IETF Logo Mail Archive

Re: [Netconf] Sean Turner's DISCUSS and COMMENT on draft-ietf-netconf-rfc4742bis-07

Sean Turner <turners@ieca.com> Wed, 02 March 2011 21:43 UTC

Return-Path: <turners@ieca.com>
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D1903A68D1 for <netconf@core3.amsl.com>; Wed, 2 Mar 2011 13:43:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.518
X-Spam-Level:
X-Spam-Status: No, score=-102.518 tagged_above=-999 required=5 tests=[AWL=0.080, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CyX2C67Jc3mx for <netconf@core3.amsl.com>; Wed, 2 Mar 2011 13:43:37 -0800 (PST)
Received: from nm25.bullet.mail.sp2.yahoo.com (nm25.bullet.mail.sp2.yahoo.com [98.139.91.95]) by core3.amsl.com (Postfix) with SMTP id 5A4633A68CB for <netconf@ietf.org>; Wed, 2 Mar 2011 13:43:37 -0800 (PST)
Received: from [98.139.91.62] by nm25.bullet.mail.sp2.yahoo.com with NNFMP; 02 Mar 2011 21:44:41 -0000
Received: from [98.139.91.10] by tm2.bullet.mail.sp2.yahoo.com with NNFMP; 02 Mar 2011 21:44:41 -0000
Received: from [127.0.0.1] by omp1010.mail.sp2.yahoo.com with NNFMP; 02 Mar 2011 21:44:41 -0000
X-Yahoo-Newman-Id: 729854.52831.bm@omp1010.mail.sp2.yahoo.com
Received: (qmail 75755 invoked from network); 2 Mar 2011 21:44:41 -0000
Received: from thunderfish.local (turners@96.241.2.32 with plain) by smtp113.biz.mail.sp1.yahoo.com with SMTP; 02 Mar 2011 13:44:40 -0800 PST
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: 0OjngqQVM1lgRYFZI4GEYwms7dXXRhC7PRgaVHROLbuUo5h P2HB1mFGg9WaemdELApYxxVrodUg_Oij3Yz6s339AZbnn7WEtid2NhsqzBiD gNRXXfwmPe_Ua9_IuaXYkH45Qc1.TDUkQuqHpa6MsCN3bubX3rVYExQonGAL TS_7ewtDHrZChDSAa.bGOs_DxReWaMMUzHY5vT2Zy_q4fMxKCqcpDUnJmXia LWF5seBNd70JbUtyrTHyU8Peg_GqS8ONztGbpR2PQFm559sRMkxmN23YEy3u vpifKjZwu6z3vfEgY1WfsAutXSGI-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4D6EBA46.5030905@ieca.com>
Date: Wed, 02 Mar 2011 16:44:38 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110221 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
References: <80A0822C5E9A4440A5117C2F4CD36A6401B572F8@DEMUEXC006.nsn-intra.net> <4D6E5A66.8080302@ieca.com> <80A0822C5E9A4440A5117C2F4CD36A6401B574CA@DEMUEXC006.nsn-intra.net>
In-Reply-To: <80A0822C5E9A4440A5117C2F4CD36A6401B574CA@DEMUEXC006.nsn-intra.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Netconf <netconf@ietf.org>, draft-ietf-netconf-4741bis@tools.ietf.org, draft-ietf-netconf-rfc4742bis@tools.ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [Netconf] Sean Turner's DISCUSS and COMMENT on draft-ietf-netconf-rfc4742bis-07
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2011 21:43:38 -0000

Mehemt,

Normally, IESG members hold their discusses until either a) a new draft 
is posted that incorporates the agreed changes or b) an RFC editor's 
note is included in the IESG evaluation tab (by your AD).  If either of 
these happen, then I'll clear.  It's most a double check that you 
incorporate what you said you would (not picking on you we do this to 
just about everybody).

spt

On 3/2/11 3:21 PM, Ersue, Mehmet (NSN - DE/Munich) wrote:
> Dear Sean,
>
> I interpreted your answer that your DISCUSS have been addressed.
> Is this correct?
>
> If yes, can you please clear your DISCUSS.
> If no, what can I do more?
>
> Thank you.
>
> Cheers,
> Mehmet
>
>
>> -----Original Message-----
>> From: ext Sean Turner [mailto:turners@ieca.com]
>> Sent: Wednesday, March 02, 2011 3:56 PM
>> To: Ersue, Mehmet (NSN - DE/Munich)
>> Cc: The IESG; ext Romascanu, Dan (Dan); bertietf@bwijnen.net; draft-
>> ietf-netconf-rfc4742bis@tools.ietf.org; draft-ietf-netconf-
>> 4741bis@tools.ietf.org; Netconf
>> Subject: Re: Sean Turner's DISCUSS and COMMENT on draft-ietf-netconf-
>> rfc4742bis-07
>>
>> Mehmet,
>>
>> Responses inline.
>>
>> spt
>>
>> On 3/2/11 9:38 AM, Ersue, Mehmet (NSN - DE/Munich) wrote:
>>> Hi Sean,
>>>
>>> I detected your DISCUSS in the draft tracker (see below). However,
>>>
>>> we, the WG chairs, did not get any alarm email. We were wondering
>>>
>>> whether sending an alarm should be the default case for the IESG
>> tool.
>>
>> I think the problem was on my end.  After we enter positions we can
> hit
>> save or save and send.  I guess I only hit save.
>>
>>> DISCUSS #1:
>>>
>>>>   #1) You state a max for chunk-size in 4.2 but I think you need a
>> MUST
>>> for what
>>>
>>>>   to do if a client or server sends something out-of-range (<=0 or
>>>   >2^32-1).
>>>
>>>>   The idea is to get implementers not to leave buffer overrun
>>> vulnerabilities around.
>>>
>>>>   (Same thing for what to do if chunk-size does contain leading
>> zeros, or is
>>>
>>>>   negative perhaps.)
>>>
>>> Concerning the errors during the decoding process, which for sure
>> includes
>>>
>>> the case "chunk-size out-of-range", the draft says:
>>>
>>> OLD:
>>>
>>> "If an error occurs during the decoding process, the peer MUST
>>>
>>> terminate the NETCONF session by closing the corresponding SSH
>>>
>>> channel."
>>>
>>> I think it is OK toaddexplicitlythat the session is closed if an
>>> invalid-chunk size or
>>>
>>> invalid chunk-size value is received.
>>>
>>> NEW:
>>>
>>> "If the chunk-sizeandthe chunk-size valuerespectively areinvalid or
>> an error
>>>
>>> occurs during the decoding process, the peer MUST terminate the
>> NETCONF
>>>
>>> session by closing the corresponding SSH channel."
>>>
>>>>   That may not be quite the same as saying "MUST terminate" at the
>> very
>>> end of
>>
>> That would work for me.
>>
>>>>   4.2 if someone didn't consider the chunk-size part of the
>>>
>>>>   decoding process.
>>>
>>>>   Lastly, as a bit of a mad corner-case, if I send a chunk that's
>> 2^32-2
>>> long (which
>>>
>>>>   is allowed) and then another chunk that's 10 bytes, but both are
>> the
>>> same XML
>>>
>>>>   element, i.e. the "<rpc..." is in the 1st chunk and the 2nd chunk
>>> contains the closing
>>>
>>>>   "</rpc>" then is a server or client expected to be able to handle
>> the
>>> overall<rpc>
>>>
>>>>   element that's 2^32+8 bytes long?
>>>
>>>>   Maybe just add text that implementations SHOULD include an upper-
>> limit
>>> that ensures
>>>
>>>>   they're not vulnerable to buffer overruns or something.
>>>
>>> I think 4742bis document, as the NETCONF transport layer, shouldn't
>> have
>>> to handle
>>>
>>> with NETCONF message size (which is the size of the<rpc>  element).
>> But
>>> I agree
>>>
>>> that the document should state that the implementation needs to
> check
>>> for it to
>>>
>>> "ensure they're not vulnerable to buffer overruns".
>>>
>>> (including the text for the first part above)
>>>
>>> OLD:
>>>
>>> If an error occurs during the decoding process, the peer MUST
>>>
>>> terminate the NETCONF session by closing the corresponding SSH
>>>
>>> channel.
>>>
>>> NEW:
>>>
>>> "If the chunk-size or the chunk-size value is invalid or an error
>>>
>>> occurs during the decoding process, the peer MUST terminate the
>>>
>>> NETCONF session by closing the corresponding SSH channel.
>>>
>>> Implementations MUST ensure they are not vulnerable for a buffer
>>>
>>> overrun."
>>>
>>> Would this be sufficient for you to clear your DISCUSS?
>>
>> Yes.
>>
>>> DISCUSS #2:
>>>
>>>>   #2) There's a mix of upper and lower case in the security
>>> considerations was
>>>
>>>>   this purposely done? Specifically, it says "should" only be used
>> with
>>>
>>>>   confidentiality. Maybe "SHOULD" is better there? Also why isn't
>> this a
>>> MUST?
>>>
>>> This is actually just an explanation about the requirement for
>> NETCONF.
>>> The hard
>>>
>>> requirement statement is in 4741bis. However, you are right 4742bis
>>> shouldn't
>>>
>>> downgrade the requirement in 4741bis and shoulduse"required"
>>> orsomethingequal.
>>>
>>> OLD:
>>>
>>> "So, NETCONF should only be used overcommunications channels that
>> provide
>>>
>>> strong encryption for data privacy."
>>>
>>> NEW:
>>>
>>> "So, NETCONFrequirescommunications channels that provide strong
>> encryption
>>>
>>> for data privacy."
>>>
>>> Would this be sufficient for youto clear your DISCUSS?
>>
>> Yes
>>
>>> Comment #1:
>>>
>>>>   #1) Sec 3.1: 2nd para, 1st sentence: Should the "must" in the
> first
>>> paragraph be
>>>
>>>>   a "MUST"?
>>>
>>> This is in the area of and a MUST statement in 4741bis.
>>>
>>> Comment #2)
>>>
>>>>   Sec 4.2: Would any XML decoding error cause termination as stated
>> at
>>>
>>>>   the end of 4.2? E.g. some unknown xmlns value or something?
>>>
>>> Interpreting the XML document content is not done in the transport
>> layer
>>> (4742bis).
>>>
>>> 4741bis deals with this. There are a number of different error
>> responses
>>> if the XML
>>>
>>> message can't be understood or the XML message is not well-formed.
>>>
>>> takes care of it.
>>>
>>> 4741bis says:
>>>
>>> "All NETCONF messages MUST be well-formed XML, encoded in UTF-8. If
> a
>>>
>>> peer receives an<rpc>  message that is not well-formed XML or not
>>>
>>> encoded in UTF-8, it SHOULD reply with a "malformed-message" error.
>>>
>>> If a reply cannot be sent for any reason, the server MUST close the
>>>
>>> session."
>>>
>>> Regards,
>>>
>>> Mehmet
>>>
>>> (document shepherd)
>>>
>>> ------------------
>>>
>>> *******Discuss (2011-03-01)*Picture (Device Independent Bitmap)
>>>
>>> #1) You state a max for chunk-size in 4.2 but I think you need a
> MUST
>>> for what
>>>
>>> to do if a client or server sends something out-of-range (<=0 or
>>>   >2^32-1). The
>>>
>>> idea is to get implementers not to leave buffer overrun
>> vulnerabilities
>>> around.
>>>
>>> (Same thing for what to do if chunk-size does contain leading zeros,
>> or is
>>>
>>> negative perhaps.) That may not be quite the same as saying "MUST
>>> terminate" at
>>>
>>> the very end of 4.2 if someone didn't consider the chunk-size part
> of
>> the
>>>
>>> decoding process. Lastly, as a bit of a mad corner-case, if I send a
>> chunk
>>>
>>> that's 2^32-2 long (which is allowed) and then another chunk that's
>> 10
>>> bytes,
>>>
>>> but both are the same XML element, i.e. the "<rpc..." is in the 1st
>>> chunk and
>>>
>>> the 2nd chunk contains the closing "</rpc>" then is a server or
>> client
>>> expected
>>>
>>> to be able to handle the overall<rpc>  element that's 2^32+8 bytes
>> long?
>>> Maybe
>>>
>>> just add text that implementations SHOULD include an upper-limit
> that
>>> ensures
>>>
>>> they're not vulnerable to buffer overruns or something.
>>>
>>> #2) There's a mix of upper and lower case in the security
>> considerations was
>>>
>>> this purposely done? Specifically, it says "should" only be used
> with
>>>
>>> confidentiality. Maybe "SHOULD" is better there? Also why isn't this
>> a MUST?
>>>
>>> *******Comment (2011-03-01)*Picture (Device Independent Bitmap)
>>>
>>> #1) Sec 3.1: 2nd para, 1st sentence: Should the "must" in the first
>>> paragraph be
>>>
>>> a "MUST"?
>>>
>>> #2) Sec 4.2: Would any XML decoding error cause termination as
> stated
>> at
>>>
>>> the end of 4.2? E.g. some unknown xmlns value or something?
>>>
>>> Cheers,
>>> Mehmet
>>>
>

v2.23.0 | Report a Bug | By Email