Re: Begin Last Call on draft-ietf-opsec-current-practices-06

[Merike Kaeo <merike@doubleshotsecurity.com>]

I can modify wording as pointed out in your comments 1 and 2 below.

For the third comment on SNMP, noone I talked to said anything about  
using
SNMPv3 nor have any comments from ISPs mentioned it.  Do you think I  
need to
put more explicit text in the main 2.2.2 section? Note that it was  
implied that SNMPv3
was not used in the additional considerations section with the  
following paragraph:

" In instances where SNMP is used, some legacy devices only support
   SNMPv1 which then requires the provider to mandate its use across  
all
   infrastructure devices for operational simplicity.  SNMPv2 is
   primarily deployed since it is easier to set up than v3."

Thanks.

- merike

On Aug 7, 2006, at 1:58 AM, Romascanu, Dan ((Dan)) wrote:

> Here are a few comments:
>
> 1. Section 1.2
>
> > All of the threats in any
>    network infrastructure is an instantiation or combination of the
>    following:
>
> I would rephrase to fix the syntax, and also to make the statement  
> less
> comprehensive (saying 'ALL of the threats in ANY network  
> infrastructure'
> seems to be too strong)
>
> 2. Section 1.3
>
> > This is
>       possible if the attacker has control of a host in the
>       communications path between two victim machines or has  
> compromised
>       the routing infrastructure to specifically arrange that traffic
>       pass through a compromised machine.
>
> I would mention the case when the traffic is mirrored to a compromised
> machine.
>
> Also
>
> > Thus, if an attack depends on being
>       able to receive data, off-path hosts must first subvert the
>       topology in order to place themselves on-path.  This is by no
>       means impossible but is not necessarily trivial.  [RFC3552]
>
> Is ignoring the same potential threat of hijacking a traffic mirroring
> capability installed for debugging, performance monitoring or  
> accounting
> purposes and divert traffic to a host that belongs to the attacker
> without necessarily subverting the topology.
>
> 3. Section 2.2.2 - The two paragraphs that deal with SNMP refer to
> community strings, thus they seem to be SNMPv1 and SNMPv2c  
> oriented. The
> current standard version is SNMPv3, which has a different security
> framework. It's OK to refer to the older versions if this is the  
> current
> practice, but the text should explicitly mention this.
>
> Regards,
>
> Dan
>
>
>
>
>
>
>
> > -----Original Message-----
> > From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On
> > Behalf Of Ross Callon
> > Sent: Monday, July 31, 2006 10:01 PM
> > To: opsec@ops.ietf.org
> > Subject: Re: Begin Last Call on draft-ietf-opsec-current-practices-06
> >
> > We will extend this for another week, until August 15th (two
> > weeks from tomorrow), since I forgot to copy the last call to
> > Nanog (which I just fixed).
> >
> > Thanks, Ross
> >
> > > Date: Mon, 24 Jul 2006 17:01:58 -0400
> > > To: opsec@ops.ietf.org
> > > From: Ross Callon <rcallon@juniper.net>
> > > Subject: Begin Last Call on draft-ietf-opsec-current-practices-06
> > >
> > > This begins working group last call on
> > > draft-ietf-opsec-current-practices-06
> > > "Operational Security Current Practices".  The last call
> > will terminate
> > > two weeks from tomorrow (Tuesday August 8th).
> > >
> > > Comments to the list please.
> > >
> > > thanks, Ross