[secdir] SECDIR review of draft-ietf-eman-energy-aware-mib-15
Stephen Kent <kent@bbn.com> Tue, 24 June 2014 15:49 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C4781B2DF9 for <secdir@ietfa.amsl.com>; Tue, 24 Jun 2014 08:49:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.151
X-Spam-Level:
X-Spam-Status: No, score=-2.151 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RiJx6LuKPF1n for <secdir@ietfa.amsl.com>; Tue, 24 Jun 2014 08:49:17 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88F201B2D70 for <secdir@ietf.org>; Tue, 24 Jun 2014 08:48:08 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:59572 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WzSxE-000KpZ-H3; Tue, 24 Jun 2014 11:48:17 -0400
Message-ID: <53A99DB2.5050707@bbn.com>
Date: Tue, 24 Jun 2014 11:48:02 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, bclaise@cisco.com, jparello@cisco.com, moulchan@cisco.com, n.brownlee@auckland.ac.nz, tnadeau@lucidvision.com, joel jaeggli <joelja@bogus.com>
Content-Type: multipart/alternative; boundary="------------060605060003090203090209"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/0Tm5J20cE1UbrCt6BrMrTUErRB8
Subject: [secdir] SECDIR review of draft-ietf-eman-energy-aware-mib-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jun 2014 15:49:22 -0000
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.These comments were written primarily for the benefit of the security area directors.Document editors and WG chairs should treat these comments just like any other last call comments. Since I am not a MIB expert, my comments are strictly related to the security-relevant aspects of this document. This document, as its name implies, defines a MIB for energy management devices. Given increasing concern over security in the so-called "cyber-physical" realm, a MIB for such devices clearly merits scrutiny. Also, to the extent that such devices (e.g., meters) might be associated with residences, there are personal privacy issues that ought to be addressed, in the PERPASS era. The document is clearly written; my compliments to the authors in that regard. The one odd thing I noted was that Sections 11.1 and 11.2 appear between Sections 6 and 7! I think this was a cut and paste error that is easily remedied. The Security Considerations section (7) is about one-half page in length. I have several concerns with the text here. First, the text says "It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP." This seems to be an understatement. I'd like to see the text here RECOMMEND use of encryption to provide confidentiality. This would be supportive of personal privacy, in residential contexts, and physical security in residential and enterprise settings. I can imagine a movie in which burglars use a lack of encryption to gain critical information about building infrastructure from a an energy MIB J. The text later says "There are a number of management objects defined in these MIB modules with a MAX-ACCESS clause of read-write and/or read-create.Such objects MAY be considered sensitive or vulnerable in some network environments.The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. Again, this strikes me as a significant understatement, i.e., the scope of the "negative effect" could be much broader that just a network. (Power outlets are cited as examples of objects, so anything plugged into an outlet could be effected, right?) There should be more emphasis on the need for access control. The text later says "SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example, by using IPsec), there is still no secure control over who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in these MIB modules." This is a misleading. IPsec natively provides access control. It would be accurate to say that the access controls offered by IPsec would only limit who could access the MIB. What the authors seem to suggest here is finer-grained access control, so that one can manage GET/SET privileges for the set of individuals who are authorized to connect to the MIB via the SMTP port, right? The text discussing use of SNMPv3 security is a bit confusing. It RECOMMENDS that implementers "consider" SMNPv3 security features, but then says deployment of SNMP versions prior to v3 is NOT RECOMMENDED. The first paragraph discussing this topic deals with thinking about support (vs. use) of SNMPv3, while the second paragraph makes a much stronger statement about deployment. It would be more consistent to mandate support (MUST or SHOULD) for SNMPv3 in entities that incorporate this MIB. Separately the document can RECOMMEND enabling SNMPv3 security features in deployments, for the reasons cited.
- [secdir] SECDIR review of draft-ietf-eman-energy-… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-eman-ene… Juergen Schoenwaelder
- Re: [secdir] SECDIR review of draft-ietf-eman-ene… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-eman-ene… Benoit Claise
- Re: [secdir] SECDIR review of draft-ietf-eman-ene… Benoit Claise