[secdir] secdir review of draft-ietf-ospf-ospfv3-mib.txt
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 10 June 2009 13:39 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A98AE3A6841; Wed, 10 Jun 2009 06:39:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QtfkfWiWS7vW; Wed, 10 Jun 2009 06:39:52 -0700 (PDT)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 6E3163A6E83; Wed, 10 Jun 2009 06:39:52 -0700 (PDT)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 79B7FC0018; Wed, 10 Jun 2009 15:39:58 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id vxPk9UNzBn2l; Wed, 10 Jun 2009 15:39:56 +0200 (CEST)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 6A30FC000A; Wed, 10 Jun 2009 15:39:56 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id E0752B36E96; Wed, 10 Jun 2009 15:39:54 +0200 (CEST)
Date: Wed, 10 Jun 2009 15:39:54 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: djoyal@nortel.com, vishwas@ipinfusion.com
Message-ID: <20090610133954.GC6346@elstar.local>
Mail-Followup-To: djoyal@nortel.com, vishwas@ipinfusion.com, iesg@ietf.org, secdir@ietf.org, ospf-chairs@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.19 (2009-01-05)
Cc: ospf-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-ietf-ospf-ospfv3-mib.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jun 2009 13:39:58 -0000
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
The document defines a MIB module and I have not spent time reviewing
the MIB module itself. Instead, I have been focusing on the security
considerations section and I believe the security considerations
section needs some improvement in order to comply to RFC 4181 section
3.4 and the current MIB module security template. Let me go through
the security considerations in draft-ietf-ospf-ospfv3-mib-13.txt:
6. Security Considerations
There are a number of management objects defined in this MIB that
have a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations.
Up to here, this is standard boilerplate text. What is missing is next
is the discussion of the sensitivity / vulnerability of the objects /
tables. See RFC 4181 section 3.4 and the boilerplate text posted at
<http://www.ops.ietf.org/mib-security.html>.
It is recommended that attention be specifically given to
implementing the MAX-ACCESS clause in objects in scenarios
that DO NOT use SNMPv3 strong security (i.e. authentication and
encryption). Extreme caution must be used to minimize the risk of
cascading security vulnerabilities when SNMPv3 strong security is
not used. When SNMPv3 strong security is not used, these objects
should have access of read-only, not read-create.
This is new text and I dislike it because it recommends to not
implement objects as writable objects. I believe this is not what we
want to achieve; we want writable objects implemented since we want
operators to decide via access control configuration rules which
objects are accessible to whom. Having the implementors take the
decision by implemting them read-only makes it impossible for
operators to do what they might want to do.
SNMPv1 by itself is not a secure environment. Even if the network
itself is secure (for example by using IPsec), even then, there is
no control as to who on the secure network is allowed to access and
GET/SET (read/change/create/delete) the objects in this MIB.
It is recommended that the implementers consider the security
features as provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model RFC 3414 [RFC3414] and the
View-based Access Control Model RFC 3415 [RFC3415] is recommended.
It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB, is properly
configured to give access to the objects only to those principals
(users) that have legitimate rights to indeed GET or SET
(change/create/delete) them.
The text in these three paragraphs does not match the current
boilerplate and I think it is also wrong since it ignores SNMPv2c and
SNMPv3 in noAuth/noPriv mode. This text is also misleading since you
can have access control with SNMPv1 - all you miss in that scenario is
a secure binding to an authenticated principal. So I suggest to use
the current boilerplate text.
I am attaching a boilerplate template generated by smidump. Since the
MIB module is large, you end up with a long list of objects and it
likely makes sense to group them and to discuss things at the level of
table rows instead of individual objects or so (smidump is currently
not smart enough to do this). Take this as a starting point if you
want.
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [secdir] secdir review of draft-ietf-ospf-ospfv3-… Juergen Schoenwaelder
- Re: [secdir] secdir review of draft-ietf-ospf-osp… Acee Lindem
- Re: [secdir] secdir review of draft-ietf-ospf-osp… Juergen Schoenwaelder
- Re: [secdir] secdir review of draft-ietf-ospf-osp… Acee Lindem