[secdir] SECDIR review of draft-ietf-ccamp-pc-and-sc-reqs-06
Jeffrey Hutzelman <jhutz@cmu.edu> Wed, 11 February 2009 18:12 UTC
Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0182A3A6935; Wed, 11 Feb 2009 10:12:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.773
X-Spam-Level:
X-Spam-Status: No, score=-3.773 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-4, SARE_SUB_OBFU_Q1=0.227]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qHpD5xw4bvMR; Wed, 11 Feb 2009 10:12:49 -0800 (PST)
Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by core3.amsl.com (Postfix) with ESMTP id EC8933A6904; Wed, 11 Feb 2009 10:12:48 -0800 (PST)
Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n1BICUS4004703 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Feb 2009 13:12:30 -0500 (EST)
Date: Wed, 11 Feb 2009 13:12:30 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: iesg@ietf.org, secdir@ietf.org, ccamp-chairs@tools.ietf.org, diego.caviglia@ericsson.com, dino.bramanti@ericsson.com, dan.li@huawei.com, dave.mcdysan@verizon.com
Message-ID: <29CB4AF52E418956F8DAC191@minbar.fac.cs.cmu.edu>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.201.16
Subject: [secdir] SECDIR review of draft-ietf-ccamp-pc-and-sc-reqs-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2009 18:12:50 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes requirements for a procedure to be used within a GMPLS network to convert a permanent connection, which is provisioned throughout the network, into a soft permanent connection, which is provisioned at the edges but set up by the control plane in the middle, and back, without interrupting the flow of data. As a requirements document, this document does not directly create any new security considerations, but does raise some points which must be addressed by any solution. Overall, I think this document is fine. I also asked David Harrington <ietfdbh@comcast.net> to take a look at a paragraph referring to SNMP, which seemed to me to make too many assumptions about which pieces would "always" be used together. David had the following to add: > OK. It is incorrect to reference to MIBs as SNMP MIBs. MIBs are > defined indepednently from SNMP. MIBs can theoretically be used by > other protocols. > > There is standard boilerplate for MIB documents. Since this document > does not contain a MIB module, most of it does not directly apply. > However, the boilerplate discusses using a secure protocol and access > control. I recommend that these authors use that section of the > boilerplate text: > > <full boilerplate> > SNMP versions prior to SNMPv3 did not include adequate security. > Even if the network itself is secure (for example by using IPsec), > even then, there is no control as to who on the secure network is > allowed to access and GET/SET (read/change/create/delete) the > objects > in this MIB module. > > It is RECOMMENDED that implementers consider the security features > as > provided by the SNMPv3 framework (see [RFC3410], section 8), > including full support for the SNMPv3 cryptographic mechanisms (for > authentication and privacy). > > Further, deployment of SNMP versions prior to SNMPv3 is NOT > RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to > enable cryptographic security. It is then a customer/operator > responsibility to ensure that the SNMP entity giving access to an > instance of this MIB module is properly configured to give access > to > the objects only to those principals (users) that have legitimate > rights to indeed GET or SET (change/create/delete) them. > <boilerplate> > > This could be as simple as > > If SNMP is used for configuration, then it is RECOMMENDED > that implementers consider the security features as > provided by the SNMPv3 framework (see [RFC3410], section 8), > including full support for the SNMPv3 cryptographic mechanisms (for > authentication and privacy). > > As the IETF is moving toward a multi-protocol approach to network > management, I would change the paragraph to encompass a wider > approach: > > "Any protocol used to configure a device should support > authentication, encryption, integrity checking, and control of access > to the configuration parameters. It is RECOMMENDED to deploy an IETF > standard protocol for secure configuration, such as Netconf [RFC4741] > or SNMPv3 [RFC3410]. Operators SHOULD enable cryptographic security > and ensure that the entity giving access to configuration parameters > is properly configured to give access only to those principals (users) > that have legitimate rights to read/create/change/delete the > parameters." > > I have asked the OPS and Security ADs to comment on this last > paragraph as a proposed new boilerplate regarding secure management. My only other comment is regarding the abstract. A document and its abstract should each stand on their own, independently. In particular, it should not be necessary to read the abstract in order to understand the document, and the abstract should contain only a brief description of what the document is about, intended to be read by someone trying to determine whether the document is of interest. In the case of this document, text invoking RFC2119 does not belong in the abstract; rather, it belongs in the main document body. -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu> Carnegie Mellon University - Pittsburgh, PA
- [secdir] SECDIR review of draft-ietf-ccamp-pc-and… Jeffrey Hutzelman
- Re: [secdir] SECDIR review of draft-ietf-ccamp-pc… Adrian Farrel
- Re: [secdir] SECDIR review of draft-ietf-ccamp-pc… Jeffrey Hutzelman