Re: [secdir] Review of draft-ietf-opsawg-syslog-alarm-02
"Sharon Chisholm" <schishol@nortel.com> Thu, 27 August 2009 16:15 UTC
Return-Path: <SCHISHOL@nortel.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A72D33A68EB; Thu, 27 Aug 2009 09:15:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.413
X-Spam-Level:
X-Spam-Status: No, score=-6.413 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJge01xlfJkm; Thu, 27 Aug 2009 09:15:11 -0700 (PDT)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id 5DBF73A6BB6; Thu, 27 Aug 2009 09:15:11 -0700 (PDT)
Received: from zcarhxm2.corp.nortel.com (zcarhxm2.corp.nortel.com [47.129.230.99]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id n7RGD2Q22174; Thu, 27 Aug 2009 16:13:02 GMT
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 27 Aug 2009 12:15:09 -0400
Message-ID: <713043CE8B8E1348AF3C546DBE02C1B41A6CA365@zcarhxm2.corp.nortel.com>
In-Reply-To: <20090825163013.B6A8440C5@orodruin.hactrn.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Review of draft-ietf-opsawg-syslog-alarm-02
Thread-Index: AcomPpkXTZuVHYX3Qamtd2NC4O2elgA8mdGQ
References: <20090825163013.B6A8440C5@orodruin.hactrn.net>
From: Sharon Chisholm <schishol@nortel.com>
To: Rob Austein <sra@hactrn.net>, iesg@ietf.org, secdir@ietf.org
X-Mailman-Approved-At: Thu, 27 Aug 2009 09:40:08 -0700
Cc: draft-ietf-opsawg-syslog-alarm@tools.ietf.org, opsawg-chairs@tools.ietf.org
Subject: Re: [secdir] Review of draft-ietf-opsawg-syslog-alarm-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2009 16:15:12 -0000
Hi Thanks for the review. Rate limiting alarms is an interesting point and agree when you said "A sentence or two in the security considerations section of this draft mentioning the alarm flooding issue and giving a more explicit reference to the rate limiting discussion in RFC 5424 would suffice" We can add that. I'm at a bit of a loss as to how better to represent 'conditional mandatory' fields. Suggestions welcome. Sharon -----Original Message----- From: Rob Austein [mailto:sra@hactrn.net] Sent: Tuesday, August 25, 2009 12:30 PM To: iesg@ietf.org; secdir@ietf.org Cc: draft-ietf-opsawg-syslog-alarm@tools.ietf.org; opsawg-chairs@tools.ietf.org Subject: Review of draft-ietf-opsawg-syslog-alarm-02 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft proposes an encoding of certain elements from the RFC 3877 Alarm MIB as "structed data" within the (IETF-flavored RFC 5424) syslog protocol, in effect using syslog as a transport for data semantically equivilent to SNMP traps. This draft only documents encodings for a small subset of the data available in the Alarm MIB, presumably this was not accidental (the Alarm MIB is a complex beast). The security considerations section of this draft covers the obvious issue (potential disclosure of sensitive information to unknown parties), but does not discuss rate limiting except by reference to RFC 5424's security considerations. The discussion of alarm throttling in the Alarm MIB may be relevant here: it requires a two second gap between repeated traps of the same type to reduce the risk of alarm flooding, and warns that even with this restriction there's still a risk of alarm flooding when multiple alarms of different types are active. A sentence or two in the security considerations section of this draft mentioning the alarm flooding issue and giving a more explicit reference to the rate limiting discussion in RFC 5424 would suffice, although a more detailed treatment would not be a bad thing if the WG has something more to say on the topic. Minor editorial note: I found the repeated phrasing "MUST be implemented" confusing when used in reference to optional fields. I understand the difference between "MUST be implemented" and "MUST be used," but the intent wasn't obvious until I re-read the normative text after reading the examples.
- [secdir] Review of draft-ietf-opsawg-syslog-alarm… Rob Austein
- Re: [secdir] Review of draft-ietf-opsawg-syslog-a… Sharon Chisholm