Re: [I2nsf] [Netconf] What kind of mechanisms have NETCONF specified to prevent illegitimate"Clients" or "Agent"?
Kent Watsen <kwatsen@juniper.net> Tue, 09 February 2016 00:20 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3A4D1B3E1E; Mon, 8 Feb 2016 16:20:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ok_M7WE6_qkD; Mon, 8 Feb 2016 16:20:55 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0721.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::721]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17A111B3E20; Mon, 8 Feb 2016 16:20:51 -0800 (PST)
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1444.namprd05.prod.outlook.com (10.160.117.153) with Microsoft SMTP Server (TLS) id 15.1.403.16; Tue, 9 Feb 2016 00:20:32 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.0403.017; Tue, 9 Feb 2016 00:20:32 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Linda Dunbar <linda.dunbar@huawei.com>, 'Netconf' <netconf@ietf.org>
Thread-Topic: [Netconf] What kind of mechanisms have NETCONF specified to prevent illegitimate"Clients" or "Agent"?
Thread-Index: AdFiv0TiE9T6VE7/TRiLhiatv3duJ///zQOA
Date: Tue, 09 Feb 2016 00:20:32 +0000
Message-ID: <ACD729F5-A4F6-4406-9F52-C7ED697B3623@juniper.net>
References: <4A95BA014132FF49AE685FAB4B9F17F657DE8236@dfweml701-chm>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657DE8236@dfweml701-chm>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/0.0.0.160109
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.11]
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1444; 5:i/l6puIHi8r3NWf5epclJp8Oxg6J1Nn7xxMKBzehrOmYRMMxraTcgWHcnkccXqQ3HPtsW0SB8WDR3U+qlWWc8B9fLNNE6Jdi+H96DlgQhZMnfF1qWbvLt77Frpnx02sYNRMSn15rVZHfVXwx53VihQ==; 24:26HoRZzKHJlLylHjrjJ+RuqzIBBNqTjSapqHO9yFi9nliK0g5rZH4xQJ91y7Gh9xI4qOjMHhOKH75dIzdceVVQ0etPifcjhvj14wD4P8j84=
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(42139001); SRVR:BN3PR0501MB1444;
x-ms-office365-filtering-correlation-id: f89452c2-1af3-437d-82ab-08d330e6d2e5
x-microsoft-antispam-prvs: <BN3PR0501MB1444AB9AE23BB409732B98DAA5D60@BN3PR0501MB1444.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001); SRVR:BN3PR0501MB1444; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0501MB1444;
x-forefront-prvs: 08476BC6EF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(164054003)(51444003)(377454003)(50986999)(76176999)(92566002)(5002640100001)(3280700002)(36756003)(18717965001)(33656002)(16236675004)(19617315012)(83506001)(54356999)(82746002)(5001770100001)(19580395003)(19580405001)(4001350100001)(189998001)(5001960100002)(11100500001)(4326007)(2906002)(5004730100002)(19300405004)(3660700001)(1220700001)(1096002)(5008740100001)(6116002)(790700001)(3846002)(102836003)(586003)(83716003)(77096005)(122556002)(87936001)(15975445007)(10400500002)(40100003)(86362001)(2950100001)(2900100001)(19625215002)(99286002)(66066001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1444; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_ACD729F5A4F644069F52C7ED697B3623junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2016 00:20:32.6989 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1444
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/enA_F5G15qPL4VnGB8784LI8L_0>
X-Mailman-Approved-At: Tue, 09 Feb 2016 08:01:09 -0800
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>
Subject: Re: [I2nsf] [Netconf] What kind of mechanisms have NETCONF specified to prevent illegitimate"Clients" or "Agent"?
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2016 00:20:59 -0000
I think that this issue is shared by *all* remote management mechanisms - not VNFs, but knowing that the system hasn’t been compromised. NETCONF/RESTCONF rely on server authentication, using the server’s presented SSH host key or TLS server certificate. Only recently with draft-ietf-netconf-zerotouch is there a push to start using IDevID certificates that are bound to a TPM, but this only goes to show that the secure-tunnel termination point has access to the TPM and nothing else. That said, if the platform is certified to implement Secure Boot, which is a necessary precondition to supporting remote attestation, it seems that client can already be satisfied that it is communicating to an uncompromised system without need for remote attestation. However, Secure Boot only verifies that the platform is executing the right software stack, but does nothing to ensure the configuration files and the like haven’t been tweaked - this is where Trusted Boot (a.k.a. Measured Boot) comes in. But if the platform is known to be good (via Secure Boot), then any tweaking would be the result of unauthorized access (e.g., someone stole your login credentials), which needs a different solution. Sure, Trusted Boot can tell you something’s unexpected changed, but not what, when, who, etc.. Anyways, I think this is all well and good, but the issue has a scope that is beyond NETCONF. Related to VNFs in particular, my understanding as of late last year is that hypervisors still lacked support for Secure Boot. It seems like this draft might be getting ahead of what’s possible. PS: I’m not subscribed to the i2nsf list. Kent From: Netconf <netconf-bounces@ietf.org<mailto:netconf-bounces@ietf.org>> on behalf of Linda Dunbar <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> Date: Monday, February 8, 2016 at 5:23 PM To: "netconf@ietf.org<mailto:netconf@ietf.org>" <netconf@ietf.org<mailto:netconf@ietf.org>> Cc: "i2nsf@ietf.org<mailto:i2nsf@ietf.org>" <i2nsf@ietf.org<mailto:i2nsf@ietf.org>> Subject: [Netconf] What kind of mechanisms have NETCONF specified to prevent illegitimate"Clients" or "Agent"? NETCONF participants, Your Chair Mehmet suggested sending the following questions to the list. I2NSF has a draft on remote attestation (https://datatracker.ietf.org/doc/draft-pastor-i2nsf-vnsf-attestation/ ) which documented the following security threats between Client and Controller. I think those issues also face I2RS and NETCONF. Has NETCONF specified some mechanisms to address those issues? o An unknown/unauthorized user can try to impersonate another user that can legitimately access virtualized NSF services (or Network Services). This attack may lead to accessing the policies and applications of the attacked user or to generate network traffic outside a the security functions with a falsified identity. o An authorized user may misuse assigned privileges to alter the network traffic processing of other users in the virtualization platform. This can become especially serious when such a user has administration privileges granted by the virtualization provider, the ISP or the local network operator. o A user may try to install malformed elements (policy or application), trying to directly take the control of a NSF or virtualization platform (for example by exploiting a vulnerability on one of the functions or may try to intercept or modify the traffic of other users in the same platform. o A malicious virtualization provider can modify the software running on it (the operating system or a concrete vNSF) to alter the behaviour of the latter. This event has a high impact on all users accessing vNSFs as the virtualization provider has the highest level of privilege on the software in execution. o A user with physical access to the virtualization platform can modify the behavior of hardware components, or the components themselves. Furthermore, it can access a serial console (most devices offer this interface for maintenance reasons) to access the NSF software with the same level of privilege of the virtualization provider Thanks, Linda
- [I2nsf] What kind of mechanisms have NETCONF spec… Linda Dunbar
- Re: [I2nsf] [Netconf] What kind of mechanisms hav… Kent Watsen