Re: [secdir] SECDIR review of draft-ietf-eman-energy-aware-mib-15

Benoit Claise <> Tue, 01 July 2014 11:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BF2361A003A for <>; Tue, 1 Jul 2014 04:26:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.152
X-Spam-Status: No, score=-15.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i_vG_VbuOLpv for <>; Tue, 1 Jul 2014 04:26:06 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3A3D11A0047 for <>; Tue, 1 Jul 2014 04:26:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=4965; q=dns/txt; s=iport; t=1404213966; x=1405423566; h=message-id:date:from:mime-version:to:subject:references: in-reply-to:content-transfer-encoding; bh=JCJEVDv6L8iLBaY74CQr6Mc3QPiqdlCpTzupwtPZoZA=; b=Yz3BWeuVkrKcqVKw/MCjRLWRxa/r7J/FSqs4EZ7ex+ydiW1RmtKXgX9/ HG4KfsGNMqrDsG22czUXMGleS4shQuUgW+U7oaqJPZsCIqZKPSSNXOahH itAoj09NjrYKKnXBpkZS9jkksBASMVJY8NO397CyvMu1mrYBFqiu2hU6w c=;
X-IronPort-AV: E=Sophos;i="5.01,581,1400025600"; d="scan'208";a="97466749"
Received: from (HELO ([]) by with ESMTP; 01 Jul 2014 11:26:05 +0000
Received: from [] ( []) by (8.14.5/8.14.5) with ESMTP id s61BQ3xe011468; Tue, 1 Jul 2014 11:26:04 GMT
Message-ID: <>
Date: Tue, 01 Jul 2014 13:26:03 +0200
From: Benoit Claise <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Stephen Kent <>, secdir <>,,,,, joel jaeggli <>
References: <> <20140624204718.GB19710@elstar.local>
In-Reply-To: <20140624204718.GB19710@elstar.local>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] SECDIR review of draft-ietf-eman-energy-aware-mib-15
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Jul 2014 11:26:08 -0000

Hi Stephen,

Thanks for your review.
We will post a new draft version with this boilerplate at
Our mistake for using a previous boilerplate.

Regards, Benoit
> Hi,
> there is a security boilerplate that we are following.
> If you think this is not appropriate anymore, we need to have a
> discussion to update the boilerplate instead of debating specific MIB
> modules.  Note that this topic comes up periodically - usually without
> much changes to the boilerplate at the end. Lets see the result this
> time. ;-)
> /js
> On Tue, Jun 24, 2014 at 11:48:02AM -0400, Stephen Kent wrote:
>> I reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.These
>> comments were written primarily for the benefit of the security area
>> directors.Document editors and WG chairs should treat these comments
>> just like any other last call comments. Since I am not a MIB expert, my
>> comments are strictly related to the security-relevant aspects of this
>> document.
>> This document, as its name implies, defines a MIB for energy management
>> devices. Given increasing concern over security in the so-called
>> "cyber-physical" realm, a MIB for such devices clearly merits scrutiny.
>> Also, to the extent that such devices (e.g., meters) might be associated
>> with residences, there are personal privacy issues that ought to be
>> addressed, in the PERPASS era.
>> The document is clearly written; my compliments to the authors in that
>> regard. The one odd thing I noted was that Sections 11.1 and 11.2 appear
>> between Sections 6 and 7! I think this was a cut and paste error that is
>> easily remedied.
>> The Security Considerations section (7) is about one-half page in
>> length. I have several concerns with the text here.
>> First, the text says "It is thus important to control even GET and/or
>> NOTIFY access to these objects and possibly to even encrypt the values
>> of these objects when sending them over the network via SNMP." This
>> seems to be an understatement. I'd like to see the text here RECOMMEND
>> use of encryption to provide confidentiality. This would be supportive
>> of personal privacy, in residential contexts, and physical security in
>> residential and enterprise settings. I can imagine a movie in which
>> burglars use a lack of encryption to gain critical information about
>> building infrastructure from a an energy MIB J.
>> The text later says "There are a number of management objects defined in
>> these MIB modules with a MAX-ACCESS clause of read-write and/or
>> read-create.Such objects MAY be considered sensitive or vulnerable in
>> some network environments.The support for SET operations in a non-secure
>> environment without proper protection can have a negative effect on
>> network operations. Again, this strikes me as a significant
>> understatement, i.e., the scope of the "negative effect" could be much
>> broader that just a network. (Power outlets are cited as examples of
>> objects, so anything plugged into an outlet could be effected, right?)
>> There should be more emphasis on the need for access control.
>> The text later says "SNMP versions prior to SNMPv3 did not include
>> adequate security. Even if the network itself is secure (for example, by
>> using IPsec), there is still no secure control over who on the secure
>> network is allowed to access and GET/SET (read/change/create/delete) the
>> objects in these MIB modules." This is a misleading. IPsec natively
>> provides access control. It would be accurate to say that the access
>> controls offered by IPsec would only limit who could access the MIB.
>> What the authors seem to suggest here is finer-grained access control,
>> so that one can manage GET/SET privileges for the set of individuals who
>> are authorized to connect to the MIB via the SMTP port, right?
>> The text discussing use of SNMPv3 security is a bit confusing.
>> It RECOMMENDS that implementers "consider" SMNPv3 security features, but
>> then says deployment of SNMP versions prior to v3 is NOT RECOMMENDED.
>> The first paragraph discussing this topic deals with thinking about
>> support (vs. use) of SNMPv3, while the second paragraph makes a much
>> stronger statement about deployment. It would be more consistent to
>> mandate support (MUST or SHOULD) for SNMPv3 in entities that incorporate
>> this MIB. Separately the document can RECOMMEND enabling SNMPv3 security
>> features in deployments, for the reasons cited.
>> _______________________________________________
>> secdir mailing list
>> wiki: