[lp-wan] YANG security section
Laurent Toutain <laurent.toutain@imt-atlantique.fr> Thu, 02 June 2022 14:21 UTC
Return-Path: <laurent.toutain@imt-atlantique.fr>
X-Original-To: lp-wan@ietfa.amsl.com
Delivered-To: lp-wan@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06D91C14CF0C for <lp-wan@ietfa.amsl.com>; Thu, 2 Jun 2022 07:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=imt-atlantique.fr
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8H6FTzsXmSWL for <lp-wan@ietfa.amsl.com>; Thu, 2 Jun 2022 07:21:12 -0700 (PDT)
Received: from zproxy120.enst.fr (zproxy120.enst.fr [IPv6:2001:660:330f:2::c1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98CD5C14CF06 for <lp-wan@ietf.org>; Thu, 2 Jun 2022 07:21:11 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by zproxy120.enst.fr (Postfix) with ESMTP id AED30814FF for <lp-wan@ietf.org>; Thu, 2 Jun 2022 16:21:00 +0200 (CEST)
Received: from zproxy120.enst.fr ([IPv6:::1]) by localhost (zproxy120.enst.fr [IPv6:::1]) (amavisd-new, port 10032) with ESMTP id p42QeRQAXnLr for <lp-wan@ietf.org>; Thu, 2 Jun 2022 16:21:00 +0200 (CEST)
Received: from localhost (localhost [IPv6:::1]) by zproxy120.enst.fr (Postfix) with ESMTP id 5514281479 for <lp-wan@ietf.org>; Thu, 2 Jun 2022 16:21:00 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.10.3 zproxy120.enst.fr 5514281479
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=imt-atlantique.fr; s=50EA75E8-DE22-11E6-A6DE-0662BA474D24; t=1654179660; bh=yanouTmnLCBl9IrNcuPCg4FyjLgkt6lzU2JmoDK9aFs=; h=MIME-Version:From:Date:Message-ID:To; b=FEHh12LeZEJT1Hu7XawIdyHAzfY7jQLfxWgJwP1f8Ur75nx6T7cxcKWLi9M8hmJjr C8FH8TTnHYG64neE6HkKl3tAVGNHCWCYc2MkUOqoZ1G65HGyLJiMqb2PjrQwFDDAPI sVLy7yNFLAe2JlXfTs4dbTmPalnzJEqViWhEnkGI=
X-Virus-Scanned: amavisd-new at zproxy120.enst.fr
Received: from zproxy120.enst.fr ([IPv6:::1]) by localhost (zproxy120.enst.fr [IPv6:::1]) (amavisd-new, port 10026) with ESMTP id FVGd2i1-X4FM for <lp-wan@ietf.org>; Thu, 2 Jun 2022 16:21:00 +0200 (CEST)
Received: from mail-qt1-f169.google.com (mail-qt1-f169.google.com [209.85.160.169]) by zproxy120.enst.fr (Postfix) with ESMTPSA id 32D5F8074F for <lp-wan@ietf.org>; Thu, 2 Jun 2022 16:21:00 +0200 (CEST)
Received: by mail-qt1-f169.google.com with SMTP id x7so3454507qta.6 for <lp-wan@ietf.org>; Thu, 02 Jun 2022 07:21:00 -0700 (PDT)
X-Gm-Message-State: AOAM530E7eTv7C93PL3D7Re7jET4dsHgroAr/sejWidmzX0qbEytQWSa AGBiM17OhX63KkGfuY1lw35baBTsoIspSDB4Umo=
X-Google-Smtp-Source: ABdhPJygrTYfodg5WNPOJFlYXO4ZVWke2SscVW4nDK3AezHZcZia0jHwLYjCrqwLXCGxGOzLvrSVexFHANkpjc5QPt8=
X-Received: by 2002:ac8:5a03:0:b0:2f9:2b31:b833 with SMTP id n3-20020ac85a03000000b002f92b31b833mr3703959qta.161.1654179659025; Thu, 02 Jun 2022 07:20:59 -0700 (PDT)
MIME-Version: 1.0
From: Laurent Toutain <laurent.toutain@imt-atlantique.fr>
Date: Thu, 02 Jun 2022 16:20:23 +0200
X-Gmail-Original-Message-ID: <CABONVQZ+eK9QMS-4CXmCnkRw4ui4u9Eu=4DPDXFVsy7=-OKuSw@mail.gmail.com>
Message-ID: <CABONVQZ+eK9QMS-4CXmCnkRw4ui4u9Eu=4DPDXFVsy7=-OKuSw@mail.gmail.com>
To: lp-wan <lp-wan@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f8964c05e077b669"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lp-wan/4STCEU1-TWcZ8iwqyzqn4UzWSX8>
Subject: [lp-wan] YANG security section
X-BeenThere: lp-wan@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Low-Power Wide Area Networking \(LP-WAN\), also known as LPWA or Low-Rate WAN \(LR-WAN\)" <lp-wan.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lp-wan>, <mailto:lp-wan-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lp-wan/>
List-Post: <mailto:lp-wan@ietf.org>
List-Help: <mailto:lp-wan-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lp-wan>, <mailto:lp-wan-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 14:21:17 -0000
Hi lpwaners,
I'm working on the security section of the SCHC YANG draft. It is here a
first attempt to reflect what we discussed during the meeting.
----
# Security Considerations
The YANG module specified in this document defines a schema for data that
is designed to be accessed via network management protocols such as NETCONF
{{!RFC6241}} or RESTCONF {{!RFC8040}}. The lowest NETCONF layer is the
secure transport layer, and the mandatory-to-implement secure transport is
Secure Shell (SSH) {{!RFC6242}}. The lowest RESTCONF layer is HTTPS, and
the mandatory-to-implement secure transport is TLS
{{!RFC8446}}.
The Network Configuration Access Control Model (NACM) {{!RFC8341}} provides
the means to restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
This data model formalizes the rules elements described in {{RFC8724}} for
compression and fragmentation. As explained in the architecture document
{{I-D.ietf-lpwan-architecture}}, a rule can be read, created, updated or
deleted in response to a management request. These actions can be done
between two instances of SCHC or between a SCHC instance and a rule
repository.
~~~~~
create
(-------) read +=======+ *
( rules )<------->|Rule |<--|-------->
(-------) update |Manager| NETCONF, RESTCONF or CORECONF
. read delete +=======+ request
.
+-------+
<===| R & D |<===
===>| C & F |===>
+-------+
~~~~~
The rule contains some sensible informations such as the application IPv6
address. An attacker by changing a rule content may block the communication
or intercept the traffic. Therefore, the identity of the requester must be
validated. This can be done through certificates or access lists.
The full tree is sensible
----
We need also to discuss that point on the architecture draft.
Laurent
- [lp-wan] YANG security section Laurent Toutain