Kathleen Moriarty has entered the following ballot position for
draft-ietf-netmod-syslog-model-23: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netmod-syslog-model/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I agree with the SecDir review and thanks for responding to the review.  I have
one additional suggestion to make sure the points made from this review are
clear to the reader.  Thanks in advance!

SecDir Review text & response:
    Security Comments

    * I think almost all writable data nodes here are sensitive, because a
    network attacker's first move is to block any logging on the host, and many
    of the data nodes here can be used for this purpose.

[clw1] I will reword the security section to include all writeable nodes as
sensitive. [KMM]  Thank you, I think it would be helpful to also note the
reason is this case with an extra sentence or two.

Something to the effect of:
Logging in particular is used to assess the state of systems and can be used to
indicate a network compromise.  If logging were to be disabled through
malicious means, attacks may not be readily detectable.

    * Re: readable data nodes, I'm not
    sure which are sensitive, and the document should give an example or two
    rather than just say "some". Otherwise the security advice is not
    actionable. One example: "remote" sections leak information about other
    hosts in the network.

[clw1] This text was lifted from another model. I will review the readable
nodes and update. [KMM] Thanks

    * Write operations... can have a negative effect on network operations. - I
    would add "and on network security", because logs are often used to detect
    security breaches.

[clw1] I will add this phrase.

[KMM] I see this was added, thanks.  Please consider the above 2 sentences.

    * Also add an advice, similar to the one on "pattern match", that the
    private key used for signing log messages MUST NOT be used for any other
    purpose, and that the implementation of this data node must ensure this
    property (I'm not sure how). The rationale: if the TLS private key is used,
    for example, this could result in a signing oracle for TLS and eventually a
    MITM attack.

[clw1] I will add this advice.

[KMM] Thanks for adding this advice.


_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod

Reply via email to