Re: [savi] SAVI FCFS & Logging

"Joel M. Halpern" <jmh@joelhalpern.com> Sat, 05 March 2011 16:45 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: savi@core3.amsl.com
Delivered-To: savi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F0503A6AA1 for <savi@core3.amsl.com>; Sat, 5 Mar 2011 08:45:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.409
X-Spam-Level:
X-Spam-Status: No, score=-102.409 tagged_above=-999 required=5 tests=[AWL=0.190, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JWzUmmv5Ewhi for <savi@core3.amsl.com>; Sat, 5 Mar 2011 08:45:28 -0800 (PST)
Received: from hgblob.out.tigertech.net (hgblob.out.tigertech.net [74.114.88.71]) by core3.amsl.com (Postfix) with ESMTP id 8EC023A6A8C for <savi@ietf.org>; Sat, 5 Mar 2011 08:45:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hgblob.tigertech.net (Postfix) with ESMTP id 076E23244927; Sat, 5 Mar 2011 08:46:38 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at hgblob.tigertech.net
Received: from [10.10.10.101] (pool-71-161-51-81.clppva.btas.verizon.net [71.161.51.81]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by hgblob.tigertech.net (Postfix) with ESMTPSA id EB977324410A; Sat, 5 Mar 2011 08:46:36 -0800 (PST)
Message-ID: <4D7268E9.8000202@joelhalpern.com>
Date: Sat, 05 Mar 2011 11:46:33 -0500
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110221 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: draft-ietf-savi-fcfs@tools.ietf.org, SAVI Mailing List <savi@ietf.org>
References: <4D71CDE6.1000707@joelhalpern.com> <4D71FF5A.8040800@it.uc3m.es>
In-Reply-To: <4D71FF5A.8040800@it.uc3m.es>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [savi] SAVI FCFS & Logging
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2011 16:45:29 -0000

I asked the SAVI FCFS the question below.  In response they quite 
reasonably asked that I provide text.  Following the note excerpt is the 
suggestion on placement and text.  THe text could include a reference to 
the savi threats document.  I was not sure if that would be helpful, so 
I left it out.  Also, as logging is basically an internal activity, I 
have written this suggestion as non-normative text.

> El 05/03/11 6:45, Joel M. Halpern escribió:
>> Looking at the traceability issues we raise in the threats document,
>> and looking at the uses I see people wanting to make of SAVI for
>> SLAAC, should we put some descriptive (not normative) text into SAVI
>> FCFS that talks about loggin?
>>
>> I wanted to check with you folks directly before raising this on the
>> list.
>>
>> Thank you,
>> Joel

I would suggest adding a section between 2.4 and 2.5 (i.e., it would be 
2.5, and the current 2.5 SAVI enforcement perimeter would become 2.6.)
---------
2.x SAVI Logging

While the primary goal of SAVI is simply to prevent improper use of IP 
addresses, a secondary goal is to assist in traceability for determining 
who an imp-roper actor is.  For example, if a remote site reports that a 
DoS (or component of a DDoS) is coming from the SAVI site, SAVI 
enforcement can be a useful component in a response.

In order to support these and other similar activities, it is a good 
idea if SAVI devices perform logging of the creation, modification, or 
removal of address bindings.  Any protocol support, such as SYSLOG 
support for sending those logs to a common server, would be a topic for 
a future separate document.
-----
If instead we want to make that normative, we could put a SHOULD in and 
put this in section 3.2.6 instead.

In addition, it would seem useful to add a short paragraph in the 
security considerations section.  (If Denial of service attacks and 
Residual threats were 4.1 and 4.2, then I would would att this as 4.3 
Security Logging)
-------------
In order to improve the integration of SAVI into an overall security 
environment, and enable response to additional indirect security issues 
which SAVI can help ameliorate, it is helpful if SAVI systems log the 
creation, modification, and deletion of binding entries.
---------
I realize this basically duplicates the 2.x text.  I think it deserves 
mention in the security considerations, because it is a security 
consideration.  But I don't think that should be the first occurrence.
If the duplication is bothersome, then just use the 2.x text.

Thank you,
Joel