Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

"Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com> Tue, 24 July 2018 02:25 UTC

From: "Linqiushi (Jessica, CSPL)" <linqiushi@huawei.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Adam Montville <adam.w.montville@gmail.com>, Jarrett Lu <jarrett.lu@oracle.com>
CC: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
Date: Tue, 24 Jul 2018 02:24:51 +0000
Message-ID: <E22A9D71257049438949CB43F3A093E621CD9F63@dggeml510-mbx.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/AQR7mbmJNFGYwtiVR0p2w8Qdss0>
Subject: Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

Hi Ben, Adam and Jarrett,

Thanks a lot for raising your concerns.

Please see my comments inline.

Best Regards,
Jessica

-----Original Message-----
From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Benjamin Kaduk
Sent: 24 July 2018 02:01
To: sacm@ietf.org
Subject: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

> During Jessica's talk I noticed a couple things I wanted to mention, 
> but that didn't seem to merit getting up to the mic:

> There's a container for 'telnet' admin access; my understanding is 
> that there are not any applications out there that could be called 
> "telnet" and are actually secure these days (but maybe I'm missing
> some!); e.g., kerberized telnet mostly only uses single-DES and a 
> lousy cipher mode, with a vendor-specific option for triple-DES, which
> is deprecated as of my document that's currently at the RFC Editor. 
> So we may want to have some text clarifying the situation and
> disrecommending its use (or even remove it entirely, if that's feasible).

The "telnet" admin access listed in the current draft is not meant to suggest the use of Telnet. In some legacy scenarios where an insecure channel like Telnet has to be used, some configuration, such as changing the source port, is recommended. We mentioned disabling the insecure channel, but didn't clarify it in detail in the draft.
You're right. The security baseline is intended to be a minimal set of security controls and should be up-to-date. We'll remove it and other similar security controls in the next version of the draft.

> Similarly, there's a pwd-sec-policy container that describes password
> security policies.  While it's definitely true that password policies
> and mandatory change intervals are currently widely deployed, it's
> less clear whether their usage should still be considered useful or a
> best current practice -- I think I've seen some research go by that
> suggests that not requiring character classes or frequency of change
> can be just as secure (and, of course, if passwords can be avoided entirely that can also help).

As password security policy is a currently widely deployed mechanism and devices support it, maybe we can make it optional, such as a feature?
Currently, devices support this kind of feature, so it can be checked whether this policy is enabled.

> So, perhaps there is room for some qualifying text here as well.

> -Ben
> (with no hats)
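As an added illustration (not text from the draft, and not the authors' or the working group's own model), the following YANG fragment shows how the two outcomes discussed in this message could be expressed: the password-policy container is gated behind a YANG feature so that a device which does not implement it simply never advertises it, and the Telnet control is absent rather than being listed as something a collector could report as "compliant". The module name, namespace, prefix and leaf names are all assumptions made for the example.

```yang
module example-security-baseline {
  yang-version 1.1;
  namespace "urn:example:security-baseline";
  prefix sb;

  // Hypothetical module for illustration only; not the model in
  // draft-lin-sacm-nid-mp-security-baseline. All identifiers are assumed.

  feature pwd-sec-policy {
    description
      "The device supports a configurable password security policy
       (character-class rules, forced change interval). A device that
       does not implement this feature does not advertise it in its
       YANG library, so the container below is simply absent there.";
  }

  container security-baseline {
    description
      "Minimal set of security controls for a network infrastructure
       device. Controls that rely on insecure channels are deliberately
       not modelled, so there is no 'telnet' node to check against.";

    container admin-access {
      description "Management-plane access methods.";
      leaf ssh-enabled {
        type boolean;
        default true;
        description "SSH is the baseline remote admin channel.";
      }
    }

    container pwd-sec-policy {
      if-feature "pwd-sec-policy";
      presence "Password security policy is enabled on the device.";
      description
        "Present only on devices that advertise the pwd-sec-policy
         feature. Because this is a presence container, a collector can
         distinguish 'policy supported but disabled' (node absent) from
         'policy enabled' (node present) without any extra flag.";
      leaf min-length {
        type uint8 {
          range "8..128";
        }
        default 8;
        description "Minimum password length.";
      }
      leaf max-age-days {
        type uint16;
        description
          "Forced change interval in days; 0 means no forced change.";
      }
    }
  }
}
```

Running `pyang -f tree` over a module like this prints the pwd-sec-policy container with an `{pwd-sec-policy}?` marker and a `!` for the presence container, which is a quick way to confirm that the node is indeed conditional on the feature rather than mandatory for every device.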