[secdir] secdir review of draft-ietf-sipclf-problem-statement-09
Richard L. Barnes <rbarnes@bbn.com> Fri, 30 December 2011 21:32 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF06121F8450; Fri, 30 Dec 2011 13:32:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AKD3T-wb8FdX; Fri, 30 Dec 2011 13:32:03 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id DA24A21F843A; Fri, 30 Dec 2011 13:32:03 -0800 (PST)
Received: from [128.89.254.178] (port=51782 helo=[192.168.1.3]) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1Rgk3W-000Blp-Qh; Fri, 30 Dec 2011 16:32:03 -0500
From: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 30 Dec 2011 16:32:02 -0500
Message-Id: <F90C5759-3B65-4472-A543-9851B35F6AAD@bbn.com>
To: secdir@ietf.org, The IESG <iesg@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [secdir] secdir review of draft-ietf-sipclf-problem-statement-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2011 21:32:04 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document provides a set of goals and a data model for a "common logging format" for SIP, in analogy to the widely-used Apache log format for HTTP. As the document correctly notes, the primary concern for this document is the protection of potentially private data protected in such logs. I do not think that the document misses any serious security considerations. A couple of relatively minor comments: Section 5.1: s/of a B2BUA/or a B2BUA/ Section 6: It seems to me that the document would read better if this section were swapped with Section 5. Section 6: You mention training anomaly-detection systems based on SIPCLF logs. It seems to me that this approach could be much more limited for SIP than it is for HTTP, both because of the greater inherent diversity in SIP and because of SIPCLF does not have visibility into the media path. So it could be good to comment on what these systems would and would not detect, either here or in the Security Considerations. Are you aware of any existing anomaly detection systems that would be able to use SIPCLF data? Section 8.1, Source-Address / Destination-Address: These definitions are a little ambiguous. I assume you mean the address of the source/destination for a particular UDP/DTLS datagram or TCP/TLS connection, as opposed to an address for a SIP-layer recipient. For example, for an INVITE in the following topology... UAC -> ProxyA -> ProxyB -> UAS ... If ProxyB were logging in SIPCLF, then the inbound invite would have Source-Address=IP(ProxyA) and Destination-Address=IP(ProxyB). Section 9.1: It would be helpful to have SIP messages to refer to here, either by including them in this document, or by referring to a document containing them, such as RFC 3665. Section 10: It seems important to note here that both operators and users have private information at stake here -- topology mapping vs. identity correlators and calling patterns. Section 10: With regard to transmitting logs over the Internet, the reference to RFC 3552 is not very useful. More concrete examples would be better, e.g., HTTPS, SSH. Might it also be possible/useful to convey SIPCLF messages over Syslog?
- [secdir] secdir review of draft-ietf-sipclf-probl… Richard L. Barnes