Hi,

Documents containing MIB modules must include a discussion of the sensitivity of the tables/objects in the MIB module. This includes the possible impact to the managed technologies that could be caused by an unauthorized or misguided change to a configuration, for example.

Certainly the potential impact of using MIB objects to change the relative priority of a managed technology's sessions would need to be included in the read-write security considerations of the MIB module.
See https://svn.tools.ietf.org/area/ops/trac/wiki/mib-security

Using AVPs in Diameter to effect a similar change to the relative priority of a managed technology's sessions warrants a similar consideration of the sensitivity of the specific AVPs.

David Harrington
Director, IETF Transport Area
Member of SECDIR, OPSDIR, and MIB Doctors directorates
ietfdbh@xxxxxxxxxxx (preferred for ietf)
dbharrington@xxxxxxxxxxxxxxxxxx
+1 603 828 1401 (cell)

> -----Original Message-----
> From: secdir-bounces@xxxxxxxx
> [mailto:secdir-bounces@xxxxxxxx] On Behalf Of carlberg@xxxxxxxxxx
> Sent: Tuesday, July 26, 2011 7:24 AM
> To: Stephen Hanna
> Cc: lionel.morand@xxxxxxxxxxxxxxxxxx;
> draft-ietf-dime-priority-avps.all@xxxxxxxxxxxxxx;
> ietf@xxxxxxxx; secdir@xxxxxxxx
> Subject: Re: [secdir] secdir review of
> draft-ietf-dime-priority-avps-04
>
> Steve,
>
> Quoting Stephen Hanna <shanna@xxxxxxxxxxx>:
>
> > Thanks for your response, Ken.
> >
> > Removing the last sentence that you quoted would make things worse.
> > Readers of this draft should definitely familiarize themselves with
> > the security considerations related to priority. We should make that
> > easier, not harder. The fact that those considerations also apply to
> > other RFCs does not remove the fact that they apply to this one also.
>
> but those considerations do not directly apply to DIAMETER.
>
> > You cannot publish a document whose security considerations section
> > says (as this one effectively does today), "There are lots of security
> > considerations related to this document. To understand them, please
> > dig through all the referenced documents and figure it out yourself."
> > Doing that digging and analysis is the job of the document editors.
>
> agreed, speaking in the general sense. But again, the security
> considerations of these other protocols do not apply to the operation
> of Diameter.
>
> > In order to ease the burden on you, I think a reasonable compromise
> > would be for YOU to review the documents referenced and decide which
> > have the most relevant security considerations. Then you could list
> > those explicitly in the last paragraph of the Security Considerations.
>
> I'm concerned about the implications of your recommendation. If we
> extend this position to other work in the IETF, then efforts like
> defining MIBs would mean that each MIB draft would need to perform a
> security considerations analysis of each protocol that an object
> refers to in the context of SNMP. And one can extend the argument
> that each protocol operating on top of TCP (and/or UDP) and IP would
> need to perform an analysis on how TCP/UDP and IP may affect the upper
> layer protocol. We don't do that today.
>
> cheers,
>
> -ken
>
> _______________________________________________
> secdir mailing list
> secdir@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/secdir

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf