Re: [savi] SAVI FCFS & Logging
"Joel M. Halpern" <jmh@joelhalpern.com> Sat, 05 March 2011 16:45 UTC
Return-Path: <jmh@joelhalpern.com>
X-Original-To: savi@core3.amsl.com
Delivered-To: savi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F0503A6AA1 for <savi@core3.amsl.com>; Sat, 5 Mar 2011 08:45:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.409
X-Spam-Level:
X-Spam-Status: No, score=-102.409 tagged_above=-999 required=5 tests=[AWL=0.190, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JWzUmmv5Ewhi for <savi@core3.amsl.com>; Sat, 5 Mar 2011 08:45:28 -0800 (PST)
Received: from hgblob.out.tigertech.net (hgblob.out.tigertech.net [74.114.88.71]) by core3.amsl.com (Postfix) with ESMTP id 8EC023A6A8C for <savi@ietf.org>; Sat, 5 Mar 2011 08:45:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hgblob.tigertech.net (Postfix) with ESMTP id 076E23244927; Sat, 5 Mar 2011 08:46:38 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at hgblob.tigertech.net
Received: from [10.10.10.101] (pool-71-161-51-81.clppva.btas.verizon.net [71.161.51.81]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by hgblob.tigertech.net (Postfix) with ESMTPSA id EB977324410A; Sat, 5 Mar 2011 08:46:36 -0800 (PST)
Message-ID: <4D7268E9.8000202@joelhalpern.com>
Date: Sat, 05 Mar 2011 11:46:33 -0500
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110221 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: draft-ietf-savi-fcfs@tools.ietf.org, SAVI Mailing List <savi@ietf.org>
References: <4D71CDE6.1000707@joelhalpern.com> <4D71FF5A.8040800@it.uc3m.es>
In-Reply-To: <4D71FF5A.8040800@it.uc3m.es>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [savi] SAVI FCFS & Logging
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2011 16:45:29 -0000
I asked the SAVI FCFS the question below. In response they quite reasonably asked that I provide text. Following the note excerpt is the suggestion on placement and text. THe text could include a reference to the savi threats document. I was not sure if that would be helpful, so I left it out. Also, as logging is basically an internal activity, I have written this suggestion as non-normative text. > El 05/03/11 6:45, Joel M. Halpern escribió: >> Looking at the traceability issues we raise in the threats document, >> and looking at the uses I see people wanting to make of SAVI for >> SLAAC, should we put some descriptive (not normative) text into SAVI >> FCFS that talks about loggin? >> >> I wanted to check with you folks directly before raising this on the >> list. >> >> Thank you, >> Joel I would suggest adding a section between 2.4 and 2.5 (i.e., it would be 2.5, and the current 2.5 SAVI enforcement perimeter would become 2.6.) --------- 2.x SAVI Logging While the primary goal of SAVI is simply to prevent improper use of IP addresses, a secondary goal is to assist in traceability for determining who an imp-roper actor is. For example, if a remote site reports that a DoS (or component of a DDoS) is coming from the SAVI site, SAVI enforcement can be a useful component in a response. In order to support these and other similar activities, it is a good idea if SAVI devices perform logging of the creation, modification, or removal of address bindings. Any protocol support, such as SYSLOG support for sending those logs to a common server, would be a topic for a future separate document. ----- If instead we want to make that normative, we could put a SHOULD in and put this in section 3.2.6 instead. In addition, it would seem useful to add a short paragraph in the security considerations section. (If Denial of service attacks and Residual threats were 4.1 and 4.2, then I would would att this as 4.3 Security Logging) ------------- In order to improve the integration of SAVI into an overall security environment, and enable response to additional indirect security issues which SAVI can help ameliorate, it is helpful if SAVI systems log the creation, modification, and deletion of binding entries. --------- I realize this basically duplicates the 2.x text. I think it deserves mention in the security considerations, because it is a security consideration. But I don't think that should be the first occurrence. If the duplication is bothersome, then just use the 2.x text. Thank you, Joel
- Re: [savi] SAVI FCFS & Logging Joel M. Halpern
- Re: [savi] SAVI FCFS & Logging Jean-Michel Combes
- Re: [savi] SAVI FCFS & Logging Eric Levy-Abegnoli
- Re: [savi] SAVI FCFS & Logging Jean-Michel Combes