Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06

"Deepak Kumar (dekumar)" <dekumar@cisco.com> Tue, 18 August 2015 19:03 UTC

Return-Path: <dekumar@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 616471A026E; Tue, 18 Aug 2015 12:03:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0KCg8JIFXRkP; Tue, 18 Aug 2015 12:03:56 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B8BA1A026A; Tue, 18 Aug 2015 12:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15022; q=dns/txt; s=iport; t=1439924636; x=1441134236; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=el+TDZOMwyAARXmHqMajajHpsOqk5J0jaXq512GBg8I=; b=iqR6/iuRVpLxqA1N7ex0CJwqD+jsJeZBHXQR7abus0eMDJofDWe9tTso ii0JSnngEZptC50/cffLvOSqLrzikaMvSOWwtxFyQT/BcpQh8zfPsLamL bqtAd2CkRHZ2d/anOPTRPtJmTVImkW5/F4BRz1Iw6GpjxIxXyU7N36R9Q A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ChAgDxgNNV/4wNJK1UBgODG4E9BoMerm+LdQEJh3ICHIEbOBQBAQEBAQEBgQqEIwEBAQQ0NwMLEAIBCBEDAQIBBCgCAh8RHQgCBA4FiBkDEp8AnRUGkEINhVcBAQEBAQEBAQEBAQEBAQEBAQEBAQEXgRyJNIEDgk+BWAcKATYLEAcGDIJRgUkFlHcGJAGKfoFtgUqELIMag36EcnmHNiaCDhyBU3EBgQ06gQQBAQE
X-IronPort-AV: E=Sophos;i="5.15,703,1432598400"; d="scan'208";a="21563165"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-5.cisco.com with ESMTP; 18 Aug 2015 19:03:55 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id t7IJ3sk7015499 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 18 Aug 2015 19:03:55 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 18 Aug 2015 14:03:54 -0500
Received: from xhc-rcd-x13.cisco.com (173.37.183.87) by xch-aln-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1104.5 via Frontend Transport; Tue, 18 Aug 2015 14:03:54 -0500
Received: from xmb-aln-x12.cisco.com ([169.254.7.85]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.03.0248.002; Tue, 18 Aug 2015 14:03:53 -0500
From: "Deepak Kumar (dekumar)" <dekumar@cisco.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: SecDir Review for draft-ietf-trill-oam-mib-06
Thread-Index: AQHQ0h/BcaAYUFPCqUSY/FTM3NEj9Z4EXU0AgAGEgQCABK0YAP//jO8AgACUH4CAB5TcgP//qTQAgACM9ID//5CDgA==
Date: Tue, 18 Aug 2015 19:03:53 +0000
Message-ID: <D1F8CCE4.E23E2%dekumar@cisco.com>
References: <E79C135A-3020-4DE9-86A2-275AC76E7201@gmail.com> <D1ED54D2.E1671%dekumar@cisco.com> <CAF4+nEH9eVnLdBd5Bgpo6g_pNtqLCRZ1zokb5vsiRpiu9vOQMg@mail.gmail.com> <CAG4d1rfWGtn=wgAWp1L0tNHYegLzUf9L7pybQG9pkM-J7H39rQ@mail.gmail.com> <D1F2272D.E1A90%dekumar@cisco.com> <CAG4d1rci9QojrZQmpM1Jo8jVihEEXOjQ3kVQn45Nwsg0sq2hOQ@mail.gmail.com> <CAG4d1rdP2bX2ippyDTO0NVxNPb+ZgR8iD=zTxA2rcZsAVcKU7Q@mail.gmail.com> <D1F8B6B9.E22D3%dekumar@cisco.com> <CAHbuEH5aRUTGHwhgLrwLJCrvgE7SHFVDKYVG+PERUdQvg08iTw@mail.gmail.com>
In-Reply-To: <CAHbuEH5aRUTGHwhgLrwLJCrvgE7SHFVDKYVG+PERUdQvg08iTw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.4.150722
x-originating-ip: [173.37.102.25]
Content-Type: text/plain; charset="euc-kr"
Content-ID: <2F13780B22D7244E9BE20E2D8AFB0FDB@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KETBOKrbxqmpOPck75XL3O-wqaU>
Cc: secdir <secdir@ietf.org>, "draft-ietf-trill-oam-mib.all@tools.ietf.org" <draft-ietf-trill-oam-mib.all@tools.ietf.org>, Tissa Senevirathne <tsenevir@gmail.com>, Alia Atlas <akatlas@gmail.com>, The IESG <iesg@ietf.org>
Subject: Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 19:03:59 -0000

Hi Kathleen,

I will update the draft tonight or by EOB tomorrow.

Thanks,
Deepak

On 8/18/15, 11:42 AM, "Kathleen Moriarty"
<kathleen.moriarty.ietf@gmail.com> wrote:

>Deepak,
>
>The improvements help a lot to better explain the security
>considerations.  Let me know when this has been updated in the draft.
>
>Thanks,
>Kathleen
>
>On Tue, Aug 18, 2015 at 1:18 PM, Deepak Kumar (dekumar)
><dekumar@cisco.com> wrote:
>> Hi Yoav,
>>
>> Please review new draft text and provide comments.
>>
>> 8. Security Considerations
>>
>> This MIB relates to a system that will provide network connectivity and
>> packet forwarding services. As such, improper manipulation of the
>>objects
>> represented by this MIB may result in denial of service to a large
>>number of
>> end-users.
>>
>> There are number of management objects defined in this MIB module with a
>> MAX-ACCESS clause of read-create. Such objects may be considered
>>sensitive
>> or vulnerable in some network environments. The support for SET
>>operations
>> in a non-secure environment without proper protection can have negative
>> effect on sensitivity/vulnerability:
>>
>> The following table and objects in the TRILL-OAM-MIB can be manipulated
>>to
>> to interfere with the operation of RBridges by causing cpu spike:
>>
>> o trillOamMepTransmitLbmReplyIp allows reply of Loopback message to be
>> transmitted to Ip address in the TLV and thus allowing replies to be
>>sent to
>> any system or single single system to cause Denial of Service.
>>
>> o trillOamMepTransmitPtmReplyIp allows reply of Path Trace message to be
>> transmitted to Ip address in the TLV and thus allowing replies to be
>>sent to
>> any system or single single system to cause Denial of Service.
>>
>> o trillOamMepTxPtmMessages allows generation of Ptm Messages and can be
>>used
>> to generate lots of cpu driven traffic.
>>
>> o trillOamMepTransmitMtvmReplyIp allows reply of Mtv message to be
>> transmitted to Ip address in the TLV and thus allowing replies to be
>>sent to
>> any system or single single system to cause Denial of Service.
>>
>> o trillOamMepTxMtvmMessages allows generation of Mtv Messages and can be
>> used to generate lots of cpu driven traffic.
>>
>> Some of the readable objects in this MIB module (i.e., objects with a
>> MAX-ACCESS other than not-accessible) may be considered sensitive or
>> vulnerable in some network environments. It is thus important to
>>control GET
>> and/or NOTIFY access to these objects and possibly to encrypt the
>>values of
>> these objects when sending them over the network via SNMP. For example,
>>Path
>> trace message expose unicast topology of network and Multi-destination
>>Tree
>> verification message expose multicast tree topology of network and this
>> information should not be available to all users of the network.
>>
>> SNMP version prior to SNMPv3 did not include adequate security. Even if
>>the
>> network itself is secure(for example by using IPsec), there is no
>>control as
>> to who on the secure network is allowed to access and GET/SET
>> (read/change/create/delete) the objects in this MIB module.
>>
>> Implementation should provide the security features described by SNMPv3
>> framework (see [RFC3410]), and implementations claiming compliance to
>>the
>> SNMPv3 standard MUST include full support for authentication and
>>privacy via
>> the User-based Security Model (USM)[RFC3414] with the AES cipher
>>algorithm
>> [RFC3826]. Implementations MAY also provide support for the Transport
>> Security Model (TSM) [RFC5591] in combination with a secure transport
>>such
>> as SSH [RFC5592] or TLS/DTLS [RFC6353].
>>
>> Further, deployment of SNMP version prior to SNMPv3 is NOT RECOMMENDED.
>> Instead, deployment of SNMPv3 with cryptographic security enabled is
>> RECOMMENDED. It is then a customer/operator responsibility to ensure
>>that
>> the SNMP entity giving access to an instance of this MIB module is
>>properly
>> configured to give only those principals (users) that have legitimate
>>rights
>> to indeed GET or SET (change/create/delete) them access to the objects.
>>
>> Thanks,
>> Deepak
>>
>> From: Alia Atlas <akatlas@gmail.com>
>> Date: Tuesday, August 18, 2015 at 8:29 AM
>> To: dekumar <dekumar@cisco.com>
>> Cc: "d3e3e3@gmail.com" <d3e3e3@gmail.com>om>,
>> "draft-ietf-trill-oam-mib.all@tools.ietf.org"
>> <draft-ietf-trill-oam-mib.all@tools.ietf.org>rg>, Tissa Senevirathne
>> <tsenevir@gmail.com>om>, The IESG <iesg@ietf.org>rg>, Yoav Nir
>> <ynir.ietf@gmail.com>om>, secdir <secdir@ietf.org>
>>
>> Subject: Re: SecDir Review for draft-ietf-trill-oam-mib-06
>>
>> Are you updating the draft or does Kathleen have to put a Discuss in?
>>
>> Thanks,
>> Alia
>>
>> On Thu, Aug 13, 2015 at 3:42 PM, Alia Atlas <akatlas@gmail.com> wrote:
>>>
>>> thanks - the IESG generally begins reading drafts for the telechat
>>>about
>>> now - a week in advance.
>>>
>>> Regards,
>>> Alia
>>>
>>> On Thu, Aug 13, 2015 at 1:52 PM, Deepak Kumar (dekumar)
>>> <dekumar@cisco.com> wrote:
>>>>
>>>> Hi Alia,
>>>>
>>>> I will be able to take care of all comments  over weekend.
>>>>
>>>> Thanks,
>>>> Deepak
>>>>
>>>> From: Alia Atlas <akatlas@gmail.com>
>>>> Date: Thursday, August 13, 2015 at 10:44 AM
>>>> To: "d3e3e3@gmail.com" <d3e3e3@gmail.com>
>>>> Cc: dekumar <dekumar@cisco.com>om>,
>>>> "draft-ietf-trill-oam-mib.all@tools.ietf.org"
>>>> <draft-ietf-trill-oam-mib.all@tools.ietf.org>rg>, Tissa Senevirathne
>>>> <tsenevir@gmail.com>om>, The IESG <iesg@ietf.org>rg>, Yoav Nir
>>>> <ynir.ietf@gmail.com>om>, secdir <secdir@ietf.org>
>>>> Subject: Re: SecDir Review for draft-ietf-trill-oam-mib-06
>>>>
>>>> Hi Deepak,
>>>>
>>>> Are you planning on publishing an updated draft today?
>>>> I'd like to move the draft ahead to IESG Evaluation.
>>>>
>>>> Thanks,
>>>> Alia
>>>>
>>>> On Mon, Aug 10, 2015 at 2:19 PM, Donald Eastlake <d3e3e3@gmail.com>
>>>> wrote:
>>>>>
>>>>> HI Deepak,
>>>>>
>>>>> On Sun, Aug 9, 2015 at 10:07 PM, Deepak Kumar (dekumar)
>>>>> <dekumar@cisco.com> wrote:
>>>>> > Hi Yoav,
>>>>> >
>>>>> > Thanks for review and comments. Please advise if we need to fix the
>>>>> > nits
>>>>> > and comments and upload new version as I am not sure about
>>>>>procedure
>>>>> > of
>>>>> > fixing comments during last call.
>>>>> >
>>>>> > Tissa has moved out of Cisco and working in another Company, I
>>>>>don¹t
>>>>> > have
>>>>> > privy of his new contact so I will contact him to get new contact
>>>>>and
>>>>> > update the document also.
>>>>>
>>>>> I've added Tissa to the cc list above. I believe that for now he
>>>>>wants
>>>>> to be listed with "Consultant" as his affiliation and with email
>>>>> address <tsenevir@gmail.com>om>.
>>>>>
>>>>> The IETF LC ends the 13th, in a few days. I suggest that you update
>>>>> the contact info for Tissa, spell out OAM, and update the
>>>>> MODULE-IDENTITY, since those don't seem like they would be
>>>>> controversial. For any changes to the Security Considerations text, I
>>>>> suggest you post proposed text in this thread before editing it in.
>>>>>
>>>>> Thanks,
>>>>> Donald (Shepherd)
>>>>> =============================
>>>>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>>>>  155 Beaver Street, Milford, MA 01757 USA
>>>>>  d3e3e3@gmail.com
>>>>>
>>>>> > Thanks,
>>>>> > Deepak
>>>>> >
>>>>> > On 8/8/15, 2:18 PM, "Yoav Nir" <ynir.ietf@gmail.com> wrote:
>>>>> >
>>>>> >>Hi.
>>>>> >>
>>>>> >>I have reviewed this document as part of the security directorate's
>>>>> >>ongoing effort to review all IETF documents being processed by the
>>>>> >> IESG.
>>>>> >>These comments were written primarily for the benefit of the
>>>>>security
>>>>> >>area directors.  Document editors and WG chairs should treat these
>>>>> >>comments just like any other last call comments.
>>>>> >>
>>>>> >>TL;DR: The document is ready with nits.
>>>>> >>
>>>>> >>The document contains a MIB for operations, administration, and
>>>>> >>maintenance (OAM) of TRILL. As is common for such documents, 34 of
>>>>>its
>>>>> >> 45
>>>>> >>pages is section 7 ("Definition of the TRILL OAM MIB module²).
>>>>>Being
>>>>> >> an
>>>>> >>expert on neither TRILL nor MIBs I have mostly skipped that
>>>>>section.
>>>>> >>
>>>>> >>Usually with MIB documents, the security considerations for the
>>>>> >> protocol
>>>>> >>(several TRILL RFCs in this case) are in the protocol documents,
>>>>>while
>>>>> >>the security considerations for SNMP are in the SNMP document (RFC
>>>>> >> 3410).
>>>>> >>The MIB document only points data that is sensitive (in terms of
>>>>> >> privacy
>>>>> >>or information leakage), and data which is dangerous in the sense
>>>>>that
>>>>> >>falsified or modified data could lead to damage.
>>>>> >>
>>>>> >>In this document the Security Considerations section does a good
>>>>>job
>>>>> >> of
>>>>> >>explaining that modified data can lead to changes in routing and
>>>>> >>potentially to denial of service. The second paragraph is a little
>>>>> >>hand-wavy for my taste:
>>>>> >>
>>>>> >>   There are number of management objects defined in this MIB
>>>>>module
>>>>> >>   with a MAX-ACCESS clause of read-create. Such objects may be
>>>>> >>   considered sensitive or vulnerable in some network environments.
>>>>> >>
>>>>> >>What network environment? Why in some but not in others? The third
>>>>> >>paragraph is similar:
>>>>> >>
>>>>> >>   Some of the readable objects in this MIB module (objects with a
>>>>> >> MAC-
>>>>> >>   ACCESS other than not-accessible) may be considered sensitive or
>>>>> >>   vulnerable in some network environments.
>>>>> >>
>>>>> >>The section concludes with text that looks very familiar from other
>>>>> >> MIB
>>>>> >>documents, basically saying that you should use SNMPv3 because it
>>>>>has
>>>>> >>protections whereas earlier versions don¹t. It is also important to
>>>>> >> have
>>>>> >>proper access control rules. One nit is that the section says that
>>>>>the
>>>>> >>cryptographic mechanisms in SNMPv3 provide ³privacy². As of late we
>>>>> >> tend
>>>>> >>to use that word for the protection of information about humans,
>>>>>not
>>>>> >> so
>>>>> >>much about link status.
>>>>> >>
>>>>> >>A few general nits:
>>>>> >> - In most documents that I see, the content of sections 1-4 is in
>>>>>a
>>>>> >>single section.
>>>>> >> - OAM is not expanded before first use.
>>>>> >> - The MODULE-IDENTITY has ³TBD² for ORGANIZATION and authors¹
>>>>>names
>>>>> >> in
>>>>> >>CONTACT-INFO. looking at a few recent MIB documents, the working
>>>>>group
>>>>> >> is
>>>>> >>usually given as ORGANIZATION and its mailing list is given as
>>>>>contact
>>>>> >>info.
>>>>> >>
>>>>> >>Yoav
>>>>> >>
>>>>> >
>>>>>
>>>>
>>>
>>
>
>
>
>-- 
>
>Best regards,
>Kathleen