IETF Logo Mail Archive

Re: [secdir] SecDir review of draft-ietf-opsawg-syslog-msg-mib-04

"David Harrington" <ietfdbh@comcast.net> Mon, 20 July 2009 20:40 UTC

Return-Path: <ietfdbh@comcast.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 85CF03A6AF8 for <secdir@core3.amsl.com>; Mon, 20 Jul 2009 13:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[AWL=1.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WIVrM6AsNX5p for <secdir@core3.amsl.com>; Mon, 20 Jul 2009 13:40:30 -0700 (PDT)
Received: from QMTA08.westchester.pa.mail.comcast.net (qmta08.westchester.pa.mail.comcast.net [76.96.62.80]) by core3.amsl.com (Postfix) with ESMTP id 732AA3A6802 for <secdir@ietf.org>; Mon, 20 Jul 2009 13:40:29 -0700 (PDT)
Received: from OMTA09.westchester.pa.mail.comcast.net ([76.96.62.20]) by QMTA08.westchester.pa.mail.comcast.net with comcast id JKyh1c0040SCNGk58LdrUa; Mon, 20 Jul 2009 20:37:51 +0000
Received: from Harrington73653 ([24.147.240.21]) by OMTA09.westchester.pa.mail.comcast.net with comcast id JLdq1c0070UQ6dC3VLdqko; Mon, 20 Jul 2009 20:37:51 +0000
From: David Harrington <ietfdbh@comcast.net>
To: 'Magnus Nyström' <magnus@rsa.com>, iesg@ietf.org, secdir@ietf.org, secdir-secretary@mit.edu, j.schoenwalder@jacobs-university.de, alex@cisco.com, akarmaka@cisco.com, sob@harvard.edu, ted.a.seely@sprint.com
References: <Pine.WNT.4.64.0805121031000.2612@W-JNISBETTEST-1.tablus.com><Pine.WNT.4.64.0811051802030.7640@W-JNISBETTEST-1.tablus.com><Pine.WNT.4.64.0812101529200.3888@W-JNISBETTEST-1.tablus.com><Pine.WNT.4.64.0902161338530.5224@W-JNISBETTEST-1.tablus.com><Pine.WNT.4.64.0905032241410.5248@W-JNISBETTEST-1.tablus.com><Pine.WNT.4.64.0906142309020.632@W-JNISBETTEST-1.tablus.com> <Pine.WNT.4.64.0907200900100.6844@W-JNISBETTEST-1.tablus.com>
Date: Mon, 20 Jul 2009 16:37:49 -0400
Message-ID: <1c7b01ca0979$f2c0b9d0$0600a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-reply-to: <Pine.WNT.4.64.0907200900100.6844@W-JNISBETTEST-1.tablus.com>
Thread-Index: AcoJTwVURrAVHFgARtaldH15otnGHAAKrloA
Subject: Re: [secdir] SecDir review of draft-ietf-opsawg-syslog-msg-mib-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2009 20:40:31 -0000

Hi,

MIBs arewritten using SMIv2. I don't believe SMIv2 supports the range
on a SEQUENCE.

As Dan pointed out, the recommendation of SNMP versions is boilerplate
that was worked out between Security and OPS ADs.

dbh 

> -----Original Message-----
> From: secdir-bounces@ietf.org 
> [mailto:secdir-bounces@ietf.org] On Behalf Of Magnus Nyström
> Sent: Monday, July 20, 2009 11:30 AM
> To: iesg@ietf.org; secdir@ietf.org; secdir-secretary@mit.edu; 
> j.schoenwalder@jacobs-university.de; alex@cisco.com; 
> akarmaka@cisco.com; sob@harvard.edu; ted.a.seely@sprint.com
> Subject: [secdir] SecDir review of
draft-ietf-opsawg-syslog-msg-mib-04
> 
> I have reviewed this document as part of the security 
> directorate's ongoing 
> effort to review all IETF documents being processed by the 
> IESG. These 
> comments were written primarily for the benefit of the security area

> directors.  Document editors and WG chairs should treat these 
> comments just 
> like any other last call comments.
> 
> Background
> ----------
> This document defines a MIB module for use when mapping 
> SYSLOG messages to 
> SNMP notifications.
> 
> Comments
> --------
> 
> - In the SYSLOG-MSG-MIB module, the syslogMsgSDTable is 
> defined with the
>    syntax
> 
>    SEQUENCE OF SyslogMsgSDEntry
> 
>    Would it make sense to restrict this with an upper (and 
> perhaps lower)
>    bound to reduce the risk of either non-interop or 
> potential attacks?
>    E.g. like
> 
>    SEQUENCE SIZE (1..<upper-bound>) OF SyslogMsgSDEntry
> 
>    where <upper-bound> is replaced with something reasonable?
> 
> - (Editorial) In the Security Considerations section, there 
> is a paragraph
>    recommending against deployment of earlier versions of SNMP. For
>    clarity and correctness ("NOT RECOMMENDED" is not a key 
> word) I suggest
>    this paragraph is rewritten to (several changes in the below):
> 
>     Further, SNMP versions prior to SNMPv3 SHOULD NOT be deployed.
>     Instead, SNMPv3 with enabled cryptographic security 
> SHOULD be deployed.
>     It is then a customer/operator responsibility to ensure 
> that the SNMP
>     entity giving access to an instance of this MIB module is
properly
>     configured to give access to the objects only to those
principals
>     (users) that indeed have legitimate rights to GET or SET
>     (change/create/delete) them.
> 
> -- Magnus
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
>

v2.23.0 | Report a Bug | By Email