Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06

Alia Atlas <akatlas@gmail.com> Thu, 13 August 2015 19:42 UTC

Return-Path: <akatlas@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7679D1B3A09; Thu, 13 Aug 2015 12:42:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.999
X-Spam-Level:
X-Spam-Status: No, score=-100.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3oJ3QKnF8cd; Thu, 13 Aug 2015 12:42:42 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE3D71B3A15; Thu, 13 Aug 2015 12:42:31 -0700 (PDT)
Received: by oiev193 with SMTP id v193so32276942oie.3; Thu, 13 Aug 2015 12:42:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gBsUOyrxqmQKvFojFe8fodZnPyiWzPB3PE2GAn1gUYM=; b=u5p5CPmMnupskdmaLnDuP9AMYaFlX7vvW9AjpzXJQTgnFjtsvpg1mEnsGwDRTdGsLc 01KLm0lgrNszZr8F4NAVyh12+GmBuW0yGQoyawLo9eNxqK6ZTi4hzUDCqv3KKyQGgIs9 vmoEnkUFqzFuhfBvYIAzQUHqOE69R6ZikpAE7eTfipF72aFcMgRB90nV9A/cfoqjvvFf g8oEvRLZynaLuWobWw+OlnUKf8AiPGFhtKhcrKekTRqqqDj6qcoqvQ1BjaaWAwHovMYn j5qyTM8EpldXKORYU9PmzcOTLUnSeydmLUls24q+AxrIuHnYKsQtEN/sOW2xhZ9v88QI v/CQ==
MIME-Version: 1.0
X-Received: by 10.202.175.143 with SMTP id y137mr33089901oie.22.1439494951165; Thu, 13 Aug 2015 12:42:31 -0700 (PDT)
Received: by 10.60.41.99 with HTTP; Thu, 13 Aug 2015 12:42:31 -0700 (PDT)
In-Reply-To: <D1F2272D.E1A90%dekumar@cisco.com>
References: <E79C135A-3020-4DE9-86A2-275AC76E7201@gmail.com> <D1ED54D2.E1671%dekumar@cisco.com> <CAF4+nEH9eVnLdBd5Bgpo6g_pNtqLCRZ1zokb5vsiRpiu9vOQMg@mail.gmail.com> <CAG4d1rfWGtn=wgAWp1L0tNHYegLzUf9L7pybQG9pkM-J7H39rQ@mail.gmail.com> <D1F2272D.E1A90%dekumar@cisco.com>
Date: Thu, 13 Aug 2015 15:42:31 -0400
Message-ID: <CAG4d1rci9QojrZQmpM1Jo8jVihEEXOjQ3kVQn45Nwsg0sq2hOQ@mail.gmail.com>
From: Alia Atlas <akatlas@gmail.com>
To: "Deepak Kumar (dekumar)" <dekumar@cisco.com>
Content-Type: multipart/alternative; boundary="001a113ce89e386922051d368921"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Cmj6uLyU0bxVYgy58K2WAwrH5D8>
Cc: secdir <secdir@ietf.org>, "draft-ietf-trill-oam-mib.all@tools.ietf.org" <draft-ietf-trill-oam-mib.all@tools.ietf.org>, Tissa Senevirathne <tsenevir@gmail.com>, The IESG <iesg@ietf.org>
Subject: Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 19:42:44 -0000

thanks - the IESG generally begins reading drafts for the telechat about
now - a week in advance.

Regards,
Alia

On Thu, Aug 13, 2015 at 1:52 PM, Deepak Kumar (dekumar) <dekumar@cisco.com>
wrote:

> Hi Alia,
>
> I will be able to take care of all comments  over weekend.
>
> Thanks,
> Deepak
>
> From: Alia Atlas <akatlas@gmail.com>
> Date: Thursday, August 13, 2015 at 10:44 AM
> To: "d3e3e3@gmail.com" <d3e3e3@gmail.com>
> Cc: dekumar <dekumar@cisco.com>, "
> draft-ietf-trill-oam-mib.all@tools.ietf.org" <
> draft-ietf-trill-oam-mib.all@tools.ietf.org>, Tissa Senevirathne <
> tsenevir@gmail.com>, The IESG <iesg@ietf.org>, Yoav Nir <
> ynir.ietf@gmail.com>, secdir <secdir@ietf.org>
> Subject: Re: SecDir Review for draft-ietf-trill-oam-mib-06
>
> Hi Deepak,
>
> Are you planning on publishing an updated draft today?
> I'd like to move the draft ahead to IESG Evaluation.
>
> Thanks,
> Alia
>
> On Mon, Aug 10, 2015 at 2:19 PM, Donald Eastlake <d3e3e3@gmail.com> wrote:
>
>> HI Deepak,
>>
>> On Sun, Aug 9, 2015 at 10:07 PM, Deepak Kumar (dekumar)
>> <dekumar@cisco.com> wrote:
>> > Hi Yoav,
>> >
>> > Thanks for review and comments. Please advise if we need to fix the nits
>> > and comments and upload new version as I am not sure about procedure of
>> > fixing comments during last call.
>> >
>> > Tissa has moved out of Cisco and working in another Company, I don¹t
>> have
>> > privy of his new contact so I will contact him to get new contact and
>> > update the document also.
>>
>> I've added Tissa to the cc list above. I believe that for now he wants
>> to be listed with "Consultant" as his affiliation and with email
>> address <tsenevir@gmail.com>.
>>
>> The IETF LC ends the 13th, in a few days. I suggest that you update
>> the contact info for Tissa, spell out OAM, and update the
>> MODULE-IDENTITY, since those don't seem like they would be
>> controversial. For any changes to the Security Considerations text, I
>> suggest you post proposed text in this thread before editing it in.
>>
>> Thanks,
>> Donald (Shepherd)
>> =============================
>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>  155 Beaver Street, Milford, MA 01757 USA
>>  d3e3e3@gmail.com
>>
>> > Thanks,
>> > Deepak
>> >
>> > On 8/8/15, 2:18 PM, "Yoav Nir" <ynir.ietf@gmail.com> wrote:
>> >
>> >>Hi.
>> >>
>> >>I have reviewed this document as part of the security directorate's
>> >>ongoing effort to review all IETF documents being processed by the IESG.
>> >>These comments were written primarily for the benefit of the security
>> >>area directors.  Document editors and WG chairs should treat these
>> >>comments just like any other last call comments.
>> >>
>> >>TL;DR: The document is ready with nits.
>> >>
>> >>The document contains a MIB for operations, administration, and
>> >>maintenance (OAM) of TRILL. As is common for such documents, 34 of its
>> 45
>> >>pages is section 7 ("Definition of the TRILL OAM MIB module²). Being an
>> >>expert on neither TRILL nor MIBs I have mostly skipped that section.
>> >>
>> >>Usually with MIB documents, the security considerations for the protocol
>> >>(several TRILL RFCs in this case) are in the protocol documents, while
>> >>the security considerations for SNMP are in the SNMP document (RFC
>> 3410).
>> >>The MIB document only points data that is sensitive (in terms of privacy
>> >>or information leakage), and data which is dangerous in the sense that
>> >>falsified or modified data could lead to damage.
>> >>
>> >>In this document the Security Considerations section does a good job of
>> >>explaining that modified data can lead to changes in routing and
>> >>potentially to denial of service. The second paragraph is a little
>> >>hand-wavy for my taste:
>> >>
>> >>   There are number of management objects defined in this MIB module
>> >>   with a MAX-ACCESS clause of read-create. Such objects may be
>> >>   considered sensitive or vulnerable in some network environments.
>> >>
>> >>What network environment? Why in some but not in others? The third
>> >>paragraph is similar:
>> >>
>> >>   Some of the readable objects in this MIB module (objects with a MAC-
>> >>   ACCESS other than not-accessible) may be considered sensitive or
>> >>   vulnerable in some network environments.
>> >>
>> >>The section concludes with text that looks very familiar from other MIB
>> >>documents, basically saying that you should use SNMPv3 because it has
>> >>protections whereas earlier versions don¹t. It is also important to have
>> >>proper access control rules. One nit is that the section says that the
>> >>cryptographic mechanisms in SNMPv3 provide ³privacy². As of late we tend
>> >>to use that word for the protection of information about humans, not so
>> >>much about link status.
>> >>
>> >>A few general nits:
>> >> - In most documents that I see, the content of sections 1-4 is in a
>> >>single section.
>> >> - OAM is not expanded before first use.
>> >> - The MODULE-IDENTITY has ³TBD² for ORGANIZATION and authors¹ names in
>> >>CONTACT-INFO. looking at a few recent MIB documents, the working group
>> is
>> >>usually given as ORGANIZATION and its mailing list is given as contact
>> >>info.
>> >>
>> >>Yoav
>> >>
>> >
>>
>>
>