#opendaylight-meeting log

17:05:05 <phrobb> #startmeeting TWS 2014-06-16
17:05:05 <odl_meetbot> Meeting started Mon Jun 16 17:05:05 2014 UTC.  The chair is phrobb. Information about MeetBot at http://ci.openstack.org/meetbot.html.
17:05:05 <odl_meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:05:05 <odl_meetbot> The meeting name has been set to 'tws_2014_06_16'
17:05:06 <colindixon> is the meeting running?
17:05:12 <phrobb> yes :-)
17:05:29 <phrobb> #topic OpenDaylight Security Analysis
17:05:54 <colindixon> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis going over this wiki page
17:06:11 <colindixon> #info was presented at the TSC on 5/29, then suggested as a TWS topic
17:11:22 <colindixon> #info goal of this document is to record the the current state security-related things in OpenDaylight and then recommendations as to ways to improve/change things
17:13:03 <colindixon> #info went over several considerations w.r.t. OSGi: chiefly (i) how to do bundle isolation/permissions and (ii) locking down remote access to the OSGi runtime with a focus on Karaf
17:15:44 <colindixon> #info review of controller plugins and their security, e.g., HTTP vs. HTTPS, TCP vs. TLS, etc.
17:18:01 <colindixon> #info colindixon asks are there good high-level statements we could make rather than (or in addition to) specific per-plugin transports
17:19:22 <colindixon> #info one suggestion is that we recommend: (i) encrypt all communication that leaves the controller and (ii) do bidirectional authentication, i.e., controller authenticates itself and the other end authenticates itself to the controller
17:20:01 <colindixon> #info edwarnicke also points out that the table of where we lie in terms of that is a good idea to track where we are with respect to each plugin (colindixon agrees strongly)
17:20:47 <alagalah> networkstatic: +1
17:21:18 <networkstatic> alagalah ur alive!
17:21:30 <alagalah> networkstatic: barely
17:22:08 <colindixon> #link https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support some information about adding TLS support OpenFlow Plugin
17:22:19 <alagalah> networkstatic: I think the expression is 10lbs of shit shoved into a 5lb bag
17:22:56 <networkstatic> ha, i hear u
17:23:13 <colindixon> #info networkstatic suggests (and colindixon and alagalah +1) that we should provide sample implementations of the “right” security stuff for commonly used stuff, e.g., JAX-RS and Netty
17:23:40 <colindixon> #info edwarnicke suggests that we try to get that implemented once so that others can reuse the same code rather than copy/pasting the samples
17:23:51 <alagalah> I back networkstatic implicitly
17:26:20 <colindixon> #info edwarnicke asks if there’s been any discussion of the tension between the ease of having default login/passwords for developers vs. how to make sure we don’t accidentally make it easy for real people to use it and leave default passwords as a security vulnerability
17:26:36 <colindixon> #info the answer is that it’s on their minds, but there’s no decision yet
17:27:25 <colindixon> #info edwarnicke suggests having a default password at launch, but require first login to reset it, that way if somebody discovers the default password doesn’t work, you know things are somehow bad
17:27:50 * edwarnicke horray for the AAA project! :)
17:28:09 <networkstatic> there was a log message added to OSGI somewhat recently saying, change passwd etc.
17:28:36 <edwarnicke> networkstatic: I've seen that too :)  Its goodness, but probably not enough goodness :)
17:28:53 <networkstatic> bah, plausible deniability
17:28:58 <networkstatic> we told you so
17:28:59 <networkstatic> :)
17:33:58 <edwarnicke> networkstatic: You have been warned! ;)
17:35:33 <edwarnicke> #info colindixon: zeroconf is hard
17:35:50 <edwarnicke> #info unidentifiedspeaker: But the IETF has a draft that may tell you how ;)
17:36:14 <colindixon> #info talking about secure bootstrap of the infrastructure: that is finding the devices and getting them attached to the controller (possibly through multiple hops) in a secure way
17:36:47 <colindixon> #info david lenrow asks if this is about infrastructure devices or other endpoints as welll
17:36:58 <colindixon> #info answer is that it’s about infrastructure for now and that will be made more clear
17:38:34 <colindixon> #info there is a discussion about how easy things are to classify as infrastructure and not infrastructure with respect to things like vSwitches and NFV; these difficulties are acknowledged, but the idea seems to be you first boot/discover the physical infrastructure and then you can boot/discover the virtual infrastructure
17:41:21 <colindixon> #info controller clustering: discussion of securing Infinispan/JGroups
17:42:01 <colindixon> #info colindixon points out that we will likely be using Akka in addition to this and we need to look into this (Jan Medved says we aren’t going to be using zeroMQ)
17:45:57 <colindixon> #info colindixon we should specify high-level intent of what we should be doing for all of these points, so that as the underlying technology changes we can do the right things
17:46:55 <colindixon> #info colindixon asks if we have a way to enumerate the ports we think OpenDaylight has open and what we think is listening on them and how we think it’s secured
17:47:36 <dfarrell07> #info NMap scans against port 6633, 1830 and 6640 (+1 more to be documented) cause exceptions/bad behavior, see bugs 1174-6
17:47:43 <colindixon> dfarrell07: thanks!
17:47:47 <dfarrell07> np :)
17:49:00 <colindixon> #info one way to build the list of ports would be using a combination of things like NMap and netstat, it would be great if we could automate building that list and then we could tell when/if it changes
17:51:34 <colindixon> #info somebody (I forget who) suggested that we make sure to do fuzz testing
17:52:29 <colindixon> #info somebody (I forget who) also suggested that we figure out if we want to recommend different security approaches for service providers vs. data centers, etc.
17:55:41 <cdub> colindixon: yes! (thank you, was about to say this)
17:57:32 <colindixon> #info the overall recommendations at the end of this document seem to mostly involve high-end (non-free) software to test things and provide vulnerability analysis
17:58:25 <colindixon> #info colindixon says some of this seems antithetical to open source software development and asks if there are different ways other open source projects do things
17:58:28 <cdub> #info we have coverity account for ODL
17:59:01 <colindixon> thanks cdub
17:59:53 <cdub> #info we need a general security vulnerability process
18:00:04 <cdub> #info we have security@lists.opendaylight.org as a starting point
18:00:06 <colindixon> cdub: didn’t we establish that?
18:00:08 <colindixon> ok
18:00:10 <colindixon> yeah
18:00:11 <cdub> #info we need an actual owner
18:00:42 <dfarrell07> It doesn't seem like the scurity group is still meeting, btw (per my recent refactoring of wiki/Meetings)
18:01:30 <cdub> edwarnicke: trhere is no contact other than security@lists.opendaylight.org
18:01:55 <dfarrell07> colindixon + whoever else that was: Thanks, I'll update wiki/Meetings to refect that
18:02:24 <edwarnicke> cdub: Thanks :)  I went looking for it on the lists.opendaylight.org and didn't see it... which I suspect is intentional
18:03:11 <cdub> edwarnicke: all very fuzzy in my memory as well
18:03:43 <edwarnicke> cdub: I remember it all seemed like a very good idea at the time... but all I remember are the warm fuzzies ;)
18:03:49 <cdub> heh
18:03:54 <edwarnicke> cdub: Not the idea itself :(
18:08:09 <phrobb> #stopmeeting
18:08:13 <colindixon> #endmeeting