Re: [secdir] secdir review of draft-ietf-ospf-ospfv3-mib.txt
Acee Lindem <acee@redback.com> Wed, 10 June 2009 15:06 UTC
Return-Path: <prvs=4051f18fa=acee@redback.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 910F028C1CA; Wed, 10 Jun 2009 08:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GJ91U+uWonk; Wed, 10 Jun 2009 08:06:26 -0700 (PDT)
Received: from mgate.redback.com (mgate.redback.com [155.53.3.41]) by core3.amsl.com (Postfix) with ESMTP id 96F503A6BC0; Wed, 10 Jun 2009 08:06:26 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.41,341,1241420400"; d="scan'208";a="2328867"
Received: from prattle.redback.com ([155.53.12.9]) by mgate.redback.com with ESMTP; 10 Jun 2009 08:06:33 -0700
Received: from localhost (localhost [127.0.0.1]) by prattle.redback.com (Postfix) with ESMTP id 924571C9B43; Wed, 10 Jun 2009 08:06:33 -0700 (PDT)
Received: from prattle.redback.com ([127.0.0.1]) by localhost (prattle [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16969-02; Wed, 10 Jun 2009 08:06:33 -0700 (PDT)
Received: from [IPv6???1] (svilogin-1.sj.us.am.ericsson.se [155.53.154.39]) by prattle.redback.com (Postfix) with ESMTP id C6FE41C9B42; Wed, 10 Jun 2009 08:06:31 -0700 (PDT)
In-Reply-To: <20090610133954.GC6346@elstar.local>
References: <20090610133954.GC6346@elstar.local>
Mime-Version: 1.0 (Apple Message framework v753.1)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <72DEC793-5666-4441-BFD7-05F03956E065@redback.com>
Content-Transfer-Encoding: 7bit
From: Acee Lindem <acee@redback.com>
Date: Wed, 10 Jun 2009 11:06:30 -0400
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
X-Mailer: Apple Mail (2.753.1)
Cc: ospf-chairs@tools.ietf.org, secdir@ietf.org, iesg@ietf.org, vishwas@ipinfusion.com, djoyal@nortel.com
Subject: Re: [secdir] secdir review of draft-ietf-ospf-ospfv3-mib.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jun 2009 15:09:00 -0000
Juergen, You refer to an an attached boiler plate for MIB security considerations but I don't see any attachments. In the future, I'd hope the secdir could register their comments earlier in the process. We have taken this document all the way through the IESG and MIB doctors reviews and are not one day away from the end of the IETF last call. Thanks, Acee - OSPF Co-Chair. On Jun 10, 2009, at 9:39 AM, Juergen Schoenwaelder wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The document defines a MIB module and I have not spent time reviewing > the MIB module itself. Instead, I have been focusing on the security > considerations section and I believe the security considerations > section needs some improvement in order to comply to RFC 4181 section > 3.4 and the current MIB module security template. Let me go through > the security considerations in draft-ietf-ospf-ospfv3-mib-13.txt: > > 6. Security Considerations > > There are a number of management objects defined in this MIB that > have a MAX-ACCESS clause of read-write and/or read-create. Such > objects may be considered sensitive or vulnerable in some network > environments. The support for SET operations in a non-secure > environment without proper protection can have a negative > effect on > network operations. > > Up to here, this is standard boilerplate text. What is missing is next > is the discussion of the sensitivity / vulnerability of the objects / > tables. See RFC 4181 section 3.4 and the boilerplate text posted at > <http://www.ops.ietf.org/mib-security.html>. > > It is recommended that attention be specifically given to > implementing the MAX-ACCESS clause in objects in scenarios > that DO NOT use SNMPv3 strong security (i.e. authentication and > encryption). Extreme caution must be used to minimize the risk of > cascading security vulnerabilities when SNMPv3 strong security is > not used. When SNMPv3 strong security is not used, these objects > should have access of read-only, not read-create. > > This is new text and I dislike it because it recommends to not > implement objects as writable objects. I believe this is not what we > want to achieve; we want writable objects implemented since we want > operators to decide via access control configuration rules which > objects are accessible to whom. Having the implementors take the > decision by implemting them read-only makes it impossible for > operators to do what they might want to do. > > SNMPv1 by itself is not a secure environment. Even if the network > itself is secure (for example by using IPsec), even then, > there is > no control as to who on the secure network is allowed to > access and > GET/SET (read/change/create/delete) the objects in this MIB. > > It is recommended that the implementers consider the security > features as provided by the SNMPv3 framework. Specifically, > the use > of the User-based Security Model RFC 3414 [RFC3414] and the > View-based Access Control Model RFC 3415 [RFC3415] is > recommended. > > It is then a customer/user responsibility to ensure that the SNMP > entity giving access to an instance of this MIB, is properly > configured to give access to the objects only to those principals > (users) that have legitimate rights to indeed GET or SET > (change/create/delete) them. > > The text in these three paragraphs does not match the current > boilerplate and I think it is also wrong since it ignores SNMPv2c and > SNMPv3 in noAuth/noPriv mode. This text is also misleading since you > can have access control with SNMPv1 - all you miss in that scenario is > a secure binding to an authenticated principal. So I suggest to use > the current boilerplate text. > > I am attaching a boilerplate template generated by smidump. Since the > MIB module is large, you end up with a long list of objects and it > likely makes sense to group them and to discuss things at the level of > table rows instead of individual objects or so (smidump is currently > not smart enough to do this). Take this as a starting point if you > want. > > /js > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany > Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [secdir] secdir review of draft-ietf-ospf-ospfv3-… Juergen Schoenwaelder
- Re: [secdir] secdir review of draft-ietf-ospf-osp… Acee Lindem
- Re: [secdir] secdir review of draft-ietf-ospf-osp… Juergen Schoenwaelder
- Re: [secdir] secdir review of draft-ietf-ospf-osp… Acee Lindem