Re: [secdir] secdir review of draft-ietf-ipfix-ie-doctors-03

Brian Trammell <trammell@tik.ee.ethz.ch> Tue, 18 September 2012 14:53 UTC

Return-Path: <trammell@tik.ee.ethz.ch>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F28C21F85E7; Tue, 18 Sep 2012 07:53:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hW1CVC1bSp7D; Tue, 18 Sep 2012 07:53:16 -0700 (PDT)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) by ietfa.amsl.com (Postfix) with ESMTP id 8787021F847F; Tue, 18 Sep 2012 07:53:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id D2ABAD930D; Tue, 18 Sep 2012 16:53:15 +0200 (MEST)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id ABoN7P-ez3hY; Tue, 18 Sep 2012 16:53:15 +0200 (MEST)
Received: from pb-10243.ethz.ch (pb-10243.ethz.ch [82.130.102.152]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: briant) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id A27B1D9309; Tue, 18 Sep 2012 16:53:15 +0200 (MEST)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=us-ascii
From: Brian Trammell <trammell@tik.ee.ethz.ch>
In-Reply-To: <82F50D2E-18BC-42DF-9F5C-3B04FBB55180@checkpoint.com>
Date: Tue, 18 Sep 2012 16:53:15 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <8F7FACED-F39B-4E38-8828-981F87EE87AE@tik.ee.ethz.ch>
References: <56C143E9-A517-4DDE-8CCC-3C4E1B0FF17F@checkpoint.com> <82F50D2E-18BC-42DF-9F5C-3B04FBB55180@checkpoint.com>
To: Yoav Nir <ynir@checkpoint.com>
X-Mailer: Apple Mail (2.1278)
X-Mailman-Approved-At: Tue, 18 Sep 2012 08:10:59 -0700
Cc: "draft-ietf-ipfix-ie-doctors.all@tools.ietf.org" <draft-ietf-ipfix-ie-doctors.all@tools.ietf.org>, "iesg@ietf.org IESG" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-ipfix-ie-doctors-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Sep 2012 14:53:17 -0000

Hi, Yoav,

Many thanks for the review (and the summary, which did indeed make it easier to read)... I believe that revision -04 of the document addresses these.

Best regards,

Brian

On Jul 12, 2012, at 7:50 AM, Yoav Nir wrote:

> Reading my own review again, I think it's missing a summary.
> 
> The draft does a good job of describing the need to review new information elements for the security implications of sending them in IPFIX.  I'm missing two things:
> 
> 1. A list of security and privacy issues to consider (PII, actual data leakage, traffic flow data)
> 2. A clear statement that the IE doctors need to make these considerations. That would be clearer if the security stuff (that is part of the review process) was not in the "Security Considerations" section, but could be made clear with a clarifying sentence.
> 
> Yoav
> 
> On Jul 11, 2012, at 2:27 PM, Yoav Nir wrote:
> 
>> Hi
>> 
>> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
>> 
>> The document defines the criteria by which the "Information Element Doctors" - experts to be appointed by the IESG - should evaluate requests for assignment in the IANA registry for IPFIX information elements. The registry has the "expert review" procedure, and these IE doctors are the designated experts. 
>> 
>> The target audience for this document are two groups: the IE doctors themselves, and the people who request assignments in the registry. The document itself does not define any new protocol or information elements.
>> 
>> The documents has a lot of advice about meaningful names, about avoiding having >1 IEs with the same or similar semantics, and what registry applications should look like.
>> 
>> The Security Considerations section is used in a surprising way. It does not specify how to securely implement this document (as this document specifies no protocol), but it specifies what to consider when evaluating a request for assignment. This is important information, and the section is well-written. IMO there are a few issues with it:
>> 
>> - The section says that you should "not give a potential attacker too much information". It would be better to explicitly list the kinds of threats that leaking too much information may lead to: breach of privacy, vulnerability to traffic analysis, and leaking actual data.
>> 
>> - The section also talks about what should be included in the Internet Draft that specifies the new information element. That I-D would have its own security considerations sections, which would be reviewed in due course, but writing an I-D is not required. Section 9 says that "When a new application is complex enough to require additional clarification or specification as to the use of the defined Information Elements, this may be given in an Internet-Draft." This language is not strong enough to make anything with potential security concerns go though the I-D route. IEs may still be submitted directly to IANA, with the security concerns only mentioned in the IE description. 
>> 
>> I think this document should explicitly state that it is part of the task of IE doctors to consider the security aspects of new IEs, as well as to give guidelines about what they should look for.
>> 
>> Yoav Nir
>>