15:32:10 <icbts> #startmeeting OpenDaylight Security Analysis Team, second meeting
15:32:10 <odl_meetbot> Meeting started Fri May  9 15:32:10 2014 UTC.  The chair is icbts. Information about MeetBot at http://ci.openstack.org/meetbot.html.
15:32:10 <odl_meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:32:10 <odl_meetbot> The meeting name has been set to 'opendaylight_security_alaysis_team__second_meeting'
15:32:58 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis
15:34:37 <icbts> #info Original document and discussion from first meeting consolidated into team wiki page
15:38:45 <icbts> #action build upon Bundle/Application Security section - research bundle authorization in OSGi
15:39:32 <icbts> #info RBAC for lifecycle operations vs perms for bundle wiring
15:40:25 <icbts> #info bundle signatures?
15:40:52 <icbts> #info At load time bundle signature verification
15:41:04 <icbts> #info At runtime authorization to bundles
15:41:22 <icbts> #info Certificate to run bundles — ??
15:43:21 <icbts> #info gpg signatures for bundles
15:43:43 <icbts> #info We need to refine GPG signature vs certificates
15:44:27 <icbts> #info example: Apache uses GPG signatures to validate that bundles are from the community
15:44:53 <icbts> #info KEYS file contain public keys for user to validate bundles come from the community
15:45:30 <icbts> #info Would a certificate be a viable mechanism?
15:46:01 <icbts> #info how to ensure that third parties can make valid certs/signatures?
15:46:36 <icbts> #info Who signs OpenDaylight releases?
15:46:49 <icbts> #info Current status - nothing is being signed
15:47:10 <icbts> #action outline some usage parameters for signing releases
15:48:34 <icbts> #info foundation has cert? developers? Who holds the keys?
15:48:47 <icbts> #info TSC / Committers / Release Manager?
15:49:31 <icbts> #info new topic: Export restrictions??
15:50:07 <icbts> #chair Meenakshi_
15:50:07 <odl_meetbot> Current chairs: Meenakshi_ icbts
15:50:42 <icbts> #chair Madhu
15:50:42 <odl_meetbot> Current chairs: Madhu Meenakshi_ icbts
15:51:29 <icbts> #info OpenDaylight Controllers Plugin Security
15:51:55 <icbts> #info General recommendation for the plugins is as follows 1:: DDoS attack protection on plugin exposed ports 2:: Utilize a common crypto key storage 3:: Support a pluggable or built-in certificate authority
15:52:05 <icbts> #info are there more recommendations?
15:53:15 <icbts> #action add recommendations to plugin section
15:53:36 <icbts> #info How do we interact with other projects to communicate recommendations?
15:53:56 <icbts> #info TSC discussion for how recommendations to be shared
15:55:00 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Authorization_of_External_Users
15:55:27 <icbts> #info RBAC for external users?
15:56:02 <icbts> #info recommendations for external users 1:: Access protocol authorization: e.g. a user can only access via HTTPS 2:: Resource Authorization: e.g. what data in the URI tree can the user config/view 3:: Logging access/authorization: useful for incident response analysis.
15:57:07 <icbts> #info Discussion on #2
15:57:36 <icbts> #info Root Admin, admins of certain parts of controller
15:57:45 <icbts> #info Full vs partial access
15:57:56 <icbts> #info Role Based Access Control
15:58:36 <icbts> #info do all users have access to certain functions?
15:58:49 <icbts> #info Resources vs Services?
15:59:14 <icbts> #info can you make configurations? Which devices ?
15:59:40 <icbts> #info Resources/Services authorization
16:00:08 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Device.2FForwarding_Elements_BootStrap.2C_Authentication_and_Authorization
16:00:23 <icbts> #info Discovery of ODL controller and devices
16:00:55 <icbts> #info Backtracking …. Susanta: tenant isolation in Controller?
16:01:06 <icbts> #info Any tenant level roles?
16:01:30 <icbts> #info Super User for ACME ?
16:04:16 <icbts> #info Returning to Bootstrap topic
16:08:32 <icbts> #info controller vs device
16:09:15 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Controller_Availability.2FClustering_and_Security
16:09:19 <icbts> #info no updates
16:09:57 <icbts> #info Discussion of infinispan
16:10:36 <icbts> #info Susanta leading discussion of current ODL controller clustering
16:17:11 <icbts> #info people do unexpected things … more research required
16:17:39 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Overall_Recommendations
16:18:08 <icbts> #action ongoing discussion of security
16:18:51 <icbts> #info review of high-level recommendations
16:19:13 <Madhu> sorry guys. have to drop off
16:19:24 <Madhu> icbts: Meenakshi_ thanks for capturing the notes.
16:21:05 <icbts> Madhu: no problem
16:23:50 <icbts> #info phone bridge issues encountered :S
16:28:15 <icbts> #info application isolation
16:28:40 <icbts> #info sandboxing
16:28:59 <icbts> #info see https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Bundle.2FApplication_Security
16:29:07 <icbts> #info for more on sandboxing issues
16:31:21 <icbts> #info should we capture everyone's ID who is working on Security?
16:32:28 <icbts> #link https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#References
16:32:36 <icbts> #info looking for link to article
16:33:19 <icbts> #info Comments??
16:40:25 <icbts> #info role based actor?
16:40:42 <icbts> #info attributes vs user
16:41:41 <icbts> #info plan for a week to research then present to TSC
16:42:03 <icbts> #endmeeting