IETF Logo Mail Archive

Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)

kathleen.moriarty.ietf@gmail.com Sun, 13 November 2016 10:52 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C467B1296CD; Sun, 13 Nov 2016 02:52:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4FRjTd2i2Rq5; Sun, 13 Nov 2016 02:52:50 -0800 (PST)
Received: from mail-pg0-x241.google.com (mail-pg0-x241.google.com [IPv6:2607:f8b0:400e:c05::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B5DE1294D0; Sun, 13 Nov 2016 02:42:55 -0800 (PST)
Received: by mail-pg0-x241.google.com with SMTP id p66so6167846pga.2; Sun, 13 Nov 2016 02:42:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Rx3ly4TTzJGk3xjRNCuF2jrt+/u7qZFUFH3rlJdPcRU=; b=ljh66WzTqdbHWedagK2U4RohEoFLn0j0ATgbqO3AggnsP1A+7Tc2VKRmcIIPi7QnB+ N32ChSXGRT63ZjvktQJR8/0TWlK5TGzTnebhwXOhyCqgPtl9YDO2cVku6eBuXjoTmDDd qbfG1R2UUO3Hp/cNWNpG9swWJRDSPevrXbKK9Mciv40puMY8C+6EuRmeMfKqAG8ZfVGB ggawxqTw/CQ97tKU410q7zfAiiBz5lMl3cAnXZUjgW1Gs5SUrdMYnpZ71nwWgTNWlY3Z DbL5/FUIgXi0yfL9bauVnV0X4hP265fc6fU6O2+LcVEHPCNMYM6w+Mu9VQstwj9tcvRq mgFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Rx3ly4TTzJGk3xjRNCuF2jrt+/u7qZFUFH3rlJdPcRU=; b=iJEU1Hsw7/mSjeXPuI9k6rG0lLVEcfbKWbXAvHcolnzr7m70+QLyzJ59KW9Arq9Nbo hGuOI4IaMJFYC8j0yqDhpNCVvl0vvXwVhl6xn2WOhSPiD2iPJXvixZpBthsZ7yQ7l4Jp TwlBdzkZIr51Fex3Fce43H7AmC+2RnoWgiOvzrXkK/1JeIjHq7JgtruY/DrH+bBjiRVV bLG2YdBHbr8KhUlVxez80ZhaVfzHAdmtdU0lTEnnO+mr2ir6IFNziWTPLzoNB4T+z/Q9 w2NCFbP/+CsoQX2IScioQu65qjGt4Xa8HBFtc8pQY4TPm8kugOjmXSyQA+KI+czxn1WK /EfA==
X-Gm-Message-State: ABUngvf2gHfdVSLhuLPrLMXTyJDRz+cai2lrXYqQQLCWaN53IWeLo8Xddc9314rV9IGzIA==
X-Received: by 10.99.245.21 with SMTP id w21mr3930713pgh.5.1479033774670; Sun, 13 Nov 2016 02:42:54 -0800 (PST)
Received: from [31.133.144.135] (dhcp-9087.meeting.ietf.org. [31.133.144.135]) by smtp.gmail.com with ESMTPSA id p62sm27435415pfb.42.2016.11.13.02.42.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 13 Nov 2016 02:42:54 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-E2FF4DA6-11B3-44D1-BBD2-E70CDA53F540"
Mime-Version: 1.0 (1.0)
From: kathleen.moriarty.ietf@gmail.com
X-Mailer: iPhone Mail (14B100)
In-Reply-To: <CABCOCHQr1b_9kCs28DvVwS_rF7T6-i9Vx3N8T1p3YhRaVG_kqw@mail.gmail.com>
Date: Sun, 13 Nov 2016 19:42:51 +0900
Content-Transfer-Encoding: 7bit
Message-Id: <0D24FC4A-072D-436F-BAC0-2703CB4C036F@gmail.com>
References: <147792772371.32484.10246456033559418730.idtracker@ietfa.amsl.com> <392E80E1-C6EC-4466-8327-A890145E6A06@gmail.com> <CABCOCHRqVoomQO-sa+HEVD5DpN5rBpwgWpG2R8+LXVBvgO6_Mg@mail.gmail.com> <CAHbuEH5c4bS5+Sh99uCYkFxRknCiQ8cnTfdegVq=bFDW9Yc5ZA@mail.gmail.com> <37602BEB-A072-4ACC-80E9-704867789A90@gmail.com> <CABCOCHS=rYD86GHEqB=EW24_q2E8AhHovekJycLWcTSQk_o_+A@mail.gmail.com> <CAHbuEH5ps_1djdv7-ObrzF+iuPdwHcY+BZogcVw5SXGAptJ1Yw@mail.gmail.com> <CABCOCHQr1b_9kCs28DvVwS_rF7T6-i9Vx3N8T1p3YhRaVG_kqw@mail.gmail.com>
To: Andy Bierman <andy@yumaworks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/E_v2s2rtwj1sch8kwg7SB_J-EyI>
Cc: draft-ietf-netconf-yang-patch@ietf.org, The IESG <iesg@ietf.org>, Netconf <netconf@ietf.org>, NETCONF Working Group <netconf-chairs@ietf.org>
Subject: Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2016 10:52:52 -0000


Please excuse typos, sent from handheld device 

> On Nov 13, 2016, at 3:10 PM, Andy Bierman <andy@yumaworks.com> wrote:
> 
> 
> 
>> On Sat, Nov 12, 2016 at 4:45 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>> Hello,
>> 
>> Thanks for your responses, inline.
>> 
>>> On Fri, Nov 11, 2016 at 12:08 PM, Andy Bierman <andy@yumaworks.com> wrote:
>>> 
>>> 
>>>> On Fri, Nov 11, 2016 at 6:04 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>>> Andy,
>>>> 
>>>> I am looking at -13 version of the document and following up on all the DISCUSS on the document to make sure they have been addressed. In particular - 
>>>> 
>>>>> On Nov 3, 2016, at 9:35 PM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>>> 
>>>>> Hi Andy,
>>>>> 
>>>>> Thanks for your response and sorry I didn't see it sooner.  Inline
>>>>> 
>>>>>> On Tue, Nov 1, 2016 at 5:21 PM, Andy Bierman <andy@yumaworks.com> wrote:
>>>>>> 
>>>>>> 
>>>>>>> On Tue, Nov 1, 2016 at 7:15 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>>>>>> Authors,
>>>>>>> 
>>>>>>> Can we address Kathleen's comments?
>>>>>>> 
>>>>>>> Mahesh Jethanandani
>>>>>>> mjethanandani@gmail.com
>>>>>>> 
>>>>>>> > On Oct 31, 2016, at 8:28 AM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>>>>> >
>>>>>>> > Kathleen Moriarty has entered the following ballot position for
>>>>>>> > draft-ietf-netconf-yang-patch-12: Discuss
>>>>>>> >
>>>>>>> > When responding, please keep the subject line intact and reply to all
>>>>>>> > email addresses included in the To and CC lines. (Feel free to cut this
>>>>>>> > introductory paragraph, however.)
>>>>>>> >
>>>>>>> >
>>>>>>> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>>> > for more information about IESG DISCUSS and COMMENT positions.
>>>>>>> >
>>>>>>> >
>>>>>>> > The document, along with other ballot positions, can be found here:
>>>>>>> > https://datatracker.ietf.org/doc/draft-ietf-netconf-yang-patch/
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > ----------------------------------------------------------------------
>>>>>>> > DISCUSS:
>>>>>>> > ----------------------------------------------------------------------
>>>>>>> >
>>>>>>> > This should be easy to resolve through discussion or some text tweaks.
>>>>>>> > In the security considerations section, I see some text that hints at my
>>>>>>> > questions below, but isn't clear enough, so I'd like to discuss it to see
>>>>>>> > if these things are covered, or why they are not, and to see if we can
>>>>>>> > tweak the text a bit.
>>>>>>> >
>>>>>>> > The following text is helpful, is PATCH described in
>>>>>>> > [I-D.ietf-netconf-restconf]?
>>>>>>> >   This document defines edit processing
>>>>>>> >   instructions for a variant of the PATCH method, as used within the
>>>>>>> >   RESTCONF protocol.
>>>>>>> >
>>>>>>> > I see section 2.7 discusses error handling and validating the YANG
>>>>>>> > module, but is there a way that the hash (or some other mechanism) of the
>>>>>>> > patch could be validated to ensure the patch was not altered.  Is that
>>>>>>> > already described for PATCH?
>>>>>> 
>>>>>> The YANG Patch requests are not signed.
>>>>>> These messages are sent within the RESTCONF protocol, which MUST use TLS.
>>>>>> 
>>>>>> Sec 1. says:
>>>>>> 
>>>>>>    It may be possible to use YANG Patch with other protocols besides
>>>>>>    RESTCONF.  This is outside the scope of this document.  It may be
>>>>>>    possible to use YANG Patch with datastore types other than a 
>>>>>>        configuration datastore. This is outside the scope of this document.
>>>>>> 
>>>>>> The security requirements for protocols other than RESTCONF are not discussed.
>>>>>> Should I add text somewhere to make it clear the document applies only
>>>>>> to RESTCONF use of YANG Patch?
>>>>> 
>>>>> Yes, that text would be good.  It might be good to mention that there is no capability to sign or validate patches with RESTCONF as well so this is clear in the considerations. 
>>>> 
>>>> Is this addressed somewhere? I looked at Section 1 and Security Considerations, but could not find any explicit mention.
>>> 
>>> sec. 1, para 2:
>>> 
>>> This document only specifies the use of 
>>>    the YANG Patch media type with the RESTCONF protocol.
>> 
>> OK, could you make the point clear that answers my question specific to RESTCONF usage?  This would mean a little text added to clarify that there is no capability to validate the patch had not been altered from my original question.
>> 
> 
> 
> sec 5, para 1
> 
> OLD:
> 
>    The YANG Patch media type does not introduce any significant new
>    security threats, beyond what is described in
>    [I-D.ietf-netconf-restconf].  This document defines edit processing
>    instructions for a variant of the PATCH method, as used within the
>    RESTCONF protocol.
> 
> NEW:
> 
>    The YANG Patch media type does not introduce any significant new
>    security threats, beyond what is described in
>    [I-D.ietf-netconf-restconf].  This document defines edit processing
>    instructions for a variant of the PATCH method, as used within the
>    RESTCONF protocol.  Message integrity is provided by the RESTCONF
>    protocol.  There is no additional capability to validate that a
>    patch has not been altered.
> 
> Is this OK?

Yes, thank you.  That will at least make some aware of this possibility.  Please let me know when you post the updated version.

Best regards,
Kathleen 
> 
> 
> Andy
> 
> 
>  
>> 
>>  
>>>  
>>>> 
>>>>>> 
>>>>>> 
>>>>>>> >
>>>>>>> > I also see this text in the security considerations section:
>>>>>>> >   It is important for RESTCONF server implementations to carefully
>>>>>>> >   validate all the edit request parameters in some manner.
>>>>>>> >
>>>>>>> > Is the source of the patch authenticated?  Can the client receiving the
>>>>>>> > patch be authenticated?  Is this handled through RESTCONF?  Since YANG
>>>>>>> > modules could add in write capabilities, unauthenticated patches could
>>>>>>> > result in opening backdoors or revealing information that was not
>>>>>>> > intended.  You are covering it with that statement, but it's not clear if
>>>>>>> > both ends can be authenticated and there are attacks if they are not
>>>>>>> > authenticated.
>>>>>>> >
>>>>>>> >
>>>>>> 
>>>>>> 
>>>>>> It is covered by RESTCONF. Both client and server are authenticated.
>>>>> 
>>>>> Great, can you re-word the sentence to make sure it is clear that this is done with RESTCONF, but maybe not other protocols?
>>>> 
>>>> And this.
>>> 
>>> 
>>> sec 5, para 3
>>> 
>>>  For RESTCONF, both the client and server MUST be authenticated, 
>>>    according to section 2 of [I-D.ietf-netconf-restconf]. 
>> 
>> OK, thank you.
>> 
>> Best regards,
>> Kathleen
>> 
>>> 
>>> 
>>> Andy
>>> 
>>>  
>>>> 
>>>>>   
>>>>>> 
>>>>>> However, security considerations sec. has this text
>>>>>> similar to sec. 1:
>>>>>> 
>>>>>>   It may be possible to use YANG Patch with other protocols besides 
>>>>>>     RESTCONF, which is outside the scope of this document.
>>>>>> 
>>>>>> Regarding this text:
>>>>>> 
>>>>>> > Since YANG
>>>>>> > modules could add in write capabilities, unauthenticated patches could
>>>>>> > result in opening backdoors or revealing information that was not
>>>>>> > intended.  
>>>>>> 
>>>>>> I am not aware how YANG allows this vulnerability.
>>>>>> The patch represents instance data which is supposed to conform to
>>>>>> the schema nodes in the YANG modules advertised by the server.
>>>>> 
>>>>> RESTCONF doing server and client auth covers this.  Thank you. 
>>>>>> 
>>>>>> 
>>>>>>  
>>>>>>> > ----------------------------------------------------------------------
>>>>>>> > COMMENT:
>>>>>>> > ----------------------------------------------------------------------
>>>>>>> >
>>>>>>> > Nit: In section 2.2
>>>>>>> >
>>>>>>> >   YANG Patch does not provide any access to specific datastores.  It is
>>>>>>> >   am implementation detail
>>>>>>> >
>>>>>>> > s/am/an/
>>>>>> 
>>>>>> fixed
>>>>>>  
>>>>>>> >
>>>>>>> >
>>>>>> 
>>>>>> 
>>>>>> Andy
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> Thank you!
>>>>> 
>>>>> 
>>>>> -- 
>>>>> 
>>>>> Best regards,
>>>>> Kathleen
>>>> 
>>>> Mahesh Jethanandani
>>>> mjethanandani@gmail.com
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
>> 
>> -- 
>> 
>> Best regards,
>> Kathleen
>

v2.23.0 | Report a Bug | By Email