Re: [savi] SAVI FCFS & Logging

Eric Levy-Abegnoli <elevyabe@cisco.com> Thu, 31 March 2011 07:25 UTC

On 31/03/2011 02:18, Jean-Michel Combes wrote:
> Hi,
>
> I am in favor of the addition of such a text: logging could clearly help.
> Now, I would like to have feedback from the WG and especially from
> people implementing SAVI to know if logging could be easily
> implemented (i.e. with no expensive extra-cost): that would determine
> whether to make that normative or not.
I support the addition. That has been the #1 requirement from many
organizations I dealt with deploying SAVI or IPSG solutions.
No particular issue implementation-wise.
Eric
> Best regards.
>
> JMC.
>
> 2011/3/5 Joel M. Halpern <jmh@joelhalpern.com>:
>> I asked the SAVI FCFS the question below.  In response they quite reasonably
>> asked that I provide text.  Following the note excerpt is the suggestion on
>> placement and text.  The text could include a reference to the savi threats
>> document.  I was not sure if that would be helpful, so I left it out.  Also,
>> as logging is basically an internal activity, I have written this suggestion
>> as non-normative text.
>>
>>> On 05/03/11 6:45, Joel M. Halpern wrote:
>>>> Looking at the traceability issues we raise in the threats document,
>>>> and looking at the uses I see people wanting to make of SAVI for
>>>> SLAAC, should we put some descriptive (not normative) text into SAVI
>>>> FCFS that talks about logging?
>>>>
>>>> I wanted to check with you folks directly before raising this on the
>>>> list.
>>>>
>>>> Thank you,
>>>> Joel
>> I would suggest adding a section between 2.4 and 2.5 (i.e., it would be 2.5,
>> and the current 2.5 SAVI enforcement perimeter would become 2.6.)
>> ---------
>> 2.x SAVI Logging
>>
>> While the primary goal of SAVI is simply to prevent improper use of IP
>> addresses, a secondary goal is to assist in traceability for determining who
>> an improper actor is.  For example, if a remote site reports that a DoS (or
>> component of a DDoS) is coming from the SAVI site, SAVI enforcement can be a
>> useful component in a response.
>>
>> In order to support these and other similar activities, it is a good idea if
>> SAVI devices perform logging of the creation, modification, or removal of
>> address bindings.  Any protocol support, such as SYSLOG support for sending
>> those logs to a common server, would be a topic for a future separate
>> document.
>> -----
>> If instead we want to make that normative, we could put a SHOULD in and put
>> this in section 3.2.6 instead.
>>
>> In addition, it would seem useful to add a short paragraph in the security
>> considerations section.  (If Denial of service attacks and Residual threats
>> were 4.1 and 4.2, then I would add this as 4.3 Security Logging)
>> -------------
>> In order to improve the integration of SAVI into an overall security
>> environment, and enable response to additional indirect security issues
>> which SAVI can help ameliorate, it is helpful if SAVI systems log the
>> creation, modification, and deletion of binding entries.
>> ---------
>> I realize this basically duplicates the 2.x text.  I think it deserves
>> mention in the security considerations, because it is a security
>> consideration.  But I don't think that should be the first occurrence.
>> If the duplication is bothersome, then just use the 2.x text.
>>
>> Thank you,
>> Joel
>> _______________________________________________
>> savi mailing list
>> savi@ietf.org
>> https://www.ietf.org/mailman/listinfo/savi
>>
>
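
The traceability use described in the proposed 2.x text, as an added example that is not part of this thread or of the draft: a device logs creation, modification and removal of address bindings, and a responder later replays that log to find which binding anchor held a reported source address at a given time. The record layout, class and function names, port labels, addresses and timestamps are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Event kinds mirror the three changes the proposed text asks devices to log.
CREATE, MODIFY, REMOVE = "create", "modify", "remove"

@dataclass(frozen=True)
class BindingEvent:
    ts: float               # seconds, constructed values
    kind: str
    ip: str
    anchor: Optional[str]   # binding anchor, e.g. a switch port; None on removal

class BindingLog:
    """Append-only record of binding changes on one SAVI device (hypothetical)."""
    def __init__(self) -> None:
        self.events: List[BindingEvent] = []
        self.table: Dict[str, str] = {}   # live bindings: ip -> anchor

    def bind(self, ts: float, ip: str, anchor: str) -> None:
        if self.table.get(ip) == anchor:
            return                        # refresh of an unchanged binding: no event
        kind = MODIFY if ip in self.table else CREATE
        self.table[ip] = anchor
        self.events.append(BindingEvent(ts, kind, ip, anchor))

    def unbind(self, ts: float, ip: str) -> None:
        if self.table.pop(ip, None) is not None:
            self.events.append(BindingEvent(ts, REMOVE, ip, None))

    def holder_at(self, ip: str, ts: float) -> Optional[str]:
        """Replay the log: which anchor held `ip` at time `ts`, if any?"""
        holder = None
        for ev in self.events:            # events are appended in time order
            if ev.ts > ts:
                break
            if ev.ip == ip:
                holder = ev.anchor        # becomes None after a remove event
        return holder

def demo_log() -> BindingLog:
    # Constructed sequence: one address held by three different ports over time.
    log = BindingLog()
    log.bind(100.0, "2001:db8::a", "port-3")
    log.bind(160.0, "2001:db8::a", "port-3")   # refresh, not logged
    log.unbind(200.0, "2001:db8::a")
    log.bind(250.0, "2001:db8::a", "port-7")   # a different host claims it
    log.bind(300.0, "2001:db8::a", "port-9")   # binding moves: modify
    return log

if __name__ == "__main__":
    log = demo_log()
    for t in (150.0, 220.0, 260.0, 310.0):
        print(t, log.holder_at("2001:db8::a", t))
```

The live binding table alone would answer only "port-9"; the logged history is what lets a report timestamped earlier be traced to the anchor that held the address then.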