RE: [imss] imss WG Last Call: FC-SP MIB
Black_David@emc.com Thu, 11 October 2007 05:23 UTC
Return-path: <imss-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfqWT-00074S-Pw; Thu, 11 Oct 2007 01:23:49 -0400
Received: from imss by megatron.ietf.org with local (Exim 4.43) id 1IfqWT-00074F-Cs for imss-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 01:23:49 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfqWS-0006yI-UJ for imss@ietf.org; Thu, 11 Oct 2007 01:23:49 -0400
Received: from mexforward.lss.emc.com ([128.222.32.20]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IfqWK-00037f-13 for imss@ietf.org; Thu, 11 Oct 2007 01:23:40 -0400
Received: from mailhub.lss.emc.com (uraeus.lss.emc.com [10.254.144.14]) by mexforward.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id l9B5Na4q023015; Thu, 11 Oct 2007 01:23:36 -0400 (EDT)
Received: from corpussmtp2.corp.emc.com (corpussmtp2.corp.emc.com [128.221.14.146]) by mailhub.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id l9B5Mg4G013039; Thu, 11 Oct 2007 01:23:33 -0400 (EDT)
From: Black_David@emc.com
Received: from CORPUSMX20A.corp.emc.com ([128.221.62.11]) by corpussmtp2.corp.emc.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 11 Oct 2007 01:23:09 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [imss] imss WG Last Call: FC-SP MIB
Date: Thu, 11 Oct 2007 01:23:09 -0400
Message-ID: <FF29F13E2D78C047B4B79F4E062D0363387988@CORPUSMX20A.corp.emc.com>
In-Reply-To: <200710102138.OAA11681@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [imss] imss WG Last Call: FC-SP MIB
thread-index: AcgLhgQjZKQfVGZiQvmYzrvy+0myVAAO3K3w
References: <no.id> from "Black_David@emc.com" at Oct 09, 2007 08:17:33 PM <200710102138.OAA11681@cisco.com>
To: kzm@cisco.com
X-OriginalArrivalTime: 11 Oct 2007 05:23:09.0751 (UTC) FILETIME=[CFC87470:01C80BC6]
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.5.1.298604, Antispam-Data: 2007.8.30.51425
X-PerlMx-Spam: Gauge=, SPAM=0%, Reason='EMC_BODY_1+ -3, EMC_FROM_0+ -3, NO_REAL_NAME 0, __C230066_P5 0, __CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __IMS_MSGID 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0'
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 87a3f533bb300b99e2a18357f3c1563d
Cc: imss@ietf.org, Black_David@emc.com, dromasca@avaya.com
X-BeenThere: imss@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet and Management Support for Storage Working Group <imss.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/imss>, <mailto:imss-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:imss@ietf.org>
List-Help: <mailto:imss-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/imss>, <mailto:imss-request@ietf.org?subject=subscribe>
Errors-To: imss-bounces@ietf.org
Keith, > > I found two technical concerns: > > (1) The MIB defines precedence values for traffic selectors > > as opposed to implicitly presenting them in order of > > precedence. I guess this is ok, but Section 4.7 should > > explain why this approach was chosen. > > This point has a bearing on two issues related to the use of Precedence > objects in an INDEX clause. First, the question of whether an object > containing a Precedence value should be in an INDEX clause or not. > There are pros and cons: > > pro: having a Precedence object in a table's INDEX clause allows the > table's rows to be retrieved (by SNMP getNext/getBulk) in order > of Precedence. > con: in a read-write/create table, objects which are not in the INDEX > clause can be modified with a single PDU (SNMP setRequest), but an > object in an INDEX clause can only be changed by deleting its row(s) > and creating new row(s); this is not only two SNMP PDUs, but also > there is a "gap", a time-period between the two, and for a Security > MIB during such a gap, there is either too much or too little > security, where "too little" is likely a security hole. > > Note that the "con" applies only to read-write/create tables, and so > having t11FcSpSaTSelNegOutPrecedence in the INDEX clause of the > (read-only) t11FcSpSaTSelNegOutTable table is justified by the pro. > > There are two other xxxPrecedence objects, t11FcSpSaTSelDrByPrecedence > and t11FcSpSaTSelPropPrecedence, which are both in read-write/create > tables, but one of them is in an INDEX clause and the other is not. > As far as I can remember, this difference was created inadvertently, > and I'm unable (at present) to think of any reason to justify the > inconsistency. > > The second issue is that, when a Precedence object is used in an INDEX > clause, its value serves not only as an indication of precedence, but > also to distinguish one traffic selector from another. In other words, > Precedence values in INDEX clauses in this MIB have two functions: > "Traffic Selector index" and "Precedence vaue". So, the choice of > whether such an object is called a "Precedence" or a "TrafSelectorIndex" > is a terminology issue, not a structural issue. Its use in the INDEX > clauses clearly indicates its purpose as an index, without it being > so named explicitly. Thus, I think a greater increase in clarity is > achieved by naming it as xxxPrecedence. I appreciate the explanation, and agree with your line of reasoning. > So, I think the document should be changed in two ways: > > 1. t11FcSpSaTSelDrByPrecedence and t11FcSpSaTSelPropPrecedence should > be made consistent, either have both in their respective table's INDEX > clause, or, neither in their respective table's INDEX clause. Further, > I'll make a suggestion based on my expectation of the likely usage of > this MIB; specifically, that the majority of the expected usage of this > MIB will be for read-only monitoring, with > its capability for read-write configuration rarely implemented, and > even more rarely used. Thus, I recommend that we optimize for reading, > not for writing. Thus, I recommend we combine the semantics of > t11FcSpSaTSelPropPrecedence and t11FcSpSaTSelPropIndex with the former > taking the latter's place in the INDEX clause of the > t11FcSpSaTSelPropTable table. > > 2. that I add words (a subset of the above) to section 4.7 so as to > provide an explanation of the use of Precedence values in > INDEX clauses. I agree - both of these should be done. > > (2) Section 4.9 defines rate control for Authentication > > failures on a per-fabric granularity. That strikes > > me as overly coarse, and I wonder if per-SA would > > be a more appropriate/useful granularity. > > I think the question here is whether it's likely that authentication > failures will occur on many SA's at the same time -- if it is likely, > then per-Fabric rate control allows for plenty of notifications in > isolated cases without getting overloaded when many SA's have the > problem. But, if there's no correlation between occurrences on > different SA's, then the odds of many SA's having the problem at the > same time is presumably negligible, and I agree that per-SA would be > better. I think this also revolves around the number of SAs. I would expect FC-SP SA usage to be more akin to a site-to-site VPN (small number of SAs carrying large amounts of traffic) than a remote access VPN (large number of SAs carrying smaller amounts of traffic). That should limit the size of a one-per-SA notification burst in practice. I definitely agree with your concern about overload, as authentication failures are relatively cheap to generate (e.g., attacker need not do any crypto calculations), and hence causing a large number of such failures in a short time period could be a denial of service attack based on the work involved in generating the notifications. OTOH, this text: For t11FcSpSaNotifyAuthFailure, rate control is achieved by specifying that it is generated only for the first occurrence of an Authentication failure on a particular Fabric within a time window. strikes me as providing unwarranted help for an attacker trying to cover her tracks - she opens an SA to the victim, generates an authentication failure, thereby generating the first notification, and can then attack other SAs for the same fabric within the time window, since their notifications are suppressed. Perhaps what's appropriate is a 2-level rate limiting structure: - At most one notification per SA in the (settable) time window. - At most <n> (new settable value) notifications per fabric in the same (settable) time window. > (Aside: MIB objects which are powerful enough to slow down the rate of > Authentication failures is, unfortunately, wishful thinking :-). That's my mistake - I meant to write "rate control for Authentication failure notifications", but nonetheless, an authentication failure rate limiting mechanism in this sort of situation involving many independent authentications seems like a fine candidate for an April 1st RFC in the tradition of the "evil bit" (RFC 3514). > > I also found a number of editorial concerns: > > I'll make all of your editorial suggestions. > Great. Thanks, --David ---------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 black_david@emc.com Mobile: +1 (978) 394-7754 ---------------------------------------------------- _______________________________________________ imss mailing list imss@ietf.org https://www1.ietf.org/mailman/listinfo/imss
- [imss] Changes to draft-ietf-imss-fc-fam-mib-00.t… Keith McCloghrie
- [imss] Re: Changes to draft-ietf-imss-fc-fam-mib-… Keith McCloghrie
- Re: [imss] Re: Changes to draft-ietf-imss-fc-fam-… Keith McCloghrie
- [imss] Re: Agenda for next week's T11.5 Managemen… Keith McCloghrie
- Re: [imss] FW: MIB Doctor review draft-ietf-imss-… Keith McCloghrie
- Re: [imss] FW: MIB Doctor review draft-ietf-imss-… Keith McCloghrie
- Re: [imss] FW: MIB Doctor review draft-ietf-imss-… Keith McCloghrie
- Re: [imss] Last Call: 'Fibre-Channel Name Server … Keith McCloghrie
- Re: [imss] Last Call: 'Fibre-Channel Name Server … Keith McCloghrie
- [imss] Re: DISCUSS on Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-rtm-m… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Keith McCloghrie
- [imss] Re: AD review of: draft-ietf-imss-fc-fspf-… Claudio DeSanti
- Re: [imss] RE: AD review of: draft-ietf-imss-fc-r… Keith McCloghrie
- Re: [imss] RE: AD review of: draft-ietf-imss-fc-r… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] WG last call: draft-ietf-imss-fc-rscn-… Keith McCloghrie
- Re: [imss] imss WG Last Call: Fibre Channel RSCN,… Keith McCloghrie
- Re: [imss] WG Last Call: draft-ietf-imss-fc-fcs-m… Keith McCloghrie
- [imss] A couple of loose ends Keith McCloghrie
- Re: [imss] WG last call review: T11-FC-FABRIC-LOC… Keith McCloghrie
- Re: [imss] WG last call review: T11-FC-FABRIC-LOC… Keith McCloghrie
- Re: [imss] WG last call review: T11-FC-FABRIC-LOC… Claudio DeSanti
- Re: [imss] WG last call review: T11-FC-ZONE-SERVE… Keith McCloghrie
- Re: [imss] Last Call comments on draft-ietf-imss-… Keith McCloghrie
- RE: [imss] Last Call comments on draft-ietf-imss-… Black_David
- Re: [imss] Keith McCloghrie
- Re: [imss] Keith McCloghrie
- Re: [imss] T11 MIB issue resolutions Keith McCloghrie
- Re: [imss] T11 MIB issue resolutions Keith McCloghrie
- [imss] Rereview for draft-ietf-imss-fc-rscn-mib-0… Wijnen, Bert (Bert)
- Re: [imss] Rereview of: draft-ietf-imss-fc-fcs-mi… Keith McCloghrie
- RE: [imss] Rereview of: draft-ietf-imss-fc-fcs-mi… Black_David
- Re: [imss] re-view: T11-FC-FABRIC-LOCK-MIB in Keith McCloghrie
- RE: [imss] re-view: T11-FC-FABRIC-LOCK-MIB in Wijnen, Bert (Bert)
- Re: [imss] re-review: T11-FC-ZONE-SERVER-MIB in Keith McCloghrie
- RE: [imss] re-review: T11-FC-ZONE-SERVER-MIB in Wijnen, Bert (Bert)
- Re: [imss] Acceptance of draft-kzm-imss-fc-fcsp-m… Keith McCloghrie
- RE: [imss] Acceptance of draft-kzm-imss-fc-fcsp-m… Romascanu, Dan (Dan)
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB Black_David
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB Black_David
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- Re: [imss] imss WG Last Call: FC-SP MIB Keith McCloghrie
- Re: [imss] MIB doctor review part 1 (SYNTAX Check… Keith McCloghrie
- Re: [imss] MIB doctor review part 2 (T11-FC-SP-TC… Keith McCloghrie
- RE: [imss] MIB doctor review part 2 (T11-FC-SP-TC… WIJNEN, Bert (Bert)
- RE: [imss] imss WG Last Call: FC-SP MIB WIJNEN, Bert (Bert)
- Re: [imss] AD Review for draft-ietf-imss-fc-fcsp-… Keith McCloghrie
- Re: [imss] AD Review for draft-ietf-imss-fc-fcsp-… Black_David
- Re: [imss] AD Review for draft-ietf-imss-fc-fcsp-… Romascanu, Dan (Dan)