#opendaylight-meeting: OpenDaylight Security Analysis Team, second meeting

Meeting started by icbts at 15:32:10 UTC (full logs).

Meeting summary

    1. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis (icbts, 15:32:58)
    2. Original document and discussion from first meeting consolidated into team wiki page (icbts, 15:34:37)
    3. ACTION: build upon Bundle/Application Security section - research bundle authorization in OSGi (icbts, 15:38:45)
    4. RBAC for lifecycle operations vs perms for bundle wiring (icbts, 15:39:32)
    5. bundle signatures? (icbts, 15:40:25)
    6. At load time bundle signature verification (icbts, 15:40:52)
    7. At runtime authorization to bundles (icbts, 15:41:04)
    8. Certificate to run bundles — ?? (icbts, 15:41:22)
    9. gpg signatures for bundles (icbts, 15:43:21)
    10. We need to refine GPG signature vs certificates (icbts, 15:43:43)
    11. example: Apache uses GPG signatures to validate that bundles are from the community (icbts, 15:44:27)
    12. KEYS file contain public keys for user to validate bundles come from the community (icbts, 15:44:53)
    13. Would a certificate be a viable mechanism? (icbts, 15:45:30)
    14. how to ensure that third parties can make valid certs/signatures? (icbts, 15:46:01)
    15. Who signs OpenDaylight releases? (icbts, 15:46:36)
    16. Current status - nothing is being signed (icbts, 15:46:49)
    17. ACTION: outline some usage parameters for signing releases (icbts, 15:47:10)
    18. foundation has cert? developers? Who holds the keys? (icbts, 15:48:34)
    19. TSC / Committers / Release Manager? (icbts, 15:48:47)
    20. new topic: Export restrictions?? (icbts, 15:49:31)
    21. OpenDaylight Controllers Plugin Security (icbts, 15:51:29)
    22. General recommendation for the plugins is as follows 1:: DDoS attack protection on plugin expose ports 2:: Utilize a common crypto key storage 3:: Support a pluggable or built-in certificate authority (icbts, 15:51:55)
    23. are there more recommendations? (icbts, 15:52:05)
    24. ACTION: add recommendations to plugin section (icbts, 15:53:15)
    25. How do we interact with other projects to communicate recommendations? (icbts, 15:53:36)
    26. TSC discussion for how recommendations to be shared (icbts, 15:53:56)
    27. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Authorization_of_External_Users (icbts, 15:55:00)
    28. RBAC for external users? (icbts, 15:55:27)
    29. recommendations for external users 1:: Access protocol authorization: e.g. a user can only access via HTTPS 2:: Resource Authorization: e.g. what data in the URI tree can the user config/view 3:: Logging access/authorization: useful for incident response analysis. (icbts, 15:56:02)
    30. Discussion on #2 (icbts, 15:57:07)
    31. Root Admin, admins of certain parts of controller (icbts, 15:57:36)
    32. Full vs partial access (icbts, 15:57:45)
    33. Role Based Access Control (icbts, 15:57:56)
    34. do all users have access to certain functions? (icbts, 15:58:36)
    35. Resources vs Services? (icbts, 15:58:49)
    36. can you make configurations? Which devices ? (icbts, 15:59:14)
    37. Resources/Services authorization (icbts, 15:59:40)
    38. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Device.2FForwarding_Elements_BootStrap.2C_Authentication_and_Authorization (icbts, 16:00:08)
    39. Discovery of ODL controller and devices (icbts, 16:00:23)
    40. Back tracking …. Susanta: tenant isolation in Controller? (icbts, 16:00:55)
    41. Any tenant level roles? (icbts, 16:01:06)
    42. Super User for ACME ? (icbts, 16:01:30)
    43. Returning to Bootstrap topic (icbts, 16:04:16)
    44. controller vs device (icbts, 16:08:32)
    45. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Controller_Availability.2FClustering_and_Security (icbts, 16:09:15)
    46. no updates (icbts, 16:09:19)
    47. Discussion of infinispan (icbts, 16:09:57)
    48. Susanta leading discussion of current ODL controller clustering (icbts, 16:10:36)
    49. people do unexpected things … more research required (icbts, 16:17:11)
    50. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Overall_Recommendations (icbts, 16:17:39)
    51. ACTION: ongoing discussion of security (icbts, 16:18:08)
    52. review of high-level recommendations (icbts, 16:18:51)
    53. phone bridge issues encountered :S (icbts, 16:23:50)
    54. application isolation (icbts, 16:28:15)
    55. sandboxing (icbts, 16:28:40)
    56. see https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Bundle.2FApplication_Security (icbts, 16:28:59)
    57. for more on sandboxing issues (icbts, 16:29:07)
    58. should we capture everyone’s ID who is working on Security? (icbts, 16:31:21)
    59. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#References (icbts, 16:32:28)
    60. looking for link to article (icbts, 16:32:36)
    61. Comments?? (icbts, 16:33:19)
    62. role based actor? (icbts, 16:40:25)
    63. attributes vs user (icbts, 16:40:42)
    64. plan for a week to research then present to TSC (icbts, 16:41:41)


Meeting ended at 16:42:03 UTC (full logs).

Action items

  1. build upon Bundle/Application Security section - research bundle authorization in OSGi
  2. outline some usage parameters for signing releases
  3. add recommendations to plugin section
  4. ongoing discussion of security


People present (lines said)

  1. icbts (69)
  2. odl_meetbot (5)
  3. Madhu (2)
  4. Meenakshi_ (0)


Generated by MeetBot 0.1.4.