Re: [secdir] SecDir review of draft-ietf-opsawg-syslog-msg-mib-04
"David Harrington" <ietfdbh@comcast.net> Mon, 20 July 2009 20:40 UTC
From: David Harrington <ietfdbh@comcast.net>
To: 'Magnus Nyström' <magnus@rsa.com>, iesg@ietf.org, secdir@ietf.org, secdir-secretary@mit.edu, j.schoenwalder@jacobs-university.de, alex@cisco.com, akarmaka@cisco.com, sob@harvard.edu, ted.a.seely@sprint.com
Date: Mon, 20 Jul 2009 16:37:49 -0400
Hi,

MIBs are written using SMIv2. I don't believe SMIv2 supports the range on a SEQUENCE.

As Dan pointed out, the recommendation of SNMP versions is boilerplate that was worked out between Security and OPS ADs.

dbh

> -----Original Message-----
> From: secdir-bounces@ietf.org
> [mailto:secdir-bounces@ietf.org] On Behalf Of Magnus Nyström
> Sent: Monday, July 20, 2009 11:30 AM
> To: iesg@ietf.org; secdir@ietf.org; secdir-secretary@mit.edu;
> j.schoenwalder@jacobs-university.de; alex@cisco.com;
> akarmaka@cisco.com; sob@harvard.edu; ted.a.seely@sprint.com
> Subject: [secdir] SecDir review of draft-ietf-opsawg-syslog-msg-mib-04
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Background
> ----------
> This document defines a MIB module for use when mapping SYSLOG
> messages to SNMP notifications.
>
> Comments
> --------
>
> - In the SYSLOG-MSG-MIB module, the syslogMsgSDTable is defined with
>   the syntax
>
>     SEQUENCE OF SyslogMsgSDEntry
>
>   Would it make sense to restrict this with an upper (and perhaps
>   lower) bound to reduce the risk of either non-interop or potential
>   attacks? E.g. like
>
>     SEQUENCE SIZE (1..<upper-bound>) OF SyslogMsgSDEntry
>
>   where <upper-bound> is replaced with something reasonable?
>
> - (Editorial) In the Security Considerations section, there is a
>   paragraph recommending against deployment of earlier versions of
>   SNMP. For clarity and correctness ("NOT RECOMMENDED" is not a key
>   word) I suggest this paragraph is rewritten to (several changes in
>   the below):
>
>     Further, SNMP versions prior to SNMPv3 SHOULD NOT be deployed.
>     Instead, SNMPv3 with enabled cryptographic security SHOULD be
>     deployed. It is then a customer/operator responsibility to ensure
>     that the SNMP entity giving access to an instance of this MIB
>     module is properly configured to give access to the objects only
>     to those principals (users) that indeed have legitimate rights to
>     GET or SET (change/create/delete) them.
>
> -- Magnus
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
>