Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
Benoit Claise <bclaise@cisco.com> Thu, 19 November 2015 17:05 UTC
Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A87901B2CD9 for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 09:05:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.086
X-Spam-Level:
X-Spam-Status: No, score=-15.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJdROfd4iNVw for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 09:05:55 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8636D1B2CDE for <secdir@ietf.org>; Thu, 19 Nov 2015 09:05:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5000; q=dns/txt; s=iport; t=1447952754; x=1449162354; h=subject:to:references:from:message-id:date:mime-version: in-reply-to:content-transfer-encoding; bh=I1rDZyYvH6bsWJ++UcjzkotXLTq4vkN65nHuCENUEWc=; b=mYTEGaJQFmgYnILUv/OKFk7ZJa7sMpKI0owmD9jX/fX1z6WN3pzTLU9L UW/V0lhmDwnHv9jZPG6QsZq3w1zBo8tcEPnz4gmrGfFsXWgJxhqfK9FvO YpCAu/XvJJOTSokAw/KTwGhdFHYjdMcQq0LPFU8XqI3NBzn48g8YmKT/7 M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DuAQCTAE5W/xbLJq1VCcNwAQ2BZYM9glICggYUAQEBAQEBAYEKhDUBAQQ4QBELDgQGCRYPCQMCAQIBNw4GAQwIAQGIKsA+AQEBAQEBAQECAQEBAQEBHYZUhH6EIBGFCAEEhU6QfogVgmGCOIkdkyofAQFChAU9hBOBQQEBAQ
X-IronPort-AV: E=Sophos;i="5.20,318,1444694400"; d="scan'208";a="612882057"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Nov 2015 17:05:52 +0000
Received: from [10.60.67.93] (ams-bclaise-89112.cisco.com [10.60.67.93]) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id tAJH5qYY018609; Thu, 19 Nov 2015 17:05:52 GMT
To: Paul Aitken <paitken@brocade.com>, Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com> <564DE0BE.5080200@brocade.com> <20151119153417.GB3518@elstar.local>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <564E0170.7010908@cisco.com>
Date: Thu, 19 Nov 2015 18:05:52 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151119153417.GB3518@elstar.local>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/taOSdUrOy5avFfYWsupuk4gizDE>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 17:05:56 -0000
On 11/19/2015 4:34 PM, Juergen Schoenwaelder wrote: > See my latest suggestion which adds a bunch of references to the third > paragraph - which was the original request of the security directorate > reviewer. > > However, if the exporter is implemented as an SNMP manager > accessing an SNMP agent, it MUST authenticate itself to the SNMP > agent [RFC3414], [RFC5591], [RFC5592], RFC6353] and the SNMP agent > MUST enforce SNMP access control rules [RFC3415] as required by > the SNMP architecture [RFC 3411]. > > The additional sentence is somewhat unclear: > > [...] An Exporter MUST NOT bypass SNMP access control rules to > export a MIB object for which it is not granted access. > > Does this apply to any exporter or only to an exporter implemented as > an SNMP manager accessing an SNMP agent? In the later case, I would > say this sentence is not needed since the sentence before already says > that the SNMP agent MUST enforce SNMP access control rules (and this > is the entity that has knowledge about the access control rules). Agreed. > In > the former case, more information would be needed since in order to > apply SNMP access control rules, you need to have an authenticated > identity to work with. Note that this not part of Stephen's DISCUSS. Regards, Benoit > > /js > > On Thu, Nov 19, 2015 at 02:46:22PM +0000, Paul Aitken wrote: >> I've updated section 10 to capture both of these comments. >> >> Note that I haven't yet addressed Sephen Farrell's comment on privacy, >> which will also be in this section. >> >> >> 10. Security Considerations >> >> For this extension to the IPFIX protocol, the same security >> considerations as for the IPFIX protocol apply [RFC7011]. >> >> If the exporter is generating or capturing the field values itself, >> e.g. using the MIB objects only as an encoding or type mechanism, >> there are no extra security considerations beyond standard IPFIX. >> >> However, if the exporter is implemented as an SNMP manager accessing >> an SNMP agent, it MUST authenticate itself to the SNMP agent and the >> SNMP agent MUST enforce SNMP access control rules as it would for any >> other SNMP manager. An Exporter MUST NOT bypass SNMP access control >> rules to export a MIB object for which it is not granted access. >> >> The access to particular MIB objects is controlled by the >> configuration of the IPFIX exporter. This is consistent with the way >> IPFIX controls access to other Information Elements in general. >> >> The configuration of an IPFIX Exporter determines which MIB objects >> are included in IPFIX Data Records sent to certain collectors. >> Network operators should take care that the only MIB objects which >> are included in IPFIX Data Records are ones which the receiving flow >> collector is allowed to receive. >> >> P. >> >> On 18/11/15 16:06, Benoit Claise wrote: >>> On 11/18/2015 11:13 AM, Juergen Schoenwaelder wrote: >>>> On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote: >>>>> Be ye not afraid... >>>>> I have reviewed this document as part of the security directorate's >>>>> ongoing effort to review all IETF documents being processed by the >>>>> IESG. These comments were written primarily for the benefit of the >>>>> security area directors. Document editors and WG chairs should treat >>>>> these comments just like any other last call comments. >>>>> >>>>> Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting >>>>> MIB Variables using the IPFIX Protocol >>>>> >>>>> Summary: >>>>> LGTM, Security AD attention not required, modulo questions below. >>>>> >>>>> I'm not quite sure what: >>>>> "However if the exporter is a client of an SNMP engine on the same >>>>> device it MUST abide by existing SNMP security rules." is supposed to >>>>> mean. What exactly are "existing SNMP security rules"? Those defined >>>>> in RFCs? Configured on the device? >>>> I agree that this statement is a bit confusing. In the SNMP world, a >>>> client must authenticate against the agent and then the agent uses the >>>> clients authenticated identity to apply access control rules. This text >>>> talks about a client of an "SNMP engine", which is a bit confusing. >>>> >>>> Perhaps the sentence was meant to say this: >>>> >>>> However, if the exporter is implemented as an SNMP manager >>>> accessing an SNMP agent, it MUST authenticate itself to the SNMP >>>> agent and the SNMP agent MUST enforce SNMP access control rules >>>> as it would for any other SNMP manager. >>> Yes, that was the meaning. >>> For example, we can't export via IPFIX a MIB object for which we're >>> not granted access, completely bypassing the SNMP access control rules >>> >>> Regards, Benoit (as a document author) >>>> /js >>>>
- [secdir] SecDir review of draft-ietf-ipfix-mib-va… Warren Kumari
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Juergen Schoenwaelder
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Benoit Claise
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Juergen Schoenwaelder
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Benoit Claise
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Paul Aitken
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Juergen Schoenwaelder
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Benoit Claise
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Paul Aitken
- Re: [secdir] SecDir review of draft-ietf-ipfix-mi… Warren Kumari