Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 13 November 2016 00:45 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D21A812953C; Sat, 12 Nov 2016 16:45:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v9M42Edmn6BH; Sat, 12 Nov 2016 16:45:46 -0800 (PST)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D7EF12949A; Sat, 12 Nov 2016 16:45:46 -0800 (PST)
Received: by mail-vk0-x231.google.com with SMTP id w194so40367778vkw.2; Sat, 12 Nov 2016 16:45:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=M8JvE6lZYpc545wTcLmB9ltJTuytYQw3txaREYgycwI=; b=HvpdkcpGC0Fm8mTJ8o+iFECOyo45A+BCSS6UrgFEb6YaBZ5nV/vjfIUHG2+sVZ3Yil 5tt7hFIk38pZEejSvME8bNUuNKVrlbGyuszlO0N4cw1k2vYxti0ulDOHr1zTvvwIzdg+ H1XC+yD1ONyST1X8RWmbfAts+6JY8/mqjE+rdnh/+1JD9NeuNTC0kEzElRv/LgzrB8NL 4u3T5bC7WNeVwiYDV6nYzd7Gn8Sn96zz/1v7kLi76cFGwGFX2Sxj3XacLjbzmhBrOxVm by4F4YXYdSs4hfxaDhk9CV0HwYZbk2+kkyq40y9FebbbJsB5qZQhW9XZtPdU22USTN7q wWrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=M8JvE6lZYpc545wTcLmB9ltJTuytYQw3txaREYgycwI=; b=GdyxZ240ULSA0NVwvyf7ilT2Yp4lcSJPXCEyqaXPLiaIrHZ5lHneTjMx5npWjRZ174 Ohuk0modTsxttopYbbU1g7hJJc2CwJgleA1casxhUj0SGXssRgCAbqGoUApOZpvae3AL T4leh0Gc5/VuBeaBQGUdWK6pcR2girKSgyrWkzcwsRF/n1Tzv7FUpQRxFP71gFPQ8WAB +/zTTk1wd5mHlAuRQj1+0e9n2FBWAm2QLf/b+ffydCjWzQLlZmJ7XVGLzmhPPmuLpn2d ji9/yf2txH8Z3c3VvXqb69FZCDDfgnXoqkxDRHUf0R/+o6xrAOZ0nbIm5H65fvR697Nt rPWA==
X-Gm-Message-State: ABUngvcO3DlprbwdTD9C6eIpQY81eIcw62kxZxZnTyET/C9XzAzCkp9zuZQXvMQ1JzZAAqgSoSUg6UDZ8HgeBQ==
X-Received: by 10.31.160.214 with SMTP id j205mr6205597vke.92.1478997945079; Sat, 12 Nov 2016 16:45:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.82.143 with HTTP; Sat, 12 Nov 2016 16:45:44 -0800 (PST)
In-Reply-To: <CABCOCHS=rYD86GHEqB=EW24_q2E8AhHovekJycLWcTSQk_o_+A@mail.gmail.com>
References: <147792772371.32484.10246456033559418730.idtracker@ietfa.amsl.com> <392E80E1-C6EC-4466-8327-A890145E6A06@gmail.com> <CABCOCHRqVoomQO-sa+HEVD5DpN5rBpwgWpG2R8+LXVBvgO6_Mg@mail.gmail.com> <CAHbuEH5c4bS5+Sh99uCYkFxRknCiQ8cnTfdegVq=bFDW9Yc5ZA@mail.gmail.com> <37602BEB-A072-4ACC-80E9-704867789A90@gmail.com> <CABCOCHS=rYD86GHEqB=EW24_q2E8AhHovekJycLWcTSQk_o_+A@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Sat, 12 Nov 2016 19:45:44 -0500
Message-ID: <CAHbuEH5ps_1djdv7-ObrzF+iuPdwHcY+BZogcVw5SXGAptJ1Yw@mail.gmail.com>
To: Andy Bierman <andy@yumaworks.com>
Content-Type: multipart/alternative; boundary="001a11429b2e23dc840541240bfe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/6SBKLgf10qsNAWTwoKFhfcL2hmk>
Cc: draft-ietf-netconf-yang-patch@ietf.org, The IESG <iesg@ietf.org>, Netconf <netconf@ietf.org>, NETCONF Working Group <netconf-chairs@ietf.org>
Subject: Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2016 00:45:48 -0000
Hello, Thanks for your responses, inline. On Fri, Nov 11, 2016 at 12:08 PM, Andy Bierman <andy@yumaworks.com> wrote: > > > On Fri, Nov 11, 2016 at 6:04 AM, Mahesh Jethanandani < > mjethanandani@gmail.com> wrote: > >> Andy, >> >> I am looking at -13 version of the document and following up on all the >> DISCUSS on the document to make sure they have been addressed. In >> particular - >> >> On Nov 3, 2016, at 9:35 PM, Kathleen Moriarty < >> Kathleen.Moriarty.ietf@gmail.com> wrote: >> >> Hi Andy, >> >> Thanks for your response and sorry I didn't see it sooner. Inline >> >> On Tue, Nov 1, 2016 at 5:21 PM, Andy Bierman <andy@yumaworks.com> wrote: >> >>> >>> >>> On Tue, Nov 1, 2016 at 7:15 AM, Mahesh Jethanandani <mjethanandani@gm >>> ail.com> wrote: >>> >>>> Authors, >>>> >>>> Can we address Kathleen's comments? >>>> >>>> Mahesh Jethanandani >>>> mjethanandani@gmail.com >>>> >>>> > On Oct 31, 2016, at 8:28 AM, Kathleen Moriarty < >>>> Kathleen.Moriarty.ietf@gmail.com> wrote: >>>> > >>>> > Kathleen Moriarty has entered the following ballot position for >>>> > draft-ietf-netconf-yang-patch-12: Discuss >>>> > >>>> > When responding, please keep the subject line intact and reply to all >>>> > email addresses included in the To and CC lines. (Feel free to cut >>>> this >>>> > introductory paragraph, however.) >>>> > >>>> > >>>> > Please refer to https://www.ietf.org/iesg/s >>>> tatement/discuss-criteria.html >>>> > for more information about IESG DISCUSS and COMMENT positions. >>>> > >>>> > >>>> > The document, along with other ballot positions, can be found here: >>>> > https://datatracker.ietf.org/doc/draft-ietf-netconf-yang-patch/ >>>> > >>>> > >>>> > >>>> > ------------------------------------------------------------ >>>> ---------- >>>> > DISCUSS: >>>> > ------------------------------------------------------------ >>>> ---------- >>>> > >>>> > This should be easy to resolve through discussion or some text tweaks. >>>> > In the security considerations section, I see some text that hints at >>>> my >>>> > questions below, but isn't clear enough, so I'd like to discuss it to >>>> see >>>> > if these things are covered, or why they are not, and to see if we can >>>> > tweak the text a bit. >>>> > >>>> > The following text is helpful, is PATCH described in >>>> > [I-D.ietf-netconf-restconf]? >>>> > This document defines edit processing >>>> > instructions for a variant of the PATCH method, as used within the >>>> > RESTCONF protocol. >>>> > >>>> > I see section 2.7 discusses error handling and validating the YANG >>>> > module, but is there a way that the hash (or some other mechanism) of >>>> the >>>> > patch could be validated to ensure the patch was not altered. Is that >>>> > already described for PATCH? >>>> >>> >>> The YANG Patch requests are not signed. >>> These messages are sent within the RESTCONF protocol, which MUST use TLS. >>> >>> Sec 1. says: >>> >>> It may be possible to use YANG Patch with other protocols besides >>> RESTCONF. This is outside the scope of this document. It may be >>> possible to use YANG Patch with datastore types other than a >>> >>> configuration datastore. This is outside the scope of this >>> document. >>> >>> The security requirements for protocols other than RESTCONF are not >>> discussed. >>> Should I add text somewhere to make it clear the document applies only >>> to RESTCONF use of YANG Patch? >>> >> >> Yes, that text would be good. It might be good to mention that there is >> no capability to sign or validate patches with RESTCONF as well so this is >> clear in the considerations. >> >> >> Is this addressed somewhere? I looked at Section 1 and Security >> Considerations, but could not find any explicit mention. >> > > sec. 1, para 2: > > This document only specifies the use of > > the YANG Patch media type with the RESTCONF protocol. > OK, could you make the point clear that answers my question specific to RESTCONF usage? This would mean a little text added to clarify that there is no capability to validate the patch had not been altered from my original question. > > >> >> >>> >>> > >>>> > I also see this text in the security considerations section: >>>> > It is important for RESTCONF server implementations to carefully >>>> > validate all the edit request parameters in some manner. >>>> > >>>> > Is the source of the patch authenticated? Can the client receiving >>>> the >>>> > patch be authenticated? Is this handled through RESTCONF? Since YANG >>>> > modules could add in write capabilities, unauthenticated patches could >>>> > result in opening backdoors or revealing information that was not >>>> > intended. You are covering it with that statement, but it's not >>>> clear if >>>> > both ends can be authenticated and there are attacks if they are not >>>> > authenticated. >>>> > >>>> > >>>> >>> >>> >>> It is covered by RESTCONF. Both client and server are authenticated. >>> >> >> Great, can you re-word the sentence to make sure it is clear that this is >> done with RESTCONF, but maybe not other protocols? >> >> >> And this. >> > > > sec 5, para 3 > > For RESTCONF, both the client and server MUST be authenticated, > > according to section 2 of [I-D.ietf-netconf-restconf > <https://tools.ietf.org/html/draft-ietf-netconf-yang-patch-13#ref-I-D.ietf-netconf-restconf> > ]. > OK, thank you. Best regards, Kathleen > > Andy > > > >> >> >> >>> >>> However, security considerations sec. has this text >>> similar to sec. 1: >>> >>> It may be possible to use YANG Patch with other protocols besides >>> >>> RESTCONF, which is outside the scope of this document. >>> >>> Regarding this text: >>> >>> > Since YANG >>> > modules could add in write capabilities, unauthenticated patches could >>> > result in opening backdoors or revealing information that was not >>> > intended. >>> >>> I am not aware how YANG allows this vulnerability. >>> The patch represents instance data which is supposed to conform to >>> the schema nodes in the YANG modules advertised by the server. >>> >> >> RESTCONF doing server and client auth covers this. Thank you. >> >>> >>> >>> >>> >>>> > ------------------------------------------------------------ >>>> ---------- >>>> > COMMENT: >>>> > ------------------------------------------------------------ >>>> ---------- >>>> > >>>> > Nit: In section 2.2 >>>> > >>>> > YANG Patch does not provide any access to specific datastores. It >>>> is >>>> > am implementation detail >>>> > >>>> > s/am/an/ >>>> >>> >>> fixed >>> >>> >>>> > >>>> > >>>> >>> >>> >>> Andy >>> >>> >> >> Thank you! >> >> >> -- >> >> Best regards, >> Kathleen >> >> >> Mahesh Jethanandani >> mjethanandani@gmail.com >> >> >> >> > -- Best regards, Kathleen
- [Netconf] Kathleen Moriarty's Discuss on draft-ie… Kathleen Moriarty
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… Mahesh Jethanandani
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… Andy Bierman
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… Kathleen Moriarty
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… Mahesh Jethanandani
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… Andy Bierman
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… Kathleen Moriarty
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… Andy Bierman
- Re: [Netconf] Kathleen Moriarty's Discuss on draf… kathleen.moriarty.ietf