IETF Logo Mail Archive

Re: [secdir] Secdir last call review of draft-ietf-ipsecme-mib-iptfs-05

Don Fedyk <dfedyk@labn.net> Thu, 13 October 2022 12:14 UTC

Return-Path: <dfedyk@labn.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27AE9C14F73B; Thu, 13 Oct 2022 05:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=labn.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zShQHPjbbMr2; Thu, 13 Oct 2022 05:13:59 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1anam02on2106.outbound.protection.outlook.com [40.107.96.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E361FC14F6EC; Thu, 13 Oct 2022 05:13:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BLE3lEJE4fMO0bFXE+vwJHVyahOpk/FLtJ2PIOqGADjaHrmUYIgL6H8K+yGFmcfQlnlWl1/Sfa+NKK8IZBFqJgBmGe5xMvXoh85EcePwx7/OABGjf0wxmBygqaUYVRNw/rop1fiT8o8fNz8Ax7SAWxXOgoSrF7DA2ZyAseIOYu00SEaS+WZ6nkjQ2RLQ9YNDonMjuz8wRdWsb/FFaySn1FlK265N8UZ2UK1cNgpS7dhjGxafQ2SR/5psDi0qoDQa7uzVXHkrwKVU4hexI5ISsFd7y0fktKh2dPIvJKzZ9UTQh07eTLX9166hrOerNw0Xqml6uOR1TID0DdDkYrpObg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FhbiQ3yS2cauHyqJqGk1nYcKVE4iIHV38jUdnU9nHJw=; b=EO+cUWBb1RhofQ7wT1O8ovs3KAJ4BmiuQMT5U4SViiQe13Us3wdKkXDyl4VTpbZp/9mh8pPgXjDwvbZrQY/ettnoZzt1cGAg6Yh/KLPBgNMF8zNXpjI3T3TRlAlMGTseDdxF48N3EMLEaVLKlePRIGk4jZRalAmo5klejpcXuycuv5IroLBSumvq2cx+jIDx4FH44iDwnpS092u2klHgMLbKqRwEy87ghSBEp27DRrRYwLzJKXpg4M31hYTunmWg1aT/zHCeB14w32gmuoZBbeHR2uWhE6akW08GKXcFfO//zo4gK50lb5VyzpjLIeRBnRlFYv0YHpchknVh+COzyg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=labn.net; dmarc=pass action=none header.from=labn.net; dkim=pass header.d=labn.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=labn.onmicrosoft.com; s=selector2-labn-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FhbiQ3yS2cauHyqJqGk1nYcKVE4iIHV38jUdnU9nHJw=; b=Nia/zuyQMvBeMO8PA1Nk7zboD/YEWr5uPI77IqJWl+A1ddYqnIKQhqxdZb0V7ZK/lC4F4ztyYKzt7sgktL/0Ec6g4rc2uQFjiGxxTrm10yZ3vxWyeWH+jNwzPv7CgsdTpGgdVjprt8Ukx/tl8+fCOPcOYXXQ+AMHQlwX47ECGWw=
Received: from PH7PR14MB5368.namprd14.prod.outlook.com (2603:10b6:510:133::11) by PH0PR14MB4277.namprd14.prod.outlook.com (2603:10b6:510::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.26; Thu, 13 Oct 2022 12:13:48 +0000
Received: from PH7PR14MB5368.namprd14.prod.outlook.com ([fe80::c285:9424:a2db:84b5]) by PH7PR14MB5368.namprd14.prod.outlook.com ([fe80::c285:9424:a2db:84b5%5]) with mapi id 15.20.5676.028; Thu, 13 Oct 2022 12:13:48 +0000
From: Don Fedyk <dfedyk@labn.net>
To: Ivaylo Petrov <ivaylo@ackl.io>, "draft-ietf-ipsecme-mib-iptfs.all@ietf.org" <draft-ietf-ipsecme-mib-iptfs.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-ipsecme-mib-iptfs-05
Thread-Index: AQHY3noX/4p1upZtpk6xeG29+06Rs64MOQ9w
Date: Thu, 13 Oct 2022 12:13:48 +0000
Message-ID: <PH7PR14MB5368E485C91AD3A5892F9734BB259@PH7PR14MB5368.namprd14.prod.outlook.com>
References: <CAJFkdRy4rG3Xody0FSU_KXtN4+oi1yexQj54p=7CHP8VihnPNQ@mail.gmail.com>
In-Reply-To: <CAJFkdRy4rG3Xody0FSU_KXtN4+oi1yexQj54p=7CHP8VihnPNQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=labn.net;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR14MB5368:EE_|PH0PR14MB4277:EE_
x-ms-office365-filtering-correlation-id: 61598da6-dbbb-4e25-910a-08daad146222
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: HhLJ5+pBBeTM0ZPCSYE+iqslEWVEBq//V/XBJPQlsO2BvmKVwVFKtlxg3+XqQlB3E0LVLRkg+MaDVHrb193EeZ7jHyBNE+QGkETYsZtkv5/mSVpIkacb4w57Mo5kSPiTsTi60fI+mY0g4FW8PdcO8suOpRF1Lsc+B2uc2Gg4/cvqdhEyZ64YzLAMtbO2yBVpc5UUmR0a70/fT4HSU8R75C5tR8wnsFcvyob1/khdJsDKKUoFsE1mMaS7j1Z5Sav6rrYUN7Ul2qYewjWRgxGV6Dc4d69eYt4hJqVZiG3QrGWMHirXMMtM0fHQXYVVGq1MzcGXrtgQjUqtk98ePZNXyqwdDgT007ZFzV3HJPpWhB7cE2eiqe3lIBLLNCaFbzgj6WvivO1i/HRi13niU7+BJYYA2Tyy4e5IRY9B1gh+fP8gKYUFUK4K0wbQsPVlmkbmD1aFZuFFGC4DTaEWYV/SsNC7ywMwVVrb1KvC8ggMfjNW8dxzOwhgi2DcxwIJEhP0n1eDKGje07wnlkJxRMqP/HnPXfiEZFP+4OdN0+SrK/kpjK3DDhPwvXF25zmwm8PlZlnwOPVDogyJ19tSWubkNEzyjFT+gB302SK4oWTApsTgF13y2CyDzacoOaalwF3gD+bAQRCcv75UsSX9aEFb/k7puwv0QHB1y/mf700K5rScG8DcpSokga8Vh7g7i8Hx
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR14MB5368.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(376002)(39830400003)(366004)(396003)(136003)(346002)(451199015)(66899015)(83380400001)(33656002)(110136005)(316002)(52536014)(66446008)(66556008)(66946007)(86362001)(76116006)(64756008)(450100002)(8676002)(8936002)(66476007)(41300700001)(186003)(9686003)(122000001)(2906002)(55016003)(26005)(53546011)(38100700002)(71200400001)(5660300002)(38070700005)(7696005)(6506007)(478600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: cjfUa8zL8sReKBjngOwZm0hGpp8NJXX49FJsbxpOOi9mYkJ7q6b4loq2di7y/cqjH2C3J30aXuxVeRiXrQg0KtNwYA9VI5OP/ZTFB6Fm+8yOu6mQUx11aA2KAHFXesTv8XjUStey7xXj8h8d62RPVi8Lt4EsXzkLmWWsbnfSxjyBZ1m4FRXA1+3F2hxeGDaIkVm3tphWI0PTpakuaW8VQVOwMn99HUZpDs1uRFAHuM5TpCYrCYSKQ2Xh8eZ3Oy7EdWvgRlqS0QMXDVH8FJX4QXfbww9rY2WxvHGPZ1+bTm61Is+4SkWdCwlbXZ8AJ0Ti1AP3RbM/5xqtXDYNurL1MQn+ZS9yIWWBRFdLLhhQWq9KmmtURe0d3XVdEa1GqWzjynzVJdJaUv3o4I1NXQj/MAfb4iUQFI1iHCvcibDJEZk=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: labn.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR14MB5368.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 61598da6-dbbb-4e25-910a-08daad146222
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Oct 2022 12:13:48.3573 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: eb60ac54-2184-4344-9b60-40c8b2b72561
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 011cTuWUeOGNKGj2Z1YF5So7Kpar10Apf4SFxib0OPOHACP3n8RZHHI0RM5xFws3emFTkMVkhgF8T0+XmY5TxA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR14MB4277
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cKsaXECBtPtx8OG2-sYfCnMFdV4>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ipsecme-mib-iptfs-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 12:14:04 -0000

Hi Ivaylo

These paragraphs were added as part of Ipsecme WG last call and implicitly refer to the prior paragraph that states:

      Access to IP inner
      and outer traffic flow security statistics can provide information
      that IP traffic flow security obscures such as the true activity
      of the flows using IP traffic flow security. 

If we turn these paragraphs into a bullet list introduced like this:

To prevent unauthorized access to SNMP including access to IP-TFS 
sensitive objects: 

 * Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

 * Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

  
Does that satisfy your nit?

Thanks
Don 

-----Original Message-----
From: Ivaylo Petrov <ivaylo@ackl.io> 
Sent: Wednesday, October 12, 2022 4:34 PM
To: draft-ietf-ipsecme-mib-iptfs.all@ietf.org; secdir@ietf.org; The IESG <iesg@ietf.org>
Subject: Secdir last call review of draft-ietf-ipsecme-mib-iptfs-05

Reviewer: Ivaylo Petrov
Review result: Has Nits

Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

When seeing SHOULD, RECOMMEND or MAY in the security considerations, I would always like to see some information about what are possible issues if I don't follow the recommendations or what do I gain by implementing them. My reading of the security considerations section left me wanting more such details specifically in the following
paragrams:

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

Regards,
Ivaylo

v2.23.0 | Report a Bug | By Email