[OPSAWG] Roman Danyliw's No Objection on draft-ietf-opsawg-mud-acceptable-urls-11: (with COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 03 April 2024 02:20 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: opsawg@ietf.org
Delivered-To: opsawg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 68855C14F61E; Tue, 2 Apr 2024 19:20:00 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsawg-mud-acceptable-urls@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org, henk.birkholz@ietf.contact, henk.birkholz@sit.fraunhofer.de
X-Test-IDTracker: no
X-IETF-IDTracker: 12.9.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <171211080041.52998.16538712754663513072@ietfa.amsl.com>
Date: Tue, 02 Apr 2024 19:20:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/vUTiASvgh4vAJf4lhq_JrjK7xM8>
Subject: [OPSAWG] Roman Danyliw's No Objection on draft-ietf-opsawg-mud-acceptable-urls-11: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 02:20:00 -0000

Roman Danyliw has entered the following ballot position for
draft-ietf-opsawg-mud-acceptable-urls-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud-acceptable-urls/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I am balloting on this document from a GEN area perspective.

** Section 3.1
   While there is an argument that old firmware was insecure and should
   be replaced, it is often the case that the upgrade process involves
   downtime, or can introduce risks due to needed evaluations not having
   been completed yet.  As an example: moving vehicles (cars, airplanes,
   etc.) should not perform upgrades while in motion!  It is probably
   undesirable to perform any upgrade to an airplane outside the service
   facility.  A vehicle owner may desire only to perform software
   upgrades when they are at their residence.  Should there be a
   problem, they could make alternate arrangements for transportation.
   This contrasts with an alternative situation where the vehicle is
   parked at, for instance, a remote cabin, and where an upgrade failure
   could cause a much greater inconvenience.

   The situation for upgrades of medical devices has even more
   considerations involving regulatory compliance.

I’m having trouble understanding the examples provide and the associated
analysis. Editorial recommendation: cut all the text after the first sentence. 
Otherwise:

-- What does vehicles, aircraft and medical devices have to do with MUD? Is
there existing and planned penetration of MUD in those markets?

-- Per “While there is an argument that old firmware was insecure and should
   be replaced, it is often the case that the upgrade process involves
   downtime, or can introduce risks due to needed evaluations not having
   been completed yet. As an example, moving vehicles ...”

Where does the suggestion that moving cyber-physical systems should upgrade
their firmware in use come from?

-- What is the basis for the claim that the regulatory compliance of medical
devices is more considerations than say of aircraft?

** Reference

   [falsemalware]
              "False malware alerts cost organizations $1.27M annually,
              report says", 18 January 2020,
              <https://www.scmagazine.com/home/security-news/false-
              malware-alerts-cost-organizations-1-27m-annually-report-
              says/ and http://go.cyphort.com/Ponemon-Report-Page.html>.

Pick a single URL.