Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-protocol-mib-03.txt

Sean Turner <turners@ieca.com> Wed, 28 November 2012 15:51 UTC

The MIB doctors approved a change to MIB security considerations:

https://www.ietf.org/mail-archive/web/mib-doctors/current/msg01369.html
change here:
https://www.ietf.org/mail-archive/web/mib-doctors/current/msg01368.html

Need to make the following change in the security considerations:

OLD

  SNMP versions prior to SNMPv3 did not include adequate security.
  Even if the network itself is secure (for example by using IPsec),
  even then, there is no control as to who on the secure network is
  allowed to access and GET/SET (read/change/create/delete) the objects
  in this MIB module.

  It is RECOMMENDED that implementers consider the security features as
  provided by the SNMPv3 framework (see [RFC3410], section 8),
  including full support for the SNMPv3 cryptographic mechanisms (for
  authentication and privacy).

NEW

  SNMP versions prior to SNMPv3 did not include adequate security.
  Even if the network itself is secure (for example by using IPsec),
  there is no control as to who on the secure network is
  allowed to access and GET/SET (read/change/create/delete) the objects
  in this MIB module.

  Implementations MUST provide the security features described by the
  SNMPv3 framework (see [RFC3410]), including full support for
  authentication and privacy via the User-based Security Model (USM)
  [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
  MAY also provide support for the Transport Security Model (TSM)
  [RFC5591] in combination with a secure transport such as SSH
  [RFC5592] or TLS/DTLS [RFC6353].

and add some new informative references:

  [RFC3414] Blumenthal, U., and B. Wijnen,
            "User-based Security Model (USM) for version 3 of the
            Simple Network Management Protocol (SNMPv3)", RFC 3414,
            December 2002.

  [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie,
            "The Advanced Encryption Standard (AES) Cipher
            Algorithm in the SNMP User-based Security Model",
            RFC 3826, June 2004.

  [RFC5591] Harrington, D., and W. Hardaker,
            "Transport Security Model for the Simple Network
            Management Protocol (SNMP)", June 2009.

  [RFC5592] Harrington, D., Salowey, J., and W. Hardaker,
            "Secure Shell Transport Model for the Simple Network
            Management Protocol (SNMP)", June 2009.

  [RFC6353] W. Hardaker, "Transport Layer Security (TLS) Transport
            Model for the Simple Network Management Protocol (SNMP)",
            July 2011.

spt
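
As an added illustration (not part of the message or the draft), the following checks an agent configuration against the baseline in the NEW text: USM authentication and privacy with AES, and no reliance on pre-SNMPv3 access. It assumes a net-snmp agent and its `snmpd.conf` directives, which the message does not mention; the sample configuration, user names and passphrases are constructed placeholders.

```python
import shlex

# Constructed sample in net-snmp snmpd.conf syntax; users and passphrases are placeholders.
SAMPLE_CONF = '''\
rocommunity public 192.0.2.0/24          # SNMPv1/v2c access
createUser monitor SHA "auth-placeholder" AES "priv-placeholder"
createUser legacy MD5 "auth-placeholder" DES "priv-placeholder"
createUser noenc SHA "auth-placeholder"
rouser monitor priv
rouser legacy priv
rwuser noenc
'''

COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6",
             "com2sec", "com2sec6"}

def audit(conf_text):
    """Return (line_no, message) findings for settings weaker than USM authPriv with AES."""
    findings, priv_alg = [], {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)    # honours quoting and '#' comments
        if not tok:
            continue
        directive, args = tok[0], tok[1:]
        if args[:1] in (["-e"], ["-s"]):         # skip "-e ENGINEID" / "-s SECMODEL"
            args = args[2:]
        if directive in COMMUNITY:
            findings.append((no, f"{directive}: community-based SNMPv1/v2c access"))
        elif directive == "createUser" and args:
            # createUser NAME AUTHALG AUTHPASS [PRIVALG [PRIVPASS]]
            priv_alg[args[0]] = (no, args[3].upper() if len(args) > 3 else None)
        elif directive in ("rouser", "rwuser") and args:
            level = args[1] if len(args) > 1 else "auth"   # net-snmp defaults to auth
            if level != "priv":
                findings.append((no, f"{args[0]}: access at '{level}', privacy not required"))
    # Users defined elsewhere (e.g. a persistent state file) are not seen here.
    for user, (no, alg) in priv_alg.items():
        if alg is None:
            findings.append((no, f"{user}: no privacy protocol configured"))
        elif not alg.startswith("AES"):          # simplification: any AES variant passes
            findings.append((no, f"{user}: privacy protocol {alg}, not AES"))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```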