15:32:10 <icbts> #startmeeting OpenDaylight Security Analysis Team, second meeting
15:32:10 <odl_meetbot> Meeting started Fri May 9 15:32:10 2014 UTC. The chair is icbts. Information about MeetBot at http://ci.openstack.org/meetbot.html.
15:32:10 <odl_meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:32:10 <odl_meetbot> The meeting name has been set to 'opendaylight_security_alaysis_team__second_meeting'
15:32:58 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis
15:34:37 <icbts> #info Original document and discussion from first meeting consolidated into team wiki page
15:38:45 <icbts> #action build upon Bundle/Application Security section - research bundle authorization in OSGi
15:39:32 <icbts> #info RBAC for lifecycle operations vs perms for bundle wiring
15:40:25 <icbts> #info bundle signatures?
15:40:52 <icbts> #info At load time bundle signature verification
15:41:04 <icbts> #info At runtime authorization to bundles
15:41:22 <icbts> #info Certificate to run bundles — ??
15:43:21 <icbts> #info gpg signatures for bundles
15:43:43 <icbts> #info We need to refine GPG signature vs certificates
15:44:27 <icbts> #info example: Apache uses GPG signatures to validate that bundles are from the community
15:44:53 <icbts> #info KEYS file contains public keys for users to validate that bundles come from the community
15:45:30 <icbts> #info Would a certificate be a viable mechanism?
15:46:01 <icbts> #info how to ensure that third parties can make valid certs/signatures?
15:46:36 <icbts> #info Who signs OpenDaylight releases?
15:46:49 <icbts> #info Current status - nothing is being signed
15:47:10 <icbts> #action outline some usage parameters for signing releases
15:48:34 <icbts> #info foundation has cert? developers? Who holds the keys?
15:48:47 <icbts> #info TSC / Committers / Release Manager?
15:49:31 <icbts> #info new topic: Export restrictions??
15:50:07 <icbts> #chair Meenakshi_
15:50:07 <odl_meetbot> Current chairs: Meenakshi_ icbts
15:50:42 <icbts> #chair Madhu
15:50:42 <odl_meetbot> Current chairs: Madhu Meenakshi_ icbts
15:51:29 <icbts> #info OpenDaylight Controller Plugin Security
15:51:55 <icbts> #info General recommendation for the plugins is as follows 1:: DDoS attack protection on plugin exposed ports 2:: Utilize a common crypto key storage 3:: Support a pluggable or built-in certificate authority
15:52:05 <icbts> #info are there more recommendations?
15:53:15 <icbts> #action add recommendations to plugin section
15:53:36 <icbts> #info How do we interact with other projects to communicate recommendations?
15:53:56 <icbts> #info TSC discussion for how recommendations are to be shared
15:55:00 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Authorization_of_External_Users
15:55:27 <icbts> #info RBAC for external users?
15:56:02 <icbts> #info recommendations for external users 1:: Access protocol authorization: e.g. a user can only access via HTTPS 2:: Resource Authorization: e.g. what data in the URI tree can the user config/view 3:: Logging access/authorization: useful for incident response analysis.
15:57:07 <icbts> #info Discussion on #2
15:57:36 <icbts> #info Root Admin, admins of certain parts of controller
15:57:45 <icbts> #info Full vs partial access
15:57:56 <icbts> #info Role Based Access Control
15:58:36 <icbts> #info do all users have access to certain functions?
15:58:49 <icbts> #info Resources vs Services?
15:59:14 <icbts> #info can you make configurations? Which devices?
15:59:40 <icbts> #info Resources/Services authorization
16:00:08 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Device.2FForwarding_Elements_BootStrap.2C_Authentication_and_Authorization
16:00:23 <icbts> #info Discovery of ODL controller and devices
16:00:55 <icbts> #info Backtracking …. Susanta: tenant isolation in Controller?
16:01:06 <icbts> #info Any tenant level roles?
16:01:30 <icbts> #info Super User for ACME?
16:04:16 <icbts> #info Returning to Bootstrap topic
16:08:32 <icbts> #info controller vs device
16:09:15 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Controller_Availability.2FClustering_and_Security
16:09:19 <icbts> #info no updates
16:09:57 <icbts> #info Discussion of infinispan
16:10:36 <icbts> #info Susanta leading discussion of current ODL controller clustering
16:17:11 <icbts> #info people do unexpected things … more research required
16:17:39 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Overall_Recommendations
16:18:08 <icbts> #action ongoing discussion of security
16:18:51 <icbts> #info review of high-level recommendations
16:19:13 <Madhu> sorry guys. have to drop off
16:19:24 <Madhu> icbts: Meenakshi_ thanks for capturing the notes.
16:21:05 <icbts> Madhu: no problem
16:23:50 <icbts> #info phone bridge issues encountered :S
16:28:15 <icbts> #info application isolation
16:28:40 <icbts> #info sandboxing
16:28:59 <icbts> #info see https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Bundle.2FApplication_Security
16:29:07 <icbts> #info for more on sandboxing issues
16:31:21 <icbts> #info should we capture everyone's ID who is working on Security?
16:32:28 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#References
16:32:36 <icbts> #info looking for link to article
16:33:19 <icbts> #info Comments??
16:40:25 <icbts> #info role based actor?
16:40:42 <icbts> #info attributes vs user
16:41:41 <icbts> #info plan for a week to research then present to TSC
16:42:03 <icbts> #endmeeting