IETF Logo Mail Archive

Re: [lmap] AD evaluation: draft-ietf-lmap-yang-10

Alissa Cooper <alissa@cooperw.in> Tue, 07 February 2017 15:31 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: lmap@ietfa.amsl.com
Delivered-To: lmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FEC6129CD2 for <lmap@ietfa.amsl.com>; Tue, 7 Feb 2017 07:31:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cooperw.in header.b=0Ne7uAdn; dkim=pass (1024-bit key) header.d=messagingengine.com header.b=MaR3T5/+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37QhGByk6z3z for <lmap@ietfa.amsl.com>; Tue, 7 Feb 2017 07:31:23 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ACCF129CCD for <lmap@ietf.org>; Tue, 7 Feb 2017 07:31:20 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 928C920AD8; Tue, 7 Feb 2017 10:31:19 -0500 (EST)
Received: from frontend1 ([10.202.2.160]) by compute7.internal (MEProxy); Tue, 07 Feb 2017 10:31:19 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=9ycgbwZ8b7lTlBI GyluoCg+2XWA=; b=0Ne7uAdnrL0RTsl/EYaXkASKEnyPWMShyLwHyKxXtEQOqyh b+1W0yuBhmPy9eEA+RAR+RT9fNBmqwBcAzlFq/wfM6nxRz2M1nDTKdWF4rKKMOX1 YTt+Af+3/ABHNQgLl3wkTdIS4sDqRhx73BN+dspYVyzZyNxMkWxcBgAUEk9g=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s= smtpout; bh=9ycgbwZ8b7lTlBIGyluoCg+2XWA=; b=MaR3T5/+CLnASxUPXuzh K1jFYe0t4wwdT8RKGLCwCZP9w0vEdegNcYdX93Aj5v5EEZPUiQuTHhuz7Q4DcqAQ byH4NWAlsiK5/b2EGVmav74jReV9rR3EbcUxmn1cyoBHVDI9Mfcfj7GdUwaXB15H xps/7SD7tyu8UWyhn1yJjCM=
X-ME-Sender: <xms:R-iZWC7lWnGZvw8wHKLzv6EhWy9JQtSDHRWV7mAcCIw9F6To_WiNEQ>
X-Sasl-enc: QYMdyD1HfTR0Dyz5ANtpM8FpC9/Ma+Fm6tz8tWhtN1d/ 1486481479
Received: from sjc-alcoop-8812.cisco.com (unknown [128.107.241.162]) by mail.messagingengine.com (Postfix) with ESMTPA id C2EF47E34E; Tue, 7 Feb 2017 10:31:18 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <20170126101706.GD43055@elstar.local>
Date: Tue, 07 Feb 2017 10:31:17 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <D6E49B78-0B0A-4DBD-A854-895B293493AD@cooperw.in>
References: <49AB42C1-3DE5-4289-9B32-173B69C191DC@cooperw.in> <20170124202305.GA38068@elstar.local> <E2346FCD-B119-4385-BBF8-B97207DFB693@cooperw.in> <20170126101706.GD43055@elstar.local>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lmap/NfyLWMG8wB7BxrH25nm9TTqczOU>
Cc: lmap@ietf.org
Subject: Re: [lmap] AD evaluation: draft-ietf-lmap-yang-10
X-BeenThere: lmap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Large Scale Measurement of Access network Performance <lmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lmap>, <mailto:lmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lmap/>
List-Post: <mailto:lmap@ietf.org>
List-Help: <mailto:lmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lmap>, <mailto:lmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 15:31:25 -0000

> On Jan 26, 2017, at 5:17 AM, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> 
> Trimming things down...
> 
> On Wed, Jan 25, 2017 at 01:25:26PM -0500, Alissa Cooper wrote:
>>> 
>>>> (4) "A queue is internally used to pass
>>>>                 results to another schedule."
>>>> 
>>>> I thought it was up to the implementation to decide how to implement this?
>>> 
>>> OK. I meanwhile understand that the word 'queue' has too many
>>> connotations. Is 'buffer' a less problematic term? The key here is
>>> that the data producer and the data consumer are in general not
>>> running at the time and hence data needs to be stored temporarily
>>> somewhere.
>> 
>> Isn’t this implied though? Even with “buffer” it still seems like specifying an implementation detail. I’d prefer to see something like your last sentence above instead.
> 
> So I will replace 'buffer' with 'somewhere'. Oh boy. Here is the
> new text:
> 
>               A set of schedules receiving the output produced
>               by this action. The output is stored temporarily
>               somewhere since the destination schedules will in
>               general not be running when output is passed to
>               them. The behaviour of an action passing data to
>               its own schedule is implementation specific.

I don’t think you need to say “somewhere.” The output is temporarily stored since the destination ...

> 
>>> I will replace queue with buffer for now.
>>> 
>>>> (5) I don't understand why the 'program' elements are included in the task configurations and capabilities. It doesn't seem wise to allow the controller to tell the MA which program it needs to use to complete a task, and I don't understand why the MA would need to communicate that information to the controller either. I thought the recent list discussion indicated that if an MA was not capable of performing an action, that action would simply fail, which seems like all that is needed.
>>> 
>>> There are multiple things:
>>> 
>>> (a) How do I tell which task I want to have executed? The information
>>>   model assumes that this can be done with the help of a registry.
>>>   The YANG data model, in addition, allows to use a simple 'program
>>>   name'. Note that this is a choice, i.e., you either use a registry
>>>   or a program name, but not both.
>>> 
>>>   The registry at the end is just some level of indirection - but
>>>   this indirection also requires to have tasks registered in a
>>>   registry. Right now, the implementation I know of only supports
>>>   program names.
>>> 
>>> (b) The task list in the capabilities branch serves as an inventory,
>>>   i.e., it tells the controller which tasks are supported by a given
>>>   implementation. The other task list defined options that are used
>>>   when a certain task is invoked (the Task Configuration in the
>>>   information model). If a controller configures a task that the
>>>   agent does support (i.e., it is not listed in the capability
>>>   tasks), it will not be executed.
>>> 
>>> Note that a capability task name 'traceroute' exposed by the LMAP
>>> agent does not necessarily mean that there is a program called
>>> traceroute at the operating system level. In fact, an implementation
>>> could choose to run traceroute internally without an explicit system
>>> level process (like RIPE Atlas did everything in a big event loop, not
>>> sure whether this is still the case).
>> 
>> Ok, I can understand that under circumstances where there is no registry, there needs to be some identifier to indicate which task to run, and which tasks the MA is capable of running. But the examples seem to imply that ‘program’ is the path and file name of the actual executable on the MA, which is what seems dangerous and unnecessary to me.
> 
> I can take out the path if that helps.

Yes.

> 
> Why would the controller necessarily even know where such executables reside on the file system? And I know there are a lot of things that could go wrong if a Controller gets compromised, but it just seems like making it so trivial for an MA implementation to literally just run the executable name specified by the Controller creates unnecessary risk.
> 
> Perhaps we need to add more explicit text to /tasks/task saying that a
> configured LMAP task MUST resolve to a task listed in the capabilities.
> This is in my view what matters most.

Agree.

> 
>> If the task name on its own is not sufficient for the MA to be able to figure out which program is suitable to run, why not have the additional field defined as ‘program-name’ with some guidance about how to populate it, so that, e.g., what you end up with in that field is “mtr” or “fping” instead of "/usr/bin/mtr” or "/usr/bin/fping”?
> 
> I do not really see the logic here. An implementation that blindly
> executes a program called 'mtr' by search a search PATH may actually
> be worse than an implementation that executes /some/path/mtr.

But at least that leaves it up to the implementation to be implemented safely, rather than building an attack vector directly into the data model design.

> 
>>>> Nits and minor comments:
>>> 
>>>> (2) "Implementers MUST taken care that
>>>>  option names and values are passed literally to programs.  In
>>>>  particular, it MUST be avoided that any shell expansions are
>>>>  performed that may alter the option names and values."
>>>> 
>>>> This text strikes me as a bit odd. Surely there are a whole selection of good programming practices that are necessary to ensure that things don't go haywire when implementing LMAP -- why call out these two with normative recommendations? Why does this guidance only apply to options? I would recommend having this text be non-normative, but if you do keep it I would suggest the following:
>>>> 
>>>> Implementers MUST take care that
>>>>  option names and values are passed literally to programs.  In
>>>>  particular, shell expansions that may alter the option names and values MUST NOT be performed.
>>> 
>>> I have no strong opinion on MUST vs must here and I usually happily
>>> follow the advice of IESG members on RFC 2119 keywords. ;-)
>> 
>> Ok, my suggestion is to use non-normative “ought to” rather than 2119 MUST.
> 
> Seriously?

Yes, this comes up all the time in IESG eval and I would be willing to bet that another AD will comment on the use of lowercase must.

> I have left the 'must' in (there are other occurances of
> must) and I leave it to the discretion of the IESG to discuss this if
> needed - and then I do whatever comes out of it.

Ok.

Alissa

> 
> /js
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email