Re: [secdir] SecDir review of draft-ietf-netlmm-pmipv6-mib-05
Sri Gundavelli <sgundave@cisco.com> Tue, 12 April 2011 14:36 UTC
Return-Path: <sgundave@cisco.com>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 8FB58E07D3; Tue, 12 Apr 2011 07:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Level:
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IbvnvMWhh5CF; Tue, 12 Apr 2011 07:36:16 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by ietfc.amsl.com (Postfix) with ESMTP id 77320E07A0; Tue, 12 Apr 2011 07:36:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=sgundave@cisco.com; l=3132; q=dns/txt; s=iport; t=1302618976; x=1303828576; h=date:subject:from:to:cc:message-id:in-reply-to: mime-version:content-transfer-encoding; bh=9x/cYZWiBzfmAAKAyfpG7rJo2zr2aiHbxlmtauW+BMI=; b=aaaIbJ2lI6UIefMzsEtVy5QdIlZYYjwy5H7lvTwUw/ngDey8+qBNQQXY GEQcHOD+STs03JLWXhdwst+6NXE/BjI/LRxFlMiQWALLZL+/N1J5SJl/O 0j98VrSpsPcmf5HooBbGGvkuMMB1JDwqBanI1Gd5rkGLiuHj1smABtL8p g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEABpipE2tJV2Z/2dsb2JhbACmK3eIepw+nQOFbgSFW4gHg3U
X-IronPort-AV: E=Sophos;i="4.64,195,1301875200"; d="scan'208";a="294568782"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by sj-iport-3.cisco.com with ESMTP; 12 Apr 2011 14:36:14 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by rcdn-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p3CEaDUf002645; Tue, 12 Apr 2011 14:36:14 GMT
Received: from xmb-sjc-214.amer.cisco.com ([171.70.151.145]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 12 Apr 2011 07:36:13 -0700
Received: from 10.32.246.213 ([10.32.246.213]) by xmb-sjc-214.amer.cisco.com ([171.70.151.145]) with Microsoft Exchange Server HTTP-DAV ; Tue, 12 Apr 2011 14:36:13 +0000
User-Agent: Microsoft-Entourage/12.28.0.101117
Date: Tue, 12 Apr 2011 07:36:34 -0700
From: Sri Gundavelli <sgundave@cisco.com>
To: Jari Arkko <jari.arkko@piuha.net>, Vincent Roca <vincent.roca@inrialpes.fr>
Message-ID: <C9C9B182.16592%sgundave@cisco.com>
Thread-Topic: SecDir review of draft-ietf-netlmm-pmipv6-mib-05
Thread-Index: Acv5HwVlLZzxOvgU6UqBCS/yMQdE0w==
In-Reply-To: <4DA440ED.8000809@piuha.net>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 12 Apr 2011 14:36:13.0781 (UTC) FILETIME=[F957D850:01CBF91E]
X-Mailman-Approved-At: Tue, 12 Apr 2011 08:06:44 -0700
Cc: draft-ietf-netlmm-pmipv6-mib.all@tools.ietf.org, IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-netlmm-pmipv6-mib-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2011 14:36:17 -0000
Hi Jari, We will address these comments. Thanks Vincent for the review. Regards Sri On 4/12/11 5:09 AM, "Jari Arkko" <jari.arkko@piuha.net> wrote: > Thanks for your review, Vincent. Authors, any comments? > > Jari > > Vincent Roca kirjoitti: >> Hello, >> >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the >> IESG. These comments were written primarily for the benefit of the >> security area directors. Document editors and WG chairs should treat >> these comments just like any other last call comments. >> >> >> Globally, the "Security Considerations" section is well >> written and provides details for the associated risks. >> It clearly RECOMMENDs the use of SNMPv3, which should not come >> as a surprise given the risks associated to previous versions. >> This "Security Considerations" section is globally similar >> to that of RFC4295 (MIPv6 MIB). >> >> A few comments: >> >> ** What about the completeness of the two lists provided in >> section 6? >> For instance the MIB defines the pmip6Capabilities object with >> attribute MAX-ACCESS read-only (see p. 13). However this object >> is not listed in the security considerations sections. Is it >> a mistake? If yes, then does anything miss (I didn't check)? >> >> >> ** Clarification needed: >> It is said: >> "Even if the network itself is secure (for example by using IPsec), >> even then, there is no control as to who on the secure network is >> allowed to access and GET/SET (read/change/create/delete) the objects >> in this MIB module." >> I'm rather surprised that no ACL (or similar) functionality >> be available. If IPsec is enabled, then hosts are authenticated >> (using one of several techniques) and it's no longer a big deal >> to check the authorizations associated to the peer. So that's >> surprising. >> >> BTW, you can maybe remove the redundant "even then," in above >> sentence. >> >> >> ** Wrong reference: >> It is said: >> "It is RECOMMENDED that implementers consider the security features as >> provided by the SNMPv3 framework (see [RFC3410], section 8) [...]" >> Section is not the section of interest as it only focuses >> on the standardization status. More interesting sections in RFC3410 >> are: >> - section 6.3 "SNMPv3 security and administration", and in particular >> - section 7, in particular section 7.8 "user based security model". >> >> NB: RFC3410 is from Dec 2002. At that time using MD5/DES was not an >> issue, now it is. The last sentence of RFC3410/section 7.8 mentions >> on-going work on using AES in the user-based security model. If this >> work gave birth to an RFC, that's probably a good document to refer >> too. >> >> >> ** Obscur: >> The last sentence of this section: >> "It is then a customer/operator... them." >> could easily be improved (split the sentence, please). As such it >> remains rather obscure. >> >> >> I hope this is useful. >> Cheers, >> >> Vincent >> >> >
- [secdir] SecDir review of draft-ietf-netlmm-pmipv… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Juergen Schoenwaelder
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Jari Arkko
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Sri Gundavelli
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-netlmm-p… Glenn M. Keeni