Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06
"Deepak Kumar (dekumar)" <dekumar@cisco.com> Tue, 18 August 2015 19:03 UTC
Return-Path: <dekumar@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 616471A026E; Tue, 18 Aug 2015 12:03:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0KCg8JIFXRkP; Tue, 18 Aug 2015 12:03:56 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B8BA1A026A; Tue, 18 Aug 2015 12:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15022; q=dns/txt; s=iport; t=1439924636; x=1441134236; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=el+TDZOMwyAARXmHqMajajHpsOqk5J0jaXq512GBg8I=; b=iqR6/iuRVpLxqA1N7ex0CJwqD+jsJeZBHXQR7abus0eMDJofDWe9tTso ii0JSnngEZptC50/cffLvOSqLrzikaMvSOWwtxFyQT/BcpQh8zfPsLamL bqtAd2CkRHZ2d/anOPTRPtJmTVImkW5/F4BRz1Iw6GpjxIxXyU7N36R9Q A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ChAgDxgNNV/4wNJK1UBgODG4E9BoMerm+LdQEJh3ICHIEbOBQBAQEBAQEBgQqEIwEBAQQ0NwMLEAIBCBEDAQIBBCgCAh8RHQgCBA4FiBkDEp8AnRUGkEINhVcBAQEBAQEBAQEBAQEBAQEBAQEBAQEXgRyJNIEDgk+BWAcKATYLEAcGDIJRgUkFlHcGJAGKfoFtgUqELIMag36EcnmHNiaCDhyBU3EBgQ06gQQBAQE
X-IronPort-AV: E=Sophos;i="5.15,703,1432598400"; d="scan'208";a="21563165"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-5.cisco.com with ESMTP; 18 Aug 2015 19:03:55 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id t7IJ3sk7015499 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 18 Aug 2015 19:03:55 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 18 Aug 2015 14:03:54 -0500
Received: from xhc-rcd-x13.cisco.com (173.37.183.87) by xch-aln-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1104.5 via Frontend Transport; Tue, 18 Aug 2015 14:03:54 -0500
Received: from xmb-aln-x12.cisco.com ([169.254.7.85]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.03.0248.002; Tue, 18 Aug 2015 14:03:53 -0500
From: "Deepak Kumar (dekumar)" <dekumar@cisco.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: SecDir Review for draft-ietf-trill-oam-mib-06
Thread-Index: AQHQ0h/BcaAYUFPCqUSY/FTM3NEj9Z4EXU0AgAGEgQCABK0YAP//jO8AgACUH4CAB5TcgP//qTQAgACM9ID//5CDgA==
Date: Tue, 18 Aug 2015 19:03:53 +0000
Message-ID: <D1F8CCE4.E23E2%dekumar@cisco.com>
References: <E79C135A-3020-4DE9-86A2-275AC76E7201@gmail.com> <D1ED54D2.E1671%dekumar@cisco.com> <CAF4+nEH9eVnLdBd5Bgpo6g_pNtqLCRZ1zokb5vsiRpiu9vOQMg@mail.gmail.com> <CAG4d1rfWGtn=wgAWp1L0tNHYegLzUf9L7pybQG9pkM-J7H39rQ@mail.gmail.com> <D1F2272D.E1A90%dekumar@cisco.com> <CAG4d1rci9QojrZQmpM1Jo8jVihEEXOjQ3kVQn45Nwsg0sq2hOQ@mail.gmail.com> <CAG4d1rdP2bX2ippyDTO0NVxNPb+ZgR8iD=zTxA2rcZsAVcKU7Q@mail.gmail.com> <D1F8B6B9.E22D3%dekumar@cisco.com> <CAHbuEH5aRUTGHwhgLrwLJCrvgE7SHFVDKYVG+PERUdQvg08iTw@mail.gmail.com>
In-Reply-To: <CAHbuEH5aRUTGHwhgLrwLJCrvgE7SHFVDKYVG+PERUdQvg08iTw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.4.150722
x-originating-ip: [173.37.102.25]
Content-Type: text/plain; charset="euc-kr"
Content-ID: <2F13780B22D7244E9BE20E2D8AFB0FDB@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KETBOKrbxqmpOPck75XL3O-wqaU>
Cc: secdir <secdir@ietf.org>, "draft-ietf-trill-oam-mib.all@tools.ietf.org" <draft-ietf-trill-oam-mib.all@tools.ietf.org>, Tissa Senevirathne <tsenevir@gmail.com>, Alia Atlas <akatlas@gmail.com>, The IESG <iesg@ietf.org>
Subject: Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 19:03:59 -0000
Hi Kathleen, I will update the draft tonight or by EOB tomorrow. Thanks, Deepak On 8/18/15, 11:42 AM, "Kathleen Moriarty" <kathleen.moriarty.ietf@gmail.com> wrote: >Deepak, > >The improvements help a lot to better explain the security >considerations. Let me know when this has been updated in the draft. > >Thanks, >Kathleen > >On Tue, Aug 18, 2015 at 1:18 PM, Deepak Kumar (dekumar) ><dekumar@cisco.com> wrote: >> Hi Yoav, >> >> Please review new draft text and provide comments. >> >> 8. Security Considerations >> >> This MIB relates to a system that will provide network connectivity and >> packet forwarding services. As such, improper manipulation of the >>objects >> represented by this MIB may result in denial of service to a large >>number of >> end-users. >> >> There are number of management objects defined in this MIB module with a >> MAX-ACCESS clause of read-create. Such objects may be considered >>sensitive >> or vulnerable in some network environments. The support for SET >>operations >> in a non-secure environment without proper protection can have negative >> effect on sensitivity/vulnerability: >> >> The following table and objects in the TRILL-OAM-MIB can be manipulated >>to >> to interfere with the operation of RBridges by causing cpu spike: >> >> o trillOamMepTransmitLbmReplyIp allows reply of Loopback message to be >> transmitted to Ip address in the TLV and thus allowing replies to be >>sent to >> any system or single single system to cause Denial of Service. >> >> o trillOamMepTransmitPtmReplyIp allows reply of Path Trace message to be >> transmitted to Ip address in the TLV and thus allowing replies to be >>sent to >> any system or single single system to cause Denial of Service. >> >> o trillOamMepTxPtmMessages allows generation of Ptm Messages and can be >>used >> to generate lots of cpu driven traffic. >> >> o trillOamMepTransmitMtvmReplyIp allows reply of Mtv message to be >> transmitted to Ip address in the TLV and thus allowing replies to be >>sent to >> any system or single single system to cause Denial of Service. >> >> o trillOamMepTxMtvmMessages allows generation of Mtv Messages and can be >> used to generate lots of cpu driven traffic. >> >> Some of the readable objects in this MIB module (i.e., objects with a >> MAX-ACCESS other than not-accessible) may be considered sensitive or >> vulnerable in some network environments. It is thus important to >>control GET >> and/or NOTIFY access to these objects and possibly to encrypt the >>values of >> these objects when sending them over the network via SNMP. For example, >>Path >> trace message expose unicast topology of network and Multi-destination >>Tree >> verification message expose multicast tree topology of network and this >> information should not be available to all users of the network. >> >> SNMP version prior to SNMPv3 did not include adequate security. Even if >>the >> network itself is secure(for example by using IPsec), there is no >>control as >> to who on the secure network is allowed to access and GET/SET >> (read/change/create/delete) the objects in this MIB module. >> >> Implementation should provide the security features described by SNMPv3 >> framework (see [RFC3410]), and implementations claiming compliance to >>the >> SNMPv3 standard MUST include full support for authentication and >>privacy via >> the User-based Security Model (USM)[RFC3414] with the AES cipher >>algorithm >> [RFC3826]. Implementations MAY also provide support for the Transport >> Security Model (TSM) [RFC5591] in combination with a secure transport >>such >> as SSH [RFC5592] or TLS/DTLS [RFC6353]. >> >> Further, deployment of SNMP version prior to SNMPv3 is NOT RECOMMENDED. >> Instead, deployment of SNMPv3 with cryptographic security enabled is >> RECOMMENDED. It is then a customer/operator responsibility to ensure >>that >> the SNMP entity giving access to an instance of this MIB module is >>properly >> configured to give only those principals (users) that have legitimate >>rights >> to indeed GET or SET (change/create/delete) them access to the objects. >> >> Thanks, >> Deepak >> >> From: Alia Atlas <akatlas@gmail.com> >> Date: Tuesday, August 18, 2015 at 8:29 AM >> To: dekumar <dekumar@cisco.com> >> Cc: "d3e3e3@gmail.com" <d3e3e3@gmail.com>, >> "draft-ietf-trill-oam-mib.all@tools.ietf.org" >> <draft-ietf-trill-oam-mib.all@tools.ietf.org>, Tissa Senevirathne >> <tsenevir@gmail.com>, The IESG <iesg@ietf.org>, Yoav Nir >> <ynir.ietf@gmail.com>, secdir <secdir@ietf.org> >> >> Subject: Re: SecDir Review for draft-ietf-trill-oam-mib-06 >> >> Are you updating the draft or does Kathleen have to put a Discuss in? >> >> Thanks, >> Alia >> >> On Thu, Aug 13, 2015 at 3:42 PM, Alia Atlas <akatlas@gmail.com> wrote: >>> >>> thanks - the IESG generally begins reading drafts for the telechat >>>about >>> now - a week in advance. >>> >>> Regards, >>> Alia >>> >>> On Thu, Aug 13, 2015 at 1:52 PM, Deepak Kumar (dekumar) >>> <dekumar@cisco.com> wrote: >>>> >>>> Hi Alia, >>>> >>>> I will be able to take care of all comments over weekend. >>>> >>>> Thanks, >>>> Deepak >>>> >>>> From: Alia Atlas <akatlas@gmail.com> >>>> Date: Thursday, August 13, 2015 at 10:44 AM >>>> To: "d3e3e3@gmail.com" <d3e3e3@gmail.com> >>>> Cc: dekumar <dekumar@cisco.com>, >>>> "draft-ietf-trill-oam-mib.all@tools.ietf.org" >>>> <draft-ietf-trill-oam-mib.all@tools.ietf.org>, Tissa Senevirathne >>>> <tsenevir@gmail.com>, The IESG <iesg@ietf.org>, Yoav Nir >>>> <ynir.ietf@gmail.com>, secdir <secdir@ietf.org> >>>> Subject: Re: SecDir Review for draft-ietf-trill-oam-mib-06 >>>> >>>> Hi Deepak, >>>> >>>> Are you planning on publishing an updated draft today? >>>> I'd like to move the draft ahead to IESG Evaluation. >>>> >>>> Thanks, >>>> Alia >>>> >>>> On Mon, Aug 10, 2015 at 2:19 PM, Donald Eastlake <d3e3e3@gmail.com> >>>> wrote: >>>>> >>>>> HI Deepak, >>>>> >>>>> On Sun, Aug 9, 2015 at 10:07 PM, Deepak Kumar (dekumar) >>>>> <dekumar@cisco.com> wrote: >>>>> > Hi Yoav, >>>>> > >>>>> > Thanks for review and comments. Please advise if we need to fix the >>>>> > nits >>>>> > and comments and upload new version as I am not sure about >>>>>procedure >>>>> > of >>>>> > fixing comments during last call. >>>>> > >>>>> > Tissa has moved out of Cisco and working in another Company, I >>>>>don¹t >>>>> > have >>>>> > privy of his new contact so I will contact him to get new contact >>>>>and >>>>> > update the document also. >>>>> >>>>> I've added Tissa to the cc list above. I believe that for now he >>>>>wants >>>>> to be listed with "Consultant" as his affiliation and with email >>>>> address <tsenevir@gmail.com>. >>>>> >>>>> The IETF LC ends the 13th, in a few days. I suggest that you update >>>>> the contact info for Tissa, spell out OAM, and update the >>>>> MODULE-IDENTITY, since those don't seem like they would be >>>>> controversial. For any changes to the Security Considerations text, I >>>>> suggest you post proposed text in this thread before editing it in. >>>>> >>>>> Thanks, >>>>> Donald (Shepherd) >>>>> ============================= >>>>> Donald E. Eastlake 3rd +1-508-333-2270 (cell) >>>>> 155 Beaver Street, Milford, MA 01757 USA >>>>> d3e3e3@gmail.com >>>>> >>>>> > Thanks, >>>>> > Deepak >>>>> > >>>>> > On 8/8/15, 2:18 PM, "Yoav Nir" <ynir.ietf@gmail.com> wrote: >>>>> > >>>>> >>Hi. >>>>> >> >>>>> >>I have reviewed this document as part of the security directorate's >>>>> >>ongoing effort to review all IETF documents being processed by the >>>>> >> IESG. >>>>> >>These comments were written primarily for the benefit of the >>>>>security >>>>> >>area directors. Document editors and WG chairs should treat these >>>>> >>comments just like any other last call comments. >>>>> >> >>>>> >>TL;DR: The document is ready with nits. >>>>> >> >>>>> >>The document contains a MIB for operations, administration, and >>>>> >>maintenance (OAM) of TRILL. As is common for such documents, 34 of >>>>>its >>>>> >> 45 >>>>> >>pages is section 7 ("Definition of the TRILL OAM MIB module²). >>>>>Being >>>>> >> an >>>>> >>expert on neither TRILL nor MIBs I have mostly skipped that >>>>>section. >>>>> >> >>>>> >>Usually with MIB documents, the security considerations for the >>>>> >> protocol >>>>> >>(several TRILL RFCs in this case) are in the protocol documents, >>>>>while >>>>> >>the security considerations for SNMP are in the SNMP document (RFC >>>>> >> 3410). >>>>> >>The MIB document only points data that is sensitive (in terms of >>>>> >> privacy >>>>> >>or information leakage), and data which is dangerous in the sense >>>>>that >>>>> >>falsified or modified data could lead to damage. >>>>> >> >>>>> >>In this document the Security Considerations section does a good >>>>>job >>>>> >> of >>>>> >>explaining that modified data can lead to changes in routing and >>>>> >>potentially to denial of service. The second paragraph is a little >>>>> >>hand-wavy for my taste: >>>>> >> >>>>> >> There are number of management objects defined in this MIB >>>>>module >>>>> >> with a MAX-ACCESS clause of read-create. Such objects may be >>>>> >> considered sensitive or vulnerable in some network environments. >>>>> >> >>>>> >>What network environment? Why in some but not in others? The third >>>>> >>paragraph is similar: >>>>> >> >>>>> >> Some of the readable objects in this MIB module (objects with a >>>>> >> MAC- >>>>> >> ACCESS other than not-accessible) may be considered sensitive or >>>>> >> vulnerable in some network environments. >>>>> >> >>>>> >>The section concludes with text that looks very familiar from other >>>>> >> MIB >>>>> >>documents, basically saying that you should use SNMPv3 because it >>>>>has >>>>> >>protections whereas earlier versions don¹t. It is also important to >>>>> >> have >>>>> >>proper access control rules. One nit is that the section says that >>>>>the >>>>> >>cryptographic mechanisms in SNMPv3 provide ³privacy². As of late we >>>>> >> tend >>>>> >>to use that word for the protection of information about humans, >>>>>not >>>>> >> so >>>>> >>much about link status. >>>>> >> >>>>> >>A few general nits: >>>>> >> - In most documents that I see, the content of sections 1-4 is in >>>>>a >>>>> >>single section. >>>>> >> - OAM is not expanded before first use. >>>>> >> - The MODULE-IDENTITY has ³TBD² for ORGANIZATION and authors¹ >>>>>names >>>>> >> in >>>>> >>CONTACT-INFO. looking at a few recent MIB documents, the working >>>>>group >>>>> >> is >>>>> >>usually given as ORGANIZATION and its mailing list is given as >>>>>contact >>>>> >>info. >>>>> >> >>>>> >>Yoav >>>>> >> >>>>> > >>>>> >>>> >>> >> > > > >-- > >Best regards, >Kathleen
- [secdir] SecDir Review for draft-ietf-trill-oam-m… Yoav Nir
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Yoav Nir
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Deepak Kumar (dekumar)
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Donald Eastlake
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Alia Atlas
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Deepak Kumar (dekumar)
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Alia Atlas
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Kathleen Moriarty
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Alia Atlas
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Deepak Kumar (dekumar)
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Kathleen Moriarty
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Deepak Kumar (dekumar)
- Re: [secdir] SecDir Review for draft-ietf-trill-o… Yoav Nir