AFAIK, most of dCache sites use xrootd proxies, so they are likely
affected, so is EOS, but fstreams have not been configured for Castor.
Is it sufficient that we encrypt the fstreams or do you want us not
to send the DNs at all?
Cheers,
Lukasz
On 09/01/2014 03:04 PM, Oliver Keeble wrote:
>
> This is not a DPM issue - it's the xrootd fstream which sends out this
> information so standard xrootd installations will also be affected.
> dCache may be different, I don't know if they implemented this
> themselves or not.
>
> On 01/09/14 13:48, Andrea Manzi wrote:
>> Hi Romain,
>> do you know if the problem affects only DPM-xrootd or whether all xrootd
>> deployments are affected?
>> thanks
>> Andrea
>>
>> On 01 Sep 2014, at 11:41, Romain Wartel <[log in to unmask]> wrote:
>>
>>> Domenico, Matevz,
>>>
>>> Just to close the loop; please find the information below. The EGI
>>> CSIRT, as well as WLCG operations coordination, are coordinating this
>>> issue.
>>> I expect you will be contacted "officially" by the EGI security
>>> vulnerability group (SVG) with an advisory before Wednesday with all
>>> the details.
>>>
>>> Then we would need you to look into this asap and report back on what
>>> corrective actions can be taken.
>>>
>>> Cheers,
>>> Romain.
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> *From: *Romain Wartel <[log in to unmask]>
>>>> *Subject: **xrootd - user DN information*
>>>> *Date: *1 Sep 2014 10:46:21 GMT+2
>>>> *To: *Maria Alandes Pradillo <[log in to unmask]>, Oliver Keeble
>>>> <[log in to unmask]>
>>>>
>>>> Maria, Oliver,
>>>>
>>>> Here is the information I have regarding the user DN usage for
>>>> monitoring in xrootd.
>>>>
>>>> I think the correct Indico link is
>>>> https://indico.cern.ch/event/197803/session/0/contribution/10/material/slides/0.pdf
>>>>
>>>>
>>>> Our policy on this topic is at
>>>> https://edms.cern.ch/file/855382/5/JobAccountingDataPolicy-v1.0.pdf
>>>>
>>>> "Each site is responsible for sending its accounting records on a
>>>> regular basis, e.g. daily, with at least user DNs encrypted in
>>>> transport, to a central data base defined by the Grid. This database
>>>> is located at an Accounting Data Centre (ADC). The location of the ADC
>>>> needs to be chosen carefully according to data privacy laws."
>>>>
>>>> Cheers,
>>>> Romain.
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> *From: *Sven Gabriel <[log in to unmask]>
>>>>> *Subject: **[Irtf] more atlas fun*
>>>>> *Date: *1 Sep 2014 08:14:12 GMT+2
>>>>> *To: *IRTF <[log in to unmask]>, David Groep <[log in to unmask]>
>>>>> *Reply-To: *Incident Response Task Force <[log in to unmask]>
>>>>>
>>>>> This is easy, .. here we have a violation of a couple of our
>>>>> policies on how to handle user privacy data.
>>>>>
>>>>> "....The xrootd monitoring infrastructure sends user DN information
>>>>> and all user actions in cleartext over UDP packets across to SLAC in
>>>>> the US for monitoring. They are even open about it: .."
>>>>>
>>>>> https://indico.cern.ch/event/197803/session/0/material/slides/0
>>>>>
>>>>> ... Mitigation can be done by blocking OUTBOUND UDP packets on each
>>>>> DPM xrootd host, in particular the headnode, but this is obviously not
>>>>> done by default.
>>>>>
>>>>> DROP udp -- anywhere anywhere udp spt:53193
>>>>> DROP udp -- anywhere anywhere udp spt:55721
>>>>> DROP udp -- anywhere atl-prod05.slac.stanford.edu
>>>>> ...."
>>>>>
>>>>> Does IRTF want to send out an advisory to all sites to apply the
>>>>> same FW rules?
>>>>>
>>>>> Cheers,
>>>>> Sven
>>>>> --
>>>>> ========
>>>>> Sven Gabriel
>>>>>
>>>>> Nikhef, Dutch National Institute for Sub-atomic Physics
>>>>> Group Computer Technology / Room: H1.59
>>>>> Phone: +31 20 5925103
>>>>> Science Park 105 / 1098 XG Amsterdam / The Netherlands
>>>>> _______________________________________________
>>>>> Irtf mailing list
>>>>> [log in to unmask]
>>>>> https://mailman.egi.eu/mailman/listinfo/irtf
>>>>
>>>
>>>
>>>
>>> --
>>> Romain Wartel
>>> Security Officer
>>> Worldwide LHC Computing Grid
>>> CERN, IT Department
>>> CH-1211 Geneva 23, Switzerland
>>>
>>> http://www.cern.ch/LCG
>>> http://cern.ch/security
>>> <[log in to unmask]>
>>> <[log in to unmask]>
>>>
>>
>
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1