IETF Logo Mail Archive

Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 13 November 2016 00:45 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D21A812953C; Sat, 12 Nov 2016 16:45:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v9M42Edmn6BH; Sat, 12 Nov 2016 16:45:46 -0800 (PST)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D7EF12949A; Sat, 12 Nov 2016 16:45:46 -0800 (PST)
Received: by mail-vk0-x231.google.com with SMTP id w194so40367778vkw.2; Sat, 12 Nov 2016 16:45:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=M8JvE6lZYpc545wTcLmB9ltJTuytYQw3txaREYgycwI=; b=HvpdkcpGC0Fm8mTJ8o+iFECOyo45A+BCSS6UrgFEb6YaBZ5nV/vjfIUHG2+sVZ3Yil 5tt7hFIk38pZEejSvME8bNUuNKVrlbGyuszlO0N4cw1k2vYxti0ulDOHr1zTvvwIzdg+ H1XC+yD1ONyST1X8RWmbfAts+6JY8/mqjE+rdnh/+1JD9NeuNTC0kEzElRv/LgzrB8NL 4u3T5bC7WNeVwiYDV6nYzd7Gn8Sn96zz/1v7kLi76cFGwGFX2Sxj3XacLjbzmhBrOxVm by4F4YXYdSs4hfxaDhk9CV0HwYZbk2+kkyq40y9FebbbJsB5qZQhW9XZtPdU22USTN7q wWrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=M8JvE6lZYpc545wTcLmB9ltJTuytYQw3txaREYgycwI=; b=GdyxZ240ULSA0NVwvyf7ilT2Yp4lcSJPXCEyqaXPLiaIrHZ5lHneTjMx5npWjRZ174 Ohuk0modTsxttopYbbU1g7hJJc2CwJgleA1casxhUj0SGXssRgCAbqGoUApOZpvae3AL T4leh0Gc5/VuBeaBQGUdWK6pcR2girKSgyrWkzcwsRF/n1Tzv7FUpQRxFP71gFPQ8WAB +/zTTk1wd5mHlAuRQj1+0e9n2FBWAm2QLf/b+ffydCjWzQLlZmJ7XVGLzmhPPmuLpn2d ji9/yf2txH8Z3c3VvXqb69FZCDDfgnXoqkxDRHUf0R/+o6xrAOZ0nbIm5H65fvR697Nt rPWA==
X-Gm-Message-State: ABUngvcO3DlprbwdTD9C6eIpQY81eIcw62kxZxZnTyET/C9XzAzCkp9zuZQXvMQ1JzZAAqgSoSUg6UDZ8HgeBQ==
X-Received: by 10.31.160.214 with SMTP id j205mr6205597vke.92.1478997945079; Sat, 12 Nov 2016 16:45:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.82.143 with HTTP; Sat, 12 Nov 2016 16:45:44 -0800 (PST)
In-Reply-To: <CABCOCHS=rYD86GHEqB=EW24_q2E8AhHovekJycLWcTSQk_o_+A@mail.gmail.com>
References: <147792772371.32484.10246456033559418730.idtracker@ietfa.amsl.com> <392E80E1-C6EC-4466-8327-A890145E6A06@gmail.com> <CABCOCHRqVoomQO-sa+HEVD5DpN5rBpwgWpG2R8+LXVBvgO6_Mg@mail.gmail.com> <CAHbuEH5c4bS5+Sh99uCYkFxRknCiQ8cnTfdegVq=bFDW9Yc5ZA@mail.gmail.com> <37602BEB-A072-4ACC-80E9-704867789A90@gmail.com> <CABCOCHS=rYD86GHEqB=EW24_q2E8AhHovekJycLWcTSQk_o_+A@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Sat, 12 Nov 2016 19:45:44 -0500
Message-ID: <CAHbuEH5ps_1djdv7-ObrzF+iuPdwHcY+BZogcVw5SXGAptJ1Yw@mail.gmail.com>
To: Andy Bierman <andy@yumaworks.com>
Content-Type: multipart/alternative; boundary="001a11429b2e23dc840541240bfe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/6SBKLgf10qsNAWTwoKFhfcL2hmk>
Cc: draft-ietf-netconf-yang-patch@ietf.org, The IESG <iesg@ietf.org>, Netconf <netconf@ietf.org>, NETCONF Working Group <netconf-chairs@ietf.org>
Subject: Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2016 00:45:48 -0000

Hello,

Thanks for your responses, inline.

On Fri, Nov 11, 2016 at 12:08 PM, Andy Bierman <andy@yumaworks.com> wrote:

>
>
> On Fri, Nov 11, 2016 at 6:04 AM, Mahesh Jethanandani <
> mjethanandani@gmail.com> wrote:
>
>> Andy,
>>
>> I am looking at -13 version of the document and following up on all the
>> DISCUSS on the document to make sure they have been addressed. In
>> particular -
>>
>> On Nov 3, 2016, at 9:35 PM, Kathleen Moriarty <
>> Kathleen.Moriarty.ietf@gmail.com> wrote:
>>
>> Hi Andy,
>>
>> Thanks for your response and sorry I didn't see it sooner.  Inline
>>
>> On Tue, Nov 1, 2016 at 5:21 PM, Andy Bierman <andy@yumaworks.com> wrote:
>>
>>>
>>>
>>> On Tue, Nov 1, 2016 at 7:15 AM, Mahesh Jethanandani <mjethanandani@gm
>>> ail.com> wrote:
>>>
>>>> Authors,
>>>>
>>>> Can we address Kathleen's comments?
>>>>
>>>> Mahesh Jethanandani
>>>> mjethanandani@gmail.com
>>>>
>>>> > On Oct 31, 2016, at 8:28 AM, Kathleen Moriarty <
>>>> Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>> >
>>>> > Kathleen Moriarty has entered the following ballot position for
>>>> > draft-ietf-netconf-yang-patch-12: Discuss
>>>> >
>>>> > When responding, please keep the subject line intact and reply to all
>>>> > email addresses included in the To and CC lines. (Feel free to cut
>>>> this
>>>> > introductory paragraph, however.)
>>>> >
>>>> >
>>>> > Please refer to https://www.ietf.org/iesg/s
>>>> tatement/discuss-criteria.html
>>>> > for more information about IESG DISCUSS and COMMENT positions.
>>>> >
>>>> >
>>>> > The document, along with other ballot positions, can be found here:
>>>> > https://datatracker.ietf.org/doc/draft-ietf-netconf-yang-patch/
>>>> >
>>>> >
>>>> >
>>>> > ------------------------------------------------------------
>>>> ----------
>>>> > DISCUSS:
>>>> > ------------------------------------------------------------
>>>> ----------
>>>> >
>>>> > This should be easy to resolve through discussion or some text tweaks.
>>>> > In the security considerations section, I see some text that hints at
>>>> my
>>>> > questions below, but isn't clear enough, so I'd like to discuss it to
>>>> see
>>>> > if these things are covered, or why they are not, and to see if we can
>>>> > tweak the text a bit.
>>>> >
>>>> > The following text is helpful, is PATCH described in
>>>> > [I-D.ietf-netconf-restconf]?
>>>> >   This document defines edit processing
>>>> >   instructions for a variant of the PATCH method, as used within the
>>>> >   RESTCONF protocol.
>>>> >
>>>> > I see section 2.7 discusses error handling and validating the YANG
>>>> > module, but is there a way that the hash (or some other mechanism) of
>>>> the
>>>> > patch could be validated to ensure the patch was not altered.  Is that
>>>> > already described for PATCH?
>>>>
>>>
>>> The YANG Patch requests are not signed.
>>> These messages are sent within the RESTCONF protocol, which MUST use TLS.
>>>
>>> Sec 1. says:
>>>
>>>    It may be possible to use YANG Patch with other protocols besides
>>>    RESTCONF.  This is outside the scope of this document.  It may be
>>>    possible to use YANG Patch with datastore types other than a
>>>
>>>        configuration datastore. This is outside the scope of this
>>> document.
>>>
>>> The security requirements for protocols other than RESTCONF are not
>>> discussed.
>>> Should I add text somewhere to make it clear the document applies only
>>> to RESTCONF use of YANG Patch?
>>>
>>
>> Yes, that text would be good.  It might be good to mention that there is
>> no capability to sign or validate patches with RESTCONF as well so this is
>> clear in the considerations.
>>
>>
>> Is this addressed somewhere? I looked at Section 1 and Security
>> Considerations, but could not find any explicit mention.
>>
>
> sec. 1, para 2:
>
> This document only specifies the use of
>
>    the YANG Patch media type with the RESTCONF protocol.
>

OK, could you make the point clear that answers my question specific to
RESTCONF usage?  This would mean a little text added to clarify that there
is no capability to validate the patch had not been altered from my
original question.




>
>
>>
>>
>>>
>>> >
>>>> > I also see this text in the security considerations section:
>>>> >   It is important for RESTCONF server implementations to carefully
>>>> >   validate all the edit request parameters in some manner.
>>>> >
>>>> > Is the source of the patch authenticated?  Can the client receiving
>>>> the
>>>> > patch be authenticated?  Is this handled through RESTCONF?  Since YANG
>>>> > modules could add in write capabilities, unauthenticated patches could
>>>> > result in opening backdoors or revealing information that was not
>>>> > intended.  You are covering it with that statement, but it's not
>>>> clear if
>>>> > both ends can be authenticated and there are attacks if they are not
>>>> > authenticated.
>>>> >
>>>> >
>>>>
>>>
>>>
>>> It is covered by RESTCONF. Both client and server are authenticated.
>>>
>>
>> Great, can you re-word the sentence to make sure it is clear that this is
>> done with RESTCONF, but maybe not other protocols?
>>
>>
>> And this.
>>
>
>
> sec 5, para 3
>
>  For RESTCONF, both the client and server MUST be authenticated,
>
>    according to section 2 of [I-D.ietf-netconf-restconf
> <https://tools.ietf.org/html/draft-ietf-netconf-yang-patch-13#ref-I-D.ietf-netconf-restconf>
> ].
>

OK, thank you.

Best regards,
Kathleen


>
> Andy
>
>
>
>>
>>
>>
>>>
>>> However, security considerations sec. has this text
>>> similar to sec. 1:
>>>
>>>   It may be possible to use YANG Patch with other protocols besides
>>>
>>>     RESTCONF, which is outside the scope of this document.
>>>
>>> Regarding this text:
>>>
>>> > Since YANG
>>> > modules could add in write capabilities, unauthenticated patches could
>>> > result in opening backdoors or revealing information that was not
>>> > intended.
>>>
>>> I am not aware how YANG allows this vulnerability.
>>> The patch represents instance data which is supposed to conform to
>>> the schema nodes in the YANG modules advertised by the server.
>>>
>>
>> RESTCONF doing server and client auth covers this.  Thank you.
>>
>>>
>>>
>>>
>>>
>>>> > ------------------------------------------------------------
>>>> ----------
>>>> > COMMENT:
>>>> > ------------------------------------------------------------
>>>> ----------
>>>> >
>>>> > Nit: In section 2.2
>>>> >
>>>> >   YANG Patch does not provide any access to specific datastores.  It
>>>> is
>>>> >   am implementation detail
>>>> >
>>>> > s/am/an/
>>>>
>>>
>>> fixed
>>>
>>>
>>>> >
>>>> >
>>>>
>>>
>>>
>>> Andy
>>>
>>>
>>
>> Thank you!
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>>
>> Mahesh Jethanandani
>> mjethanandani@gmail.com
>>
>>
>>
>>
>


-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email