Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-ssh-client-server-38: (with DISCUSS and COMMENT)
Kent Watsen <kent@watsen.net> Wed, 28 February 2024 18:13 UTC
Return-Path: <0100018df0eb6f35-6b47ea92-28a3-4041-aea0-a4a15fe0ee12-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E72E1C14F5F4; Wed, 28 Feb 2024 10:13:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GGFTVc9XessK; Wed, 28 Feb 2024 10:12:59 -0800 (PST)
Received: from a48-92.smtp-out.amazonses.com (a48-92.smtp-out.amazonses.com [54.240.48.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 209D2C14F5F9; Wed, 28 Feb 2024 10:12:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1709143977; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=7g2SA9Usd24jxoBoBbS6toLDOn66LY+Cd3XDMAKZ6vU=; b=gXZgJVtAiwofYlgJRaNQGtHS+mkdfDIZFZv3Wa3f00MaSsba7GsfEKER98BRdLzj 76+4+FvOqvZO6THOr70PgcqIDOuWew8/Lvz5kPFPneN/oiVWYjHGpGeliCTV51V/qHZ FzyNcRhbA695RtceiScITwLaecq2YOnGXNeXx7YU=
From: Kent Watsen <kent@watsen.net>
Message-ID: <0100018df0eb6f35-6b47ea92-28a3-4041-aea0-a4a15fe0ee12-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_08BE7476-9037-4096-A8BF-B5AE98C9971F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Wed, 28 Feb 2024 18:12:57 +0000
In-Reply-To: <170906316523.59504.6213641304185326185@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-ssh-client-server@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
To: Roman Danyliw <rdd@cert.org>
References: <170906316523.59504.6213641304185326185@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3774.400.31)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.28-54.240.48.92
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/8Td9-jaASZpMTvNYCuc_MV5MHEQ>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-ssh-client-server-38: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 18:13:04 -0000
Hi Roman, Thank you for your valuable comments. Please find responses below. Kent // author > On Feb 27, 2024, at 2:46 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-netconf-ssh-client-server-38: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-ssh-client-server/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I struggle to understand when it is assumed that the security considerations of > the imported modules apply, and when they will be surfaced as issues in the > module that is using them. With that confusion in mind: I empathize with your confusion ;) > ** Section 5.7. The ietf-ssh-server module is described as having no readable > data nodes that are sensitive. Consider the example in Section 4.2. Wouldn’t > enumerating the list of users for which there is a client-authentication > configuration be sensitive? Per my other response just moments ago wrt the tcp-client-server draft, I’m also struggling with determining where to draw the line. My possibly wrong thinking is that the nam:default-deny-all flag is reserved for truly sensitive (effectively secret) information that normal authenticated clients should never have access to. For instance, cleartext passwords and cleartext private-keys. In my other email, I suggest that the problem might be that NACM “fails open” rather than “fail close”. I suggest that it might be better if all YANG nodes in all YANG modules were “nacm:default-deny-all”, forcing explicit authorizations to be made by operators. IDK how to "draw the line”, but consistent with the thought in the previous paragraph, perhaps an easy fix is to put “nacm:default-deny-all” on most all nodes, in all nine drafts, since the entire suite of drafts are heavily Security-oriented. Thoughts? Too much? > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > ** Section 5.1, 5.2, 5.3 and 5.4? > The protocol-accessible read-only node for the algorithms supported > by a server is mildly sensitive, but not to the extent that special > NACM annotations are needed to prevent read-access to regular > authenticated administrators. > > What is meant by “mildly sensitive” to call it out? Good catch, “mildly” is too informal for an RFC. That said, I must first apologize as a recent change moved the “supported-algorithms” node from the IANA-maintained modules to the "ietf-ssh-common" module. This is to say, these four paragraphs should've been moved to a single paragraph in Section 5.5 entitled "Considerations for the "ietf-ssh-common" YANG Module”. I have deleted these four paragraphs (and a similar one in the tls-client-server draft) in my local copy. Now the question is, what to add to Section 5.5? Let me first explain my thinking and then perhaps you can provide guidance? At stake is where an authenticated client can see what SSH algorithms a server implements. Knowing this information alone isn’t very useful, as it only aids in generating private keys and/or setting configuration, which has the “nacm:default-deny-write” flag set. Furthermore, what algorithms a server supports is accessible to *unauthenticated” users when trying to establish an SSH (or TLS) connection to the server, as the algorithms are typically present in the handshake. For right now, I’m not adding any paragraph to Section 5.5, relying on the existing paragraph: None of the readable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-all" extension has not been set for any data nodes defined in this module. That said, per our ongoing DISCUSS above and elsewhere, I’m happy to convert all these to nacm:default-deny-all if you think it’s best. > ** Section 5.5. Does this section need a disclaimer that there are groupings > that importing modules need to fully consider in their own Security > Considerations? Same as in draft-ietf-netconf-tcp-client-server? Yes it does - added (thanks!) > ** Appendix A. Please provide an informative reference to Python for this > non-normative (?) section. Done! - Added "This section is not Normative.” as the first line in the section. - Added an `eref` to "https://www.python.org”. - I did this to the tis-client-server draft also. As an aside, it is unclear if the Python script should be removed by the RFC Editor. I seems that IANA would be the only reader of the published document that would care about the script... PS: already there is an “Note to Editor” at the top of the document to remove the four generated YANG modules, as they are only present to aid the IETF-review process and, per rfc8407bis, SHOULD NOT be in the published document. Kent
- [netconf] Roman Danyliw's Discuss on draft-ietf-n… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen