Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)

Andy Bierman <andy@yumaworks.com> Sun, 13 November 2016 06:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Gea9ZwLMaM8rQuwMT2S0Vo9_ZVo>

On Sat, Nov 12, 2016 at 4:45 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:

> Hello,
>
> Thanks for your responses, inline.
>
> On Fri, Nov 11, 2016 at 12:08 PM, Andy Bierman <andy@yumaworks.com> wrote:
>
>>
>>
>> On Fri, Nov 11, 2016 at 6:04 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>
>>> Andy,
>>>
>>> I am looking at -13 version of the document and following up on all the
>>> DISCUSS on the document to make sure they have been addressed. In
>>> particular -
>>>
>>> On Nov 3, 2016, at 9:35 PM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>
>>> Hi Andy,
>>>
>>> Thanks for your response and sorry I didn't see it sooner.  Inline
>>>
>>> On Tue, Nov 1, 2016 at 5:21 PM, Andy Bierman <andy@yumaworks.com> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Nov 1, 2016 at 7:15 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>>>
>>>>> Authors,
>>>>>
>>>>> Can we address Kathleen's comments?
>>>>>
>>>>> Mahesh Jethanandani
>>>>> mjethanandani@gmail.com
>>>>>
>>>>> > On Oct 31, 2016, at 8:28 AM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>>> >
>>>>> > Kathleen Moriarty has entered the following ballot position for
>>>>> > draft-ietf-netconf-yang-patch-12: Discuss
>>>>> >
>>>>> > When responding, please keep the subject line intact and reply to all
>>>>> > email addresses included in the To and CC lines. (Feel free to cut this
>>>>> > introductory paragraph, however.)
>>>>> >
>>>>> >
>>>>> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>> > for more information about IESG DISCUSS and COMMENT positions.
>>>>> >
>>>>> >
>>>>> > The document, along with other ballot positions, can be found here:
>>>>> > https://datatracker.ietf.org/doc/draft-ietf-netconf-yang-patch/
>>>>> >
>>>>> >
>>>>> >
>>>>> > ----------------------------------------------------------------------
>>>>> > DISCUSS:
>>>>> > ----------------------------------------------------------------------
>>>>> >
>>>>> > This should be easy to resolve through discussion or some text tweaks.
>>>>> > In the security considerations section, I see some text that hints at my
>>>>> > questions below, but isn't clear enough, so I'd like to discuss it to see
>>>>> > if these things are covered, or why they are not, and to see if we can
>>>>> > tweak the text a bit.
>>>>> >
>>>>> > The following text is helpful, is PATCH described in
>>>>> > [I-D.ietf-netconf-restconf]?
>>>>> >   This document defines edit processing
>>>>> >   instructions for a variant of the PATCH method, as used within the
>>>>> >   RESTCONF protocol.
>>>>> >
>>>>> > I see section 2.7 discusses error handling and validating the YANG
>>>>> > module, but is there a way that the hash (or some other mechanism) of the
>>>>> > patch could be validated to ensure the patch was not altered.  Is that
>>>>> > already described for PATCH?
>>>>>
>>>>
>>>> The YANG Patch requests are not signed.
>>>> These messages are sent within the RESTCONF protocol, which MUST use
>>>> TLS.
>>>>
>>>> Sec 1. says:
>>>>
>>>>    It may be possible to use YANG Patch with other protocols besides
>>>>    RESTCONF.  This is outside the scope of this document.  It may be
>>>>    possible to use YANG Patch with datastore types other than a
>>>>    configuration datastore.  This is outside the scope of this
>>>>    document.
>>>>
>>>> The security requirements for protocols other than RESTCONF are not
>>>> discussed.
>>>> Should I add text somewhere to make it clear the document applies only
>>>> to RESTCONF use of YANG Patch?
>>>>
>>>
>>> Yes, that text would be good.  It might be good to mention that there is
>>> no capability to sign or validate patches with RESTCONF as well so this is
>>> clear in the considerations.
>>>
>>>
>>> Is this addressed somewhere? I looked at Section 1 and Security
>>> Considerations, but could not find any explicit mention.
>>>
>>
>> sec. 1, para 2:
>>
>>    This document only specifies the use of
>>    the YANG Patch media type with the RESTCONF protocol.
>>
>
> OK, could you make the point clear that answers my question specific to
> RESTCONF usage?  This would mean a little text added to clarify that there
> is no capability to validate the patch had not been altered from my
> original question.
>
>

sec 5, para 1

OLD:

   The YANG Patch media type does not introduce any significant new
   security threats, beyond what is described in
   [I-D.ietf-netconf-restconf].  This document defines edit processing
   instructions for a variant of the PATCH method, as used within the
   RESTCONF protocol.


NEW:

   The YANG Patch media type does not introduce any significant new
   security threats, beyond what is described in
   [I-D.ietf-netconf-restconf].  This document defines edit processing
   instructions for a variant of the PATCH method, as used within the
   RESTCONF protocol.  Message integrity is provided by the RESTCONF
   protocol.  There is no additional capability to validate that a
   patch has not been altered.


Is this OK?



Andy





>
>
>
>>
>>
>>>
>>>
>>>>
>>>> >
>>>>> > I also see this text in the security considerations section:
>>>>> >   It is important for RESTCONF server implementations to carefully
>>>>> >   validate all the edit request parameters in some manner.
>>>>> >
>>>>> > Is the source of the patch authenticated?  Can the client receiving the
>>>>> > patch be authenticated?  Is this handled through RESTCONF?  Since YANG
>>>>> > modules could add in write capabilities, unauthenticated patches could
>>>>> > result in opening backdoors or revealing information that was not
>>>>> > intended.  You are covering it with that statement, but it's not clear if
>>>>> > both ends can be authenticated and there are attacks if they are not
>>>>> > authenticated.
>>>>> >
>>>>> >
>>>>>
>>>>
>>>>
>>>> It is covered by RESTCONF. Both client and server are authenticated.
>>>>
>>>
>>> Great, can you re-word the sentence to make sure it is clear that this
>>> is done with RESTCONF, but maybe not other protocols?
>>>
>>>
>>> And this.
>>>
>>
>>
>> sec 5, para 3
>>
>>    For RESTCONF, both the client and server MUST be authenticated,
>>    according to section 2 of [I-D.ietf-netconf-restconf <https://tools.ietf.org/html/draft-ietf-netconf-yang-patch-13#ref-I-D.ietf-netconf-restconf>].
>>
>
> OK, thank you.
>
> Best regards,
> Kathleen
>
>
>>
>> Andy
>>
>>
>>
>>>
>>>
>>>
>>>>
>>>> However, security considerations sec. has this text
>>>> similar to sec. 1:
>>>>
>>>>    It may be possible to use YANG Patch with other protocols besides
>>>>    RESTCONF, which is outside the scope of this document.
>>>>
>>>> Regarding this text:
>>>>
>>>> > Since YANG
>>>> > modules could add in write capabilities, unauthenticated patches could
>>>> > result in opening backdoors or revealing information that was not
>>>> > intended.
>>>>
>>>> I am not aware how YANG allows this vulnerability.
>>>> The patch represents instance data which is supposed to conform to
>>>> the schema nodes in the YANG modules advertised by the server.
>>>>
>>>
>>> RESTCONF doing server and client auth covers this.  Thank you.
>>>
>>>>
>>>>
>>>>
>>>>
>>>>> > ----------------------------------------------------------------------
>>>>> > COMMENT:
>>>>> > ----------------------------------------------------------------------
>>>>> >
>>>>> > Nit: In section 2.2
>>>>> >
>>>>> >   YANG Patch does not provide any access to specific datastores.  It is
>>>>> >   am implementation detail
>>>>> >
>>>>> > s/am/an/
>>>>>
>>>>
>>>> fixed
>>>>
>>>>
>>>>> >
>>>>> >
>>>>>
>>>>
>>>>
>>>> Andy
>>>>
>>>>
>>>
>>> Thank you!
>>>
>>>
>>> --
>>>
>>> Best regards,
>>> Kathleen
>>>
>>>
>>> Mahesh Jethanandani
>>> mjethanandani@gmail.com
>>>
>>>
>>>
>>>
>>
>
>
> --
>
> Best regards,
> Kathleen
>
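
The two checks discussed in this thread, as an added example that is not part of the original message or of the draft: a server validating the edit parameters of a JSON-encoded YANG Patch body, and a comparison of the body against a SHA-256 digest obtained out of band. The digest comparison is an assumption of this example (as the message states, neither YANG Patch nor RESTCONF defines one), the function names are hypothetical, and the sample body is constructed.

```python
import hashlib
import hmac
import json

# Edit operations of the YANG Patch edit list, and those that must carry "value".
OPERATIONS = {"create", "delete", "insert", "merge", "move", "replace", "remove"}
NEEDS_VALUE = {"create", "insert", "merge", "replace"}

def validate_patch(body: bytes) -> list:
    """Return the problems found in a JSON-encoded YANG Patch request body."""
    try:
        patch = json.loads(body)["ietf-yang-patch:yang-patch"]
    except (ValueError, KeyError, TypeError):
        return ["not a yang-patch document"]
    if not isinstance(patch, dict) or not isinstance(patch.get("edit"), list):
        return ["yang-patch has no edit list"]
    problems = [] if isinstance(patch.get("patch-id"), str) else ["missing patch-id"]
    seen = set()
    for n, edit in enumerate(patch["edit"], 1):
        if not isinstance(edit, dict):
            problems.append(f"edit {n}: not an object")
            continue
        eid, op = edit.get("edit-id"), str(edit.get("operation"))
        where = str(edit.get("where", "last"))
        if not isinstance(eid, str) or eid in seen:
            problems.append(f"edit {n}: missing or duplicate edit-id")
        else:
            seen.add(eid)
        if op not in OPERATIONS:
            problems.append(f"edit {n}: unknown operation")
        if not str(edit.get("target", "")).startswith("/"):
            problems.append(f"edit {n}: bad target")
        if op in NEEDS_VALUE and "value" not in edit:
            problems.append(f"edit {n}: {op} requires value")
        if op in ("insert", "move") and where in ("before", "after") and "point" not in edit:
            problems.append(f"edit {n}: {where} requires point")
    return problems

def digest_matches(body: bytes, expected_hex: str) -> bool:
    """Assumed out-of-band check; not a YANG Patch or RESTCONF feature."""
    actual = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())

# Constructed sample: edit 2 reuses an edit-id and omits "point"; edit 3 is malformed.
SAMPLE = json.dumps({"ietf-yang-patch:yang-patch": {"patch-id": "p1", "edit": [
    {"edit-id": "e1", "operation": "create", "target": "/song=A", "value": {"song": {}}},
    {"edit-id": "e1", "operation": "insert", "target": "/song=B", "where": "before",
     "value": {"song": {}}},
    {"edit-id": "e3", "operation": "chmod", "target": "song"},
]}}).encode()
```

The digest has to reach the server over a channel independent of the request itself; a digest carried alongside the body would be altered together with it.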