#opendaylight-meeting: Security Analysis Team, Introductory meeting.
Meeting started by icbts at 15:06:48 UTC
(full logs).
Meeting summary
-
- attendees introducing themselves, and their
backgrounds (icbts,
15:07:20)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis
(icbts,
15:12:01)
- when to discuss meeting with TSC regarding team
activities (icbts,
15:13:39)
- 1. Document current security status
(icbts,
15:15:24)
- Platform Integrity. Develop recommendations for
adding security to build process (icbts,
15:18:23)
- discussed adding signatures/digests to release
artifacts (icbts,
15:18:53)
- Jamie - add documentation to wiki regarding how
projects use pgp to sign releases - Can ODL adopt a similar
procedure? (icbts,
15:19:53)
- Access between public and private build server
for releases (icbts,
15:20:23)
- Is PGP worth it? Are signed releases going to
help? (icbts,
15:22:16)
- log access to release system (icbts,
15:22:34)
- Who built the release and when (icbts,
15:22:48)
- OSGi Container Security: what kind of security
exists within the framework (icbts,
15:23:36)
- Use OSGi spec level security. Currently ODL
uses Equinox and Virgo, we should explore what security
mechanisms/best practices these frameworks recommend (icbts,
15:27:49)
- Cluster Protocol: Ensure cluster protocol and
communication is secure + recommendations (icbts,
15:28:22)
- InfiniBand vs Akka? (icbts,
15:29:21)
- Need to develop expertise in this protocol
area, and investigate security areas (icbts,
15:30:23)
- OSGi Container Security: authorizing machine
users (icbts,
15:30:51)
- How do we handle machine access? (icbts,
15:31:10)
- authorizing additions to container (icbts,
15:31:37)
- Investigate deployment security - who may
install into the container (icbts,
15:33:13)
- authorized access to container, can they do
deployment (icbts,
15:33:41)
- security concern regarding hot deployment
folder (icbts,
15:33:54)
- Jamie - investigate what each OSGi
implementation provides regarding security (icbts,
15:34:32)
- i.e. Equinox vs Felix (icbts,
15:34:52)
- Susanta - investigate more into Cluster
Protocol (icbts,
15:36:09)
- Current status and recommendations (icbts,
15:36:44)
- Existing Security in North Bound and South
Bound APIs (icbts,
15:37:10)
- https://docs.google.com/presentation/d/1df-GMYVe1zGEU6DgKzFQ3xeceicqcGNRRsT5l5QNd_E/edit?pli=1#slide=id.g26bf015a9_2_42
(icbts,
15:37:45)
- Discussing what documentation exists for
securing components of ODL (icbts,
15:38:42)
- Create central page for locating all
documentation regarding securing ODL — possibly a table with
component — pages (icbts,
15:39:33)
- Need to review projects for current security
docs (icbts,
15:41:18)
- Mike — DFA (icbts,
15:41:59)
- Neutron — ? (icbts,
15:42:38)
- VTN Coordinator — ? (icbts,
15:42:59)
- attendees picking portions of ODL to
review (icbts,
15:45:34)
- Recommendations — trusted key storage
location (icbts,
15:46:00)
- Returning to discussion of authorization to
install bundles (icbts,
15:49:17)
- permissions in osgi :
http://securesoftwaredev.com/2012/11/19/permissions-in-osgi/
(Madhu,
15:50:26)
- Certificate Authorities: discussion of what is
available (icbts,
15:52:04)
- Application Authorization (icbts,
15:55:16)
- document RBAC on controller? (icbts,
15:56:28)
- IPv4 / IPv6 (icbts,
15:57:35)
- Access Authorization (icbts,
15:57:55)
- Madhu, current situation vs what we could have
in place (icbts,
15:59:58)
- Application Authorization needs App
Sandboxing (Madhu,
16:00:36)
- Java Core Permissions will help with App
Sandboxing (Madhu,
16:02:15)
- Java sandboxing with Policy privileges in
SecurityManager :
http://securesoftwaredev.com/2012/11/12/sandboxing-java-code/
(Madhu,
16:03:37)
- http://log.illsley.org/2010/11/29/osgi-java-security-manager-and-keeping-things-simple/
(icbts,
16:04:07)
- http://www.osgi.org/wiki/uploads/CommunityEvent2008/24_JahnGumbel.pdf
(icbts,
16:05:07)
- What can we use from OSGi framework & Java
security (icbts,
16:06:55)
- Securing the deploy folder (outside of scope,
but should be reviewed) (icbts,
16:09:54)
- App sandboxing, access to resources
(icbts,
16:10:29)
- Arash, Madhu - sandbox (icbts,
16:10:51)
- Wojciech - concern over overlapping
reviews (icbts,
16:11:38)
- Sandboxing: collect information on
subject (icbts,
16:14:08)
- Controller Device Bootstrap, Authentication,
Authorization (icbts,
16:16:17)
- Arash, discussing his thoughts on wiki
page (icbts,
16:16:41)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis
(icbts,
16:16:44)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#OpenDaylight_Controller_Security
(icbts,
16:17:08)
- Arash requests comments on his notes
(icbts,
16:23:20)
- on Vulnerability analysis there are available
tools which can be used (Madhu,
16:32:07)
- ACTION: controller to
device security needs to be reviewed and worked on (Madhu,
16:37:26)
- thank you Jamie for taking awesome notes
:) (Meenakshi,
16:39:51)
- plan is to make the security analysis meeting
recurring at 8:30am PT (Madhu,
16:40:12)
Meeting ended at 16:42:24 UTC
(full logs).
Action items
- controller to device security needs to be reviewed and worked on
People present (lines said)
- icbts (71)
- Madhu (20)
- odl_meetbot (4)
- edwarnicke (2)
- AnthonyG (1)
- Meenakshi (1)
- madhu (0)
Generated by MeetBot 0.1.4.