Re: [secdir] Secdir review of draft-ietf-opsawg-vmm-mib-02
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Sat, 23 May 2015 06:13 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA6051A90E8; Fri, 22 May 2015 23:13:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.86
X-Spam-Level:
X-Spam-Status: No, score=-3.86 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKRWJHwWkBBO; Fri, 22 May 2015 23:13:45 -0700 (PDT)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19FCF1A90D7; Fri, 22 May 2015 23:13:44 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 7E26B158D; Sat, 23 May 2015 08:13:42 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id eKiAy3PDVbV7; Sat, 23 May 2015 08:13:27 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Sat, 23 May 2015 08:13:41 +0200 (CEST)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 2BC592002B; Sat, 23 May 2015 08:13:41 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 9Kwva2Xy9W3k; Sat, 23 May 2015 08:13:40 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id E7C5120013; Sat, 23 May 2015 08:13:39 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 7354933554BC; Sat, 23 May 2015 08:13:35 +0200 (CEST)
Date: Sat, 23 May 2015 08:13:35 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Christian Huitema <huitema@huitema.net>
Message-ID: <20150523061335.GA58453@elstar.local>
Mail-Followup-To: Christian Huitema <huitema@huitema.net>, 'The IESG' <iesg@ietf.org>, secdir@ietf.org, draft-ietf-opsawg-vmm-mib.all@tools.ietf.org
References: <00bb01d08df0$8d92f3f0$a8b8dbd0$@huitema.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <00bb01d08df0$8d92f3f0$a8b8dbd0$@huitema.net>
User-Agent: Mutt/1.4.2.3i
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Z1fV5Frl5MsfxIUJxxZbZ4JAUZ4>
Cc: draft-ietf-opsawg-vmm-mib.all@tools.ietf.org, 'The IESG' <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-opsawg-vmm-mib-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 May 2015 06:13:49 -0000
Christian, thanks for the review. I am not sure if anything needs changes. The draft largely follows the security considerations template for MIB modules. And there is explicit text about GET access: [...] Moreover, the objects in the vmTable, vmCpuTable, vmCpuAffinityTable, vmStorageTable and vmNetworkTable list information about the virtual machines and their virtual resource allocation. Some may wish not to disclose to others how many and what virtual machines they are operating. It is thus important to control even GET access to these objects and possibly to even encrypt the values of these object when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment. Is this text not already covering your concerns? Below the quoted text, there is the general boilerplate recommendation to avoid SNMPv1 and to use SNMPv3 instead. /js On Wed, May 13, 2015 at 07:49:05PM -0700, Christian Huitema wrote: > I have reviewed this document as part of the security directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments just > like any other last call comments. > > For the security area directions, I consider this document to be "Ready with > nits". > > This document specifies objects (MIB) for managing virtual machines > controlled by a hypervisor (a.k.a. virtual machine monitor) using SNMP. > > The security section is thoroughly written, points out the operational risk > if some management variables can be SET, and the privacy or other security > risks if hostile parties can read some of the objects. The essential > recommendation is to use SNMPv3 strong security, or when that strong > security is not available, to disable the "SET" capabilities. > > There is an aggravating factor not mentioned in the security section. In > many large data centers, some virtual machines will not be under the direct > control of the data center manager. They may have been rented to third > parties, or they may have been subverted. These potentially hostile virtual > machines will have direct network connectivity with the hypervisor, and > potentially with other hypervisors in the same subnet. Attackers in control > of these machines can gain advantage of even read-only access to hypervisor > state variables. One wonders whether even GET access should be allowed in > the absence of authentication through SNMPv3. Attempting to support even GET > operations with prior versions of SNMP appears risky. > > -- Christian Huitema > > > > -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [secdir] Secdir review of draft-ietf-opsawg-vmm-m… Christian Huitema
- Re: [secdir] Secdir review of draft-ietf-opsawg-v… Juergen Schoenwaelder
- Re: [secdir] Secdir review of draft-ietf-opsawg-v… Christian Huitema
- Re: [secdir] Secdir review of draft-ietf-opsawg-v… Juergen Schoenwaelder
- Re: [secdir] Secdir review of draft-ietf-opsawg-v… Michael MacFaden