Last Call Review of draft-ietf-eman-energy-aware-mib-15
review-ietf-eman-energy-aware-mib-15-secdir-lc-kent-2014-06-26-00

Request Review of draft-ietf-eman-energy-aware-mib
Requested rev. no specific revision (document currently at 17)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-06-30
Requested 2014-06-19
Draft last updated 2014-06-26
Completed reviews Genart Last Call review of -15 by Vijay Gurbani (diff)
Secdir Last Call review of -15 by Stephen Kent (diff)
Assignment Reviewer Stephen Kent
State Completed
Review review-ietf-eman-energy-aware-mib-15-secdir-lc-kent-2014-06-26
Reviewed rev. 15 (document currently at 17)
Review result Has Issues
Review completed: 2014-06-26

Review
review-ietf-eman-energy-aware-mib-15-secdir-lc-kent-2014-06-26



I
        reviewed this document as part of the security directorate's
        ongoing effort to
        review all IETF documents being processed by the IESG.

  

These comments were written
        primarily for the
        benefit of the security area directors.

 
        

Document editors and WG chairs should treat these
        comments just like any
        other last call comments. Since I am not a MIB expert, my
        comments are strictly
        related to the security-relevant aspects of this document.




 




This
        document, as its name
        implies, defines a MIB for energy management devices. Given
        increasing concern
        over security in the so-called “cyber-physical” realm, a MIB for
        such devices
        clearly merits scrutiny. Also, to the extent that such devices
        (e.g., meters)
        might be associated with residences, there are personal privacy
        issues that
        ought to be addressed, in the PERPASS era.




 




The document
        is clearly
        written; my compliments to the authors in that regard. The one
        odd thing I
        noted was that Sections 11.1 and 11.2 appear between Sections 6
        and 7! I think
        this was a cut and paste error that is easily remedied.




 




The Security
        Considerations section (7) is about one-half page in length. I
        have several
        concerns with the text here.




 




First, the
        text says “It
        is thus important to control even GET and/or NOTIFY access to
        these objects and
        possibly to even encrypt the values of these objects when
        sending them over the
        network via SNMP.” This seems to be an understatement. I’d like
        to see the text
        here RECOMMEND use of encryption to provide confidentiality.
        This would be
        supportive of personal privacy, in residential contexts, and
        physical security
        in residential and enterprise settings. I can imagine a movie in
        which burglars
        use a lack of encryption to gain critical information about
        building
        infrastructure from a an energy MIB 

J

.




 




The text
        later says “There
        are a number of management objects defined in these MIB modules
        with a
        MAX-ACCESS clause of read-write and/or read-create.

  

Such objects MAY be
        considered sensitive or
        vulnerable in some network environments.

 
        

The support for SET operations in a non-secure
        environment without
        proper protection can have a negative effect on network
        operations. Again, this
        strikes me as a significant understatement, i.e., the scope of
        the “negative
        effect” could be much broader that just a network. (Power
        outlets are cited as
        examples of objects, so anything plugged into an outlet could be
        effected,
        right?) 

 

There should be
        more emphasis on
        the need for access control.




 




The text
        later says “SNMP
        versions prior to SNMPv3 did not include adequate security. Even
        if the network
        itself is secure (for example, by using IPsec), there is still
        no secure
        control over who on the secure network is allowed to access and
        GET/SET 

(read/change/create/delete)
the
        objects in these MIB modules.” This is a misleading. IPsec
        natively
        provides access control. It would be accurate to say that the
        access controls
        offered by IPsec would only limit who could access the MIB. What
        the authors
        seem to suggest here is finer-grained access control, so that
        one can manage
        GET/SET privileges for the set of individuals who are authorized
        to connect to
        the MIB via the SMTP port, right?







 




The text
        discussing use of
        SNMPv3 security is a bit confusing.




It RECOMMENDS that implementers
      “consider”
      SMNPv3 security features, but then says deployment of SNMP
      versions prior to v3
      is NOT RECOMMENDED. The first paragraph discussing this topic
      deals with
      thinking about support (vs. use) of SNMPv3, while the second
      paragraph makes a
      much stronger statement about deployment. It would be more
      consistent to mandate
      support (MUST or SHOULD) for SNMPv3 in entities that incorporate
      this MIB.
      Separately the document can RECOMMEND enabling SNMPv3 security
      features in
      deployments, for the reasons cited.