Re: [eman] Ben Campbell's Discuss on draft-ietf-eman-applicability-statement-10: (with DISCUSS)

Benoit Claise <bclaise@cisco.com> Thu, 23 April 2015 07:01 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: eman@ietfa.amsl.com
Delivered-To: eman@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DCB31B2E88; Thu, 23 Apr 2015 00:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L4Kv_YXcEoh2; Thu, 23 Apr 2015 00:01:28 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C83B1B2C58; Thu, 23 Apr 2015 00:01:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4313; q=dns/txt; s=iport; t=1429772487; x=1430982087; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=Qhu49uKs05+jcRBMsRoeDBtz6w5zJriOamlhHDdJ2iM=; b=k1ZbVAog20v8jBoTAgdEAjRyJGPGn2gxj9tZn+QgadRgE9QLHAXcOVJp haqllATCC1Hm0Sr6vb8ReAtXDHonvryRR2PE3KQ1tJr4qbXx0S3GU8dd1 FcuB/nYO3TZiQpJY9FRUMFQUCZq2xGEu9QvGlyyoYBLaxoJC3UmvWv/Lk 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D9AwDWlzhV/xbLJq1bg15cgxq7IogYCYFRhgICgXEUAQEBAQEBAYEKhCEBAQQjDwEFQAEQCxgCAgUWCwICCQMCAQIBRQYBDAEFAgEBBYgiDbcUlRkBAQEBAQEBAQEBAQEBAQEBAQEBAQEXgSGKFoJkgT0RAQJPB4JogUUBBIY3jwuGMIEiO4MEgk6ODSOBZFOBPjwxAYEKgTkBAQE
X-IronPort-AV: E=Sophos;i="5.11,629,1422921600"; d="scan'208";a="440458421"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP; 23 Apr 2015 07:01:25 +0000
Received: from [10.60.67.85] (ams-bclaise-8914.cisco.com [10.60.67.85]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id t3N71PfH017013; Thu, 23 Apr 2015 07:01:25 GMT
Message-ID: <553898EE.4020104@cisco.com>
Date: Thu, 23 Apr 2015 09:02:06 +0200
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Ben Campbell <ben@nostrum.com>, "Thomas D. Nadeau" <tnadeau@lucidvision.com>
References: <20150422192021.30691.70336.idtracker@ietfa.amsl.com> <5538109D.1070103@cisco.com> <DBA94551-493C-4FFD-8C9F-49D9A3D2351C@nostrum.com> <FC8494B3-6774-4E9F-B04C-5483F75E8061@lucidvision.com> <A86B6F26-185E-4B81-B57A-3DBA46737066@nostrum.com>
In-Reply-To: <A86B6F26-185E-4B81-B57A-3DBA46737066@nostrum.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/eman/_M0m3wp8DA9NX2cB6LzDxE0lAZg>
Cc: eman-chairs@ietf.org, eman@ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [eman] Ben Campbell's Discuss on draft-ietf-eman-applicability-statement-10: (with DISCUSS)
X-BeenThere: eman@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussions about the Energy Management Working Group <eman.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eman>, <mailto:eman-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/eman/>
List-Post: <mailto:eman@ietf.org>
List-Help: <mailto:eman-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eman>, <mailto:eman-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2015 07:01:30 -0000

Hi Ben,

Thanks for proposing text (btw, it makes a lot of sense)
That surely helps the authors.

Regards, Benoit
> On 22 Apr 2015, at 17:20, Thomas D. Nadeau wrote:
>
>>> On Apr 22, 2015:5:51 PM, at 5:51 PM, Ben Campbell <ben@nostrum.com> 
>>> wrote:
>>>
>>> On 22 Apr 2015, at 16:20, Benoit Claise wrote:
>>>
>>>> On 22/04/2015 21:20, Ben Campbell wrote:
>>>>> Ben Campbell has entered the following ballot position for
>>>>> draft-ietf-eman-applicability-statement-10: Discuss
>>>>>
>>>>> When responding, please keep the subject line intact and reply to all
>>>>> email addresses included in the To and CC lines. (Feel free to cut 
>>>>> this
>>>>> introductory paragraph, however.)
>>>>>
>>>>>
>>>>> Please refer to 
>>>>> http://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>
>>>>>
>>>>> The document, along with other ballot positions, can be found here:
>>>>> http://datatracker.ietf.org/doc/draft-ietf-eman-applicability-statement/ 
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------- 
>>>>>
>>>>> DISCUSS:
>>>>> ---------------------------------------------------------------------- 
>>>>>
>>>>>
>>>>> [edited to fix missing word]
>>>>>
>>>>> I agree with Stephen's comments that the security considerations are
>>>>> sorely lacking. I understand his reasoning for not asking the 
>>>>> group to do
>>>>> considerably more work at this point in the process. But I'd like 
>>>>> to see
>>>>> at least an explicit mention that power management as described in 
>>>>> some
>>>>> of the use cases in this draft may have significant privacy
>>>>> considerations--even if that mention takes the form of "We haven't 
>>>>> fully
>>>>> analyzed privacy issues, and leave that work to a follow on effort."
>>>> The question is: can we rely on the security considerations of RFC 
>>>> 7326, RFC 7460, and RFC 7461?
>>>> For example:
>>>>
>>>> In certain situations, energy and power monitoring can reveal
>>>> sensitive information about individuals' activities and habits.
>>>> Implementors of this specification should use appropriate privacy
>>>> protections as discussed in Section 9 of RFC 6988 and monitoring of
>>>> individuals and homes should only occur with proper authorization.
>>>
>>> It would help if the security considerations in the applicability 
>>> statement referenced those docs :-) Even so, references scoped to 
>>> the MIBs are not completely satisfying when the draft says it is 
>>> equally applicable to things like YANG and NETCONF.
>>>
>>> (By the way, it looks like the references to 7460 and 7461 elsewhere 
>>> in the draft still point to outdated drafts.)
>>>
>>>>
>>>> Or asked differently: should an applicability statement document 
>>>> review and discuss the security considerations of each of the use 
>>>> cases mentioned?
>>>
>>> That would be nice--really, each use case may have different privacy 
>>> issues. But I agree with Stephen that it's kind of late to ask the 
>>> WG to analyze those.
>>>
>>> Would you consider adding something to the effect of the following 
>>> to the security considerations?
>>>
>>> NEW:
>>>
>>> " [RFC7460] section X and [RFC7461] section Y mention that power 
>>> monitoring and management MIBs may have certain privacy 
>>> implications. Applications of this spec that use other mechanisms 
>>> (e.g. YANG) may have similar implications, which are beyond this 
>>> scope of this document. There may be additional privacy 
>>> considerations specific to each use case; this document has not 
>>> attempted to analyze these. “
>>
>>     This is a (thankfully) simple, and reasonable approach. My only 
>> question is why are we mentioning Yang here? The WG only produced 
>> SNMP MIBs.
>
> I suggested mentioning Yang here because section 1.1 mentioned that 
> the information model was equally applicable to non-SNMP approaches 
> such as YANG and NETCOMF. I'd be willing to entertain arguments that 
> such things are not really applications of this spec, i.e. I won't 
> complain if you drop that sentence.
>
>>
>>     Would this fix resolve Stephen’s comments as well?
>>
>>     —Tom
> .
>