IETF Logo Mail Archive

Re: [MIB-DOCTORS] Updates to the Guidelines of theSecurityConsiderations section of the MIB documents

"Romascanu, Dan (Dan)" <dromasca@avaya.com> Wed, 09 November 2011 13:21 UTC

Return-Path: <dromasca@avaya.com>
X-Original-To: mib-doctors@ietfa.amsl.com
Delivered-To: mib-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A798721F8AD1 for <mib-doctors@ietfa.amsl.com>; Wed, 9 Nov 2011 05:21:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.359
X-Spam-Level:
X-Spam-Status: No, score=-103.359 tagged_above=-999 required=5 tests=[AWL=0.240, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BkpXf1D27bst for <mib-doctors@ietfa.amsl.com>; Wed, 9 Nov 2011 05:21:41 -0800 (PST)
Received: from co300216-co-outbound.net.avaya.com (co300216-co-outbound.net.avaya.com [198.152.13.100]) by ietfa.amsl.com (Postfix) with ESMTP id E06DE21F8AA8 for <mib-doctors@ietf.org>; Wed, 9 Nov 2011 05:21:40 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AooDAOh9uk6HCzI1/2dsb2JhbABCmieKBIRLgSeBBYFyAQEBAQMBAQEPHgo0FwQCAQgNAwEEAQEBCgYMBwQBBgEmHwkIAQEEARIIGodonBWcLgSCVoZGYwSZeYwf
X-IronPort-AV: E=Sophos;i="4.69,484,1315195200"; d="scan'208";a="313616679"
Received: from unknown (HELO p-us1-erheast.us1.avaya.com) ([135.11.50.53]) by co300216-co-outbound.net.avaya.com with ESMTP; 09 Nov 2011 08:21:39 -0500
Received: from unknown (HELO 307622ANEX5.global.avaya.com) ([135.64.140.14]) by p-us1-erheast-out.us1.avaya.com with ESMTP; 09 Nov 2011 08:10:37 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 09 Nov 2011 14:21:37 +0100
Message-ID: <EDC652A26FB23C4EB6384A4584434A0404E02C22@307622ANEX5.global.avaya.com>
In-Reply-To: <4EB9A16A.3050503@ieca.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
thread-topic: [MIB-DOCTORS] Updates to the Guidelines of theSecurityConsiderations section of the MIB documents
thread-index: AcyeX4gHNccuM5j+Tj6jM7aToSMhiAAfuXEA
References: <4E8CA1F8.5040807@ieca.com> <20111005201335.GA48603@elstar.local><4E8CCCB5.9090501@ieca.com><EDC652A26FB23C4EB6384A4584434A0403BE90B0@307622ANEX5.global.avaya.com><4E8D7F85.6070106@ieca.com><EDC652A26FB23C4EB6384A4584434A04048EE355@307622ANEX5.global.avaya.com><002401cc9d7d$d97ca840$6b01a8c0@oemcomputer><EDC652A26FB23C4EB6384A4584434A0404E0274D@307622ANEX5.global.avaya.com><20111108102357.GA2559@elstar.local><001701cc9e35$bc4203c0$6b01a8c0@oemcomputer> <4EB9A16A.3050503@ieca.com>
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: Sean Turner <turners@ieca.com>, mib-doctors@ietf.org
Subject: Re: [MIB-DOCTORS] Updates to the Guidelines of theSecurityConsiderations section of the MIB documents
X-BeenThere: mib-doctors@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: MIB Doctors list <mib-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mib-doctors>
List-Post: <mailto:mib-doctors@ietf.org>
List-Help: <mailto:mib-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2011 13:21:41 -0000

I think that we can declare consensus on the proposed change. 

We also need to add the following Informative References: 

   [RFC3414] Blumenthal, U., and B. Wijnen, 
             "User-based Security Model (USM) for version 3 of the
             Simple Network Management Protocol (SNMPv3)", RFC 3414,
             December 2002.

   [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie,
             "The Advanced Encryption Standard (AES) Cipher 
             Algorithm in the SNMP User-based Security Model",
             RFC 3826, June 2004.

   [RFC5591] Harrington, D., and W. Hardaker,
             "Transport Security Model for the Simple Network 
             Management Protocol (SNMP)", June 2009.

   [RFC5592] Harrington, D., Saloway, J., and W. Hardaker,
             "Secure Shell Transport Model for the Simple Network 
             Management Protocol (SNMP)", June 2009.

   [RFC6353] W. Hardaker, "Transport Layer Security (TLS) Transport 
             Model for the Simple Network Management Protocol (SNMP)",
             July 2011.

Dan

------------------------------------------------------------------------
--------


> -----Original Message-----
> From: mib-doctors-bounces@ietf.org [mailto:mib-doctors-
> bounces@ietf.org] On Behalf Of Sean Turner
> Sent: Tuesday, November 08, 2011 11:39 PM
> To: mib-doctors@ietf.org
> Subject: Re: [MIB-DOCTORS] Updates to the Guidelines of
> theSecurityConsiderations section of the MIB documents
> 
> On 11/8/11 11:44 AM, Randy Presuhn wrote:
> > Hi -
> >
> >> From: "Juergen Schoenwaelder"<j.schoenwaelder@jacobs-university.de>
> >> To: "Romascanu, Dan (Dan)"<dromasca@avaya.com>
> >> Cc: "Randy Presuhn"<randy_presuhn@mindspring.com>;<mib-
> doctors@ietf.org>
> >> Sent: Tuesday, November 08, 2011 2:23 AM
> >> Subject: Re: [MIB-DOCTORS] Updates to the Guidelines of
> theSecurityConsiderations section of the MIB documents
> > ...
> >> Do we also remove the 'even then,' from the previous paragraph? Can
> we
> >> also drop some of the 'at a minimum' phrases from the text
suggested
> >> by Randy? And why do we refer to section 8 of RFC 3410, which talks
> >> about standardization status and movement of SNMPv1 to historic? So
> >> summing up, I have:
> >>
> >> OLD
> >>
> >>     SNMP versions prior to SNMPv3 did not include adequate
security.
> >>     Even if the network itself is secure (for example by using
> IPsec),
> >>     even then, there is no control as to who on the secure network
> is
> >>     allowed to access and GET/SET (read/change/create/delete) the
> objects
> >>     in this MIB module.
> >>
> >>     It is RECOMMENDED that implementers consider the security
> features as
> >>     provided by the SNMPv3 framework (see [RFC3410], section 8),
> >>     including full support for the SNMPv3 cryptographic mechanisms
> (for
> >>     authentication and privacy).
> >>
> >> NEW
> >>
> >>     SNMP versions prior to SNMPv3 did not include adequate
security.
> >>     Even if the network itself is secure (for example by using
> IPsec),
> >>     there is no control as to who on the secure network is
> >>     allowed to access and GET/SET (read/change/create/delete) the
> objects
> >>     in this MIB module.
> >>
> >>     Implementations MUST provide the security features described by
> the
> >>     SNMPv3 framework (see [RFC3410]), including full support for
> >>     authentication and privacy via the User-based Security Model
> (USM)
> >>     [RFC3414] with the AES cipher algorithm [RFC3826].
> Implementations
> >>     MAY also provide support for the Transport Security Model (TSM)
> >>     [RFC5591] in combination with a secure transport such as SSH
> >>     [RFC5592] or TLS/DTLS [RFC6353].
> >>
> >> (I am not sure "described by" is the best wording but I happily
> leave
> >>   it to native speakers to figure this out.)
> >
> > Juergen's proposed text looks good to me.  (Definitely better than
> what
> > I sent out.)
> 
> +1
> 
> spt
> _______________________________________________
> MIB-DOCTORS mailing list
> MIB-DOCTORS@ietf.org
> https://www.ietf.org/mailman/listinfo/mib-doctors

v2.23.0 | Report a Bug | By Email