Re: [netconf] Yangdoctors last call review of draft-ietf-netconf-tcp-client-server-09

Kent Watsen <kent@watsen.net> Thu, 22 April 2021 01:01 UTC

Return-Path: <01000178f7189888-4d8f72aa-7bf1-4875-af4c-ecde0f0d2ba5-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F5A83A3DF3; Wed, 21 Apr 2021 18:01:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EjpMzoOTsJNn; Wed, 21 Apr 2021 18:01:29 -0700 (PDT)
Received: from a48-93.smtp-out.amazonses.com (a48-93.smtp-out.amazonses.com [54.240.48.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1636D3A3DBE; Wed, 21 Apr 2021 18:01:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1619053287; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=aGMsO2q3uIVXnvHonbnXT7OvyTAIs9ulr/5/dTn+EpI=; b=iB6XhgIjQFvCODb0jXMBTjKbRFiqi+ZUFq2Z13W+9DVuqUoAkRndFZSqYV6pkZYm fNuMd1TdbzV4LfnAvseqZrkafGBsNHCSWlb98GxfD02uBfzPRhdLH3M8AtX5XT5iO9Y SUOst0k7b4lhwsJxA0eCC6K5oTmkhLX2D5L5XYDU=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Kent Watsen <kent@watsen.net>
In-Reply-To: <87tuo1w2j2.fsf@nic.cz>
Date: Thu, 22 Apr 2021 01:01:27 +0000
Cc: YANG Doctors <yang-doctors@ietf.org>, draft-ietf-netconf-tcp-client-server.all@ietf.org, last-call@ietf.org, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <01000178f7189888-4d8f72aa-7bf1-4875-af4c-ecde0f0d2ba5-000000@email.amazonses.com>
References: <161796231010.8005.7390142571009530431@ietfa.amsl.com> <01000178ebd39133-87ef25f3-1047-4f02-b5fb-706e82e7c02a-000000@email.amazonses.com> <87tuo1w2j2.fsf@nic.cz>
To: Ladislav Lhotka <ladislav.lhotka@nic.cz>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2021.04.22-54.240.48.93
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/2LcbB9q64Emrfk44qHWNsSOT9LE>
Subject: Re: [netconf] Yangdoctors last call review of draft-ietf-netconf-tcp-client-server-09
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2021 01:01:32 -0000

Hi Lada,



>>> **** Comments
>>> 
>>> - Sections 2.1.4, 3.1.3, 4.1.3: the sentence 'The "..." module does not contain
>>> any protocol-accessible nodes.' is misleading in that the modules do define
>>> data nodes that are intended to be protocol accessible after the corresponding
>>> grouping is used. I know this is a part of the NETCONF/YANG lingo, but another
>>> formulation that clearly says what's going on might be preferable.
>> 
>> Fair enough.  How about this?
>> 
>>   The "ietf-tcp-..." module does not itself define
>>   any protocol-accessible nodes.  This module defines
>>   only "grouping" statements that are used by other
>>   modules to instantiate protocol-accessible nodes.
>> 
> 
> What about using just the last sentence? It says all.

Done.



>>> - Sections 2.2, 3.2 and 4.2: the XML snippets use document elements
>>> "tcp-common", "tcp-client" and "tcp-server", but these containers are not
>>> defined in the corresponding modules. This is confusing, my suggestion is to
>>> rewrite the examples in the JSON representation where no such top-level node is
>>> necessary.
>> 
>> Indeed, and my validation script even takes the special step to convert the groupings to containers in order for the validation to succeed.   In other modules, I created a “foobar-usage.yang” module to instantiate the grouping statements.
>> 
>> Hmmm, I was about to create the JSON, but realized that it would be easier to strip out the first-and0-last lines from the XML examples.  I understand that they're not a valid XML documents, but snippets have been used before…
>> 
>> FWIW, all the examples are still validated, so there’s otherwise no loss in correctness.
> 
> Maybe it is not necessary to validate these short fragments. In any case, a casual reader might be confused - where do these elements come from? As a minimum, some explanation should be added.

Done - the following XML-comment has been added just each such XML example:

    <!-- The outermost element below doesn't exist in the data model. -->
    <!--  It simulates if the "grouping" were a "container" instead.  -->


I think it critical to validate *every* example, as it’s too hard to maintain otherwise.  ;)



>>> - What is the purpose of "tcp-connection-grouping" if it only uses
>>> "tcp-common-grouping" and nothing else? Why cannot "tcp-common-grouping” be used directly?
>> 
>> I added this comment:
>> 
>>    Whilst this grouping appears to not add any value beyond that given
>>    by "tcp-common-grouping", it is defined so as to provide space for a
>>    future peer module (e.g., "tcp-system-grouping" that defines additional
>>    configuration nodes used to configure a TCP stack at an operating
>>    system level.
> 
> OK, so this new grouping could use equally well either "tcp-connection-grouping" or "tcp-common-grouping", and add more configuration nodes. Having two names for the same thing is confusing.

Removed, after reviewing the latest "draft-ietf-tcpm-yang-tcp” draft.



>>> - The "local-port" parameter defined in ietf-tcp-client seems dubious from the
>>> security viewpoint in that fixing the source port makes it easier for attackers
>>> to steal the connection (see RFC 6056).
>> 
>> Interesting read.  But note that the RFC regards primarily cleartext protocols.  An axiom in security circles is “obscurity is not security”, i.e., randomizing client ports to make off-path guessing harder is not much of a win.
> 
> I don't think this can be labelled as security by obscurity. Without cryptographic protection, it is basically the only available measure against traffic injection. In DNS, for example, source port numbers (and transaction IDs) with insufficient entropy are considered security issues.

Noted.


>>> If the feature
>>> "local-binding-supported" is needed at all, I'd suggest to mention this in
>>> Security Considerations.
>> 
>> “Needed” is an interesting take.  My feeling is that the model is
>> incomplete otherwise.  From a Security Considerations perspective,
> 
> I was thinking it might be needed for cases like NETCONF call home. Otherwise, it is not common to be able to configure the port for the side that performs active open.

Uncommon, but not unheard of, nor bad practice.

Ever since I worked at company developing FW/IDP devices and a NOC/SOC, I’ve always pushed for and advocated the ability to configure local address/ports.


>> I’d like to put something like:
>> 
>>   “Implementations are RECOMMENDED to implement the 'local-binding-supported’ feature for cryptographically-secure protocols so as to reduce to attack surface presented by firewalls.”
> 
> I don't understand what firewalls have to do with this issue.

Because knowing the source addr/port enables some of the 5-tuple numbers to move from an “any” value to specific values.  This benefits both the egress and ingress sides.


> On the other hand, I would also mention the reason why this is RECOMMENDED, and cite RFC 6056.

Done.


>> Is that what you had in mind?   If nothing else, having such a statement in the draft would certainly catch the eye of the SecDir reviewer.  Thoughts?
> 
> Of course, a SecDir review would be more authoritative here.
> 
> Cheers, Lada


K.