Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS)
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Sat, 28 February 2015 13:52 UTC
Date: Sat, 28 Feb 2015 14:52:09 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "Ersue, Mehmet (Nokia - DE/Munich)" <mehmet.ersue@nokia.com>
Message-ID: <20150228135209.GA36283@elstar.local>
References: <20150219161002.7059.28113.idtracker@ietfa.amsl.com> <20150226201007.GA32537@elstar.local> <CAHbuEH6bZAazZxXsZ6QWiim7aaZW2T2n2e33Q_7oDZrHG138xg@mail.gmail.com> <E4DE949E6CE3E34993A2FF8AE79131F819645335@DEMUMBX005.nsn-intra.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/fjendg4Jw23vtEY0iKZHYF1T2xs>
Cc: "draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org" <draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org>
There were the other edits that Dan proposed for this document. I do not know who holds the pen and where the latest .xml of this document is.

/js

On Sat, Feb 28, 2015 at 01:22:17PM +0000, Ersue, Mehmet (Nokia - DE/Munich) wrote:
> Is the only AI now uploading an update?
>
> Then pls go ahead.
>
> Cheers,
> Mehmet
>
> From: ext Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Thursday, February 26, 2015 9:14 PM
> To: Juergen Schoenwaelder; Kathleen Moriarty; The IESG; opsawg@ietf.org; Warren Kumari; draft-ietf-opsawg-coman-probstate-reqs.all@ietf.org; opsawg-chairs@ietf.org
> Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-probstate-reqs-04: (with DISCUSS)
>
> Hi,
>
> On Thu, Feb 26, 2015 at 3:10 PM, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> Hi,
>
> I am not sure what to do about this comment. My take is that the document is primarily scoped on the management interface and 6.003 talks about access control towards the managing system and access control towards the managed device.
>
> I certainly agree that devices should be robust, bug free, have no backdoors, be tamper resistant, etc. but then this is, in an ideal world, true for any device. That said, there is already text in the security considerations that devices should make sure credentials are properly protected. Perhaps if we can address this discuss by expanding this sentence:
>
> OLD
>
>     As a consequence, it is crucial to properly protect any security
>     credentials that may be stored on the device (e.g., by using hardware
>     protection mechanisms).
>
> NEW
>
>     As a consequence, it is crucial that devices are robust and tamper
>     resistant, have no backdoors, do not provide services that are not
>     essential for the primary function, and properly protect any
>     security credentials that may be stored on the device (e.g., by
>     using hardware protection mechanisms).
>
> Yes, that works for me in combination with the updates to the use case draft. Please let me know when the updated draft has been posted.
>
> Thank you,
> Kathleen
>
> /js
>
> On Thu, Feb 19, 2015 at 08:10:02AM -0800, Kathleen Moriarty wrote:
> > Kathleen Moriarty has entered the following ballot position for
> > draft-ietf-opsawg-coman-probstate-reqs-04: Discuss
> >
> > When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-opsawg-coman-probstate-reqs/
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > I have not had time to read the full draft, but do see a gap in the security requirements that I'd like to see if we can address. The section on access controls for management systems and devices reads as follows:
> >
> >     Req-ID: 6.003
> >
> >     Title: Access control on management system and devices
> >
> >     Description: Systems acting in a management role must provide an
> >     access control mechanism that allows the security administrator to
> >     restrict which devices can access the managing system (e.g., using
> >     an access control white list of known devices). On the other hand
> >     managed constrained devices must provide an access control
> >     mechanism that allows the security administrator to restrict how
> >     systems in a management role can access the device (e.g., no-access,
> >     read-only access, and read-write access).
> >
> >     Source: Basic security requirement for use cases where access
> >     control is essential.
> >
> > The way I read this, there is no statement about general access protections to the device outside of what is designated by a security administrator. I would think a statement on access controls on the device would be very important in consideration of safety concerns that put a strong need for security on such devices (medical, environmental monitors, etc.). Are there additional access mechanisms to the device besides what is possible by the management connection? Could there be factory defaults in place with local access work-arounds or even wireless in the event that there are issues accessing devices from management stations? Do these cause security problems? Are there ports other than those for management open that could lead to security breaches? Or are these out-of-scope because the discussion is about management connections? If it's out-of-scope, it would be good to state that it is even though that would be a concern. Text on this should be added to the security considerations section as a general discussion if it's a concern, but not in scope, similar to what was done for privacy.
> >
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>
> --
>
> Best regards,
> Kathleen

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
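The two directions of Req-ID 6.003 quoted above (a managing system that only accepts devices on its white list, and a device that grants each management role no-access, read-only or read-write) can be modelled as a small deny-by-default authorization check. This is an added illustration, not text or code from the draft; the class and operation names are assumptions, and the sample identities are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    """Device-side access levels named in Req-ID 6.003, ordered by privilege."""
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2


# Assumed operation classes: reads need READ_ONLY, writes need READ_WRITE.
READ_OPS = {"get", "get-config"}
WRITE_OPS = {"edit-config", "reboot"}


@dataclass
class ManagingSystem:
    """Management-side policy: a white list of known device identities."""
    manager_id: str
    known_devices: set = field(default_factory=set)

    def accepts_device(self, device_id: str) -> bool:
        # Deny by default: a device not on the white list cannot reach the NMS.
        return device_id in self.known_devices


@dataclass
class ConstrainedDevice:
    """Device-side policy: the access level granted to each management role."""
    device_id: str
    manager_access: dict = field(default_factory=dict)

    def level_for(self, manager_id: str) -> Access:
        # A manager without an explicit entry gets NO_ACCESS (deny by default).
        return self.manager_access.get(manager_id, Access.NO_ACCESS)


def authorize(manager: ManagingSystem, device: ConstrainedDevice, op: str) -> bool:
    """Permit `op` only if both sides of Req-ID 6.003 allow it."""
    if not manager.accepts_device(device.device_id):
        return False  # device is not on the managing system's white list
    level = device.level_for(manager.manager_id)
    if op in READ_OPS:
        return level >= Access.READ_ONLY
    if op in WRITE_OPS:
        return level >= Access.READ_WRITE
    return False  # unknown operation: refuse rather than guess
```

Both checks fail closed, so a device missing from the white list, or a manager missing from the device's table, is refused even for reads.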