Re: [secdir] [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx

Tal Mizrahi <talmi@marvell.com> Thu, 30 July 2015 06:44 UTC

From: Tal Mizrahi <talmi@marvell.com>
To: Olafur Gudmundsson <ogud@ogud.com>, ietf <ietf@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, "draft-mm-netconf-time-capability.all@ietf.org" <draft-mm-netconf-time-capability.all@ietf.org>
Thread-Topic: [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx
Thread-Index: AQHQykPII6R5rilafEWsJYafMYxlJp3zkXSQ
Date: Thu, 30 Jul 2015 06:44:26 +0000
Message-ID: <0bde13a98445401fb9a19a1c950f77f2@IL-EXCH01.marvell.com>
References: <B1C78188-0906-48BC-8E94-52B42442CABF@ogud.com>
In-Reply-To: <B1C78188-0906-48BC-8E94-52B42442CABF@ogud.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/IlLKpxbC7QcbdIsiJc9p1YkgQqI>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx

Hi Olafur,

Thanks for the feedback.

>This capability allows an attacker, once it has gained access, to schedule events in the future even
>though the attacker's access has been detected and revoked.

We will add a paragraph that describes this potential threat to the next version of the draft.

Thanks,
Tal.

From: Netconf [mailto:netconf-bounces@ietf.org] On Behalf Of Olafur Gudmundsson
Sent: Thursday, July 30, 2015 12:16 AM
To: ietf; netconf@ietf.org; draft-mm-netconf-time-capability.all@ietf.org
Cc: secdir@ietf.org
Subject: [Netconf] Sec-Dir Review: draft-mm-netconf-time-capability-05.tx

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is ready for publication.
The document is well written.

The security considerations are clear and accurate. I would like to highlight one omission, though.
This capability allows an attacker, once it has gained access, to schedule events in the future even
though the attacker's access has been detected and revoked.

Olafur
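A defensive illustration of the omission raised in the review, added here and not part of the thread or of the draft: a toy scheduler, in the spirit of the scheduled-RPC mechanism the draft describes, that records which authenticated principal queued each future operation, so that revoking that principal also cancels whatever it left pending and refuses new scheduled work from it. The class and function names are my own assumptions, not names from the draft.

```python
"""Toy model of scheduled-RPC bookkeeping (constructed example, not the draft's
protocol): each future operation is tied to the principal that scheduled it,
so revoking the principal also cancels what it left in the queue."""
from dataclasses import dataclass
from typing import List


@dataclass
class ScheduledOp:
    op_id: int
    principal: str          # authenticated user that issued the scheduled RPC
    execute_at: float       # scheduled execution time (seconds, constructed)
    rpc: str                # e.g. "edit-config"; placeholder for the payload
    cancelled: bool = False


class Scheduler:
    def __init__(self) -> None:
        self._ops: List[ScheduledOp] = []
        self._revoked: set = set()
        self._next = 1

    def schedule(self, principal: str, execute_at: float, rpc: str) -> ScheduledOp:
        # Refuse new scheduled work from principals whose access is already revoked.
        if principal in self._revoked:
            raise PermissionError(f"{principal} is revoked")
        op = ScheduledOp(self._next, principal, execute_at, rpc)
        self._next += 1
        self._ops.append(op)
        return op

    def revoke(self, principal: str) -> List[int]:
        """Revoke a principal and cancel every operation it still has pending.
        Returns the cancelled op ids so an operator can audit them."""
        self._revoked.add(principal)
        cancelled = []
        for op in self._ops:
            if op.principal == principal and not op.cancelled:
                op.cancelled = True
                cancelled.append(op.op_id)
        return cancelled

    def due(self, now: float) -> List[ScheduledOp]:
        """Operations that would run at time `now`; cancelled ones never run."""
        return [op for op in self._ops if not op.cancelled and op.execute_at <= now]
```

Without the link between principal and pending operation, revoking the session alone would leave the attacker's scheduled RPC in the queue to run later, which is exactly the gap the review points out.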