-----Original Message-----
From: Merike Kaeo [mailto:merike@doubleshotsecurity.com]
Sent: Saturday, August 12, 2006 12:59 AM
To: Romascanu, Dan (Dan)
Cc: Ross Callon; opsec@ops.ietf.org
Subject: Re: Begin Last Call on draft-ietf-opsec-current-practices-06
I can modify wording as pointed out in your comments 1 and 2 below.
For the third comment on SNMP, no one I talked to said anything about using SNMPv3, nor have any comments from ISPs mentioned it. Do you think I need to put more explicit text in the main 2.2.2 section? Note that it was implied that SNMPv3 was not used in the additional considerations section with the following paragraph:
"In instances where SNMP is used, some legacy devices only support SNMPv1 which then requires the provider to mandate its use across all infrastructure devices for operational simplicity. SNMPv2 is primarily deployed since it is easier to set up than v3."
Thanks.
- merike
On Aug 7, 2006, at 1:58 AM, Romascanu, Dan (Dan) wrote:
Here are a few comments:
1. Section 1.2
All of the threats in any network infrastructure is an instantiation or combination of the following:
I would rephrase to fix the syntax, and also to make the statement less comprehensive (saying 'ALL of the threats in ANY network infrastructure' seems to be too strong).
2. Section 1.3
This is possible if the attacker has control of a host in the communications path between two victim machines or has compromised the routing infrastructure to specifically arrange that traffic pass through a compromised machine.
I would mention the case when the traffic is mirrored to a compromised machine.
Also
Thus, if an attack depends on being able to receive data, off-path hosts must first subvert the topology in order to place themselves on-path. This is by no means impossible but is not necessarily trivial. [RFC3552]
is ignoring the same potential threat of hijacking a traffic mirroring capability installed for debugging, performance monitoring or accounting purposes and diverting traffic to a host that belongs to the attacker without necessarily subverting the topology.
3. Section 2.2.2 - The two paragraphs that deal with SNMP refer to community strings, thus they seem to be SNMPv1 and SNMPv2c oriented. The current standard version is SNMPv3, which has a different security framework. It's OK to refer to the older versions if this is the current practice, but the text should explicitly mention this.
Regards,
Dan
-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of Ross Callon
Sent: Monday, July 31, 2006 10:01 PM
To: opsec@ops.ietf.org
Subject: Re: Begin Last Call on draft-ietf-opsec-current-practices-06
We will extend this for another week, until August 15th (two weeks from tomorrow), since I forgot to copy the last call to Nanog (which I just fixed).
Thanks, Ross
Thanks, Ross
Date: Mon, 24 Jul 2006 17:01:58 -0400
To: opsec@ops.ietf.org
From: Ross Callon <rcallon@juniper.net>
Subject: Begin Last Call on draft-ietf-opsec-current-practices-06
This begins working group last call on draft-ietf-opsec-current-practices-06 "Operational Security Current Practices". The last call will terminate two weeks from tomorrow (Tuesday August 8th).
Comments to the list please.
thanks, Ross
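The SNMP point in Dan's third comment (community strings mean SNMPv1/v2c; SNMPv3 has a different security framework) is easy to check on a real network: the version number and, for v1/v2c, the community string sit in cleartext at the front of every SNMP message, while a v3 message carries a msgFlags byte that says whether USM authentication and privacy are in use. The script below is an added example, not text or code from the draft or from anyone on the thread. It decodes only the BER message header (outer SEQUENCE, version INTEGER, then either the community OCTET STRING or the v3 msgGlobalData SEQUENCE) and ignores the PDU body. The four sample packets are constructed by hand for the example; the v3 samples use empty placeholder security parameters and msgData, which is enough for header classification but is not a complete USM message.

```python
"""Classify captured SNMP messages by version and flag cleartext community
strings. Added example for illustration; not part of the opsec draft."""

# BER universal tags used in an SNMP message header.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30

# SNMPv3 msgFlags bits (RFC 3412 section 6): authFlag, privFlag, reportableFlag.
FLAG_AUTH = 0x01
FLAG_PRIV = 0x02


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the definite-length BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8n then n bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def classify_snmp(msg: bytes) -> dict:
    """Decode the message header: version, community (v1/v2c) or USM flags (v3)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")

    if version in (0, 1):                   # 0 = SNMPv1, 1 = SNMPv2c
        tag, community, _ = _read_tlv(body, pos)
        if tag != TAG_OCTET_STRING:
            raise ValueError("community OCTET STRING missing")
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("latin-1"),
                "auth": False, "priv": False}

    if version == 3:
        tag, gdata, _ = _read_tlv(body, pos)  # msgGlobalData SEQUENCE
        if tag != TAG_SEQUENCE:
            raise ValueError("msgGlobalData SEQUENCE missing")
        _, _, p = _read_tlv(gdata, 0)       # msgID
        _, _, p = _read_tlv(gdata, p)       # msgMaxSize
        tag, flags, _ = _read_tlv(gdata, p) # msgFlags
        if tag != TAG_OCTET_STRING or len(flags) != 1:
            raise ValueError("msgFlags malformed")
        return {"version": "v3", "community": None,
                "auth": bool(flags[0] & FLAG_AUTH),
                "priv": bool(flags[0] & FLAG_PRIV)}

    raise ValueError(f"unknown SNMP version {version}")


def audit(packets: dict) -> list:
    """Return one finding per packet that exposes a community string or
    runs v3 without authentication or privacy; authPriv v3 is left alone."""
    findings = []
    for name, pkt in packets.items():
        info = classify_snmp(pkt)
        if info["version"] in ("v1", "v2c"):
            findings.append(f"{name}: SNMP{info['version']} with cleartext "
                            f"community {info['community']!r}")
        elif not info["auth"]:
            findings.append(f"{name}: SNMPv3 noAuthNoPriv, no USM protection")
        elif not info["priv"]:
            findings.append(f"{name}: SNMPv3 authNoPriv, payload unencrypted")
    return findings


# Constructed sample packets (hex hand-assembled for this example).
# v1 GetRequest for sysDescr.0 with community "public".
SNMPV1_GET = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
# v2c GetRequest, same OID, community "private".
SNMPV2C_GET = bytes.fromhex(
    "30 27 02 01 01 04 07 70 72 69 76 61 74 65 a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
# v3 header with msgFlags=0x07 (authPriv, reportable); placeholder params/data.
SNMPV3_AUTHPRIV = bytes.fromhex(
    "30 16 02 01 03 30 0d 02 01 01 02 02 05 dc 04 01 07 02 01 03 04 00 04 00")
# v3 header with msgFlags=0x04 (noAuthNoPriv, reportable); placeholder params/data.
SNMPV3_NOAUTH = bytes.fromhex(
    "30 16 02 01 03 30 0d 02 01 01 02 02 05 dc 04 01 04 02 01 03 04 00 30 00")

SAMPLES = {"host-a": SNMPV1_GET, "host-b": SNMPV2C_GET,
           "host-c": SNMPV3_AUTHPRIV, "host-d": SNMPV3_NOAUTH}

if __name__ == "__main__":
    for line in audit(SAMPLES):
        print(line)
```

Fed a directory of captured UDP/161 payloads instead of the constructed samples, `audit` gives a quick inventory of which devices are still polled with v1/v2c and which v3 agents are configured below authPriv, which is the kind of evidence the draft's "SNMPv2 is primarily deployed" statement rests on.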