IETF Logo Mail Archive

Re: [Gen-art] Gen-art Telechat review: draft-mm-netconf-time-capability-08

Tal Mizrahi <talmi@marvell.com> Wed, 16 September 2015 06:29 UTC

Return-Path: <talmi@marvell.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 188591B36FE; Tue, 15 Sep 2015 23:29:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FqWAS_aGwW3P; Tue, 15 Sep 2015 23:29:13 -0700 (PDT)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 390B41B375C; Tue, 15 Sep 2015 23:29:13 -0700 (PDT)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id t8G6OS8Z005512; Tue, 15 Sep 2015 23:29:10 -0700
Received: from il-exch02.marvell.com ([199.203.130.102]) by mx0a-0016f401.pphosted.com with ESMTP id 1wvhdgb183-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 15 Sep 2015 23:29:10 -0700
Received: from IL-EXCH01.marvell.com (10.4.102.220) by IL-EXCH02.marvell.com (10.4.102.221) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 16 Sep 2015 09:29:06 +0300
Received: from IL-EXCH01.marvell.com ([fe80::41:1c9f:8611:3a4a]) by IL-EXCH01.marvell.com ([fe80::41:1c9f:8611:3a4a%20]) with mapi id 15.00.1044.021; Wed, 16 Sep 2015 09:29:06 +0300
From: Tal Mizrahi <talmi@marvell.com>
To: Robert Sparks <rjsparks@nostrum.com>
Thread-Topic: Gen-art Telechat review: draft-mm-netconf-time-capability-08
Thread-Index: AQHQ8EfgWKtmR3MRi06tbkxsp9LGAJ4+rzqw
Date: Wed, 16 Sep 2015 06:29:03 +0000
Message-ID: <5911d7105231452db5a4ded868c64961@IL-EXCH01.marvell.com>
References: <55F72E83.3060703@nostrum.com> <1124441332.163295.1442384464109.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1124441332.163295.1442384464109.JavaMail.yahoo@mail.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.4.102.210]
Content-Type: multipart/alternative; boundary="_000_5911d7105231452db5a4ded868c64961ILEXCH01marvellcom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-09-16_02:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310000 definitions=main-1509160107
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/4c2wfvkbHHTyRMhbwtaMUGQMmOc>
Cc: "joel jaeggli (joelja@bogus.com)" <joelja@bogus.com>, General Area Review Team <gen-art@ietf.org>, "draft-mm-netconf-time-capability.all@ietf.org" <draft-mm-netconf-time-capability.all@ietf.org>
Subject: Re: [Gen-art] Gen-art Telechat review: draft-mm-netconf-time-capability-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 06:29:17 -0000

Hi Robert,

> The document doesn't reflect the email discussion we had around how
> certain 3rd parties can cancel commands. I encourage adding at least a
> sentence reminding implementers and experimenting operators to remember
> that they can.

Based on this email discussion we have added the last paragraph of Section 6.2 (see below). Please let us know if you believe this issue should be discussed further.


   This YANG module defines the <cancel-schedule> RPC. This RPC may be
   considered sensitive or vulnerable in some network environments.
   Since the value of the <schedule-id> is known to all the clients that
   are subscribed to notifications from the server, the <cancel-
   schedule> RPC may be used maliciously to attack servers by canceling
   their pending RPCs. This attack is addressed in two layers: (i)
   security at the transport layer, limiting the attack only to clients
  that have successfully initiated a secure session with the server,
   and (ii) the authorization level required to cancel an RPC should be
   the same as the level required to schedule it, limiting the attack
   only to attackers with an authorization level that is equal to or
   higher than that of the client that initiated the scheduled RPC.


Thanks,
Tal.




From: Tal Mizrahi [mailto:deweastern@yahoo.com]
Sent: Wednesday, September 16, 2015 9:21 AM
To: Tal Mizrahi
Subject: Fw: Gen-art Telechat review: draft-mm-netconf-time-capability-08


----- Forwarded Message -----
From: Robert Sparks <rjsparks@nostrum.com<mailto:rjsparks@nostrum.com>>
To: General Area Review Team <gen-art@ietf.org<mailto:gen-art@ietf.org>>; "ietf@ietf.org<mailto:ietf@ietf.org>" <ietf@ietf.org<mailto:ietf@ietf.org>>; draft-mm-netconf-time-capability.all@ietf.org<mailto:draft-mm-netconf-time-capability.all@ietf.org>
Sent: Monday, September 14, 2015 11:30 PM
Subject: Gen-art Telechat review: draft-mm-netconf-time-capability-08

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please wait for direction from your
document shepherd or AD before posting a new version of the draft.

For more information, please see the FAQ at

<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-mm-netconf-time-capability-08
Reviewer: Robert Sparks
Review Date: 14 Sep 2015
IETF LC End Date: past
IESG Telechat date: 17 Sep 2015

Summary: Ready for publication as an Experimental RFC

The changes since -05 address my concerns with allowing cancels to be
scheduled, and dealing with cancels not being processed in time.

The added discussion on how to choose a max-sched-future value is good.
I still would have preferred a hard limit for this experimental period.

The addition of cancelling all pending commands when the submitters
connection closes is a good one.

The document doesn't reflect the email discussion we had around how
certain 3rd parties can cancel commands. I encourage adding at least a
sentence reminding implementers and experimenting operators to remember
that they can.

RjS


On 7/8/15 4:39 PM, Robert Sparks wrote:
> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
>
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please resolve these comments along with any other Last Call comments
> you may receive.
>
> Document: draft-mm-netconf-time-capability-05
> Reviewer: Robert Sparks
> Review Date: 8 Jul 2015
> IETF LC End Date: 29 Jul 2015
> IESG Telechat date: not yet scheduled
>
> Summary: This draft has open issues to address before publication
>
> This draft adds two separable concepts to netconf
> * Asking for and receiving knowledge of when a command was executed
> * Requesting that a command be executed at a particular time
>
> The utility of the first is obvious, and I have no problems with the
> specification of that part of this extension. Would it be better to
> pull these apart and progress them separately?
>
> The utility of the second would be more obvious if the draft didn't
> limit the time to be "near future scheduling". It punts on most of the
> hard problems with scheduling things outside a very tight range (15
> seconds in the future by default), without motivating the advantages
> of saying "wait until 5 seconds from now before you do this".
>
> So:
>
> Why was 15 seconds chosen? Could you add a motivating example that
> shows why being able to say "now is not good, but 5 seconds from now
> is better" is useful? (Something like having a series of things happen
> as close to simultaneously without the network delay of sending the
> requests impacting how they are separated perhaps?)
>
> Given the punt, why isn't there a statement that sched-max-future MUST
> NOT be configured for more than some small value (twice the default,
> or 30 seconds, perhaps), especially while this is targeted for
> Experimental? Without something like that, I think the document needs
> to talk about more of the issues it is trying to avoid with longer
> term scheduling, even if it doesn't solve those issues. (If I have a
> fast pipe, I can make a server keep a lot of queued requests, eating a
> lot of state, even if the window is only 15 seconds. Pointing to how
> netconf protects against state-exhaustion abuse might be useful).
>
> The security considerations section talks about malicious parties
> attempting to cause sched-max-future to be configured to "a small
> value". Could you more clearly characterize  "small", given that the
> default is 15 seconds?
>
> Even with the near-future limit, there are issues to discuss
> introduced with the ability to cancel a request:
>
> * What prevents a 3rd party from cancelling a request? I think it's
> only that the 3rd party would have to obtain the right id to put in
> the cancel message. If so, the document should talk about how you keep
> eavesdroppers from seeing those ids, and that the servers that
> generate them should make ids that are hard to guess.
>
> * Especially given the near-future limitation, you run a high risk
> that the cancel arrives after the identified request has been
> executed. It's not clear in the current text what the server should
> do. I assume you want the server to reply to the cancel with a "I
> couldn't cancel that" rather than to do something like try to undo the
> request. The document should be explicit.
>
> * The document should explicitly disallow adding <scheduled-time> to
> <cancel-schedule>
>
> One editorial comment: It would help to move the concept of the
> near-future limitation much earlier in the document, perhaps even into
> the introduction and abstract.
>
> And for the shepherding AD: The document has no shepherd or shepherd
> writeup. While a writeup is not required, one would have been useful
> in this case to discuss the history of (lack of) discussion of the
> document on the group's list and the group's reaction to progressing
> as Experimental as an Individual Submission.

v2.23.0 | Report a Bug | By Email