Re: [secdir] SecDir review of draft-ietf-netlmm-pmipv6-mib-05
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Mon, 11 April 2011 14:06 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 29F353A6A18; Mon, 11 Apr 2011 07:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.193
X-Spam-Level:
X-Spam-Status: No, score=-103.193 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcGBvRVcpvk1; Mon, 11 Apr 2011 07:06:26 -0700 (PDT)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id E3D9028B23E; Mon, 11 Apr 2011 07:06:25 -0700 (PDT)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 85BF0C0023; Mon, 11 Apr 2011 16:06:25 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id UP7MfTz+xZlf; Mon, 11 Apr 2011 16:06:24 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 228EDC0019; Mon, 11 Apr 2011 16:06:23 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id D5C86176140B; Mon, 11 Apr 2011 16:06:19 +0200 (CEST)
Date: Mon, 11 Apr 2011 16:06:19 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Vincent Roca <vincent.roca@inrialpes.fr>
Message-ID: <20110411140619.GA91679@elstar.local>
Mail-Followup-To: Vincent Roca <vincent.roca@inrialpes.fr>, IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-netlmm-pmipv6-mib.all@tools.ietf.org
References: <A76FCDEF-42DA-421B-95F1-202A076682C4@inrialpes.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <A76FCDEF-42DA-421B-95F1-202A076682C4@inrialpes.fr>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: draft-ietf-netlmm-pmipv6-mib.all@tools.ietf.org, IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-netlmm-pmipv6-mib-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2011 14:06:27 -0000
On Mon, Apr 11, 2011 at 03:50:47PM +0200, Vincent Roca wrote: > ** Clarification needed: > It is said: > "Even if the network itself is secure (for example by using IPsec), > even then, there is no control as to who on the secure network is > allowed to access and GET/SET (read/change/create/delete) the objects > in this MIB module." > I'm rather surprised that no ACL (or similar) functionality > be available. If IPsec is enabled, then hosts are authenticated > (using one of several techniques) and it's no longer a big deal > to check the authorizations associated to the peer. So that's > surprising. > > BTW, you can maybe remove the redundant "even then," in above > sentence. This is boilerplate text reflecting agreements reached between the SEC ADs and the OPS ADs at that time and used since then (including the somewhat irritating "even then,". > ** Wrong reference: > It is said: > "It is RECOMMENDED that implementers consider the security features as > provided by the SNMPv3 framework (see [RFC3410], section 8) [...]" > Section is not the section of interest as it only focuses > on the standardization status. More interesting sections in RFC3410 > are: > - section 6.3 "SNMPv3 security and administration", and in particular > - section 7, in particular section 7.8 "user based security model". > > NB: RFC3410 is from Dec 2002. At that time using MD5/DES was not an > issue, now it is. The last sentence of RFC3410/section 7.8 mentions > on-going work on using AES in the user-based security model. If this > work gave birth to an RFC, that's probably a good document to refer > too. RFC 3826 details how to use AES with SNMPv3. Again, this never made it into the boilerplate. Perhaps some new enthusiastic ADs get engaged to revise the boilerplate? ;-) > ** Obscur: > The last sentence of this section: > "It is then a customer/operator... them." > could easily be improved (split the sentence, please). As such it > remains rather obscure. Again, this is what the boilerplate says. Here is the pointer: http://ops.ietf.org/mib-security.html /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [secdir] SecDir review of draft-ietf-netlmm-pmipv… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Juergen Schoenwaelder
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Jari Arkko
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Sri Gundavelli
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Glenn M. Keeni