Re: [Last-Call] Secdir telechat review of draft-ietf-opsawg-service-assurance-architecture-12


 



Thanks Christian.

Regards, Benoit

On 12/20/2022 8:01 PM, Christian Huitema via Datatracker wrote:
Reviewer: Christian Huitema
Review result: Ready

My review of version 11 of this draft was making a number of suggestions. These
suggestions have largely been addressed in version 12 of the draft:

* The risks caused by compromised agents are addressed by setting permissions
according to [I-D.ietf-opsawg-service-assurance-yang].

* The security section now includes a more precise description of the
permissions that should be granted to SAIN agents.

* The authors added a recommendation that service administrators only obtain the
information needed for building the assurance graph and no more, which somewhat
mitigates the risk of attackers using configuration data.

* The authors added a suggestion to compare reporting by multiple agents and
detect potential anomalies such as a compromised agent misbehaving, and
reasonably flag that as a point for further study.

* The risks caused by loss of access to NTP service are documented.

In addition to flagging the NTP risk, the authors could have suggested
mitigation for temporary loss of access to the NTP service. There might be ways
such as indicating the state of the clocks in the agents' report, or estimating
potential clock drift based on quality of local clocks and delay since the last
NTP synchronization. However, this is speculative and it would be sufficient
to flag it for further study.





--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call


