[OPSAWG] Secdir last call review of draft-ietf-opsawg-sbom-access-14

[Christian Huitema via Datatracker]

Reviewer: Christian Huitema
Review result: Ready

I have reviewed the changes between draft-09, which I reviewed in September
2022, and draft-14, the most recent version.

The main concern expressed in my review was that "defense at scale" might also
enable "attack at scale". The authors were not entirely convinced that this
applies to their draft, because they "are discussing a discovery mechanism, and
that the mechanism itself does not provide access to the underlying data." The
authors reinforced this point by stating in the introduction that "the model is
a discovery mechanism, and on its own provides no access to the underlying
data."

The other counter argument was that there is a lot do be gained by disclosing
vulnerabilities, and that for most devices vulnerabilities can be deduced from
very simple and well known properties, such as the version of OpenWRT that is
run by a Wi-Fi router. That is true, but  my main concern was that having
information available on the device itself was tantamount to flashing a "hack
me now" sign. And I was specially concerned by having that information
published by default by otherwise unconfigured devices. This, the author did
fix. The paragraph in the security section now says:

   SBOMs provide an inventory of software.  If software is available to
   an attacker, the attacker may well already be able to derive this
   very same software inventory.  When this information resides on the
   endpoint itself, the endpoint SHOULD NOT provide unrestricted access
   by default.  Other servers that offer the data MAY restrict access to
   SBOM information using appropriate authorization semantics within
   HTTP. (Followed by description of access control methods.)

The "SHOULD NOT" does address my recommendation, and also mitigates somewhat
the risk of having a server running on an open port on the device. I am also
happy that the ambiguous text about "some of the readable data nodes ...
considered sensitive or vulnerable in some network environments" has been
removed.

I am still concerned that the paragraph starting "SBOMs provide an inventory of
software", as written, only hints at the potential attack, without describing
it. But life is full of such little dissatisfaction...



___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

Re: [OPSAWG] Call for presentation//FW: [116all] IETF 116 Preliminary Agenda

[Toerless Eckert]

Topic: draft-eckert-ietf-and-energy-overview
speaker: Toerless Eckert
time slot: 5 minutes

Warren proposed at IETF115 that i first should check with OPSAWG whether there 
is
interest to adopt this work as WG item before deciding to go to individual 
submission
track. So hereby wanted to bring this option up and quickly start the 
discussion /
raise interest to review / comment more by the WG.

(will post update before deadline).

Cheers
Toerless

On Mon, Feb 27, 2023 at 08:05:41AM +, Tianran Zhou wrote:
> Hi WG,
> 
> The IETF116 preliminary agenda is posted.
> The OPSAWG meeting is scheduled at 09:30 - 11:30 Tuesday Session I.
> We open the call for presentation on the meeting.
> Please send over your request with the topic, speaker, time slot to the 
> chairs.
> 
> Look forward to seeing you in Yokohama.
> 
> Cheers,
> Tianran
> 
> -Original Message-
> From: 116all [mailto:116all-boun...@ietf.org] On Behalf Of IETF Agenda
> Sent: Saturday, February 25, 2023 6:50 AM
> To: IETF Announcement List 
> Cc: i...@ietf.org; 116...@ietf.org
> Subject: [116all] IETF 116 Preliminary Agenda
> 
> IETF 116
> Yokohama, Japan
> March 25-31, 2023
> Hosted By: WIDE
> 
> 
> The IETF 116 Preliminary Agenda has been posted. The final agenda will be 
> published on Friday, March 3, 2023.
> 
> https://datatracker.ietf.org/meeting/116/agenda.html
> https://datatracker.ietf.org/meeting/116/agenda.txt
> 
> The preliminary agenda includes all planned WG, RG, and BoF sessions. 
> Information about side meetings will be available when the final agenda is 
> posted. 
> 
> IETF 116 Information: https://www.ietf.org/how/meetings/116/
> Register online at: https://registration.ietf.org/116/
> 
> Don’t forget to register for these exciting IETF 116 events!
> 
> 
> Social Event
> 
> The Osanbashi Pier's multipurpose hall will be transformed into a wonderful 
> social event location for IETF 116 attendees in Yokohama.
> 
> Attendees will be delighted by the music of internationally renowned artist 
> Kaoru Watanabe, delicious food and a Japanese sake corner introducing 
> attendees to sake from all thirteen sake breweries in Kanagawa Prefecture.
> 
> - Date: Thursday, March 30
> 
> - Start/End Times: 19:00 – 21:30
> 
> - Cost per ticket: $25 per ticket
> 
> - Limit of tickets per attendee: Two per attendee.
> 
> More information:
> https://www.ietf.org/how/meetings/116/social/
> https://ietf116.jp/social-event/ 
> 
> 
> Hackathon 
> 
> Onsite signup: https://registration.ietf.org/116/new/hackathon_onsite/
> Remote signup: https://registration.ietf.org/116/new/hackathon_remote/
> More information: 
> https://www.ietf.org/how/runningcode/hackathons/116-hackathon/
> Keep up to date by subscribing to: 
> https://www.ietf.org/mailman/listinfo/hackathon
> 
> 
> Code Sprint
> 
> More information and signups: https://notes.ietf.org/notes-ietf-116-tools#
> 
> -- 
> 116all mailing list
> 116...@ietf.org
> https://www.ietf.org/mailman/listinfo/116all

-- 
---
t...@cs.fau.de

___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

[OPSAWG] New revision of "Green Networking Metrics" (draft-cx-green-metrics)

[Alexander L Clemm]

Hi,

we just posted an updated revision of "Green Networking Metrics" 
(https://datatracker.ietf.org/doc/draft-cx-green-metrics/), including 
various editorial improvements and incorporating highly useful feedback 
and suggestions from a number of people including Eve Schooler, 
Alexandru Petrescu, and Michael Welzl.  The draft defines a set of 
"green" networking metrics that will be useful as basis for management 
and control applications that aim to reduce carbon footprint and hence 
require visibility into such metrics.


We believe that in terms of scope, this draft falls into the 
intersection of opsawg and nmrg interest and we hope to have the 
opportunity to present at IETF 116 in Yokohama, hence we are 
crossposting to both groups.  Personally I believe that opsawg may be 
the most suitable landing spot as the draft can be easily 
operationalized and is not as much concerned with open-ended research 
questions, but that is of course where we would appreciate feedback from 
the groups.  Once a decision is made for the proper landing spot, 
hopefully immediately following IETF 116, we will post a new revision 
under the respective working group.


FYI, here is the abstract of the draft:
This document explains the need for network instrumentation that allows 
to assess the power consumption, energy efficiency, and carbon footprint 
associated with a network, its equipment, and the services that are 
provided over it.  It also suggests a set of related metrics that, when 
provided visibility into, can help to optimize a network's energy 
efficiency and "greenness".


On behalf of the coauthors
--- Alex

___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

Re: [OPSAWG] [recipe] And another new draft revision: Green Networking Metrics

[Alexander L Clemm]

Hello Eve,

thank you for your great feedback!  And apologies for the long delay in 
responding.  Please find my responses inline, below.  We will also be 
posting an update to the draft momentarily with your feedback 
incorporated (hence crossposting to opsawg)


Best

--- Alex

On 11/29/2022 11:53 PM, Schooler, Eve M wrote:

Hi Alex and co-authors,
Thanks for a very interesting read 
(https://datatracker.ietf.org/doc/draft-cx-green-metrics/)!
Here is some informal feedback on the latest version of the draft document.
Best regards,
Eve

Eve M. Schooler, PhD
Principal Engineer & Director
Intel | CSO & NEX | Emerging IoT Networks
2200 Mission College Blvd., Santa Clara, CA, USA  95054
+1 650.868.7369
-

Abstract:
In the abstract there is reference to "power consumption, energy efficiency and carbon 
footprint", for both network equipment and services provided over it - would be great to 
describe the relationship between these three attributes somewhere. In the Intro, language is also 
used re "environmental sustainability of networks", which may go beyond energy-related 
metrics.

Section 1. Intro
- Why cite the Telefonica Consolidated annual report vs Sustainability report?
 The consolidated report includes an extensive section on 
sustainability along with the data.  I am not aware of a separate 
sustainability report (although I am sure it must exist). 


Section 2. Definitions and Acronyms
- Include kWh

We have added it (and a few more) 

Section 3. Energy Metrics
- For each bullet, give examples of existing metrics.
- 3rd bullet references energy intensity. Is this a term commonly used? Does it 
need specific definition
- Either way, contrast this with carbon intensity.
 The term "energy intensity" has been removed.   We have also added 
further explanation on the relationship between carbon footprint, energy 
consumption, etc 


3.1.1 Energy consumption Metrics
- Any thoughts/precedent on how to separate the carbon footprint of a device 
from the networking aspects of the device?
 I am not sure what you mean here exactly.  Do you mean devices 
performing both compute and networking?  I think in general those would 
be difficult to separate.  I think if we can do a breakdown of the 
device to the component level (cards and ports), that may already be 
plenty. 

- Are we only gaging router power consumption, or other network HW elements? 
What about SW? Different parts of the stack?
 The focus is on network HW elements (section 3.1 "Metrics related 
to [networking] equipment").  It is probably difficult to attribute to 
software in itself, although section 3.1.3 talks about the attribution 
to functions realized as software ("Virtualization Considerations").  We 
also added discussion in section 3.1.2 regarding additional factors such 
as ""taxation" for unattributed energy use, for taking into account 
sustainability of energy sources (energy-aware vs pollution-aware), for 
potentially transposing those into CO2 emission factors, etc. 

- Love the reference to ATIS, which makes me wonder about certification of the 
numbers associated with the various device elements and the devices overall?
 I totally agree that certification is super important and we 
expanded on that aspect.  

- Re "The second set of metrics reflects the actual power being drawn during 
operation." What about embodied carbon, which for smaller devices such as phones is 
a dominating factor?
 This is an important point and discussion of this added in the 
section on "Holistic Perspective".  However, due to the myriads of 
factors at play here, we did not add specific metrics, just mention that 
corresponding metrics and discount factors (or pollution factors, 
depending on perspective) could be defined. 

- Odd to see the terms "kilooctet" and "gigaoctet"; why not simply kB or gB? 
Yes to pico Joules.

 Fixed it. 


3.1.2 Other Metrics
- A common sustainability rating of the power source is carbon intensity. A 
good publication to read, where carbon intensity is considered, but so is a 
waste metric to capture environmental impact beyond energy and carbon:
 + Hossain, Md. Mohaimenul, Georges, Jean-Phillippe, Rondeau, Eric, Divoux, 
Thierry. Energy, carbon and renewable energy: Candidate metrics for green-aware 
routing? Sensors, 19(13), Feb 2019.
- "It may be possible to obtain such a rating from the energy operation"
 + I really like that the document includes such a statement. It would be 
helpful for each of the metrics discussions to include: from whom the 
measurements for the metric might originate
- If deployment of the device is outside a Data Center (DC) and actually is in 
the wild, e.g., an RSU (road side unit), should the device be charged an energy 
tax for releasing its heat into the atmosphere?
 Thank you for the reference, indeed a great one!  We added some 
related discussion in Section 3.1.2 ("Green Metrics Beyond Energy 
Consumption").  However, we decided to not add the discussion about 
where m

[OPSAWG] Update on T+/TLS

[Joe Clarke (jclarke)]

Hello, authors.  I’m not sure if you’re planning to request a speaking slot for 
IETF 116, but we would like to get an update of the current state of this work 
(and author’s thoughts on next steps).  After publishing -01, there was a 
discussion on whether or not the obfuscation should be allowed within the TLS 
encap.  I don’t think that was concluded, though it seems like there is more 
support for NO.

Speaking as chair, I’d like to see this move forward, and perhaps it’s in or 
close to a state where we can do a WG LC?

Thanks.

Joe

___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg