IETF Logo Mail Archive

Re: [i2rs] topo model use of NACM

Alexander Clemm <alexander.clemm@huawei.com> Thu, 16 February 2017 22:18 UTC

Return-Path: <alexander.clemm@huawei.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5CB01294CF for <i2rs@ietfa.amsl.com>; Thu, 16 Feb 2017 14:18:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3sZllNwOAqz for <i2rs@ietfa.amsl.com>; Thu, 16 Feb 2017 14:18:26 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96B69129457 for <i2rs@ietf.org>; Thu, 16 Feb 2017 14:18:25 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml703-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DAT30617; Thu, 16 Feb 2017 22:18:22 +0000 (GMT)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml703-cah.china.huawei.com (10.201.5.104) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 16 Feb 2017 22:18:21 +0000
Received: from SJCEML703-CHM.china.huawei.com ([169.254.5.69]) by SJCEML701-CHM.china.huawei.com ([169.254.3.132]) with mapi id 14.03.0235.001; Thu, 16 Feb 2017 14:18:15 -0800
From: Alexander Clemm <alexander.clemm@huawei.com>
To: Andy Bierman <andy@yumaworks.com>, Susan Hares <shares@ndzh.com>
Thread-Topic: [i2rs] topo model use of NACM
Thread-Index: AQHSiIcFMhe2D11fUkesxuPxtpMzeKFskAEAgAART4D//4okMA==
Date: Thu, 16 Feb 2017 22:18:13 +0000
Message-ID: <644DA50AFA8C314EA9BDDAC83BD38A2E0DF809F1@SJCEML703-CHM.china.huawei.com>
References: <CABCOCHT6E=_ojQvDp+iSd3roShFn3E1VhAyP0dFcP3Q7SLNWag@mail.gmail.com> <054b01d2888d$7aa8e120$6ffaa360$@ndzh.com> <CABCOCHQ9QfZY09tWWhu9RhdrgJb3nPc40gj4Atq1EewK4wPfxQ@mail.gmail.com>
In-Reply-To: <CABCOCHQ9QfZY09tWWhu9RhdrgJb3nPc40gj4Atq1EewK4wPfxQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.213.48.18]
Content-Type: multipart/alternative; boundary="_000_644DA50AFA8C314EA9BDDAC83BD38A2E0DF809F1SJCEML703CHMchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0204.58A6252F.00F8, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.5.69, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2f658c86a068ad87196968b60352e9e9
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/nRTNeVeVz2sGIux0nO0UIWl5XNw>
Cc: "i2rs@ietf.org" <i2rs@ietf.org>
Subject: Re: [i2rs] topo model use of NACM
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 22:18:30 -0000

There are actually a number of interesting implications with regards to NACM.  NACM could indeed be a key to the solution if it provides sufficient flexibility with regards to articulating and enforcing authorization rules.  Regarding this, I have a number of questions/comments:


-          If a subtree contains objects that a client does not have write privileges for, will the client be prevented from locking the subtree? How about the case when the client does not even have read privileges?

The current NACM-bis draft states in section 3.7.2 that this is not the case – i.e. a client is able to lock an entire subtree, even in cases when there is not a single object in that subtree that the client actually has access privileges to.

To me, this does not seem right.  It just invites abuse.

Now, there is still the possibility to restrict access to the operation overall.  But again, this means that you have to give a users an all-or-nothing choice.  Too inflexible.  By the same token that partial locks were supported to avoid requiring anyone who needs the ability to conduct a transaction to lock down the entire server, there should be the ability to restrict access to the lock and partial-lock operation by targeted subtree.  However, this capability is currently missing.


-          Where can NACM rules originate from?   The current model seems to assume that rules will always be explicitly configured from an external client and constitute part of configuration. Now, what about the case when rules are to be enforced automatically by the server?   I think NACM should allow for that, and having a mix of both.  (The server-provided topologies are one potential example where this would be very useful.  In fact, if this capability were supported, I don’t think we would be having the server-provided discussion in the topology context – NACM would be all we need.  However, there are other use cases for this.  Think e.g. an intrusion protection component on the server, that you would not want to override by an external user administration client application that you would still want to allow as well.  Or cases when some authorizations get signaled, e.g. in the case of autonomic peer-to-peer type of applications.)

--- Alex

From: i2rs [mailto:i2rs-bounces@ietf.org] On Behalf Of Andy Bierman
Sent: Thursday, February 16, 2017 12:49 PM
To: Susan Hares <shares@ndzh.com>
Cc: i2rs@ietf.org
Subject: Re: [i2rs] topo model use of NACM

Hi,

I am most concerned about getting the architecture right.
We have ignored server-created nodes until now.
I am glad I2RS WG is trying to deal with the problem.
Just make sure we have a reusable solution.

Also concerned about tool automation.
There was some discussion of a 'server-created' extension at some point I think.
This would help, because the server-created leaf is not really deterministic.
It is just a convention.

e.g.


  container networks {
     list network {
         i2rs:server-created;
         ...
         leaf server-created { ... }
         ...
     }
  }


Andy


On Thu, Feb 16, 2017 at 11:47 AM, Susan Hares <shares@ndzh.com<mailto:shares@ndzh.com>> wrote:
Andy:
<chair hat off, individual contributor hat on>

AFAIK – I believe the revised data store model is right approach.   It is an important question to ask whether the ability to have a mixture of “server-provided” and “configured” is important for all topology models.  I hope Xufeng and other topology models will comment on this point.


Does the NETCONF data store in the revised data-store future include the control plane data stores? I thought the answer was “no” it does not.   Here’s some text from draft-ietf-netconf-rfc6536bis that leads me to believe that

On NACM, draft-ietf-netconf-rfc6536bis it says:

   It is necessary to control access to specific nodes and subtrees
   within the NETCONF datastore, regardless of which protocol operation,
   standard or proprietary, was used to access the datastore.

3.2<https://tools.ietf.org/html/draft-ietf-netconf-rfc6536bis-00#section-3.2>.  Datastore Access

   The same access control rules apply to all datastores, for example,

   the candidate configuration datastore or the running configuration

   datastore.



   Only the standard NETCONF datastores (candidate, running, and

   startup) are controlled by NACM.  Local or remote files or datastores

   accessed via the <url> parameter are not controlled by NACM.  A

   standalone RESTCONF server (i.e., not co-located with a NETCONF

   server) applies NACM rules to a conceptual datastore, since

   datastores are not supported in RESTCONF.


===========

The I2RS security environment actually looks at 3 policies on the server

Network Access <-----> server <-----> routing-system access
              (aka I2RS agent)
                    |<----> System access

It also looks at application access to the client

  Network access<----> client <----> application-access


The protocol only needs to consider the NACM Access, but the routing infrastructure need to consider the server to/from routing system, and server to/from system.  My understanding is that the Routing system access control module (RACM) and the system access control module (SACM) functions were not in NACM.

Thanks again for posting,

Sue

From: i2rs [mailto:i2rs-bounces@ietf.org<mailto:i2rs-bounces@ietf.org>] On Behalf Of Andy Bierman
Sent: Thursday, February 16, 2017 2:00 PM
To: i2rs@ietf.org<mailto:i2rs@ietf.org>
Subject: [i2rs] topo model use of NACM

Hi,

The use of NACM for server-provided data is under-specified (at best)


from sec. 4.1:


   Finally, there is an object "server-provided".  This object is state

   that indicates how the network came into being.  Network data can

   come into being in one of two ways.  In one way, network data is

   configured by client applications, for example in case of overlay

   networks that are configured by an SDN Controller application.  In

   annother way, it is populated by the server, in case of networks that

   can be discovered.



   If server-provided is set to false, the network was configured by a

   client application, for example in the case of an overlay network

   that is configured by a controller application.  If server-provided

   is set to true, the network was populated by the server itself,

   respectively an application on the server that is able to discover

   the network.  Client applications SHOULD NOT modify configurations of

   networks for which "server-provided" is true.  When they do, they

   need to be aware that any modifications they make are subject to be

   reverted by the server.  For servers that support NACM (Netconf

   Access Control Model), data node rules should ideally prevent write

   access by other clients to network instances for which server-

   provided is set to true.

The SHOULD NOT above is really odd, considering is not supported by YANG
or the NC/RC protocols.

"data node rules should ideally prevent"

s/should/SHOULD/

Ideally prevent?
Is that a new engineering term?
Either this new usage of NACM works or it doesn't.

Also, there is no guidance or examples of the NACM config that the
server is supposed to magically create for server-provided topology data.
There is nothing in NACM at all about server-created data rules.
This is not supported by NACM.

Does the I2RS text imply that the server-provided property extends
to the NACM sub-trees? They are also subject to replacement by the server?
The client SHOULD NOT change these NACM rules?

IMO the way this server-provided property is being done is a short-sighted
point solution, but this should be a fundamental part of the revised datastores work.
Is there something special about network topology such that
server-provided data for a different module will require a different
solution? If not, is the topo module solution reusable?


Andy

v2.23.0 | Report a Bug | By Email