
RE: Updating the MIB security guidelines



Thanks for the input; inline comments below.

> -----Original Message-----
> From: Randy Presuhn [mailto:rpresuhn@dorothy.bmc.com]
> Sent: Saturday 28 December 2002 2:01
> To: mibs@ops.ietf.org
> Subject: Re: Updating the MIB security guidelines
> 
> 
> Hi -
> 
> > Message-ID: <7D5D48D2CAA3D84C813F5B154F43B15583D6D3@nl0006exch001u.nl.lucent.com>
> > From: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
> > To: mibs@ops.ietf.org
> > Subject: Updating the MIB security guidelines
> > Date: Sat, 28 Dec 2002 00:35:55 +0100
> ...
> > So based on the latest discussion between Mike Heard and myself and
> > also taking some earlier input into consideration, how about this?
> ...
> 
> I think there should also be some mention of accessible-for-notify
> objects and of notification types.
> 
>    1) sensitivity of notifications and their payloads
> 
Mmm.. that is data that is contained in a "readable object", no?
So I think we have that covered, except that we speak of controlling
GET access and not NOTIFY access. Sometimes I wonder if we have to
spell out everything in every detail. Oh well.

>    2) DoS attacks (as described in some of the ADSL MIBs'
>       security considerations sections) based on the
>       conditions under which notifications are generated.
> 
Mmm... I wonder... in the end it depends on
- having proper access control to those objects that control/limit the
  sending of notifications (for example, access to the tables in RFC 3413).
- ensuring that no notification flooding will take place.
  That, I guess, depends on proper MIB design, and the MIB doctors should be
  looking for such issues. I don't think it is OK to just say that DoS
  attacks are possible. Better to build in controls to prevent it.
  And once you do so, you ought to say something about it in the security
  section, I guess, but I think that falls under the description that
  describes the security considerations (either read or write) for those
  notification control objects, no?

Bert