Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS)
"Ersue, Mehmet (Nokia - DE/Munich)" <mehmet.ersue@nokia.com> Sun, 01 March 2015 17:52 UTC
From: "Ersue, Mehmet (Nokia - DE/Munich)" <mehmet.ersue@nokia.com>
To: ext Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, The IESG <iesg@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, Warren Kumari <warren@kumari.net>, "draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org" <draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS)
Thread-Index: AQHQUgBD3wzhZxRNf0mPJVWQVSi7650DTK8AgASeAQA=
Date: Sun, 01 Mar 2015 17:47:00 +0000
Message-ID: <E4DE949E6CE3E34993A2FF8AE79131F81964A4A0@DEMUMBX005.nsn-intra.net>
References: <20150219161002.7059.28113.idtracker@ietfa.amsl.com> <20150226201007.GA32537@elstar.local> <CAHbuEH6bZAazZxXsZ6QWiim7aaZW2T2n2e33Q_7oDZrHG138xg@mail.gmail.com>
In-Reply-To: <CAHbuEH6bZAazZxXsZ6QWiim7aaZW2T2n2e33Q_7oDZrHG138xg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/f5EYXu8Ig7ZIFM0wNvFjh4HqSgE>
Dear Kathleen,

just to inform you, we uploaded the agreed changes as draft-ietf-opsawg-coman-probstate-reqs-05.txt.

Cheers,
Mehmet

From: ext Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
Sent: Thursday, February 26, 2015 9:14 PM
To: Juergen Schoenwaelder; Kathleen Moriarty; The IESG; opsawg@ietf.org; Warren Kumari; draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org; opsawg-chairs@ietf.org
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS)

Hi,

On Thu, Feb 26, 2015 at 3:10 PM, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:

Hi,

I am not sure what to do about this comment. My take is that the document is primarily scoped on the management interface and 6.003 talks about access control towards the managing system and access control towards the managed device. I certainly agree that devices should be robust, bug free, have no backdoors, be tamper resistant, etc. but then this is, in an ideal world, true for any device.

That said, there is already text in the security considerations that devices should make sure credentials are properly protected. Perhaps if we can address this discuss by expanding this sentence:

OLD

    As a consequence, it is crucial to properly protect any security
    credentials that may be stored on the device (e.g., by using
    hardware protection mechanisms).

NEW

    As a consequence, it is crucial that devices are robust and tamper
    resistant, have no backdoors, do not provide services that are not
    essential for the primary function, and properly protect any
    security credentials that may be stored on the device (e.g., by
    using hardware protection mechanisms).

Yes, that works for me in combination with the updates to the use case draft. Please let me know when the updated draft has been posted.

Thank you,
Kathleen

/js

On Thu, Feb 19, 2015 at 08:10:02AM -0800, Kathleen Moriarty wrote:
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-opsawg-coman-probstate-reqs-04: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-opsawg-coman-probstate-reqs/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I have not had time to read the full draft, but do see a gap in the
> security requirements that I'd like to see if we can address. The
> section on access controls for management systems and devices reads as
> follows:
>
>    Req-ID: 6.003
>
>    Title: Access control on management system and devices
>
>    Description: Systems acting in a management role must provide an
>    access control mechanism that allows the security administrator to
>    restrict which devices can access the managing system (e.g., using
>    an access control white list of known devices). On the other hand
>    managed constrained devices must provide an access control
>    mechanism that allows the security administrator to restrict how
>    systems in a management role can access the device (e.g.,
>    no-access, read-only access, and read-write access).
>
>    Source: Basic security requirement for use cases where access
>    control is essential.
>
> The way I read this, there is no statement about general access
> protections to the device outside of what is designated by a security
> administrator. I would think a statement on access controls on the
> device would be very important in consideration of safety concerns that
> put a strong need for security on such devices (medical, environmental
> monitors, etc.). Are there additional access mechanisms to the device
> besides what is possible by the management connection? Could there be
> factory defaults in place with local access work-arounds or even wireless
> in the event that there are issues accessing devices from management
> stations? Do these cause security problems? Are there ports other than
> those for management open that could lead to security breaches? Or are
> these out-of-scope because the discussion is about management
> connections? If it's out-of-scope, it would be good to state that it is
> even though that would be a concern. Text on this should be added to the
> security considerations section as a general discussion if it's a
> concern, but not in scope, similar to what was done for privacy.
>

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

--
Best regards,
Kathleen

--- Begin Message ---
A new version of I-D, draft-ietf-opsawg-coman-probstate-reqs-05.txt
has been successfully submitted by Mehmet Ersue and posted to the
IETF repository.

Name:           draft-ietf-opsawg-coman-probstate-reqs
Revision:       05
Title:          Management of Networks with Constrained Devices: Problem Statement and Requirements
Document date:  2015-03-01
Group:          opsawg
Pages:          46
URL:            http://www.ietf.org/internet-drafts/draft-ietf-opsawg-coman-probstate-reqs-05.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-opsawg-coman-probstate-reqs/
Htmlized:       http://tools.ietf.org/html/draft-ietf-opsawg-coman-probstate-reqs-05
Diff:           http://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-coman-probstate-reqs-05

Abstract:
   This document provides a problem statement, deployment and management
   topology options as well as requirements addressing the different use
   cases of the management of networks where constrained devices are
   involved.

Please note that it may take a couple of minutes from the time of
submission until the htmlized version and diff are available at
tools.ietf.org.

The IETF Secretariat
--- End Message ---
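The two halves of Req-ID 6.003 quoted in the thread (an allow list of known devices on the managing system, and per-manager no-access / read-only / read-write levels on the constrained device), combined with the "do not provide services that are not essential" point from the NEW security-considerations text, as a small policy model. This is an added example written for this archive page; it is not code from the draft, from the IETF, or from any participant in the thread. The class names, the identities (nms-1, monitor-2, sensor-42, ...) and the service names are constructed for illustration, and the ACL representation is an assumption, not anything the draft specifies.

```python
from enum import Enum


class Access(Enum):
    """Access levels a managed device can grant to a management system
    (the no-access / read-only / read-write example in Req-ID 6.003)."""
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2


class ManagementSystem:
    """Management-side half of Req-ID 6.003: a system acting in a management
    role accepts only devices on an explicit list of known device identities
    (the requirement's "access control white list")."""

    def __init__(self, known_devices):
        self._known = frozenset(known_devices)
        self.audit = []  # (peer, outcome, reason) records for the operator

    def admit(self, device_id):
        ok = device_id in self._known
        self.audit.append((device_id, "admit" if ok else "reject", "known-device-list"))
        return ok


class ConstrainedDevice:
    """Device-side half of Req-ID 6.003, plus the security-considerations point
    that only services essential to the primary function are offered at all.
    Managers absent from the ACL get Access.NONE (default deny), which is the
    general access protection the DISCUSS asks about; a request to a service
    that is not enabled is refused before the ACL is even consulted."""

    def __init__(self, acl, enabled_services):
        self._acl = dict(acl)                        # manager_id -> Access
        self._services = frozenset(enabled_services)
        self.audit = []                              # every decision, allowed or not

    def authorize(self, manager_id, service, op):
        if service not in self._services:
            return self._record(manager_id, service, op, False, "service-not-enabled")
        level = self._acl.get(manager_id, Access.NONE)
        if op == "read" and level in (Access.READ_ONLY, Access.READ_WRITE):
            return self._record(manager_id, service, op, True, level.name)
        if op == "write" and level is Access.READ_WRITE:
            return self._record(manager_id, service, op, True, level.name)
        return self._record(manager_id, service, op, False, "insufficient-level:" + level.name)

    def _record(self, manager_id, service, op, allowed, reason):
        self.audit.append((manager_id, service, op, allowed, reason))
        return allowed

    def denied_attempts(self):
        """Denied requests are the records an operator would alarm on."""
        return [rec for rec in self.audit if not rec[3]]


def build_demo():
    """Constructed sample deployment; all identities here are made up."""
    manager = ManagementSystem(known_devices={"sensor-42", "sensor-43"})
    device = ConstrainedDevice(
        acl={"nms-1": Access.READ_WRITE, "monitor-2": Access.READ_ONLY},
        enabled_services={"mgmt"},   # a "debug" service is deliberately not enabled
    )
    return manager, device


def run_demo():
    """Exercise both sides; every entry should be True for a correct policy."""
    manager, device = build_demo()
    results = {
        "known device admitted": manager.admit("sensor-42"),
        "unknown device rejected": not manager.admit("sensor-99"),
        "rw manager may write": device.authorize("nms-1", "mgmt", "write"),
        "ro manager may read": device.authorize("monitor-2", "mgmt", "read"),
        "ro manager cannot write": not device.authorize("monitor-2", "mgmt", "write"),
        "unlisted manager denied": not device.authorize("unlisted-3", "mgmt", "read"),
        "disabled service refused even for rw manager": not device.authorize("nms-1", "debug", "read"),
    }
    return results, device.denied_attempts()


if __name__ == "__main__":
    results, denied = run_demo()
    for check, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}: {check}")
    print(f"{len(denied)} denied request(s) recorded for audit")
```

The default-deny lookup (`self._acl.get(manager_id, Access.NONE)`) is what turns the requirement's "restrict how systems in a management role can access the device" into protection against parties the security administrator never designated, and the service check in front of the ACL is the enforceable form of "do not provide services that are not essential for the primary function". Keeping the denied decisions in an audit record gives the managing system something to collect and alert on.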