Re: [secdir] Secdir last call review of draft-ietf-netmod-syslog-model-21

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 20 February 2018 02:17 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81BA0126BF3; Mon, 19 Feb 2018 18:17:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.407
X-Spam-Level:
X-Spam-Status: No, score=-0.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q75Yrt6w6uDl; Mon, 19 Feb 2018 18:17:57 -0800 (PST)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B34B1243FE; Mon, 19 Feb 2018 18:17:57 -0800 (PST)
Received: by mail-pg0-x233.google.com with SMTP id y8so6563182pgr.9; Mon, 19 Feb 2018 18:17:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=T0uJ5I3ZkxWILYpcGW636VG16zpNV2elAKzNIASHxHo=; b=UbW6ZQcBhO1tiGsAnJ4Hy32mmivMHHrkfsKNEQo1kLVBuwm7ariaYd9lBeFQoUWYsi AxNt1mZigF1sz86KjwUwnGkZx7tqAGllKWh1/ro4/6AxnCKbK62SBAwmi4LqX6Wt0xRU 5YqljwBIXFobnOXuRrwGCx7vTRJRKy6uhkTqU5DY++zjTN57UcGmMz8PUAEs12QiN7FV z92R8GuChfPnlKVr50+EyFF84cv6YyiZ9i1LZNyCIH9TtbiMA9FF94PbHQaENbs9IVB2 yDcINuItDXXnb5AAo+tu6/GGurimsugpezdQbkZbx1ZD5MYYoRW1EBAEEXZCX4PTwVD0 eedA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=T0uJ5I3ZkxWILYpcGW636VG16zpNV2elAKzNIASHxHo=; b=efs/3nPa1xHGViEEKuonubYObxZlt5/6j16ExjNNQyScLQ7Q34Usk13lH2pNrgvQru McYLcv5gwy6SN2+XMNzasU31X7u35STYs6HYRbyIiuBGQov6rOkiKd9BiKIR3f7LQvwn Z9xVbRqvijy+1XZ9N3i1UiZa+irtjrUy1AlFRofffZ8rElRPMgK6rEpYpN8VS/Pz4p7E 5LJI06AmpPCbpS5VGuS7ZPVaTfna1v4vTX8jFgg9PGgsC94GcJszCz2fsgvklsxNtap2 udc6oRALtQZ0rONiDjrSMXlhj60HPdUoBp8tbpESV26DGw/9KCVf/Htac8N72u7i5h8K ulbw==
X-Gm-Message-State: APf1xPAAHYPQwpWnVT2tNVhAMYarUMiRLcckOyxqvaMKYtW70IeOzU6z /JGqR+N65j77McFbCoDwgpWubkxZ
X-Google-Smtp-Source: AH8x226ZwRLfSJNDj/b49Wz2K4LvjpdEoYbNF3BFqI+W/0ipK5YIdC9VFvmNbRfjpjrrnfZ1oTNgxw==
X-Received: by 10.98.103.136 with SMTP id t8mr11504724pfj.177.1519093076571; Mon, 19 Feb 2018 18:17:56 -0800 (PST)
Received: from [10.255.69.75] (c-67-180-23-75.hsd1.ca.comcast.net. [67.180.23.75]) by smtp.gmail.com with ESMTPSA id n17sm17354564pfj.67.2018.02.19.18.17.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Feb 2018 18:17:55 -0800 (PST)
To: "Clyde Wildes (cwildes)" <cwildes@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "draft-ietf-netmod-syslog-model.all@ietf.org" <draft-ietf-netmod-syslog-model.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>
References: <151896425742.27914.9664814474838013064@ietfa.amsl.com> <6E582464-6EDB-4D55-9E8B-BEC68929DF9A@cisco.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <4694018c-0be5-e78c-38ed-8745da01d019@gmail.com>
Date: Mon, 19 Feb 2018 14:55:56 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <6E582464-6EDB-4D55-9E8B-BEC68929DF9A@cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/r9Ygkl65VKSvUDKQaJkgxzofUWg>
Subject: Re: [secdir] Secdir last call review of draft-ietf-netmod-syslog-model-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2018 02:17:58 -0000

Hi Clyde,

Thank you for responding to my comments. I am OK with all of your responses.

Best,
	Yaron

On 19/02/18 13:02, Clyde Wildes (cwildes) wrote:
> Yaron,
> 
> Thanks for your review. My answers are inline as [clw1].
> 
> On 2/18/18, 6:31 AM, "Yaron Sheffer" <yaronf.ietf@gmail.com>; wrote:
> 
>      Reviewer: Yaron Sheffer
>      Review result: Has Issues
>      
>      General Comments
>      
>      * The semantics of pattern matching is not clear: "and/or the message text" -
>      are there cases where you only match the text but not the facility/severity? *
>      
> [clw1] Yes. There are three cases: 1. Match on facility/severity; 2. Match on the regex pattern; 3. Match on both facility/severity and the regex pattern.
> 
>      It's very confusing to specify rollover in minutes, but retention in hours.
>      People are bound to get this one wrong.
> 
> [clw1] I will change the retention to minutes unless others object.
> 
>      * Interface selection: the feature
>      makes sense, but I think the description is incorrect. "This leaf sets the
>      source interface to be used to send messages to the remote syslog server. If
>      not set, messages sent to a remote syslog server will contain the IP address of
>      the interface the syslog message uses to exit the network element". AFAIK the
>      source IP will always correspond to the interface, but this feature allows you
>      to select a particular one.
> 
> [clw1] You are correct. I will modify the description to make this clearer. How about:
> 
> "This leaf sets the source interface to be used to send messages to the remote syslog server. If
> not set, messages can be sent on any interface."
> 
>      * Usage examples: the second example lists a
>      specific IPv6 address, but the Yang snippet shows a domain name.
> 
> [clw1] Thanks for catching this error. I will fix this in the next revision.
> 
>      * A generic
>      question (I am new to the Yang ecosystem): I understand most implementers will
>      use this module from
>      https://github.com/YangModels/yang/blob/master/standard/ietf/DRAFT/ietf-syslog.yang
>      - is this the expectation? If so, why not add a link from the RFC into the
>      repo, to make it easier for people to find?
> 
> [clw1] It is standard practice to include the model in the RFC AFAIK. I have not seen github links published in any other RFCs.
>      
>      Security Comments
>      
>      * I think almost all writable data nodes here are sensitive, because a network
>      attacker's first move is to block any logging on the host, and many of the data
>      nodes here can be used for this purpose.
> 
> [clw1] I will reword the security section to include all writeable nodes as sensitive.
> 
>      * Re: readable data nodes, I'm not
>      sure which are sensitive, and the document should give an example or two rather
>      than just say "some". Otherwise the security advice is not actionable. One
>      example: "remote" sections leak information about other hosts in the network.
> 
> [clw1] This text was lifted from another model. I will review the readable nodes and update.
> 
>      * Write operations... can have a negative effect on network operations. - I would
>      add "and on network security", because logs are often used to detect security
>      breaches.
> 
> [clw1] I will add this phrase.
> 
>      * Also add an advice, similar to the one on "pattern match", that the
>      private key used for signing log messages MUST NOT be used for any other
>      purpose, and that the implementation of this data node must ensure this
>      property (I'm not sure how). The rationale: if the TLS private key is used, for
>      example, this could result in a signing oracle for TLS and eventually a MITM
>      attack.
> 
> [clw1] I will add this advice.
> 
> Thanks,
> 
> Clyde
>      
>