IETF Logo Mail Archive

Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

Benjamin Kaduk <kaduk@mit.edu> Wed, 25 July 2018 00:39 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3722812F18C for <sacm@ietfa.amsl.com>; Tue, 24 Jul 2018 17:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XP1u6ARJ9S7b for <sacm@ietfa.amsl.com>; Tue, 24 Jul 2018 17:39:16 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE8E6127333 for <sacm@ietf.org>; Tue, 24 Jul 2018 17:39:15 -0700 (PDT)
X-AuditID: 1209190f-d8fff700000019a4-d4-5b57c6b21505
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id F2.F0.06564.2B6C75B5; Tue, 24 Jul 2018 20:39:14 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w6P0dDfx029303; Tue, 24 Jul 2018 20:39:13 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6P0d8Dm015723 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 24 Jul 2018 20:39:11 -0400
Date: Tue, 24 Jul 2018 19:39:08 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>
Cc: Adam Montville <adam.w.montville@gmail.com>, Jarrett Lu <jarrett.lu@oracle.com>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
Message-ID: <20180725003907.GM92448@kduck.kaduk.org>
References: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrMKsWRmVeSWpSXmKPExsUixG6nrrvpWHi0wdovGhZbHraxWPzpOsBs 0d9/j9XiQdNNRosXS7sYHVg9ds66y+7RcuQtq8eSJT+ZPD4+vcUSwBLFZZOSmpNZllqkb5fA lbH0Z2DBVfGK1Yv3sTYwThfuYuTkkBAwkVh5/AM7iC0ksJhJ4vtanS5GLiB7I6PEits/mSCc q0wS759OYAKpYhFQlTg2p50NxGYTUJFo6L7MDGKLCJhJ/Jt2mg2kgVngLaPEwv4NYAlhgSCJ 2+8usILYvEDrdp7ZxAKxLlTi/9tjzBBxQYmTM5+AxZkF1CX+zLsEFOcAsqUllv/jgAjLSzRv nQ1WzikQJrH3y22we0QFlCX29h1in8AoOAvJpFlIJs1CmDQLyaQFjCyrGGVTcqt0cxMzc4pT k3WLkxPz8lKLdE30cjNL9FJTSjcxguKAU5J/B+OcBu9DjAIcjEo8vB/swqOFWBPLiitzDzFK cjApifKaHwUK8SXlp1RmJBZnxBeV5qQWH2KU4GBWEuF1OQyU401JrKxKLcqHSUlzsCiJ896r AUoJpCeWpGanphakFsFkZTg4lCR4G0GGChalpqdWpGXmlCCkmTg4QYbzAA1fBFLDW1yQmFuc mQ6RP8VoyXHq3pRJzBx/3k8Fkvu6p01iFmLJy89LlRLn7QBpEABpyCjNg5sJSmsS2ftrXjGK A70ozPsapIoHmBLhpr4CWsgEtFA0ORRkYUkiQkqqgdEvxFH+ftDNK7uYmFUez3sSmyEvr+hy cc3llffVxcpi9t4JDfu/8Yovd6rRy998vfZPUjf3OBzSSPWe++vQmwRx9VW3t++zXys+9d1C hp8LEj/FVa/u2H+17trBD2Zauf9Tu/tv1m8/fHlmjfJ+y5jjxfOsOtpPz5cSeDTv6LL+QJWO D+ZcUUJKLMUZiYZazEXFiQDGJy8wRgMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/AIhwp0PBZ1dPv5kIE5bwapS-6n0>
Subject: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 00:39:18 -0000

On Tue, Jul 24, 2018 at 02:24:51AM +0000, Linqiushi (Jessica, CSPL) wrote:
> Hi Ben, Adam and Jarrett,
> 
> Thanks a lot for raising your concerns.
> 
> Please see my comments inline.
> 
> Best Regards,
> Jessica
> 
> -----邮件原件-----
> 发件人: sacm [mailto:sacm-bounces@ietf.org] 代表 Benjamin Kaduk
> 发送时间: 2018年7月24日 2:01
> 收件人: sacm@ietf.org
> 主题: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03
> 
> > During Jessica's talk I noticed a couple things I wanted to mention, 
> > but that didn't seem to merit getting up to the mic:
> 
> > There's a container for 'telnet' admin access; my understanding is 
> > that there are not any applications out there that could be called 
> > "telnet" and are actually secure these days (but maybe I'm missing
> > some!); e.g., kerberized telnet mostly only uses single-DES and a 
> > lousy cipher mode, with a vendor-specific option for triple-DES, which
> > is deprecated as of my document that's currently at the RFC Editor. 
> > So we may want to have some text clarifying the situation and
> > disrecommending its use (or even remove it entirely, if that's feasible).
> 
> The "telnet" admin access listed in the current draft is not meant to suggest the use of Telnet. In some legacy scenarios that the insecure channel like Telnet has to be used, some configuration such as changing the source port is recommended. We mentioned to disable the insecure channel, but didn't clarify it in details in the draft.
> You're right. The security baseline is intended to be a minimal set of security controls and should be up-to-date. We'll remove it and other similar security controls in the next version of draft. 

That would be fine with me.

> > Similarly, there's a pwd-sec-policy container that describes password
> > security policies.  While it's definitely true that password policies
> > and mandatory change intervals are currently widely deployed, it's
> > less clear whether their usage should still be considered useful or a
> > best current practice -- I think I've seen some research go by that
> > suggests that not requiring character classes or frequency of change
> > can be just as secure (and, of course, if passwords can be avoided entirely that can also help).
> 
> As password security policy is the currently widely deployed mechanisms and devices support it,maybe we can make it optional, such as a feature? 
> Currently the devices support this kind of feature, then it can be checked whether this policy is enabled.

I think that's the sort of thing I had in mind.

Thanks!

-Ben

> >So, perhaps there is room for some qualifying text here as well.
> 
> > -Ben
> > (with no hats)
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm

v2.23.0 | Report a Bug | By Email