Re: [Netconf] Sean Turner's DISCUSS and COMMENT on draft-ietf-netconf-rfc4742bis-07
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 03 March 2011 11:09 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F19D3A677E; Thu, 3 Mar 2011 03:09:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hyS2JBxso1jm; Thu, 3 Mar 2011 03:09:22 -0800 (PST)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id 580453A659B; Thu, 3 Mar 2011 03:09:22 -0800 (PST)
Received: from [192.168.1.124] ((unknown) [62.3.217.253]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <TW93IwADLx1c@rufus.isode.com>; Thu, 3 Mar 2011 11:10:28 +0000
X-SMTP-Protocol-Errors: NORDNS
Message-ID: <4D6F76FE.5000801@isode.com>
Date: Thu, 03 Mar 2011 11:09:50 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
References: <80A0822C5E9A4440A5117C2F4CD36A6401B572F8@DEMUEXC006.nsn-intra.net> <4D6E5A66.8080302@ieca.com> <80A0822C5E9A4440A5117C2F4CD36A6401B574CA@DEMUEXC006.nsn-intra.net> <4D6EBA46.5030905@ieca.com>
In-Reply-To: <4D6EBA46.5030905@ieca.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 03 Mar 2011 03:17:49 -0800
Cc: Netconf <netconf@ietf.org>, draft-ietf-netconf-4741bis@tools.ietf.org, Sean Turner <turners@ieca.com>, draft-ietf-netconf-rfc4742bis@tools.ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [Netconf] Sean Turner's DISCUSS and COMMENT on draft-ietf-netconf-rfc4742bis-07
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 11:09:24 -0000
Sean Turner wrote: > Mehemt, > > Normally, IESG members hold their discusses until either a) a new > draft is posted that incorporates the agreed changes or b) an RFC > editor's note is included in the IESG evaluation tab (by your AD). If > either of these happen, then I'll clear. It's most a double check > that you incorporate what you said you would (not picking on you we do > this to just about everybody). +1. (Not speaking specifically of your case) And I've seen multiple occasions when some changes were agreed on and then not applied. > spt > > On 3/2/11 3:21 PM, Ersue, Mehmet (NSN - DE/Munich) wrote: > >> Dear Sean, >> >> I interpreted your answer that your DISCUSS have been addressed. >> Is this correct? >> >> If yes, can you please clear your DISCUSS. >> If no, what can I do more? >> >> Thank you. >> >> Cheers, >> Mehmet >> >> >>> -----Original Message----- >>> From: ext Sean Turner [mailto:turners@ieca.com] >>> Sent: Wednesday, March 02, 2011 3:56 PM >>> To: Ersue, Mehmet (NSN - DE/Munich) >>> Cc: The IESG; ext Romascanu, Dan (Dan); bertietf@bwijnen.net; draft- >>> ietf-netconf-rfc4742bis@tools.ietf.org; draft-ietf-netconf- >>> 4741bis@tools.ietf.org; Netconf >>> Subject: Re: Sean Turner's DISCUSS and COMMENT on draft-ietf-netconf- >>> rfc4742bis-07 >>> >>> Mehmet, >>> >>> Responses inline. >>> >>> spt >>> >>> On 3/2/11 9:38 AM, Ersue, Mehmet (NSN - DE/Munich) wrote: >>> >>>> Hi Sean, >>>> >>>> I detected your DISCUSS in the draft tracker (see below). However, >>>> >>>> we, the WG chairs, did not get any alarm email. We were wondering >>>> >>>> whether sending an alarm should be the default case for the IESG >>> >>> tool. >>> >>> I think the problem was on my end. After we enter positions we can >> >> hit >> >>> save or save and send. I guess I only hit save. >>> >>>> DISCUSS #1: >>>> >>>>> #1) You state a max for chunk-size in 4.2 but I think you need a >>>> >>> MUST >>> >>>> for what >>>> >>>>> to do if a client or server sends something out-of-range (<=0 or >>>> >>>> >2^32-1). >>>> >>>>> The idea is to get implementers not to leave buffer overrun >>>> >>>> vulnerabilities around. >>>> >>>>> (Same thing for what to do if chunk-size does contain leading >>>> >>> zeros, or is >>> >>>> >>>>> negative perhaps.) >>>> >>>> >>>> Concerning the errors during the decoding process, which for sure >>> >>> includes >>> >>>> >>>> the case "chunk-size out-of-range", the draft says: >>>> >>>> OLD: >>>> >>>> "If an error occurs during the decoding process, the peer MUST >>>> >>>> terminate the NETCONF session by closing the corresponding SSH >>>> >>>> channel." >>>> >>>> I think it is OK toaddexplicitlythat the session is closed if an >>>> invalid-chunk size or >>>> >>>> invalid chunk-size value is received. >>>> >>>> NEW: >>>> >>>> "If the chunk-sizeandthe chunk-size valuerespectively areinvalid or >>> >>> an error >>> >>>> >>>> occurs during the decoding process, the peer MUST terminate the >>> >>> NETCONF >>> >>>> >>>> session by closing the corresponding SSH channel." >>>> >>>>> That may not be quite the same as saying "MUST terminate" at the >>>> >>> very >>> >>>> end of >>> >>> >>> That would work for me. >>> >>>>> 4.2 if someone didn't consider the chunk-size part of the >>>> >>>> >>>>> decoding process. >>>> >>>> >>>>> Lastly, as a bit of a mad corner-case, if I send a chunk that's >>>> >>> 2^32-2 >>> >>>> long (which >>>> >>>>> is allowed) and then another chunk that's 10 bytes, but both are >>>> >>> the >>> >>>> same XML >>>> >>>>> element, i.e. the "<rpc..." is in the 1st chunk and the 2nd chunk >>>> >>>> contains the closing >>>> >>>>> "</rpc>" then is a server or client expected to be able to handle >>>> >>> the >>> >>>> overall<rpc> >>>> >>>>> element that's 2^32+8 bytes long? >>>> >>>> >>>>> Maybe just add text that implementations SHOULD include an upper- >>>> >>> limit >>> >>>> that ensures >>>> >>>>> they're not vulnerable to buffer overruns or something. >>>> >>>> >>>> I think 4742bis document, as the NETCONF transport layer, shouldn't >>> >>> have >>> >>>> to handle >>>> >>>> with NETCONF message size (which is the size of the<rpc> element). >>> >>> But >>> >>>> I agree >>>> >>>> that the document should state that the implementation needs to >>> >> check >> >>>> for it to >>>> >>>> "ensure they're not vulnerable to buffer overruns". >>>> >>>> (including the text for the first part above) >>>> >>>> OLD: >>>> >>>> If an error occurs during the decoding process, the peer MUST >>>> >>>> terminate the NETCONF session by closing the corresponding SSH >>>> >>>> channel. >>>> >>>> NEW: >>>> >>>> "If the chunk-size or the chunk-size value is invalid or an error >>>> >>>> occurs during the decoding process, the peer MUST terminate the >>>> >>>> NETCONF session by closing the corresponding SSH channel. >>>> >>>> Implementations MUST ensure they are not vulnerable for a buffer >>>> >>>> overrun." >>>> >>>> Would this be sufficient for you to clear your DISCUSS? >>> >>> >>> Yes. >>> >>>> DISCUSS #2: >>>> >>>>> #2) There's a mix of upper and lower case in the security >>>> >>>> considerations was >>>> >>>>> this purposely done? Specifically, it says "should" only be used >>>> >>> with >>> >>>> >>>>> confidentiality. Maybe "SHOULD" is better there? Also why isn't >>>> >>> this a >>> >>>> MUST? >>>> >>>> This is actually just an explanation about the requirement for >>> >>> NETCONF. >>> >>>> The hard >>>> >>>> requirement statement is in 4741bis. However, you are right 4742bis >>>> shouldn't >>>> >>>> downgrade the requirement in 4741bis and shoulduse"required" >>>> orsomethingequal. >>>> >>>> OLD: >>>> >>>> "So, NETCONF should only be used overcommunications channels that >>> >>> provide >>> >>>> >>>> strong encryption for data privacy." >>>> >>>> NEW: >>>> >>>> "So, NETCONFrequirescommunications channels that provide strong >>> >>> encryption >>> >>>> >>>> for data privacy." >>>> >>>> Would this be sufficient for youto clear your DISCUSS? >>> >>> >>> Yes >>> >>>> Comment #1: >>>> >>>>> #1) Sec 3.1: 2nd para, 1st sentence: Should the "must" in the >>>> >> first >> >>>> paragraph be >>>> >>>>> a "MUST"? >>>> >>>> >>>> This is in the area of and a MUST statement in 4741bis. >>>> >>>> Comment #2) >>>> >>>>> Sec 4.2: Would any XML decoding error cause termination as stated >>>> >>> at >>> >>>> >>>>> the end of 4.2? E.g. some unknown xmlns value or something? >>>> >>>> >>>> Interpreting the XML document content is not done in the transport >>> >>> layer >>> >>>> (4742bis). >>>> >>>> 4741bis deals with this. There are a number of different error >>> >>> responses >>> >>>> if the XML >>>> >>>> message can't be understood or the XML message is not well-formed. >>>> >>>> takes care of it. >>>> >>>> 4741bis says: >>>> >>>> "All NETCONF messages MUST be well-formed XML, encoded in UTF-8. If >>> >> a >> >>>> >>>> peer receives an<rpc> message that is not well-formed XML or not >>>> >>>> encoded in UTF-8, it SHOULD reply with a "malformed-message" error. >>>> >>>> If a reply cannot be sent for any reason, the server MUST close the >>>> >>>> session." >>>> >>>> Regards, >>>> >>>> Mehmet >>>> >>>> (document shepherd) >>>> >>>> ------------------ >>>> >>>> *******Discuss (2011-03-01)*Picture (Device Independent Bitmap) >>>> >>>> #1) You state a max for chunk-size in 4.2 but I think you need a >>> >> MUST >> >>>> for what >>>> >>>> to do if a client or server sends something out-of-range (<=0 or >>>> >2^32-1). The >>>> >>>> idea is to get implementers not to leave buffer overrun >>> >>> vulnerabilities >>> >>>> around. >>>> >>>> (Same thing for what to do if chunk-size does contain leading zeros, >>> >>> or is >>> >>>> >>>> negative perhaps.) That may not be quite the same as saying "MUST >>>> terminate" at >>>> >>>> the very end of 4.2 if someone didn't consider the chunk-size part >>> >> of >> >>> the >>> >>>> >>>> decoding process. Lastly, as a bit of a mad corner-case, if I send a >>> >>> chunk >>> >>>> >>>> that's 2^32-2 long (which is allowed) and then another chunk that's >>> >>> 10 >>> >>>> bytes, >>>> >>>> but both are the same XML element, i.e. the "<rpc..." is in the 1st >>>> chunk and >>>> >>>> the 2nd chunk contains the closing "</rpc>" then is a server or >>> >>> client >>> >>>> expected >>>> >>>> to be able to handle the overall<rpc> element that's 2^32+8 bytes >>> >>> long? >>> >>>> Maybe >>>> >>>> just add text that implementations SHOULD include an upper-limit >>> >> that >> >>>> ensures >>>> >>>> they're not vulnerable to buffer overruns or something. >>>> >>>> #2) There's a mix of upper and lower case in the security >>> >>> considerations was >>> >>>> >>>> this purposely done? Specifically, it says "should" only be used >>> >> with >> >>>> >>>> confidentiality. Maybe "SHOULD" is better there? Also why isn't this >>> >>> a MUST? >>> >>>> >>>> *******Comment (2011-03-01)*Picture (Device Independent Bitmap) >>>> >>>> #1) Sec 3.1: 2nd para, 1st sentence: Should the "must" in the first >>>> paragraph be >>>> >>>> a "MUST"? >>>> >>>> #2) Sec 4.2: Would any XML decoding error cause termination as >>> >> stated >> >>> at >>> >>>> >>>> the end of 4.2? E.g. some unknown xmlns value or something? >>>> >>>> Cheers, >>>> Mehmet >>>> >> -- IETF Application Area Director, <http://www.ietf.org/iesg/members.html> Internet Messaging Team Lead, <http://www.isode.com> JID: same as my email address
- [Netconf] Sean Turner's DISCUSS and COMMENT on dr… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] Sean Turner's DISCUSS and COMMENT o… Sean Turner
- Re: [Netconf] Sean Turner's DISCUSS and COMMENT o… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] Sean Turner's DISCUSS and COMMENT o… Sean Turner
- Re: [Netconf] Sean Turner's DISCUSS and COMMENT o… Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] Sean Turner's DISCUSS and COMMENT o… Alexey Melnikov