Re: [core] Roman Danyliw's Discuss on draft-ietf-core-sid-22: (with DISCUSS and COMMENT)
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 26 October 2023 19:42 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1443C170600; Thu, 26 Oct 2023 12:42:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LNpzdnRMKDzH; Thu, 26 Oct 2023 12:42:28 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54660C170601; Thu, 26 Oct 2023 12:42:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 23FB31800F; Thu, 26 Oct 2023 15:42:26 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 6jEqVDd5eNT4; Thu, 26 Oct 2023 15:42:25 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 60B0A1800C; Thu, 26 Oct 2023 15:42:25 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1698349345; bh=Cs12XHIk/q9VajOlbHdCVTKVPo1BZuDkbl8bi+UBMbQ=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=FBDMNpVuuJeAuoPteHGz1kD2PPnRoO4uR22QkhTgXpw0Gmy25H7tu3Izl4gEWcmQk n8ku5UbhvCsERqnDggKhAyHHPKCChRPotXVA9jLnUTCD82ZzqXYumQMUWtqViObu+G 2mHCeXxAQyVpl/qJBr139Y2tyNGBeGTvfkkfYxDjw2Izg/n5R5U+t9vmYAzqivKxzN GnJp+LjfLF25nIqp0MWAGaCYGz+fcPl4xXbU0+jOKPrR1lfHKZb+Yh7Euu7N0YBGnS IWWZ1VdrYi7pap3UIfl17CceSZ7vNkf1nYEVyXlQce9oBYsquC6z2NCUxcWCmx1Qi/ suyNmYeYodmkQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 58BF7157; Thu, 26 Oct 2023 15:42:25 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Roman Danyliw <rdd@cert.org>
cc: The IESG <iesg@ietf.org>, draft-ietf-core-sid@ietf.org, core-chairs@ietf.org, core@ietf.org
In-Reply-To: <169833143199.10921.3629900073692762292@ietfa.amsl.com>
References: <169833143199.10921.3629900073692762292@ietfa.amsl.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 26 Oct 2023 15:42:25 -0400
Message-ID: <17416.1698349345@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/_ooHZWOyRk0Rih2D0X5Xysvt66A>
Subject: Re: [core] Roman Danyliw's Discuss on draft-ietf-core-sid-22: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Oct 2023 19:42:32 -0000
Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > ** Section 5. > Conceptually, SID files could be processed by less-constrained target > systems such as network management systems. Such systems need to > take extra care to make sure that they are only processing SID files > from authoritative sources, as authoritative as the YANG modules that > they are using. > Thanks for flagging this as a security consideration. Rob Wilton also > mentioned it in his ballot. I’m a puzzled by this use case. Is this > suggesting that “less constrained … systems” would download SID files based on > some kind of real-time input? If so, this seems highly problematic because (a) > it could leak information to an outside party; and (b) seems like it could > cause a DDoS on the distributor of the SID files or even the system itself > (depending on the caching strategy). Is the use case here that the SID file > would be distributed “offline” by the system vendor or operator through > configuration making it more akin to the developer use case mentioned > previously? I appreciate that CBOR is intended to be self-describing, but I’m > not sure how a network management system would be parsing arbitrary formats. I think that there are several things in this. 1) yeah, a network management system could download the SID files from a central repo (iana.org/yangcatalog if necessary) when first interacting with some new device for the first time using CORECONF. 2) Yes, this could leak information to the logs of yangcatalog about who asked for what, when. It would be better if the NMS vendor distributed things in some concentrated form, like tgz or zip. Or rsync. 3) Yes, this could be a DDoS against the SID file hosting service. They are static files though, and it's over HTTPS, so I think that this is not a particularly new concern. 4) The NMS system won't be parsing abitrary CBOR: yang-cbor/RFC9254 defines some pretty regular CBOR that encodes things. Okay, it's CBOR maps (with a few arrays) all the way down, but there isn't much more than that. The keys are all integers with delta encoding. It's morally equivalent to JSON or XML. The SID files just let the NMS make sense of the resulting uint63s. Yes, one could construct some very deeping nested CBOR which might blow up a stack, but that's always a problem with all of these formats. } ** Section 6.5.3 } After Working Group Adoption, any modification of a ".sid" file is } expected to be discussed on the mailing list of the appropriate } Working Groups. SPECIFIC ATTENTION SHOULD BE PAID TO IMPLEMENTERS' } OPINION AFTER WORKING GROUP LAST CALL IF A SID VALUE IS TO CHANGE ITS } MEANING. In all cases, a ".sid" file and the SIDs associated with it } are subject to change before the publication of an internet draft as } an RFC. > This text is here to bring clarity to an important issue, but it isn’t clear to > me what it is. The text appears to be describing what is true for any > significant change to a WG document. Upper-cased the specific concern. Since SID numbers generally are baked into target system code, any change to them might disrupt people's "running code". But there are a bunch of changes that actually don't affect things. For instance, one can change the YANG leaf name without actually affecting the meaning or SID number :-) One thing that a WG probably wants to do at WGLC (or just before it), is to throw away all "unstable" allocations, and reallocate them so that they are in a contiguous group/range. This definitely has affects on running code, so it should be done *once*. The reason they might not be contiguous is because during the WG discussion leaves have been added/removed or had their types changed. > ** Section 6.5.3 > Due to the difficulty in changing SID values during IETF document > processing, it is expected that most documents will ask for SID > allocations using Early Allocations [BCP100]. The details of the > Early Allocation should be included in any Working Group Adoption > call. > ... > In all cases, a ".sid" file and the SIDs associated with it > are subject to change before the publication of an internet draft as > an RFC. > -- I have no experience with early allocation of an IANA code point happening > concurrent with a WG adoption of a document. Is that common? I have seen it done, although I can't exactly name it. I know that we asked for certain numbers in ANIMA to be allocated when it became clear that the WG was going to do this work. We needed those numbers to do interoperation of running code, and WG adoption was the earliest we were allowed to ask for that. > -- What difficulty is expected in changing SID values? > -- Why is early allocation happening if the draft is not stable (which seems > unlikely at adoption time)? running code. We expect that those writing running code understand that they might have to revise their running code *adhoc*. But, as a WG, we do need to manage the process or people waste time debugging mis-matches. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [core] Roman Danyliw's Discuss on draft-ietf-core… Roman Danyliw via Datatracker
- Re: [core] Roman Danyliw's Discuss on draft-ietf-… Carsten Bormann
- Re: [core] Roman Danyliw's Discuss on draft-ietf-… Michael Richardson