Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 18 August 2015 18:43 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0775D1A002D; Tue, 18 Aug 2015 11:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fe1R9U_1zVE6; Tue, 18 Aug 2015 11:42:59 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99F331A002A; Tue, 18 Aug 2015 11:42:58 -0700 (PDT)
Received: by wicja10 with SMTP id ja10so116319118wic.1; Tue, 18 Aug 2015 11:42:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=GpQR9GnPAOYYET7nQZCtJwW1GkDLv0G0XCTRU/kiTfc=; b=bhK/NNp8mFFlSETqgFarUO4+pFqMlWwUhHpfliFXQ6jvPePP6yoMbTTGU8FTKJnanc 37SE/k4uLomahlVt4AZecbkQPLcM0370zld0sXH1p6x4ecYyr4bJ7nLWLKYY6P02i2dl uBJbEP0x4978Rsr3EZxv7ftwLLOBaqTzq56FGB0AUy8IrTxRPwlfa7um6yhBZw/bQDvG qlDLoce2ypB1lSisdQez2b2FBUuB563FkdIu8YuF2fZxr493b4q9tN7ZMbcT9MTyxg8t 4sv8F3RmwKn1KUMQJgYiSXRqZAIkEckNnViMlF/AmE/bmEi0htTJEQWV0vDrprMqqmGj YfjA==
MIME-Version: 1.0
X-Received: by 10.180.87.230 with SMTP id bb6mr44692543wib.36.1439923377292; Tue, 18 Aug 2015 11:42:57 -0700 (PDT)
Received: by 10.28.157.84 with HTTP; Tue, 18 Aug 2015 11:42:57 -0700 (PDT)
In-Reply-To: <D1F8B6B9.E22D3%dekumar@cisco.com>
References: <E79C135A-3020-4DE9-86A2-275AC76E7201@gmail.com> <D1ED54D2.E1671%dekumar@cisco.com> <CAF4+nEH9eVnLdBd5Bgpo6g_pNtqLCRZ1zokb5vsiRpiu9vOQMg@mail.gmail.com> <CAG4d1rfWGtn=wgAWp1L0tNHYegLzUf9L7pybQG9pkM-J7H39rQ@mail.gmail.com> <D1F2272D.E1A90%dekumar@cisco.com> <CAG4d1rci9QojrZQmpM1Jo8jVihEEXOjQ3kVQn45Nwsg0sq2hOQ@mail.gmail.com> <CAG4d1rdP2bX2ippyDTO0NVxNPb+ZgR8iD=zTxA2rcZsAVcKU7Q@mail.gmail.com> <D1F8B6B9.E22D3%dekumar@cisco.com>
Date: Tue, 18 Aug 2015 14:42:57 -0400
Message-ID: <CAHbuEH5aRUTGHwhgLrwLJCrvgE7SHFVDKYVG+PERUdQvg08iTw@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "Deepak Kumar (dekumar)" <dekumar@cisco.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ZQ6QV22mzW7pjaNuzbh_2hZ3oIM>
Cc: secdir <secdir@ietf.org>, "draft-ietf-trill-oam-mib.all@tools.ietf.org" <draft-ietf-trill-oam-mib.all@tools.ietf.org>, Tissa Senevirathne <tsenevir@gmail.com>, Alia Atlas <akatlas@gmail.com>, The IESG <iesg@ietf.org>
Subject: Re: [secdir] SecDir Review for draft-ietf-trill-oam-mib-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 18:43:01 -0000

Deepak,

The improvements help a lot to better explain the security
considerations.  Let me know when this has been updated in the draft.

Thanks,
Kathleen

On Tue, Aug 18, 2015 at 1:18 PM, Deepak Kumar (dekumar)
<dekumar@cisco.com> wrote:
> Hi Yoav,
>
> Please review new draft text and provide comments.
>
> 8. Security Considerations
>
> This MIB relates to a system that will provide network connectivity and
> packet forwarding services. As such, improper manipulation of the objects
> represented by this MIB may result in denial of service to a large number of
> end-users.
>
> There are number of management objects defined in this MIB module with a
> MAX-ACCESS clause of read-create. Such objects may be considered sensitive
> or vulnerable in some network environments. The support for SET operations
> in a non-secure environment without proper protection can have negative
> effect on sensitivity/vulnerability:
>
> The following table and objects in the TRILL-OAM-MIB can be manipulated to
> to interfere with the operation of RBridges by causing cpu spike:
>
> o trillOamMepTransmitLbmReplyIp allows reply of Loopback message to be
> transmitted to Ip address in the TLV and thus allowing replies to be sent to
> any system or single single system to cause Denial of Service.
>
> o trillOamMepTransmitPtmReplyIp allows reply of Path Trace message to be
> transmitted to Ip address in the TLV and thus allowing replies to be sent to
> any system or single single system to cause Denial of Service.
>
> o trillOamMepTxPtmMessages allows generation of Ptm Messages and can be used
> to generate lots of cpu driven traffic.
>
> o trillOamMepTransmitMtvmReplyIp allows reply of Mtv message to be
> transmitted to Ip address in the TLV and thus allowing replies to be sent to
> any system or single single system to cause Denial of Service.
>
> o trillOamMepTxMtvmMessages allows generation of Mtv Messages and can be
> used to generate lots of cpu driven traffic.
>
> Some of the readable objects in this MIB module (i.e., objects with a
> MAX-ACCESS other than not-accessible) may be considered sensitive or
> vulnerable in some network environments. It is thus important to control GET
> and/or NOTIFY access to these objects and possibly to encrypt the values of
> these objects when sending them over the network via SNMP. For example, Path
> trace message expose unicast topology of network and Multi-destination Tree
> verification message expose multicast tree topology of network and this
> information should not be available to all users of the network.
>
> SNMP version prior to SNMPv3 did not include adequate security. Even if the
> network itself is secure(for example by using IPsec), there is no control as
> to who on the secure network is allowed to access and GET/SET
> (read/change/create/delete) the objects in this MIB module.
>
> Implementation should provide the security features described by SNMPv3
> framework (see [RFC3410]), and implementations claiming compliance to the
> SNMPv3 standard MUST include full support for authentication and privacy via
> the User-based Security Model (USM)[RFC3414] with the AES cipher algorithm
> [RFC3826]. Implementations MAY also provide support for the Transport
> Security Model (TSM) [RFC5591] in combination with a secure transport such
> as SSH [RFC5592] or TLS/DTLS [RFC6353].
>
> Further, deployment of SNMP version prior to SNMPv3 is NOT RECOMMENDED.
> Instead, deployment of SNMPv3 with cryptographic security enabled is
> RECOMMENDED. It is then a customer/operator responsibility to ensure that
> the SNMP entity giving access to an instance of this MIB module is properly
> configured to give only those principals (users) that have legitimate rights
> to indeed GET or SET (change/create/delete) them access to the objects.
>
> Thanks,
> Deepak
>
> From: Alia Atlas <akatlas@gmail.com>
> Date: Tuesday, August 18, 2015 at 8:29 AM
> To: dekumar <dekumar@cisco.com>
> Cc: "d3e3e3@gmail.com" <d3e3e3@gmail.com>om>,
> "draft-ietf-trill-oam-mib.all@tools.ietf.org"
> <draft-ietf-trill-oam-mib.all@tools.ietf.org>rg>, Tissa Senevirathne
> <tsenevir@gmail.com>om>, The IESG <iesg@ietf.org>rg>, Yoav Nir
> <ynir.ietf@gmail.com>om>, secdir <secdir@ietf.org>
>
> Subject: Re: SecDir Review for draft-ietf-trill-oam-mib-06
>
> Are you updating the draft or does Kathleen have to put a Discuss in?
>
> Thanks,
> Alia
>
> On Thu, Aug 13, 2015 at 3:42 PM, Alia Atlas <akatlas@gmail.com> wrote:
>>
>> thanks - the IESG generally begins reading drafts for the telechat about
>> now - a week in advance.
>>
>> Regards,
>> Alia
>>
>> On Thu, Aug 13, 2015 at 1:52 PM, Deepak Kumar (dekumar)
>> <dekumar@cisco.com> wrote:
>>>
>>> Hi Alia,
>>>
>>> I will be able to take care of all comments  over weekend.
>>>
>>> Thanks,
>>> Deepak
>>>
>>> From: Alia Atlas <akatlas@gmail.com>
>>> Date: Thursday, August 13, 2015 at 10:44 AM
>>> To: "d3e3e3@gmail.com" <d3e3e3@gmail.com>
>>> Cc: dekumar <dekumar@cisco.com>om>,
>>> "draft-ietf-trill-oam-mib.all@tools.ietf.org"
>>> <draft-ietf-trill-oam-mib.all@tools.ietf.org>rg>, Tissa Senevirathne
>>> <tsenevir@gmail.com>om>, The IESG <iesg@ietf.org>rg>, Yoav Nir
>>> <ynir.ietf@gmail.com>om>, secdir <secdir@ietf.org>
>>> Subject: Re: SecDir Review for draft-ietf-trill-oam-mib-06
>>>
>>> Hi Deepak,
>>>
>>> Are you planning on publishing an updated draft today?
>>> I'd like to move the draft ahead to IESG Evaluation.
>>>
>>> Thanks,
>>> Alia
>>>
>>> On Mon, Aug 10, 2015 at 2:19 PM, Donald Eastlake <d3e3e3@gmail.com>
>>> wrote:
>>>>
>>>> HI Deepak,
>>>>
>>>> On Sun, Aug 9, 2015 at 10:07 PM, Deepak Kumar (dekumar)
>>>> <dekumar@cisco.com> wrote:
>>>> > Hi Yoav,
>>>> >
>>>> > Thanks for review and comments. Please advise if we need to fix the
>>>> > nits
>>>> > and comments and upload new version as I am not sure about procedure
>>>> > of
>>>> > fixing comments during last call.
>>>> >
>>>> > Tissa has moved out of Cisco and working in another Company, I don¹t
>>>> > have
>>>> > privy of his new contact so I will contact him to get new contact and
>>>> > update the document also.
>>>>
>>>> I've added Tissa to the cc list above. I believe that for now he wants
>>>> to be listed with "Consultant" as his affiliation and with email
>>>> address <tsenevir@gmail.com>om>.
>>>>
>>>> The IETF LC ends the 13th, in a few days. I suggest that you update
>>>> the contact info for Tissa, spell out OAM, and update the
>>>> MODULE-IDENTITY, since those don't seem like they would be
>>>> controversial. For any changes to the Security Considerations text, I
>>>> suggest you post proposed text in this thread before editing it in.
>>>>
>>>> Thanks,
>>>> Donald (Shepherd)
>>>> =============================
>>>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>>>  155 Beaver Street, Milford, MA 01757 USA
>>>>  d3e3e3@gmail.com
>>>>
>>>> > Thanks,
>>>> > Deepak
>>>> >
>>>> > On 8/8/15, 2:18 PM, "Yoav Nir" <ynir.ietf@gmail.com> wrote:
>>>> >
>>>> >>Hi.
>>>> >>
>>>> >>I have reviewed this document as part of the security directorate's
>>>> >>ongoing effort to review all IETF documents being processed by the
>>>> >> IESG.
>>>> >>These comments were written primarily for the benefit of the security
>>>> >>area directors.  Document editors and WG chairs should treat these
>>>> >>comments just like any other last call comments.
>>>> >>
>>>> >>TL;DR: The document is ready with nits.
>>>> >>
>>>> >>The document contains a MIB for operations, administration, and
>>>> >>maintenance (OAM) of TRILL. As is common for such documents, 34 of its
>>>> >> 45
>>>> >>pages is section 7 ("Definition of the TRILL OAM MIB module²). Being
>>>> >> an
>>>> >>expert on neither TRILL nor MIBs I have mostly skipped that section.
>>>> >>
>>>> >>Usually with MIB documents, the security considerations for the
>>>> >> protocol
>>>> >>(several TRILL RFCs in this case) are in the protocol documents, while
>>>> >>the security considerations for SNMP are in the SNMP document (RFC
>>>> >> 3410).
>>>> >>The MIB document only points data that is sensitive (in terms of
>>>> >> privacy
>>>> >>or information leakage), and data which is dangerous in the sense that
>>>> >>falsified or modified data could lead to damage.
>>>> >>
>>>> >>In this document the Security Considerations section does a good job
>>>> >> of
>>>> >>explaining that modified data can lead to changes in routing and
>>>> >>potentially to denial of service. The second paragraph is a little
>>>> >>hand-wavy for my taste:
>>>> >>
>>>> >>   There are number of management objects defined in this MIB module
>>>> >>   with a MAX-ACCESS clause of read-create. Such objects may be
>>>> >>   considered sensitive or vulnerable in some network environments.
>>>> >>
>>>> >>What network environment? Why in some but not in others? The third
>>>> >>paragraph is similar:
>>>> >>
>>>> >>   Some of the readable objects in this MIB module (objects with a
>>>> >> MAC-
>>>> >>   ACCESS other than not-accessible) may be considered sensitive or
>>>> >>   vulnerable in some network environments.
>>>> >>
>>>> >>The section concludes with text that looks very familiar from other
>>>> >> MIB
>>>> >>documents, basically saying that you should use SNMPv3 because it has
>>>> >>protections whereas earlier versions don¹t. It is also important to
>>>> >> have
>>>> >>proper access control rules. One nit is that the section says that the
>>>> >>cryptographic mechanisms in SNMPv3 provide ³privacy². As of late we
>>>> >> tend
>>>> >>to use that word for the protection of information about humans, not
>>>> >> so
>>>> >>much about link status.
>>>> >>
>>>> >>A few general nits:
>>>> >> - In most documents that I see, the content of sections 1-4 is in a
>>>> >>single section.
>>>> >> - OAM is not expanded before first use.
>>>> >> - The MODULE-IDENTITY has ³TBD² for ORGANIZATION and authors¹ names
>>>> >> in
>>>> >>CONTACT-INFO. looking at a few recent MIB documents, the working group
>>>> >> is
>>>> >>usually given as ORGANIZATION and its mailing list is given as contact
>>>> >>info.
>>>> >>
>>>> >>Yoav
>>>> >>
>>>> >
>>>>
>>>
>>
>



-- 

Best regards,
Kathleen