IETF Logo Mail Archive

Re: [Lsr] Roman Danyliw’s DISCUSS on draft-ietf-ospf-yang-26

"Acee Lindem (acee)" <acee@cisco.com> Fri, 23 August 2019 00:53 UTC

Return-Path: <acee@cisco.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C156C12013C; Thu, 22 Aug 2019 17:53:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=IAuogOyD; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Hjb0evKl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4wB0yvm1O5af; Thu, 22 Aug 2019 17:53:23 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5D0F120113; Thu, 22 Aug 2019 17:53:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33117; q=dns/txt; s=iport; t=1566521602; x=1567731202; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=mUc5REAWmkWDyttKOB0pAoGUcbkvLYwgpc4pdJWqmqg=; b=IAuogOyDBuY3XuLT/rq8/vCwZxMAGYoNIWQCRIAGzXp9vRVul1pUxw4I 9YLcBhFYMk86nxBpJYGzujgtUaycK2ZO8BV2xKJVO2JNoTdG3G6qOF96D QapFZfmtGvTZwFQQTOqo4soA0A2zCsuuDucdm+GlFWJX71O0pwbvJubvn Q=;
IronPort-PHdr: 9a23:381s1RaB6Yw46mTK4jrpGkP/LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el20QKbRp3VvvRDjeee87vtX2AN+96giDgDa9QNHwQAld1QmgUhBMCfDkiuJfXnYgQxHd9JUxlu+HToeUU=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CMAACdOF9d/5JdJa1lGQEBAQEBAQEBAQEBAQcBAQEBAQGBZ4EWL1ADbVUgBAsqhCCDRwOKboI3JYlejgiCUgNUCQEBAQwBASMKAgEBhD8CF4JIIzgTAgkBAQQBAQMBBgRthS0MhUoBAQEBAxIRHQEBNwEPAgEIDgMDAQEBIQcDAgICHxEUBgMIAgQBDQUigwABgR1NAx0BAgyhEgKBOIhhc4EygnsBAQWFIg0LghYDBoE0ihyBUxiBf4ERJwwTgkw+ghpHAoFBAQE+DQmCVTKCJo8YhQ8jiGKNdEAJAoIdhmmFAIRbg3kbgjGLSYpQgy+KMIdkgXyOMwIEAgQFAg4BAQWBZyFEgRRwFTsqAYJBgkKDcoUUhT9yDIEdiGqCQwEB
X-IronPort-AV: E=Sophos;i="5.64,419,1559520000"; d="scan'208,217";a="312781881"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Aug 2019 00:53:21 +0000
Received: from XCH-ALN-019.cisco.com (xch-aln-019.cisco.com [173.36.7.29]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id x7N0rLnV009459 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 23 Aug 2019 00:53:21 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-ALN-019.cisco.com (173.36.7.29) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 22 Aug 2019 19:53:20 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 22 Aug 2019 20:53:19 -0400
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 22 Aug 2019 19:53:19 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Y23LC3XazB9zzZxgTyAb2ajT7WCdfaI8meJ65raGXYX0JeoobT3MgHGnWxRGYUZuODjN9teTrxh6fo2WbrJZp6PlFf3dtHTSa39m8NoaG7YMWOroDpwX031ArIxqmcd7O1JLQ7F6rxHT3auaodhlqq6Q/vudcv1NW8hAHIBZKf9Bg+y9fPDCOy2cwb1/iukt+ClnOAb7CVLJMEzLl8uj92ncpT6oGejN7C1nVz6sEAqiduZjNfoK0qyHRAZ5BD1EB6MizNonITlyc0tidYwDQ2Ygwvmddg8z8hL+JvBLcNx6ob3+dAdW77UXgyVf15Slre7ILToRR3TrWn8zfAd3UQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mUc5REAWmkWDyttKOB0pAoGUcbkvLYwgpc4pdJWqmqg=; b=AOBSQCOHGnnMWYa3j5jThAdKh/g4xhTWmyqrhBg8gmL0Fvf0YoiOujW32kWPVC6BpH50gHsDDlkpC+7YzpPO+e3ZQYo/WXi/b2vAJiq7HOwldb4xR7md+1P9dAicOiy7e2f2r5Z6zeB4f1MwwDkxYfYYEXqBTBFetkSm0ZpgOkpTakPIrAGmQf1d/Rlv/oaeE0ajsboH1ok/mfnHUvfP0Ka/5ZSbIm2aTx5SHyGE9aWWOF/QmIyDQLhE6MZ/QhMxGVwo/Wugtns0Xn6phLf/FkvGuILCHFh3GhegNg0poP+yzS4k0491nNkRjHM+ODkbDmTIc+Q8X8jaDPkgG0qsRg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mUc5REAWmkWDyttKOB0pAoGUcbkvLYwgpc4pdJWqmqg=; b=Hjb0evKlEK29qlU87yQtHmqeh0yfTHk9EebIb808newQ9QQ/9O5V/KpRBg6K2cNRAAujjdTRKpxJsQDQNc2DNk1OXEUsIUhGioSDvowQrZQW1Zltgxv2k/EqTMoUYUztPWZjn6pegZTgPY8tvHj7iPNZy3oJNj4mHk7erXHwuc8=
Received: from MN2PR11MB4221.namprd11.prod.outlook.com (52.135.38.14) by MN2PR11MB4414.namprd11.prod.outlook.com (52.135.36.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.20; Fri, 23 Aug 2019 00:53:17 +0000
Received: from MN2PR11MB4221.namprd11.prod.outlook.com ([fe80::859c:f271:3be2:74e0]) by MN2PR11MB4221.namprd11.prod.outlook.com ([fe80::859c:f271:3be2:74e0%3]) with mapi id 15.20.2178.020; Fri, 23 Aug 2019 00:53:17 +0000
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Roman Danyliw <rdd@cert.org>, Alvaro Retana <aretana.ietf@gmail.com>, "draft-ietf-ospf-yang@ietf.org" <draft-ietf-ospf-yang@ietf.org>
CC: Stephane Litkowski <stephane.litkowski@orange.com>, "lsr-chairs@ietf.org" <lsr-chairs@ietf.org>, "lsr@ietf.org" <lsr@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Roman Danyliw’s DISCUSS on draft-ietf-ospf-yang-26
Thread-Index: AQHVWDLCA0dMG1KrR0yv+3jHy3LViKcFnmWAgADs0YCAARujgA==
Date: Fri, 23 Aug 2019 00:53:17 +0000
Message-ID: <6C8DADE8-F27C-4843-AAF0-7605ACDA9385@cisco.com>
References: <CAMMESswWu7E+DHW+8t9y5BXTGn3tqYo=vTR+j536MXcdsNEpog@mail.gmail.com> <44866583-78BC-489A-91F8-EF0419F2DBA0@cisco.com> <359EC4B99E040048A7131E0F4E113AFC01B3439CF1@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B3439CF1@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=acee@cisco.com;
x-originating-ip: [2001:420:c0c4:1007::de]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ff665882-a3bc-4998-5956-08d72764494a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600166)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:MN2PR11MB4414;
x-ms-traffictypediagnostic: MN2PR11MB4414:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <MN2PR11MB4414691E1CDFA2237DD65546C2A40@MN2PR11MB4414.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5516;
x-forefront-prvs: 0138CD935C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(136003)(366004)(39860400002)(396003)(51914003)(189003)(199004)(25786009)(66476007)(4326008)(2501003)(14454004)(5660300002)(53546011)(476003)(2616005)(71200400001)(11346002)(446003)(33656002)(71190400001)(81166006)(486006)(76176011)(46003)(102836004)(6506007)(256004)(6116002)(66946007)(99286004)(36756003)(186003)(76116006)(14444005)(66446008)(6436002)(6306002)(53936002)(6246003)(236005)(6512007)(606006)(110136005)(966005)(316002)(81156014)(8936002)(86362001)(2906002)(66574012)(229853002)(7736002)(66556008)(6486002)(478600001)(54906003)(54896002)(64756008); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4414; H:MN2PR11MB4221.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: oKKoWTdW/WVMSc6UUgQ5O+Ske/e+x0VNS0IawvlK2LX4xCWH/6GYBS56P1ImLEGEklnw3JK+FQEs4b8gponDUr1NQ9fb+FvFBjAt85YjkosfPme0aCZJylMNGWbleHP5451CJwKMJKBG57fZtB3mk4z7NI4wh9782sgHC5Bft5VbPICNZ6tVkW8qXJ+Ny4DGp4GxW49AsRhSTf63Ka9kmYuJ2LznGA6Gj7MR68g6jV9aJ39nh0h6orqjhgRmbfrETNFzGQkKeYMcxggDVCpVdFXn7XbOFdK45AAMMunmV0GAhgmGyFjuOu5d8/LhWtnSQtVlQCHaWk2DxNM90DxMBdj3mr1NQY6k46xmCmardbUIvzqzOnKQ/YP5c4ybOAlhIkc73yHNh4YY365e/T77ZwrE/A5289aN+od2XaIN0gM=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_6C8DADE8F27C4843AAF07605ACDA9385ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: ff665882-a3bc-4998-5956-08d72764494a
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Aug 2019 00:53:17.4557 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: FvApcz+fcr45QfBgA6/DAsR3mo9MMF8ib3mbmVoiQcDexFSX6w9O1JSKJgyjgNJy
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4414
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.29, xch-aln-019.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/HXVfnWv22_8q25k5wsbk2KZblpc>
Subject: Re: [Lsr] Roman Danyliw’s DISCUSS on draft-ietf-ospf-yang-26
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 00:53:26 -0000

Hi Roman, Benjamin, Alvaro,
I included most of the corrections and clarifications in the -27 version of the draft. I’m going to improve the “Security Considerations” in the -28 version.
Thanks,
Acee

From: Roman Danyliw <rdd@cert.org>
Date: Wednesday, August 21, 2019 at 11:58 PM
To: Acee Lindem <acee@cisco.com>, Alvaro Retana <aretana.ietf@gmail.com>, "draft-ietf-ospf-yang@ietf.org" <draft-ietf-ospf-yang@ietf.org>
Cc: Stephane Litkowski <stephane.litkowski@orange.com>, "lsr-chairs@ietf.org" <lsr-chairs@ietf.org>, "lsr@ietf.org" <lsr@ietf.org>, The IESG <iesg@ietf.org>
Subject: RE: Roman Danyliw’s DISCUSS on draft-ietf-ospf-yang-26

Hi Acee!

Thanks for the explanation.  More inline …

From: Acee Lindem (acee) [mailto:acee@cisco.com]
Sent: Wednesday, August 21, 2019 1:51 PM
To: Alvaro Retana <aretana.ietf@gmail.com>; draft-ietf-ospf-yang@ietf.org
Cc: Roman Danyliw <rdd@cert.org>; Stephane Litkowski <stephane.litkowski@orange.com>; lsr-chairs@ietf.org; lsr@ietf.org; The IESG <iesg@ietf.org>
Subject: Re: Roman Danyliw’s DISCUSS on draft-ietf-ospf-yang-26

Hi Roman,

Discussion on discuss.

From: Alvaro Retana <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>
Date: Wednesday, August 21, 2019 at 11:11 AM
To: "draft-ietf-ospf-yang@ietf.org<mailto:draft-ietf-ospf-yang@ietf.org>" <draft-ietf-ospf-yang@ietf.org<mailto:draft-ietf-ospf-yang@ietf.org>>
Cc: Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>>, Stephane Litkowski <stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>>, "lsr-chairs@ietf.org<mailto:lsr-chairs@ietf.org>" <lsr-chairs@ietf.org<mailto:lsr-chairs@ietf.org>>, "lsr@ietf.org<mailto:lsr@ietf.org>" <lsr@ietf.org<mailto:lsr@ietf.org>>, The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>
Subject: Roman Danyliw’s DISCUSS on draft-ietf-ospf-yang-26
Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>>
Resent-To: Yingzhen Qu <yingzhen.ietf@gmail.com<mailto:yingzhen.ietf@gmail.com>>, Christian Hopps <chopps@chopps.org<mailto:chopps@chopps.org>>, Acee Lindem <acee@cisco.com<mailto:acee@cisco.com>>
Resent-Date: Wednesday, August 21, 2019 at 11:08 AM

[It looks like the datatracker didn’t send out the text to Roman’s DISCUSS.  I didn’t receive it, nor do I see it in the mail archive.  So I’m pasting it here. — Alvaro.]

- - - - - - - - - - -
DISCUSS
- - - - - - - - - - -

A “discuss to discuss”.  Per the convention outlined in https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines, thank you for clearly noting the implication of not securing these nodes properly.

Furthermore, following the convention, I would have expected Section 4 to have enumerated the sensitive writeable/creatable/deletable data nodes; and the sensitive readable nodes individually.  For a model this large, I can imagine that individual enumeration would be a long list.

It doesn’t make sense to talk about every configurable leaf so the section describes the general problems that can ensue if OSPF protocol configuration is compromised. We could go into classes of writeable nodes but I question what benefit that would actually have.

[Roman]  It was thinking this would be the case.  I don’t think we need the specificity.


In the case of read operations, the text opens with saying that “some of the readable data nodes ...” and later says “The exposure of the ... LSDB will expose the detailed topology ...”.  Can you help me understand which part of ietf-ospf.yang is the LSDB and which parts refer to “some of the readable nodes”?  Is there are a difference, or is this text asserting that all parts of the modules are sensitive and need access control?

The LSDB refers to the instance, area, virtual link, sham-link, and interface Link State DataBases (LSDB).

             /ospf/database
            /ospf/areas/area[area-id]/database
            /ospf/virtual-links/virtual-link[transit-area-id router-id]/database
            /ospf/areas/area[area-id]/interfaces/interface[name]/database
            /ospf/area/area[area-id]/sham-links/sham-link[local-id remote-id]/database

[Roman] Thanks for this clarification.  IMO, it wouldn’t hurt to enumerate this list as being part of the LSDB (this is not DISCUS-level feedback)

All parts are sensitive. The LSDB is more so since it gives visibility beyond the network device itself.

[Roman]  I agree with “all parts are sensitive” assessment without enumerating the individual nodes of the model.  The conflict for me is that the opening sentence of this discussion is a much weaker statement of “Some of the readable data nodes in the ietf-ospf.yang module may be considered sensitive or vulnerable in some network environments.  It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes.”  Would it be a problem to say something on the order of “The readable data nodes in the ietf-ospf.yang module are sensitive. Thus, it is thus important to control read access … to them.”?  This edit make clear that “all parts are sensitive”.

A related line of questioning for the write operation.  The text opens with saying that “There are a number of data nodes defined in ietf-ospf.yang ... [and that] [w]rite operations ... to these nodes without proper protection can have a negative effect on the network operations ... [and] ... the ability to modify OSPF configuration” is problematic.  Can you help me understand which parts of the text is the “OSPF configuration” vs. “there are number of data nodes ...”?  If there isn’t a different, is the text asserting that all parts of the modules are sensitive and need access control?

This is alludes to the “config true” nodes which comprise OSPF configuration. I guess this is a repeat of your first comment.

[Roman] Exactly.  The text wasn’t clear on whether you meant part of all of the model should have access control  Would a similar approach to the above be possible here too – say deleting the sentence “These data nodes may be considered sensitive of vulnerable in some network environments.”  By making this edit, the text will then read that all of the write operations are sensitive.

Regards,
Roman

Thanks,
Acee


- - - - - - - - - - -
COMMENT
- - - - - - - - - - -

(1) Idnits returned a seemingly valid few reference issues:

  ** Downref: Normative reference to an Experimental RFC: RFC 1765

  ** Downref: Normative reference to an Experimental RFC: RFC 4973

(2) Editorial
-- Section 4.  Isn’t RFC8341, “the Network Configuration Access Control Model” rather than the “NETCONF access control model”?

-- Section 4.  Typo.  s/specificationn/specification/

-- Section 4.  Remove the duplicate instance of the phrase “for legacy implementations that do not support key-chains”.

-- Section 4.  Typo.  s/The OSPF YANG module support/the OSPF YANG module supports/

Alvaro Retana

v2.23.0 | Report a Bug | By Email