Re: [secdir] Review of draft-ietf-opsawg-syslog-alarm-02

"Sharon Chisholm" <schishol@nortel.com> Thu, 27 August 2009 16:15 UTC

Return-Path: <SCHISHOL@nortel.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A72D33A68EB; Thu, 27 Aug 2009 09:15:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.413
X-Spam-Level:
X-Spam-Status: No, score=-6.413 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJge01xlfJkm; Thu, 27 Aug 2009 09:15:11 -0700 (PDT)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id 5DBF73A6BB6; Thu, 27 Aug 2009 09:15:11 -0700 (PDT)
Received: from zcarhxm2.corp.nortel.com (zcarhxm2.corp.nortel.com [47.129.230.99]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id n7RGD2Q22174; Thu, 27 Aug 2009 16:13:02 GMT
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 27 Aug 2009 12:15:09 -0400
Message-ID: <713043CE8B8E1348AF3C546DBE02C1B41A6CA365@zcarhxm2.corp.nortel.com>
In-Reply-To: <20090825163013.B6A8440C5@orodruin.hactrn.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Review of draft-ietf-opsawg-syslog-alarm-02
Thread-Index: AcomPpkXTZuVHYX3Qamtd2NC4O2elgA8mdGQ
References: <20090825163013.B6A8440C5@orodruin.hactrn.net>
From: "Sharon Chisholm" <schishol@nortel.com>
To: "Rob Austein" <sra@hactrn.net>, <iesg@ietf.org>, <secdir@ietf.org>
X-Mailman-Approved-At: Thu, 27 Aug 2009 09:40:08 -0700
Cc: draft-ietf-opsawg-syslog-alarm@tools.ietf.org, opsawg-chairs@tools.ietf.org
Subject: Re: [secdir] Review of draft-ietf-opsawg-syslog-alarm-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2009 16:15:12 -0000

Hi

Thanks for the review.

Rate limiting alarms is an interesting point and agree when you said
"A sentence or two in the security considerations section of this draft
mentioning the alarm flooding issue and giving a more explicit reference
to the rate limiting discussion in RFC 5424 would suffice"
We can add that.

I'm at a bit of a loss as to how better to represent 'conditional
mandatory' fields. Suggestions welcome.

Sharon

-----Original Message-----
From: Rob Austein [mailto:sra@hactrn.net] 
Sent: Tuesday, August 25, 2009 12:30 PM
To: iesg@ietf.org; secdir@ietf.org
Cc: draft-ietf-opsawg-syslog-alarm@tools.ietf.org;
opsawg-chairs@tools.ietf.org
Subject: Review of draft-ietf-opsawg-syslog-alarm-02

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft proposes an encoding of certain elements from the RFC 3877
Alarm MIB as "structed data" within the (IETF-flavored RFC 5424) syslog
protocol, in effect using syslog as a transport for data semantically
equivilent to SNMP traps.  This draft only documents encodings for a
small subset of the data available in the Alarm MIB, presumably this was
not accidental (the Alarm MIB is a complex beast).

The security considerations section of this draft covers the obvious
issue (potential disclosure of sensitive information to unknown
parties), but does not discuss rate limiting except by reference to RFC
5424's security considerations.  The discussion of alarm throttling in
the Alarm MIB may be relevant here: it requires a two second gap between
repeated traps of the same type to reduce the risk of alarm flooding,
and warns that even with this restriction there's still a risk of alarm
flooding when multiple alarms of different types are active.  A sentence
or two in the security considerations section of this draft mentioning
the alarm flooding issue and giving a more explicit reference to the
rate limiting discussion in RFC 5424 would suffice, although a more
detailed treatment would not be a bad thing if the WG has something more
to say on the topic.

Minor editorial note: I found the repeated phrasing "MUST be
implemented" confusing when used in reference to optional fields.  I
understand the difference between "MUST be implemented" and "MUST be
used," but the intent wasn't obvious until I re-read the normative text
after reading the examples.