Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 18 November 2015 10:16 UTC

Date: Wed, 18 Nov 2015 11:13:41 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Warren Kumari <warren@kumari.net>
Message-ID: <20151118101339.GA17028@elstar.local>
Mail-Followup-To: Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/G6ovXEWSpRxhaPhKUu_iG9KgnYs>
Cc: draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.

On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
> Be ye not afraid...
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
> MIB Variables using the IPFIX Protocol
> 
> Summary:
> LGTM, Security AD attention not required, modulo questions below.
> 
> I'm not quite sure what:
> "However if the exporter is a client of an SNMP engine on the same
>  device it MUST abide by existing SNMP security rules." is supposed to
> mean. What exactly are "existing SNMP security rules"? Those defined
> in RFCs? Configured on the device?

I agree that this statement is a bit confusing. In the SNMP world, a
client must authenticate against the agent and then the agent uses the
client's authenticated identity to apply access control rules. This text
talks about a client of an "SNMP engine", which is a bit confusing.

Perhaps the sentence was meant to say this:

     However, if the exporter is implemented as an SNMP manager
     accessing an SNMP agent, it MUST authenticate itself to the SNMP
     agent and the SNMP agent MUST enforce SNMP access control rules
     as it would for any other SNMP manager.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
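The proposed wording above (exporter authenticates to the agent; agent enforces its normal access control) maps directly onto the SNMPv3 USM/VACM configuration of an agent. The following snmpd.conf fragment is a constructed example added here, not text from the draft or from the email thread, showing the weak setting beside the form the proposed sentence calls for. The user name, passphrases, group and view names are assumptions chosen for illustration; the directives themselves are standard net-snmp snmpd.conf syntax.

```conf
# --- Weak setting (what the proposed MUST rules out) ---
# A plaintext SNMPv1/v2c community gives any sender that knows the string
# read access to the whole MIB; there is no authenticated identity for the
# agent to base access control on.
# rocommunity public

# --- SNMPv3 USM user for the exporter (assumed name and passphrases) ---
# The exporter, acting as an SNMP manager, authenticates as this principal.
# SHA for authentication, AES for privacy; the passphrases are placeholders.
createUser ipfix-exporter SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"

# --- VACM: map the authenticated identity to a group ---
# group <groupName> <securityModel> <securityName>
group ipfixGroup usm ipfix-exporter

# --- VACM: define the MIB subtree(s) this group may read ---
# Here only the interfaces MIB (IF-MIB, RFC 2863) is exposed; everything
# else remains invisible to the exporter just as it would to any other
# SNMP manager in this group.
view ifOnly included .1.3.6.1.2.1.2
view ifOnly included .1.3.6.1.2.1.31

# --- VACM: grant read-only access, requiring authPriv ---
# access <group> <context> <secModel> <secLevel> <prefix> <read> <write> <notify>
access ipfixGroup "" usm priv exact ifOnly none none
```

With this in place the agent treats the exporter exactly like any other SNMPv3 manager: a request with the wrong user, a lower security level than `priv`, or an OID outside the `ifOnly` view is rejected by the same USM/VACM checks that apply to everyone else. A quick check from the exporter host is an `snmpwalk -v3 -l authPriv -u ipfix-exporter ...` against an OID inside the view (should succeed) and one outside it (should return no such object or an authorization error).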