[secdir] secdir review of draft-ietf-lisp-mib

Warren Kumari <warren@kumari.net> Thu, 20 June 2013 18:26 UTC

From: Warren Kumari <warren@kumari.net>
Date: Thu, 20 Jun 2013 14:25:58 -0400
Message-Id: <E9464C32-048E-4455-A596-CC7DB98477BD@kumari.net>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-lisp-mib.all@tools.ietf.org
Subject: [secdir] secdir review of draft-ietf-lisp-mib

Be ye not afraid….

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft defines a MIB for monitoring LISP devices.
This set off the standard "Nooooo… SNMP Write… Noooo…." alarm bells, but then I skipped down to the Security Considerations section and saw that the authors had anticipated my shrieks of despair and that the draft says that there are no read-write / read-create objects.

The Security Considerations section seems well written and complete. It makes a suggestion that SNMPv3, with crypto goodness, be used to access this MIB.
It also claims that there are no exposed objects in the MIB that are considered sensitive. I don't LISP, and so don't know what all might be considered sensitive, but from reading most of the descriptions, and applying some common sense, the claim seems reasonable.

-----------

Two questions / nits:
1: The DESCRIPTION for 'lispMIBTuningParametersGroup' says: "A collection of writeable objects used to…" but these seem Read-only. It is possible I misunderstand the description.

2: The Security Considerations section points out that SNMP prior to V3 doesn't have adequate security, and that there is no control over who can GET/**SET** things (emphasis mine). I suspect that this was lifted verbatim from e.g. http://tools.ietf.org/html/rfc5834.

As there is no set / write in this MIB, I think that removing the mention of setting things would be clearer.
s/to access and GET/SET (read/change/create/delete) the objects/to access the objects/


Apologies for how late this review is. I was filtering the SecDir assignments into an incorrect folder and so missed it completely.

W
--
Some people are like Slinkies......Not really good for anything but they still bring a smile to your face when you push them down the stairs.
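The two checks the review above performs by hand, confirming that a MIB really has no read-write / read-create objects and spotting a group whose DESCRIPTION calls its members "writeable" when their MAX-ACCESS says otherwise, can be automated over the MIB text. The following is an added example, not code from the review or from the LISP MIB draft; the SMIv2 fragment it runs on is constructed for illustration (the object names are invented and are not the draft's), and the regex-based extraction assumes the conventional one-clause-per-line SMIv2 layout rather than being a full ASN.1 parser.

```python
import re

# Constructed SMIv2 fragment for the example (not the real LISP MIB):
# two read-only objects collected into a group whose DESCRIPTION wrongly
# says "writeable", plus one genuinely read-write object outside the group.
SAMPLE_MIB = """
exampleMapCacheSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Number of entries in the map cache."
    ::= { exampleMIBObjects 1 }

exampleMapCacheLimit OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Configured upper bound on map cache entries."
    ::= { exampleMIBObjects 2 }

exampleRlocProbeInterval OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Seconds between RLOC probes."
    ::= { exampleMIBObjects 3 }

exampleTuningParametersGroup OBJECT-GROUP
    OBJECTS     { exampleMapCacheSize, exampleMapCacheLimit }
    STATUS      current
    DESCRIPTION "A collection of writeable objects used to tune the device."
    ::= { exampleMIBGroups 1 }
"""

# Each definition runs from "<name> OBJECT-TYPE" (or OBJECT-GROUP) up to its "::=".
OBJECT_TYPE_RE = re.compile(r"(?P<name>[A-Za-z][\w-]*)\s+OBJECT-TYPE\s+(?P<body>.*?)::=", re.S)
OBJECT_GROUP_RE = re.compile(r"(?P<name>[A-Za-z][\w-]*)\s+OBJECT-GROUP\s+(?P<body>.*?)::=", re.S)
MAX_ACCESS_RE = re.compile(r"MAX-ACCESS\s+([\w-]+)")
DESCRIPTION_RE = re.compile(r'DESCRIPTION\s+"(.*?)"', re.S)
OBJECTS_RE = re.compile(r"OBJECTS\s*\{(.*?)\}", re.S)

# MAX-ACCESS values that permit an SNMP SET.
WRITABLE = {"read-write", "read-create"}


def object_access(mib_text):
    """Map every OBJECT-TYPE name to its MAX-ACCESS clause."""
    access = {}
    for m in OBJECT_TYPE_RE.finditer(mib_text):
        ma = MAX_ACCESS_RE.search(m.group("body"))
        access[m.group("name")] = ma.group(1) if ma else "unknown"
    return access


def writable_objects(mib_text):
    """Objects a SET could change; any hit contradicts a Security
    Considerations claim that the MIB has no read-write / read-create objects."""
    return sorted(name for name, acc in object_access(mib_text).items() if acc in WRITABLE)


def no_write_claim_holds(mib_text):
    """True when the 'no read-write / read-create objects' claim is accurate."""
    return not writable_objects(mib_text)


def misdescribed_groups(mib_text):
    """OBJECT-GROUPs whose DESCRIPTION says 'writeable'/'writable' although
    every member is non-writable (the mismatch raised as nit 1 in the review)."""
    access = object_access(mib_text)
    findings = []
    for m in OBJECT_GROUP_RE.finditer(mib_text):
        body = m.group("body")
        desc = DESCRIPTION_RE.search(body)
        if not desc or not re.search(r"writ(e)?able", desc.group(1), re.I):
            continue
        objs = OBJECTS_RE.search(body)
        members = [o.strip() for o in objs.group(1).split(",")] if objs else []
        if members and all(access.get(o) not in WRITABLE for o in members):
            findings.append(m.group("name"))
    return sorted(findings)


if __name__ == "__main__":
    print("writable objects:", writable_objects(SAMPLE_MIB))
    print("no-write claim holds:", no_write_claim_holds(SAMPLE_MIB))
    print("groups described as writeable but read-only:", misdescribed_groups(SAMPLE_MIB))
```

Run against a real module, the same functions answer the reviewer's questions directly: an empty list from writable_objects() backs the "no read-write / read-create objects" statement in Security Considerations, and any name returned by misdescribed_groups() is a DESCRIPTION that should be reworded to match the actual access level.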