[secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
Warren Kumari <warren@kumari.net> Fri, 13 November 2015 17:17 UTC
Date: Sat, 14 Nov 2015 02:17:20 +0900
Message-ID: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KJN30ec7DoxjoJhBljkbSXG6BVs>

Be ye not afraid... I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting MIB Variables using the IPFIX Protocol

Summary: LGTM, Security AD attention not required, modulo questions below.

I'm not quite sure what:
"However if the exporter is a client of an SNMP engine on the same device it MUST abide by existing SNMP security rules."
is supposed to mean. What exactly are "existing SNMP security rules"? Those defined in RFCs? Configured on the device?

Also:
"Network operators should take care that the only MIB objects which are included in IPFIX Data Records are ones which the receiving flow collector is allowed to receive."
It may be worth mentioning that multiple users may have access to the data from the flow collector. I don't think that this is a major issue, as the sorts of data that are likely to be exported are not (in my wild-ass guess) likely to be sensitive.

I suspect that the MIB Doctors should review this (if they haven't already) - while not a MIB, they will probably have useful input.

W

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf