Re: [secdir] SecDir review of draft-ietf-ipfix-structured-data-05
Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 18 April 2011 13:56 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id E63B6E0703; Mon, 18 Apr 2011 06:56:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=1.100, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DR45EvaSevNm; Mon, 18 Apr 2011 06:56:08 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfc.amsl.com (Postfix) with ESMTP id 7E3BAE06F7; Mon, 18 Apr 2011 06:56:08 -0700 (PDT)
Received: by wyb29 with SMTP id 29so4454651wyb.31 for <multiple recipients>; Mon, 18 Apr 2011 06:56:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=0ZONwNcZ7/ATAw1sNrJ8BbQWU4dhXckOz6GLYexJni8=; b=U4f827cxaAgzq2de4i0Arc7o/4dRk/b2H1lT2v9FRMgNwQRwwTXpMYOtiqBLmvqUJ0 i+gfGF65BXY10v2c1Sl4jv9mMVMvU5qX+kqQ9GZs+of90qr2EovUXmy0znu0YQdxcEA2 3Y64oFdW+PMfwKNJUqf9/F9wBsE4/pI95hXIM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=XWGzPkLTvYV/FsgePjkMZsnsIOJ5mfFt4hsIq5TuoNLPYEvz9Q/pVDPop8OOVspblu uUQrShNMlwnOzelxhTCOZU7DHBuCE4PP2DsfX3c2DbhAKJltIl39Uk1wGAagteks4UFH 807HlRDUKkyx3L/ULku7hQkrCRIasn3dfjwgU=
Received: by 10.227.196.207 with SMTP id eh15mr2570577wbb.145.1303134967611; Mon, 18 Apr 2011 06:56:07 -0700 (PDT)
Received: from [10.0.0.1] (bzq-79-178-30-144.red.bezeqint.net [79.178.30.144]) by mx.google.com with ESMTPS id p5sm3283644wbg.11.2011.04.18.06.56.03 (version=SSLv3 cipher=OTHER); Mon, 18 Apr 2011 06:56:06 -0700 (PDT)
Message-ID: <4DAC42F1.4080509@gmail.com>
Date: Mon, 18 Apr 2011 16:56:01 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: Benoit Claise <bclaise@cisco.com>
References: <4D7F1516.6080401@gmail.com> <4D7F20B2.3070102@cisco.com> <4DAC3387.8030306@cisco.com>
In-Reply-To: <4DAC3387.8030306@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-ipfix-structured-data.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-structured-data-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Apr 2011 13:56:13 -0000
Hi Benoit, the new text is fine with me. Thanks, Yaron On 04/18/2011 03:50 PM, Benoit Claise wrote: > Hi Yaron, > > Discussing with the other authors, we propose: > > OLD: > > 12. Security Considerations > > The same security considerations as for the IPFIX Protocol > [RFC5101 <http://tools.ietf.org/html/rfc5101>] and the IPFIX > information model [RFC5102 <http://tools.ietf.org/html/rfc5102>] apply. > > > NEW: > > 12. Security Considerations > > The addition of complex data types necessarily complicates the > implementation of the Collector. This could easily result in new > security vulnerabilities (e.g., buffer overflows); this creates > additional risk in cases where either DTLS is not used, or if the > Observation Point and Collector belong to different trust domains. > Otherwise, the same security considerations as for the IPFIX Protocol > [RFC5101 <http://tools.ietf.org/html/rfc5101>] and the IPFIX > information model [RFC5102 <http://tools.ietf.org/html/rfc5102>] apply. > > Regards, Benoit. >> Hi Yaron, >> >> Thanks for your feedback. >> Sure we should add your proposed sentence. >> >> Regards, Benoit. >>> I have reviewed this document as part of the security directorate's >>> ongoing effort to review all IETF documents being processed by the IESG. >>> These comments were written primarily for the benefit of the security >>> area directors. Document editors and WG chairs should treat these >>> comments just like any other last call comments. >>> >>> IPFIX is a structured information model and protocol for transmitting >>> information about data flows. This document extends the model with >>> structured data, basically several types of lists. >>> >>> I have not reviewed the document in full, rather I have looked at the >>> security aspects only. The Security Considerations refer the reader >>> to the IPFIX protocol and data model RFCs, and I mostly agree, with >>> one exception. I suggest to add text similar to the next paragraph: >>> >>> The addition of complex data types necessarily complicates the >>> implementation of the Collector. This could easily result in new >>> security vulnerabilities (e.g., buffer overflows); this creates >>> additional risk in cases where either DTLS is not used, or if the >>> Observation Point and Collector belong to different trust domains. >>> >>> Thanks, >>> Yaron >
- [secdir] SecDir review of draft-ietf-ipfix-struct… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-ipfix-st… Benoit Claise
- Re: [secdir] SecDir review of draft-ietf-ipfix-st… Benoit Claise
- Re: [secdir] SecDir review of draft-ietf-ipfix-st… Yaron Sheffer