IETF Logo Mail Archive

Re: [MIB-DOCTORS] Change the boilerplate - Alissa's DISCUSS

Benoit Claise <bclaise@cisco.com> Thu, 10 July 2014 14:13 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: mib-doctors@ietfa.amsl.com
Delivered-To: mib-doctors@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2B01B291A for <mib-doctors@ietfa.amsl.com>; Thu, 10 Jul 2014 07:13:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.152
X-Spam-Level:
X-Spam-Status: No, score=-15.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2JHuTzKurf5B for <mib-doctors@ietfa.amsl.com>; Thu, 10 Jul 2014 07:13:12 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F92D1B2918 for <mib-doctors@ietf.org>; Thu, 10 Jul 2014 07:13:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11419; q=dns/txt; s=iport; t=1405001591; x=1406211191; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=kpg9Vtqilyte3Beu8HYPRRfnN5QYuqadeTEl6dJJKNI=; b=iBUZKlN6Me/yUQEixcPXUyfDBnoYlCaErd77G2RRAqFh3m4X/7P0Vphj DnVEL43ztntgSu6Bu6Ooal/DoapVDXkZAbeZCSuUo1zqFlz5V2R6bETbx kLuksxglgs8yB/iA1MRu7SrrXJANVkIt6tfC7WfkqSOWiY5K4QvrT76UW k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnYLABKevlOtJssW/2dsb2JhbABZg2C/fAwJhzcBgSF1hAMBAQEDAQEBATU2CgEFBwQLEQMBAQEBCRYIBwkDAgECARUfCQgGAQwBBQIBAQUSiB8IDcdvF40JgVkRAQIsIgcGhD0BBJZmhBqBSIVHjQaDRTsvgQs
X-IronPort-AV: E=Sophos;i="5.01,638,1400025600"; d="scan'208";a="103022704"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP; 10 Jul 2014 14:13:09 +0000
Received: from [10.60.67.84] (ams-bclaise-8913.cisco.com [10.60.67.84]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id s6AED8VA015245; Thu, 10 Jul 2014 14:13:09 GMT
Message-ID: <53BE9F74.9080705@cisco.com>
Date: Thu, 10 Jul 2014 16:13:08 +0200
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>, "MIB Doctors (E-mail)" <mib-doctors@ietf.org>
References: <CFE17DDA.458C3%alissa@cooperw.in> <53BC5081.6090809@cisco.com> <53BD6690.2040102@cisco.com> <53BE3D7E.2090302@bwijnen.net> <9904FB1B0159DA42B0B887B7FA8119CA5C83CC03@AZ-FFEXMB04.global.avaya.com>
In-Reply-To: <9904FB1B0159DA42B0B887B7FA8119CA5C83CC03@AZ-FFEXMB04.global.avaya.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/mib-doctors/j87PuJhTiLKyu1iZkZj8mrmj5kM
Cc: Adrian Farrel <adrian@olddog.co.uk>, 'Alissa Cooper' <alissa@cooperw.in>, sec-ads@tools.ietf.org
Subject: Re: [MIB-DOCTORS] Change the boilerplate - Alissa's DISCUSS
X-BeenThere: mib-doctors@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: MIB Doctors list <mib-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mib-doctors/>
List-Post: <mailto:mib-doctors@ietf.org>
List-Help: <mailto:mib-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jul 2014 14:13:14 -0000

Dear all,

The email below refers to Alissa's DISCUSS
See 
http://datatracker.ietf.org/doc/draft-ietf-eman-energy-monitoring-mib/ballot/#alissa-cooper

Alissa refers to this sentence in the boilerplate at 
http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security

         Implementations SHOULD provide the security features described 
by the
         SNMPv3 framework (see [RFC3410]), and implementations claiming 
compliance
         to the SNMPv3 standard MUST include full support for 
authentication and
         privacy via the User-based Security Model (USM) [RFC3414] with 
the AES
         cipher algorithm [RFC3826].

 From the discussion (Dan andBert's feedback, on top of mine) , it seems 
that there are valid reasons to keep a SHOULD here in the generic 
boilerplate.

So what next?
- Should we justify the reasons in the boiler plate
- Should we  give some freedom in the boilerplate?

         Implementations SHOULD provide the security features described 
by the
         SNMPv3 framework (see [RFC3410]), and implementations claiming 
compliance
         to the SNMPv3 standard MUST include full support for 
authentication and
         privacy via the User-based Security Model (USM) [RFC3414] with 
the AES
         cipher algorithm [RFC3826].

         <if there are use cases where a MUST is required, described 
them here>

   Now, I hope it will not be abused by Security ADs, requesting a MUST 
for every single MIB module.
- Something else?
- Stop writing MIB modules :-)

Regards, Benoit


> That is what I remember as well. I inherited the boilerplate text from Bert, and during my tenure as AD we had at least one round of text revision (maybe two?). AFAICT this part did not change for the reasons described by Bert. Another reason may have been that 3410 describes a number of security features, each of them may use different cryptographic algorithms, and not all are mandatory to implement (and of course to deploy) in order to obtain a secure solution.
>
> Regards,
>
> Dan
>
>
>> -----Original Message-----
>> From: MIB-DOCTORS [mailto:mib-doctors-bounces@ietf.org] On Behalf Of
>> Bert Wijnen (IETF)
>> Sent: Thursday, July 10, 2014 10:15 AM
>> To: Benoit Claise; MIB Doctors (E-mail)
>> Cc: Adrian Farrel; 'Alissa Cooper'
>> Subject: Re: [MIB-DOCTORS] Change the boilerplate
>>
>> it is always interesting to see that when we get new ADs that we must
>> rediscuss this whole topic.
>>
>> But yes, there are/were implementations/deployments where one uses
>> dedicated (secure) networks for the network management systems, and so
>> that would work under a SHOULD.
>>
>> I do not recall if that was/is the only reason why we agreed on a SHOULD
>> instead of MUST.
>>
>> Bert
>>
>> On 09/07/14 17:58, Benoit Claise wrote:
>>> MIB doctors,
>>>
>>> Let me focus the discussion a little bit.
>>> Alissa refers to this sentence in the boilerplate at
>>> http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security
>>>
>>>          Implementations SHOULD provide the security features described by
>> the
>>>          SNMPv3 framework (see [RFC3410]), and implementations claiming
>> compliance
>>>          to the SNMPv3 standard MUST include full support for authentication
>> and
>>>          privacy via the User-based Security Model (USM) [RFC3414] with the
>> AES
>>>          cipher algorithm [RFC3826].
>>>
>>>
>>> Alissa's feedback is:
>>>
>>>      It is a little disconcerting that use of SNMPv3 is provided as a SHOULD-
>> level requirement without discussion of deployment
>>>      scenarios and regardless of the sensitivity of the data being made
>> available by any new MIB. For example, the tradeoffs between
>>>      security and utility might be reasonable if (1) I'm using an older SNMP
>> version on my closed home network to monitor my own
>>>      energy use, but not if (2) my ISP is using it to monitor the same thing. The
>> text quoted above basically  endorses unauthorized
>>>      energy monitoring if the provider does not support SNMPv3, whereas it
>> seems like what we would want to be saying is that in
>>>      cases like (2) SNMPv3 is required.
>>>
>>> Can one of the old timers (who was part of the discussion) explain the
>>> SHOULD rational? Personally, I can see two use cases in favor off the
>>> SHOULD: an older SNMP version in a closed network,  or a private data
>>> communication network dedicated to network management with special
>>> protection out of SNMP (like encrypted tunnel)
>>>
>>> Should we now modify this sentence to say?
>>>
>>>      MUST provide the security features described by the
>>>      SNMPv3 framework (see [RFC3410])
>>>
>>> Regards, Benoit
>>>
>>>> MIB doctors,
>>>>
>>>> It seems that the "Security Guidelines for IETF MIB modules" receives
>> comment for each MIB module submitted to the IESG.
>>>> Is it time to modify it, or are we redoing the same discussions over and
>> over?
>>>> Regards, Benoit
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: 	Re: Alissa Cooper's Discuss on draft-ietf-eman-energy-
>> monitoring-mib-12: (with DISCUSS and COMMENT)
>>>> Date: 	Tue, 8 Jul 2014 13:02:50 -0700
>>>> From: 	Alissa Cooper <alissa@cooperw.in>
>>>> To: 	Benoit Claise <bclaise@cisco.com>, The IESG <iesg@ietf.org>
>>>> CC: 	<draft-ietf-eman-energy-monitoring-mib@tools.ietf.org>, <eman-
>> chairs@tools.ietf.org>
>>>>
>>>>
>>>> Hi Benoit,
>>>>
>>>> On 7/8/14, 1:44 AM, "Benoit Claise" <bclaise@cisco.com
>> <mailto:bclaise@cisco.com>> wrote:
>>>>      Hi Alissa,
>>>>
>>>>      Thanks for your review.
>>>>>      Alissa Cooper has entered the following ballot position for
>>>>>      draft-ietf-eman-energy-monitoring-mib-12: Discuss
>>>>>
>>>>>      When responding, please keep the subject line intact and reply to all
>>>>>      email addresses included in the To and CC lines. (Feel free to cut this
>>>>>      introductory paragraph, however.)
>>>>>
>>>>>
>>>>>      Please refer tohttp://www.ietf.org/iesg/statement/discuss-
>> criteria.html
>>>>>      for more information about IESG DISCUSS and COMMENT positions.
>>>>>
>>>>>
>>>>>      The document, along with other ballot positions, can be found here:
>>>>>
>>>>> http://datatracker.ietf.org/doc/draft-ietf-eman-energy-monitoring-mi
>>>>> b/
>>>>>
>>>>>
>>>>>
>>>>>      ----------------------------------------------------------------------
>>>>>      DISCUSS:
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> --
>>>>>
>>>>>      Section 11 is missing a discussion of the privacy considerations of
>>>>>      energy and power monitoring. I would suggest something along the
>> lines of
>>>>>      the following:
>>>>>
>>>>>      "In certain situations, energy and power monitoring can reveal
>> sensitive
>>>>>      information about individuals' activities and habits. Implementors of
>>>>>      this specification should use appropriate privacy protections as
>>>>>      discussed in Section 9 of RFC 6988 and monitoring of individuals and
>>>>>      homes should only occur with proper authorization."
>>>>      Regarding your first sentence, I propose the following text, which would
>> be in line with Security Guidelines for IETF MIB
>>>>      modules at
>>>> http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security
>>>>
>>>>          Some of the readable objects in this MIB module (i.e., objects with a
>>>>          MAX-ACCESS other than not-accessible) may be considered sensitive
>> or
>>>>          vulnerable in some network environments.  It is thus important to
>>>>          control even GET and/or NOTIFY access to these objects and possibly
>>>>          to even encrypt the values of these objects when sending them over
>>>>          the network via SNMP.  These are the tables and objects and their
>>>>          sensitivity/vulnerability:
>>>>
>>>>          Access to the content of the eoPowerStateTable, eoEnergyTable, and
>>>>          eoACPwrAttributesTable MIB tables can reveal sensitive
>>>>          information about individuals' activities and habits
>>>>
>>>> Sounds good to me.
>>>>
>>>>
>>>>      Since this document is essentially a MIB module, your last
>>>> sentence is covered by
>>>>
>>>>               implementations
>>>>               claiming compliance to the SNMPv3 standard MUST include full
>>>>               support for authentication and privacy via the User-based
>>>>               Security Model (USM) [RFC3414
>> <http://tools.ietf.org/html/rfc3414>] with the AES cipher algorithm
>>>>               [RFC3826  <http://tools.ietf.org/html/rfc3826>].
>>>>
>>>> RFC 6988 notes the need for privacy protections for stored data,
>>>> which the above text does not speak to, so I still think a reference to RFC
>> 6988 would add value here.
>>>> It is a little disconcerting that use of SNMPv3 is provided as a
>>>> SHOULD-level requirement without discussion of deployment scenarios
>>>> and regardless of the sensitivity of the data being made available by
>>>> any new MIB. For example, the tradeoffs between security and utility
>>>> might be reasonable if (1) I'm using an older SNMP version on my
>>>> closed home network to monitor my own energy use, but not if (2) my
>>>> ISP is using it to monitor the same thing. The text quoted above
>>>> basically  endorses unauthorized energy monitoring if the provider
>>>> does not support SNMPv3, whereas it seems like what we would want to
>>>> be saying is that in cases like
>>>> (2) SNMPv3 is required.
>>>>
>>>> I understand that this is basically boilerplate language for MIB docs, so I'm
>> not sure what can be done, but it seems unfortunate.
>>>> Alissa
>>>>
>>>>
>>>>
>>>>>      ----------------------------------------------------------------------
>>>>>      COMMENT:
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> --
>>>>>
>>>>>      Section 12.1:
>>>>>      "New Assignments (and potential deprecation) to Power State Sets
>>>>>               shall be administered by IANA and the guidelines and procedures
>>>>>               are specified in [EMAN-FMWK], and will, as a consequence, the
>>>>>               IANAPowerStateSet Textual Convention should be updated."
>>>>>
>>>>>      Not sure what this sentence means.
>>>>      Good catch.
>>>>      NEW:
>>>>
>>>>               "New Assignments (and potential deprecation) to Power State Sets
>>>>               shall be administered by IANA and the guidelines and procedures
>>>>               are specified in [EMAN-FMWK], and will, as a consequence, update
>> the
>>>>               IANAPowerStateSet Textual Convention."
>>>>
>>>>
>>>>      Regards, Benoit (as a document author)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> MIB-DOCTORS mailing list
>>>> MIB-DOCTORS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/mib-doctors
>>>
>>>
>>> _______________________________________________
>>> MIB-DOCTORS mailing list
>>> MIB-DOCTORS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mib-doctors
>>>
>> _______________________________________________
>> MIB-DOCTORS mailing list
>> MIB-DOCTORS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mib-doctors
> .
>

v2.23.0 | Report a Bug | By Email