[secdir] Sector review of draft-ietf-manet-rfc6779bis-05

Vincent Roca <vincent.roca@inria.fr> Tue, 24 May 2016 06:37 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C5C8C12DC6B; Mon, 23 May 2016 23:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.345
X-Spam-Status: No, score=-8.345 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9eAU0dss7_Dq; Mon, 23 May 2016 23:37:25 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6A0012DC6C; Mon, 23 May 2016 23:37:21 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.26,359,1459807200"; d="asc'?scan'208,217";a="178778660"
Received: from geve.inrialpes.fr ([]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 24 May 2016 08:37:19 +0200
From: Vincent Roca <vincent.roca@inria.fr>
X-Pgp-Agent: GPGMail 2.6b2
Content-Type: multipart/signed; boundary="Apple-Mail=_6D272E8D-8DDC-4B4D-9C18-86D619D32699"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Date: Tue, 24 May 2016 08:37:18 +0200
Message-Id: <4673D914-BF52-4C1D-A559-64C1FBBE4FC2@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-manet-rfc6779bis.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/89Le7y0H9EkxGI67GwquwNJ_AV4>
Subject: [secdir] Sector review of draft-ietf-manet-rfc6779bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2016 06:37:28 -0000


I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: ready

The security considerations section is a carbon copy of that of RFC 6779 published in 2012. The only modification is the addition of a reference to "Mobile Ad Hoc Network (MANET)".

As explained by the authors, information contained in this MIB is highly sensitive, both from the security and privacy point of views. This is all the most true when considering some of the target use-cases (emergency services or military tactical applications).

If I find this section globally well written. I'm just a bit surprised by the following sentence:
	"It is thus important to control even GET and/or NOTIFY access to these objects
	 and possibly to even encrypt the values of these objects when sending them
	over the network via SNMP."
I would rather say that it is essential to encrypt and verify the integrity of all the SNMP traffic. Here I find the style not sufficiently directive... But this is a detail.