subject: RE: [Bridge-mib] Begin WG Last Call - draft-ietf-bridge-8021x-00 .txt
On 11th Dec 2002, Dan Romascanu wrote:

> I think that the Security Considerations section is much too weak
> taking into account the scope of the IEEE 802.1X standard. We need
> to fix this before it gets under the IESG scrutiny. The security
> section needs to mention the fact that the standard modeled by this
> MIB has a strong security functionality. It needs to list explicitly
> the objects with MAX-ACCESS of read-write or read-create that, if
> potentially written by a malicious attacker, can endanger the security
> by allowing access to the layer 2 network by un-authorized users. It
> also needs to mention that some of the objects (even of those with
> MAX-ACCESS clause of read-only) if exposed can allow for security holes
> in the access to the network to be exposed to un-authorized viewers.

I think it is not just the read-write objects that can allow access to the network by un-authorized users, but also those objects that can inhibit access to the network by authorized users. Also, exposure of all of these MIB values, including the read-only objects (with the possible exception of some of the statistics), may allow security holes to be exploited. Therefore, I suggest it is not worth listing most, if not all, of the managed objects in the security section, and instead, we should replace the first paragraph of the security section with the following:

"The Port Access Entity defined in this MIB is integral to the security of the network accessed through the Authenticator. The managed objects in this MIB that have a MAX-ACCESS clause of read-write or read-create must be considered sensitive in a secure environment. The support of SET operations in a non-secure environment without proper protection can have a negative effect on the security of access to the network, for both the Authenticator and the Supplicant.

The managed objects in this MIB that have a MAX-ACCESS clause of anything other than not-accessible may allow users, including authenticated users that have authorised access to the secured network, to discover information that may help to compromise the access and security of others. Therefore the support of GET operations for all managed objects in this MIB must also be considered sensitive in a secure environment."

Les...


"Romascanu, Dan (Dan)" <dromasca@avaya.com> on 11/12/2002 13:03:33

Sent by: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: Les Bell/GB/3Com, bridge-mib@ietf.org
cc:
Subject: RE: [Bridge-mib] Begin WG Last Call - draft-ietf-bridge-8021x-00.txt

As the scope of this document is to produce a replica of the MIB defined in the IEEE document, I will not refer my comments to the MIB itself, but to the surrounding IETF-ish envelope. I have one fundamental issue, and a few editorials.

The fundamental one:

I think that the Security Considerations section is much too weak taking into account the scope of the IEEE 802.1X standard. We need to fix this before it gets under the IESG scrutiny. The security section needs to mention the fact that the standard modeled by this MIB has a strong security functionality. It needs to list explicitly the objects with MAX-ACCESS of read-write or read-create that, if potentially written by a malicious attacker, can endanger the security by allowing access to the layer 2 network by un-authorized users. It also needs to mention that some of the objects (even of those with MAX-ACCESS clause of read-only) if exposed can allow for security holes in the access to the network to be exposed to un-authorized viewers.

Now the editorial issues:

1. Page 3, section 2 - the second paragraph seems broken in syntax and content - Source Route and transparent are not modes, but rather methods. They happen to be the ones standardized in IEEE 802, but there are at least two other methods (translation and encapsulation) which are not covered by IEEE 802 standards.
2. Formatting of section 3, paragraph 1 seems broken.
3. Same for section 3.1.
4. The numbering of some of the objects (9.4.3, 9.4.4, etc.) in section 3.1 seems out of context.
5. Section 3.3 and following - the term 'System' is used here, without a clear explanation of what it means.
6. I think that it would help to define shortly (or at least refer to the IEEE standard) the supplicant and authenticator.
7. Section 3.6 - there seems to be a mis-spelling of an object name referred from RFC 2863.
8. Section 6 - IEEE is duplicated.
9. Section 7 - need to divide references into normative and non-normative.

Thanks,
Dan

> -----Original Message-----
> From: Les Bell [mailto:Les_Bell@eur.3com.com]
> Sent: Tuesday, November 26, 2002 5:24 PM
> To: bridge-mib@ietf.org
> Subject: [Bridge-mib] Begin WG Last Call - draft-ietf-bridge-8021x-00.txt
>
> Hi,
>
> The Bridge MIB WG has completed work on the "Definitions for
> Port Access Control (IEEE 802.1X) MIB". This memo proposes to
> re-publish the Port Access Entity MIB, as defined in IEEE 802.1X,
> in an Informational RFC, for the convenience of the IETF community.
>
> The WG proposes that the I-D 'draft-ietf-bridge-8021x-00.txt'
> is the completed version of this document. The WG members are
> strongly urged to review this document as soon as possible, and
> express any concerns, or identify any errors, in an email to the
> Bridge MIB WG mailing list.
>
> Unless there are strong objections, published on the WG mailing
> list by December 11, 2002, this document will be forwarded to the
> OPS Area Directors for consideration to publish as an Informational
> RFC.
>
> Please send all comments to the WG mailing list at
> bridge-mib@ietf.org.
>
> Thanks,
> Les...
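As an added example (not part of this thread or of the draft), a small Python script that applies the two criteria discussed above to an SMIv2 fragment: it lists the objects whose MAX-ACCESS is read-write or read-create (the explicit list Dan asks for) and, separately, every object that is not not-accessible (the set Les's proposed text treats as GET-sensitive). The MIB fragment is constructed for the example, with names modelled on the IEEE 802.1X PAE MIB, and the regex parser is an assumption sufficient for this fragment, not a full SMIv2 parser.

```python
import re

# Constructed SMIv2 fragment modelled on the IEEE 802.1X PAE MIB.
# It is sample input for this example, not the MIB's own text.
SAMPLE_MIB = """
dot1xAuthConfigEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "One Authenticator PAE port."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthConfigTable 1 }

dot1xPaeSystemAuthControl OBJECT-TYPE
    SYNTAX      INTEGER { enabled(1), disabled(2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Enables port access control system-wide."
    ::= { dot1xPaeSystem 1 }

dot1xAuthAuthControlledPortStatus OBJECT-TYPE
    SYNTAX      INTEGER { authorized(1), unauthorized(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Current state of the controlled port."
    ::= { dot1xAuthConfigEntry 5 }
"""

# Match an OBJECT-TYPE macro name and the first MAX-ACCESS clause after it.
OBJECT_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][\w-]*)\s+OBJECT-TYPE.*?"
    r"^\s*MAX-ACCESS\s+(?P<access>[a-z-]+)",
    re.DOTALL | re.MULTILINE,
)

def classify(mib_text):
    """Map each object to 'set' (read-write/read-create: SET and GET
    exposure), 'get' (any other accessible value: GET exposure) or
    'none' (not-accessible, e.g. table rows)."""
    result = {}
    for m in OBJECT_RE.finditer(mib_text):
        access = m.group("access")
        if access in ("read-write", "read-create"):
            result[m.group("name")] = "set"
        elif access == "not-accessible":
            result[m.group("name")] = "none"
        else:
            result[m.group("name")] = "get"
    return result

def security_lists(mib_text):
    """Return (SET-sensitive objects, GET-sensitive objects), sorted."""
    kinds = classify(mib_text)
    set_sensitive = sorted(n for n, k in kinds.items() if k == "set")
    get_sensitive = sorted(n for n, k in kinds.items() if k != "none")
    return set_sensitive, get_sensitive
```

Run against a real MIB module, the GET-sensitive list covers nearly every object, which is the point Les makes for describing the objects by access class rather than enumerating them.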