Re: [secdir] SECDIR review: draft-ietf-ipfix-mib-08

Love Hörnquist Åstrand <lha@apple.com> Wed, 02 December 2009 15:51 UTC

From: Love Hörnquist Åstrand <lha@apple.com>
Date: Wed, 02 Dec 2009 16:51:13 +0100
To: Thomas Dietz <Thomas.Dietz@nw.neclab.eu>
Cc: akoba@nttv6.net, Security-Directorat Directorat <secdir@ietf.org>, ipfix-chairs@tools.ietf.org, IESG - <iesg@ietf.org>, muenz@net.in.tum.de, bclaise@cisco.com
Subject: Re: [secdir] SECDIR review: draft-ietf-ipfix-mib-08

Thomas,

Sorry, I think I really was after ipfixSelectorFunctions

           Since IPFIX does not define any Selector Function (except
           selecting every packet) this is a placeholder for future
           use and a guideline for implementing enterprise specific
           Selector Function objects.

but lost myself in the indirection between ipfixSelectionProcessTable and ipfixSelectionFunctions.

Since ipfixSelectionFunctions is part of the security considerations, I was just confused and you can disregard my mail.

Love


On 2 Dec 2009, at 16:30, Thomas Dietz wrote:

> Dear Love,
> 
> thank you for your review of our draft. Unfortunately I do not get your
> point. The ipfixSelectionProcessTable is well defined in the IPFIX MIB. We
> don't see any security implications in exposing the objects defined within
> this table. They should not contain any sensitive data. Thus, we did not
> explicitly mention this table in the security consideration section. Could
> you please explain your concern in greater detail?
> 
> Best Regards,
> 
> Thomas
> 
> -- 
> Thomas Dietz                 E-mail: Thomas.Dietz@nw.neclab.eu
> NEC Europe Ltd.              Phone:  +49 6221 4342-128
> NEC Laboratories Europe      Fax:    +49 6221 4342-155
> Network Research Division
> Kurfuersten-Anlage 36
> 69115 Heidelberg, Germany    http://www.nw.neclab.eu
> 
> NEC Europe Limited           Registered in England 2832014
> Registered Office: NEC House, 1 Victoria Road, London W3 6BL
> 
>> -----Original Message-----
>> From: Love Hörnquist Åstrand [mailto:lha@apple.com]
>> Sent: Wednesday, 2 December 2009 08:07
>> To: muenz@net.in.tum.de; bclaise@cisco.com; akoba@nttv6.net; Thomas
>> Dietz
>> Cc: IESG -; Security-Directorat Directorat; ipfix-chairs@tools.ietf.org
>> Subject: SECDIR review: draft-ietf-ipfix-mib-08
>> 
>> Hello all,
>> 
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>> 
>> ipfixSelectionProcessTable is left undefined, so it could possibly
>> contain parameters that should not be exposed.
>> 
>> Other than that I didn't find any problems.
>> 
>> Love
>> 
>