Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-https-notif-13: (with DISCUSS and COMMENT)

Mahesh Jethanandani <mjethanandani@gmail.com> Thu, 18 January 2024 20:13 UTC

From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <ABB4A517-6605-444B-92BD-BD23903D5404@gmail.com>
Date: Thu, 18 Jan 2024 12:12:57 -0800
In-Reply-To: <195915E8-B487-4780-909D-27143BC88469@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-https-notif@ietf.org, netconf-chairs <netconf-chairs@ietf.org>, netconf <netconf@ietf.org>, maqiufang1@huawei.com
To: Roman Danyliw <rdd@cert.org>
References: <167096607866.46389.13136814861583410871@ietfa.amsl.com> <195915E8-B487-4780-909D-27143BC88469@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/1x-Vbf3bQFx00Vr4htE2dbwu9L8>

Hi Roman,

We just posted a -14 version of the draft that incorporates the suggested text below. Let us know if it addresses your concerns.

Thanks.

> On Nov 21, 2023, at 6:37 PM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
> 
> Hi Roman,
> 
> Sorry for taking the time to get back to this. Thanks for providing review comments. Please see inline.
> 
>> On Dec 13, 2022, at 1:14 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
>> 
>> Roman Danyliw has entered the following ballot position for
>> draft-ietf-netconf-https-notif-13: Discuss
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-netconf-https-notif/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> ** Section 6.2
>> 
>>       container receiver-identity {
>>         if-feature receiver-identity;
>>         description
>>           "Maps the receiver's TLS certificate to a local identity
>>            enabling access control to be applied to filter out
>>            notifications that the receiver may not be authorized
>>            to view.";
>>         container cert-maps {
>>           uses x509c2n:cert-to-name;
>>           description
>>             "The cert-maps container is used by a TLS-based HTTP
>>              server to map the HTTPS client's presented X.509
>>              certificate to a 'local' username. If no matching and
>>              valid cert-to-name list entry is found, the publisher
>>              MUST close the connection, and MUST NOT send any
>>              notifications over it.";
> 
>> 
>> The ietf-x509-cert-to-name module exposes many certificate fields.  What
>> specific fields need to be matched from this module and the local identity
>> value?
> 
> How about this update to the description field:
> 
>         description
>           "The cert-maps container is used by a TLS-based HTTP
>            server to map the HTTPS client's presented X.509
>            certificate to a 'local' username. Specifically, the
>            'name' field within the module is used along with the
>            'specified' identity to perform the match. If no
>            matching and valid cert-to-name list entry is found,
>            the publisher MUST close the connection, and MUST
>            NOT send any notifications over it.";
> 
>> 
>> ** Unsafe TLS configurations seem possible.
>> 
>> (a) Section 6.2.
>>     grouping https-receiver-grouping {
>>       description
>>         "A grouping that may be used by other modules wishing to
>>          configure HTTPS-based notifications without using RFC 8639.";
>>       uses httpc:http-client-stack-grouping {
>> 
>> (b) Section 7
>>   The YANG modules in this document make use of grouping that are
>>   defined in YANG Groupings for HTTP Clients and HTTP Servers
>>   [I-D.ietf-netconf-http-client-server], and A YANG Data Model for SNMP
>>   Configuration [RFC7407].  Please see the Security Considerations
>>   section of those documents for considerations related to sensitivity
>>   and vulnerability of the data nodes defined in them.
>> 
>> Per (a) “grouping https-receiver-grouping” seems to reference
>> draft-ietf-netconf-netconf-client-server which in turn seems to reference
>> draft-ietf-netconf-tls-client-server.
>> 
>> Per (b), the Security Considerations for
>> draft-ietf-ietf-netconf-http-client-server say none of the modules are read or
>> write sensitive.  Draft-ietf-netconf-tls-client-server’s Security
>> Considerations (not referenced here) do note that write access could alter the
>> security policy.
>> 
>> Please provide a declarative caution here about writing to
>> https-receiver-group.  Additionally, are any TLS parameters in
>> transport/tls/tls/http/client-parameters acceptable?  Should they conform to
>> draft-ietf-uta-rfc7525bis?
> 
> Ok. I have updated that paragraph as follows
> 
> OLD:
> 
>   The YANG modules in this document make use of grouping that are
>   defined in YANG Groupings for HTTP Clients and HTTP Servers
>   [I-D.ietf-netconf-http-client-server], and A YANG Data Model for SNMP
>   Configuration [RFC7407].  Please see the Security Considerations
>   section of those documents for considerations related to sensitivity
>   and vulnerability of the data nodes defined in them.
> 
> NEW:
> 
> The YANG modules in this document make use of groupings that are
> defined in YANG Groupings for HTTP Clients and HTTP Servers
> [I-D.ietf-netconf-http-client-server], YANG Groupings for TLS Clients
> and TLS Servers [I-D.ietf-netconf-tls-client-server], and A YANG
> Data Model for SNMP Configuration [RFC7407]. Please see the
> Security Considerations section of those documents for considerations
> related to sensitivity and vulnerability of the data nodes defined in them.
> Additionally, the parameters defined in the tls-client-grouping in the
> ietf-tls-client module should follow the recommendations specified in
> Recommendations for Secure Use of Transport Layer Security (TLS)
> and Datagram Transport Layer Security (DTLS) [RFC9325].
> 
>> 
>> ** Section 10.
>>   *  The "path" node in "ietf-subscribed-notif-receivers" module can be
>>      modified by a malicious user to point to an invalid URI.
>> 
>> It could be worse than that.  An attacker could direct the to a URL of their
>> choosing which could (a) serve an exploit against a vulnerable client; or (b)
>> assuming redirects are followed, track usage.
> 
> I have added text that pretty much reflects these comments.
> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> Thank you to Leif Johansson for the SECDIR review
>> 
>> I support Lars Eggert’s and Éric Vyncke’s related DISCUSS position.
>> 
>> Editorially, due to the module imports, it was difficult to read the YANG tree
>> view in Section 6.1 and reconcile it with the module in Section 6.2.
> 
> Would adding a complete tree diagram in the Appendix help?
> 
> Thanks.
>> 
>> 
>> 
> 
> 
> Mahesh Jethanandani
> mjethanandani@gmail.com

Mahesh Jethanandani
mjethanandani@gmail.com
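The cert-maps behaviour the DISCUSS and the proposed description text are about, as an added example that is not part of this thread or of the draft: a publisher receives a receiver's X.509 certificate, walks its cert-to-name list, and either derives a local name or closes the connection. The field and identity names (id, fingerprint, map-type, name; specified, san-rfc822-name, san-dns-name, common-name) are those of RFC 7407's cert-to-name grouping; the fingerprint encoding (first octet is the TLS HashAlgorithm registry id, 4 = SHA-256, followed by the digest of the DER certificate), ascending-id processing order, and the "constructed" certificate bytes standing in for DER are my assumptions for the illustration, not text from the draft.

```python
# Added example (not from the draft or the thread): cert-to-name matching as a
# publisher would apply it to a receiver's presented certificate.
# Assumptions (mine, not the draft's): fingerprint = "<alg-id>:<digest octets>"
# where alg-id is the TLS HashAlgorithm registry value (4 = SHA-256); entries are
# processed in ascending id order and the first valid match wins; the "DER" bytes
# below are constructed stand-ins, only their digest matters here.
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# TLS HashAlgorithm registry identifiers accepted as the first fingerprint octet.
HASH_BY_ID = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class CertToName:
    """One entry of RFC 7407's cert-to-name list."""
    id: int
    fingerprint: str           # e.g. "04:ab:cd:..." (algorithm id, then digest)
    map_type: str              # "specified", "san-rfc822-name", "san-dns-name", "common-name"
    name: Optional[str] = None # only consulted when map_type == "specified"


@dataclass
class PresentedCert:
    """The receiver's certificate as the TLS server sees it (constructed, not real DER)."""
    der: bytes
    common_name: Optional[str] = None
    san_rfc822: Optional[str] = None
    san_dns: Optional[str] = None


def make_fingerprint(der: bytes, alg_id: int = 4) -> str:
    """Encode a fingerprint in the assumed "<alg-id>:<digest>" colon-hex form."""
    digest = hashlib.new(HASH_BY_ID[alg_id], der).digest()
    return ":".join(f"{b:02x}" for b in bytes([alg_id]) + digest)


def fingerprint_matches(entry_fp: str, der: bytes) -> bool:
    """True only if the configured fingerprint is well-formed, uses a known
    algorithm, and equals the digest of the presented certificate."""
    try:
        octets = bytes.fromhex(entry_fp.replace(":", ""))
    except ValueError:
        return False                      # malformed entry: never a match
    if not octets or octets[0] not in HASH_BY_ID:
        return False                      # unknown algorithm: not a wildcard
    return hashlib.new(HASH_BY_ID[octets[0]], der).digest() == octets[1:]


def derive_name(entry: CertToName, cert: PresentedCert) -> Optional[str]:
    """Apply the entry's map-type; None means the entry is not 'valid' for this cert."""
    if entry.map_type == "specified":
        return entry.name                 # the 'name' field, as the proposed description says
    if entry.map_type == "san-rfc822-name":
        return cert.san_rfc822
    if entry.map_type == "san-dns-name":
        return cert.san_dns
    if entry.map_type == "common-name":
        return cert.common_name
    return None


def map_cert_to_name(entries: Iterable[CertToName], cert: PresentedCert) -> Optional[str]:
    """Return the local name for the presented cert, or None when no matching and
    valid entry exists (the caller must then close the connection and send nothing)."""
    for entry in sorted(entries, key=lambda e: e.id):
        if not fingerprint_matches(entry.fingerprint, cert.der):
            continue
        name = derive_name(entry, cert)
        if name:                          # matched fingerprint but no derivable name: keep looking
            return name
    return None


def publisher_accepts(entries: Iterable[CertToName], cert: PresentedCert) -> bool:
    """Connection-level decision: True to keep the session, False to close it."""
    return map_cert_to_name(entries, cert) is not None


if __name__ == "__main__":
    receiver_der = b"constructed-receiver-certificate-bytes"   # constructed sample
    cfg = [
        CertToName(2, make_fingerprint(receiver_der), "specified", "receiver-ops"),
        CertToName(1, make_fingerprint(b"some-other-cert"), "san-dns-name"),
    ]
    print(map_cert_to_name(cfg, PresentedCert(receiver_der)))   # receiver-ops
    print(publisher_accepts(cfg, PresentedCert(b"unknown")))    # False -> close
```

The point the example makes explicit is the failure path: an unknown hash algorithm, a malformed fingerprint, or a matched entry whose map-type yields no name all fall through to `None`, so the only way to keep the connection open is a positive match, which is the behaviour the description text requires.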