Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 01 March 2015 23:54 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9522C1A00C8; Sun, 1 Mar 2015 15:54:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ch3gxOs0H-AD; Sun, 1 Mar 2015 15:54:27 -0800 (PST)
Received: from mail-lb0-x233.google.com (mail-lb0-x233.google.com [IPv6:2a00:1450:4010:c04::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 380FE1A1C02; Sun, 1 Mar 2015 15:54:24 -0800 (PST)
Received: by lbdu10 with SMTP id u10so26735680lbd.7; Sun, 01 Mar 2015 15:54:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=BmLPmXB1B7/TyF5Qu9uO5x3DfpM4/+efIfAgxbw08dQ=; b=qUKeszjJ/yfOe3Xfn4PJBcY6OPSwuOi4oqzW7OLJG3boa6ndZz3qn9ALKxSmmsWpdf P46ziBK+INHRE3k+AKzpQjoqPaivSpzavVOlyb802Tn6Ek0wRQp+D10zt0Q0ok6rCweW 2rSW4rN4LTHwOU0qjBWDp+rIUzOwfub9j7TKOkdLCTzmes+ueRORllx+IS8uSkwnz0Ax XmAfANK5j8vYxkT4CVlp22cIZKBfSLVqo7Y21baKhUy2yJ6GOs0jZWguw1lnMPG+DZ6f fuGVpzWIXEiAnyy98j18NURVtsDj78TyUskkDJ+F1AoDh7qeOp1qqLT9qKk7FXDS0oAR W0sQ==
MIME-Version: 1.0
X-Received: by 10.112.181.41 with SMTP id dt9mr22453982lbc.56.1425254062662; Sun, 01 Mar 2015 15:54:22 -0800 (PST)
Received: by 10.112.167.101 with HTTP; Sun, 1 Mar 2015 15:54:22 -0800 (PST)
In-Reply-To: <E4DE949E6CE3E34993A2FF8AE79131F81964A4A0@DEMUMBX005.nsn-intra.net>
References: <20150219161002.7059.28113.idtracker@ietfa.amsl.com> <20150226201007.GA32537@elstar.local> <CAHbuEH6bZAazZxXsZ6QWiim7aaZW2T2n2e33Q_7oDZrHG138xg@mail.gmail.com> <E4DE949E6CE3E34993A2FF8AE79131F81964A4A0@DEMUMBX005.nsn-intra.net>
Date: Sun, 01 Mar 2015 18:54:22 -0500
Message-ID: <CAHbuEH53HveCkY8oG_y-CRstyU-JNWCONkOpE9jckVHCtqB0QQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "Ersue, Mehmet (Nokia - DE/Munich)" <mehmet.ersue@nokia.com>
Content-Type: multipart/alternative; boundary="001a11c369861eaeb1051042d284"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/6iPfD7Vw8Xyvui8Rrr9QH5tz88M>
Cc: "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, The IESG <iesg@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org" <draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org>
Subject: Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Mar 2015 23:54:30 -0000
Thank you for the edits and for letting me know the new version was ready. Best regards, Kathleen On Sun, Mar 1, 2015 at 12:47 PM, Ersue, Mehmet (Nokia - DE/Munich) < mehmet.ersue@nokia.com> wrote: > Dear Kathleen, > > > > just to inform you, we uploaded the agreed changes as > draft-ietf-opsawg-coman-probstate-reqs-05.txt. > > > > Cheers, > Mehmet > > > > *From:* ext Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > *Sent:* Thursday, February 26, 2015 9:14 PM > *To:* Juergen Schoenwaelder; Kathleen Moriarty; The IESG; opsawg@ietf.org; > Warren Kumari; draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org; > opsawg-chairs@ietf.org > *Subject:* Re: Kathleen Moriarty's Discuss on > draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS) > > > > Hi, > > > > On Thu, Feb 26, 2015 at 3:10 PM, Juergen Schoenwaelder < > j.schoenwaelder@jacobs-university.de> wrote: > > Hi, > > I am not sure what to do about this comment. My take is that the > document is primarily scoped on the management interface and 6.003 > talks about access control towards the managing system and access > control towards the managed device. > > I certainly agree that devices should be robust, bug free, have no > backdoors, be tamper resitant, etc. but then this is, in an ideal > world, true for any device. That said, there is already text in the > security considerations that devices should make sure credentials are > properly protected. Perhaps if we can address this discuss by > expanding this sentence: > > OLD > > As a > consequence, it is crucial to properly protect any security > credentials that may be stored on the device (e.g., by using hardware > protection mechanisms). > > NEW > > As a consequence, it is crucial that devices are robust and tamper > resistant, have no backdoors, do not provide services that are not > essential for the primary function, and properly protect any > security credentials that may be stored on the device (e.g., by > using hardware protection mechanisms). > > > > Yes, that works for me in combination with the updates to the use case > draft. Please let me know when the updated draft has been posted. > > > > Thank you, > > Kathleen > > > /js > > > On Thu, Feb 19, 2015 at 08:10:02AM -0800, Kathleen Moriarty wrote: > > Kathleen Moriarty has entered the following ballot position for > > draft-ietf-opsawg-coman-probstate-reqs-04: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-opsawg-coman-probstate-reqs/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > I have not had time to read the full draft, but do see a gap in the > > security requirements that I'd like to see if we can address. The > > section on access controls for management systems and devices reads as > > follows: > > > > Req-ID: 6.003 > > > > Title: Access control on management system and devices > > > > Description: Systems acting in a management role must provide an > > access control mechanism that allows the security administrator to > > restrict which devices can access the managing system (e.g., using > > an access control white list of known devices). On the other hand > > managed constrained devices must provide an access control > > mechanism that allows the security administrator to restrict how > > systems in a management role can access the device (e.g., no- > > access, read-only access, and read-write access). > > > > Source: Basic security requirement for use cases where access > > control is essential. > > > > The way I read this, there is no statement about general access > > protections to the device outside of what is designated by a security > > administrator. I would think a statement on access controls on the > > device would be very important in consideration of safety concerns that > > put a strong need for security on such devices (medical, environmental > > monitors, etc.). Are there additional access mechanisms to the device > > besides what is possible by the management connection? Could there be > > factory defaults in place with local access work-arounds or even wireless > > int he even that there are issues accessing devices from management > > stations? Do these cause security problems? Are there ports other than > > those for management open that could lead to security breaches? Or are > > these out-of-scope because the discussion is about management > > connections? If it's out-of-scope, it would be good to state that it is > > even though that would be a concern. Text on this should be added to the > > security considerations section as a general discussion if it's a > > concern, but not in scope, similar to what was done for privacy. > > > > > > > > > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <http://www.jacobs-university.de/> > > > > > > -- > > > > Best regards, > > Kathleen > -- Best regards, Kathleen
- [OPSAWG] Kathleen Moriarty's Discuss on draft-iet… Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Juergen Schoenwaelder
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Juergen Schoenwaelder
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Ersue, Mehmet (Nokia - DE/Munich)
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Kathleen Moriarty