#opendaylight-meeting: Security Analysis Team, Introductory meeting.

Meeting started by icbts at 15:06:48 UTC (full logs).

Meeting summary

    1. attendees introducing themselves, and backgrounds (icbts, 15:07:20)
    2. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis (icbts, 15:12:01)
    3. when to discuss meeting with TSC regarding team activities (icbts, 15:13:39)
    4. 1. Document current security status (icbts, 15:15:24)
    5. Platform Integrity. Develop recommendations for adding security to build process (icbts, 15:18:23)
    6. discussed adding signatures/digests to release artifacts (icbts, 15:18:53)
    7. Jamie - add documentation to wiki regarding how projects use pgp to sign releases - Can ODL adopt a similar procedure? (icbts, 15:19:53)
    8. Access between public and private build server for releases (icbts, 15:20:23)
    9. Is pgp worth it? Are signed releases going to help? (icbts, 15:22:16)
    10. log access to release system (icbts, 15:22:34)
    11. Who built the release and when (icbts, 15:22:48)
    12. OSGI Container Security: what kind of security exists within the framework (icbts, 15:23:36)
    13. Use OSGi spec level security. Currently ODL uses Equinox and Virgo, we should explore what security mechanism/best practices these frameworks recommend (icbts, 15:27:49)
    14. Cluster Protocol: Ensure cluster protocol and communication is secure + recommendations (icbts, 15:28:22)
    15. infiniband vs akka? (icbts, 15:29:21)
    16. Need to develop expertise in this protocol area, and investigate security areas (icbts, 15:30:23)
    17. OSGi Container Security: authorizing machine users (icbts, 15:30:51)
    18. How do we handle machine access? (icbts, 15:31:10)
    19. authorizing additions to container (icbts, 15:31:37)
    20. Investigate deployment security - who may install into container (icbts, 15:33:13)
    21. authorized access to container, can they do deployment (icbts, 15:33:41)
    22. security concern regarding hot deployment folder (icbts, 15:33:54)
    23. Jamie - investigate, what does each OSGi implementation provide regarding security (icbts, 15:34:32)
    24. i.e. Equinox vs Felix (icbts, 15:34:52)
    25. Susanta - investigate more into Cluster Protocol (icbts, 15:36:09)
    26. Current status and recommendations (icbts, 15:36:44)
    27. Existing Security in North Bound and South Bound APIs (icbts, 15:37:10)
    28. https://docs.google.com/presentation/d/1df-GMYVe1zGEU6DgKzFQ3xeceicqcGNRRsT5l5QNd_E/edit?pli=1#slide=id.g26bf015a9_2_42 (icbts, 15:37:45)
    29. Discussing what documentation exists for securing components of ODL (icbts, 15:38:42)
    30. Create central page for locating all documentation regarding securing ODL — possibly a table with component — pages (icbts, 15:39:33)
    31. Need to review projects for current security docs (icbts, 15:41:18)
    32. Mike — DFA (icbts, 15:41:59)
    33. Neutron — ? (icbts, 15:42:38)
    34. VTN Coordinator — ? (icbts, 15:42:59)
    35. attendees picking portions of ODL to review (icbts, 15:45:34)
    36. Recommendations — trusted key storage location (icbts, 15:46:00)
    37. Returning to discussion of authorization to install bundles (icbts, 15:49:17)
    38. permissions in osgi : http://securesoftwaredev.com/2012/11/19/permissions-in-osgi/ (Madhu, 15:50:26)
    39. Certificate Authorities : discussion of what is available (icbts, 15:52:04)
    40. Application Authorization (icbts, 15:55:16)
    41. document RBAC on controller? (icbts, 15:56:28)
    42. IPv4 / IPv6 (icbts, 15:57:35)
    43. Access Authorization (icbts, 15:57:55)
    44. Madhu, current situation vs what we could have in place (icbts, 15:59:58)
    45. Application Authorization needs App Sandboxing (Madhu, 16:00:36)
    46. Java Core Permissions will help with App Sandboxing (Madhu, 16:02:15)
    47. Java sandboxing with Policy privileges in SecurityManager : http://securesoftwaredev.com/2012/11/12/sandboxing-java-code/ (Madhu, 16:03:37)
    48. http://log.illsley.org/2010/11/29/osgi-java-security-manager-and-keeping-things-simple/ (icbts, 16:04:07)
    49. http://www.osgi.org/wiki/uploads/CommunityEvent2008/24_JahnGumbel.pdf (icbts, 16:05:07)
    50. What can we use from OSGi framework & Java security (icbts, 16:06:55)
    51. Securing the deploy folder (outside of scope, but should be reviewed) (icbts, 16:09:54)
    52. App Sandboxing, access to resource (icbts, 16:10:29)
    53. Arash, Madhu - sandbox (icbts, 16:10:51)
    54. Wojciech - concern over overlapping reviews (icbts, 16:11:38)
    55. Sandboxing: collect information on subject (icbts, 16:14:08)
    56. Controller Device Bootstrap, Authentication Authorization (icbts, 16:16:17)
    57. Arash, discussing his thoughts on wiki page (icbts, 16:16:41)
    58. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis (icbts, 16:16:44)
    59. https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#OpenDaylight_Controller_Security (icbts, 16:17:08)
    60. Arash requests comments on his notes (icbts, 16:23:20)
    61. on Vulnerability analysis there are available tools which can be used (Madhu, 16:32:07)
    62. ACTION: controller to device security needs to be reviewed and worked on (Madhu, 16:37:26)
    63. thank you Jamie for taking awesome notes :) (Meenakshi, 16:39:51)
    64. plan is to make the security analysis meeting recurring 8.30am PT (Madhu, 16:40:12)


Meeting ended at 16:42:24 UTC (full logs).

Action items

  1. controller to device security needs to be reviewed and worked on


People present (lines said)

  1. icbts (71)
  2. Madhu (20)
  3. odl_meetbot (4)
  4. edwarnicke (2)
  5. AnthonyG (1)
  6. Meenakshi (1)
  7. madhu (0)


Generated by MeetBot 0.1.4.