Re: [secdir] SecDir review of draft-ietf-netlmm-pmipv6-mib-05
Vincent Roca <vincent.roca@inrialpes.fr> Mon, 11 April 2011 14:29 UTC
Return-Path: <vincent.roca@inrialpes.fr>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9BDF928C0F5; Mon, 11 Apr 2011 07:29:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.114
X-Spam-Level:
X-Spam-Status: No, score=-10.114 tagged_above=-999 required=5 tests=[AWL=0.135, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TP2R023ZxqoZ; Mon, 11 Apr 2011 07:29:43 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) by core3.amsl.com (Postfix) with ESMTP id 0FC923A6A1A; Mon, 11 Apr 2011 07:29:42 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.63,339,1299452400"; d="scan'208";a="80585436"
Received: from geve.inrialpes.fr ([194.199.24.116]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES128-SHA; 11 Apr 2011 16:29:42 +0200
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Vincent Roca <vincent.roca@inrialpes.fr>
In-Reply-To: <20110411140619.GA91679@elstar.local>
Date: Mon, 11 Apr 2011 16:29:42 +0200
Content-Transfer-Encoding: 7bit
Message-Id: <FE9DB221-29A3-4BF4-B826-90FAF0C3D2C2@inrialpes.fr>
References: <A76FCDEF-42DA-421B-95F1-202A076682C4@inrialpes.fr> <20110411140619.GA91679@elstar.local>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
X-Mailer: Apple Mail (2.1084)
Cc: draft-ietf-netlmm-pmipv6-mib.all@tools.ietf.org, IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-netlmm-pmipv6-mib-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2011 14:29:45 -0000
Hi Juergen, I was not aware of the existence of this boilerplate. Of course, it changes a lot the situation. Thanks for the pointer. Concerning AES in SNMPv3, I guess that today no SEC AD would object if you add RFC3826 as an additional reference, even if not (yet!) in the official boilerplate ;-) Cheers, Vincent On Apr. 11 2011, 16:06, Juergen Schoenwaelder wrote: > On Mon, Apr 11, 2011 at 03:50:47PM +0200, Vincent Roca wrote: > >> ** Clarification needed: >> It is said: >> "Even if the network itself is secure (for example by using IPsec), >> even then, there is no control as to who on the secure network is >> allowed to access and GET/SET (read/change/create/delete) the objects >> in this MIB module." >> I'm rather surprised that no ACL (or similar) functionality >> be available. If IPsec is enabled, then hosts are authenticated >> (using one of several techniques) and it's no longer a big deal >> to check the authorizations associated to the peer. So that's >> surprising. >> >> BTW, you can maybe remove the redundant "even then," in above >> sentence. > > This is boilerplate text reflecting agreements reached between the SEC > ADs and the OPS ADs at that time and used since then (including the > somewhat irritating "even then,". > >> ** Wrong reference: >> It is said: >> "It is RECOMMENDED that implementers consider the security features as >> provided by the SNMPv3 framework (see [RFC3410], section 8) [...]" >> Section is not the section of interest as it only focuses >> on the standardization status. More interesting sections in RFC3410 >> are: >> - section 6.3 "SNMPv3 security and administration", and in particular >> - section 7, in particular section 7.8 "user based security model". >> >> NB: RFC3410 is from Dec 2002. At that time using MD5/DES was not an >> issue, now it is. The last sentence of RFC3410/section 7.8 mentions >> on-going work on using AES in the user-based security model. If this >> work gave birth to an RFC, that's probably a good document to refer >> too. > > RFC 3826 details how to use AES with SNMPv3. Again, this never made it > into the boilerplate. Perhaps some new enthusiastic ADs get engaged to > revise the boilerplate? ;-) > >> ** Obscur: >> The last sentence of this section: >> "It is then a customer/operator... them." >> could easily be improved (split the sentence, please). As such it >> remains rather obscure. > > Again, this is what the boilerplate says. Here is the pointer: > > http://ops.ietf.org/mib-security.html > > /js > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany > Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [secdir] SecDir review of draft-ietf-netlmm-pmipv… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Juergen Schoenwaelder
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Jari Arkko
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Sri Gundavelli
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Glenn M. Keeni