Re: [midcom] security recommendations in MIDCOM MIB draft

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 05 July 2007 11:20 UTC

Return-path: <midcom-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I6PNy-0006Yi-MP; Thu, 05 Jul 2007 07:20:34 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I6PNx-0006YV-4c for midcom@ietf.org; Thu, 05 Jul 2007 07:20:33 -0400
Received: from mailgw3.ericsson.se ([193.180.251.60]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I6PNt-0006eD-Ad for midcom@ietf.org; Thu, 05 Jul 2007 07:20:33 -0400
Received: from mailgw3.ericsson.se (unknown [127.0.0.1]) by mailgw3.ericsson.se (Symantec Mail Security) with ESMTP id AE72120C5C; Thu, 5 Jul 2007 13:20:28 +0200 (CEST)
X-AuditID: c1b4fb3c-b0e80bb0000007e1-56-468cd3fce704
Received: from esealmw127.eemea.ericsson.se (unknown [153.88.254.122]) by mailgw3.ericsson.se (Symantec Mail Security) with ESMTP id 9E5C720AF3; Thu, 5 Jul 2007 13:20:28 +0200 (CEST)
Received: from esealmw127.eemea.ericsson.se ([153.88.254.175]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Thu, 5 Jul 2007 13:20:28 +0200
Received: from [147.214.30.247] ([147.214.30.247]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Thu, 5 Jul 2007 13:20:28 +0200
Message-ID: <468CD3FB.4040203@ericsson.com>
Date: Thu, 05 Jul 2007 13:20:27 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: Juergen Quittek <quittek@netlab.nec.de>
Subject: Re: [midcom] security recommendations in MIDCOM MIB draft
References: <6AFFE92CEE03A3E6C2E61771@753F3B888A9969457862729D>
In-Reply-To: <6AFFE92CEE03A3E6C2E61771@753F3B888A9969457862729D>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 05 Jul 2007 11:20:28.0114 (UTC) FILETIME=[7D8F8B20:01C7BEF6]
X-Brightmail-Tracker: AAAAAA==
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: midcom@ietf.org, Tim Polk <tim.polk@nist.gov>
X-BeenThere: midcom@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: midcom.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:midcom@ietf.org>
List-Help: <mailto:midcom-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=subscribe>
Errors-To: midcom-bounces@ietf.org

Juergen Quittek skrev:
> Dear all,
> 
> The MIDCOM MIB is progressing and currently under IESG review.
> Tim Polk made a comment that I would like to discuss here on this list.
> 
> In the draft, we explicitly state hat a MIDCOM MIB implementation
> MUST support SNMPv3.  However, we pass the responsibility of switching
> on SNMPv3 to the operator.  The operator may still run SNMPv1 or SNMPv2
> if security is provided otherwise:
> 
>  "Compliant MIDCOM MIB implementations MUST support SNMPv3 security
>   services including data integrity, data origin authentication and
>   data confidentiality.
> 
>   It is REQUIRED that the implementations support the security features
>   as provided by the SNMPv3 framework.  Specifically, the use of the
>   User-based Security Model RFC 3414 [RFC3414] and the View- based
>   Access Control Model RFC 3415 [RFC3415] is RECOMMENDED.
> 
>   It is then a customer/operator responsibility to ensure that the SNMP
>   entity giving access to an instance of this MIB, is properly
>   configured to give access to the objects only to those principals
>   (users) that have legitimate rights to indeed GET or SET
>   (change/create/delete) them."
> 
> Now, Tim suggests to explicitly deprecate the use of (insecure) previous
> versions of SNMP, for example with a phrase like
> 
>  "Deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED.
>   Instead it is RECOMMENDED to deploy SNMPv3 and to enable
>   cryptographic security."
> 
> Are there any opinions about adding such a phrase to the security
> considerations?
> 

To make sure I understand this correctly. Without SNMPv3 and its 
security functions the MIDCOM MIB will not reach the security 
requirements identified? If this is true, I think it is quite clear that 
MIDCOM MIB should only be used with SNMPv3.

Cheers

Magnus Westerlund

IETF Transport Area Director & TSVWG Chair
----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM/M
----------------------------------------------------------------------
Ericsson AB                | Phone +46 8 4048287
Torshamsgatan 23           | Fax   +46 8 7575550
S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

_______________________________________________
midcom mailing list
midcom@ietf.org
https://www1.ietf.org/mailman/listinfo/midcom