Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)
Andy Bierman <andy@yumaworks.com> Sun, 13 November 2016 06:10 UTC
From: Andy Bierman <andy@yumaworks.com>
Date: Sat, 12 Nov 2016 22:10:40 -0800
Message-ID: <CABCOCHQr1b_9kCs28DvVwS_rF7T6-i9Vx3N8T1p3YhRaVG_kqw@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Gea9ZwLMaM8rQuwMT2S0Vo9_ZVo>
Cc: draft-ietf-netconf-yang-patch@ietf.org, The IESG <iesg@ietf.org>, Netconf <netconf@ietf.org>, NETCONF Working Group <netconf-chairs@ietf.org>
Subject: Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)

On Sat, Nov 12, 2016 at 4:45 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:

> Hello,
>
> Thanks for your responses, inline.
>
> On Fri, Nov 11, 2016 at 12:08 PM, Andy Bierman <andy@yumaworks.com> wrote:
>
>> On Fri, Nov 11, 2016 at 6:04 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>
>>> Andy,
>>>
>>> I am looking at -13 version of the document and following up on all the
>>> DISCUSS on the document to make sure they have been addressed. In
>>> particular -
>>>
>>> On Nov 3, 2016, at 9:35 PM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>
>>> Hi Andy,
>>>
>>> Thanks for your response and sorry I didn't see it sooner. Inline
>>>
>>> On Tue, Nov 1, 2016 at 5:21 PM, Andy Bierman <andy@yumaworks.com> wrote:
>>>
>>>> On Tue, Nov 1, 2016 at 7:15 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>>>
>>>>> Authors,
>>>>>
>>>>> Can we address Kathleen's comments?
>>>>>
>>>>> Mahesh Jethanandani
>>>>> mjethanandani@gmail.com
>>>>>
>>>>> > On Oct 31, 2016, at 8:28 AM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>>> >
>>>>> > Kathleen Moriarty has entered the following ballot position for
>>>>> > draft-ietf-netconf-yang-patch-12: Discuss
>>>>> >
>>>>> > When responding, please keep the subject line intact and reply to all
>>>>> > email addresses included in the To and CC lines. (Feel free to cut this
>>>>> > introductory paragraph, however.)
>>>>> >
>>>>> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>> > for more information about IESG DISCUSS and COMMENT positions.
>>>>> >
>>>>> > The document, along with other ballot positions, can be found here:
>>>>> > https://datatracker.ietf.org/doc/draft-ietf-netconf-yang-patch/
>>>>> >
>>>>> > ----------------------------------------------------------------------
>>>>> > DISCUSS:
>>>>> > ----------------------------------------------------------------------
>>>>> >
>>>>> > This should be easy to resolve through discussion or some text tweaks.
>>>>> > In the security considerations section, I see some text that hints at my
>>>>> > questions below, but isn't clear enough, so I'd like to discuss it to see
>>>>> > if these things are covered, or why they are not, and to see if we can
>>>>> > tweak the text a bit.
>>>>> >
>>>>> > The following text is helpful, is PATCH described in
>>>>> > [I-D.ietf-netconf-restconf]?
>>>>> >    This document defines edit processing
>>>>> >    instructions for a variant of the PATCH method, as used within the
>>>>> >    RESTCONF protocol.
>>>>> >
>>>>> > I see section 2.7 discusses error handling and validating the YANG
>>>>> > module, but is there a way that the hash (or some other mechanism) of the
>>>>> > patch could be validated to ensure the patch was not altered. Is that
>>>>> > already described for PATCH?
>>>>>
>>>>
>>>> The YANG Patch requests are not signed.
>>>> These messages are sent within the RESTCONF protocol, which MUST use TLS.
>>>>
>>>> Sec 1. says:
>>>>
>>>>    It may be possible to use YANG Patch with other protocols besides
>>>>    RESTCONF. This is outside the scope of this document. It may be
>>>>    possible to use YANG Patch with datastore types other than a
>>>>    configuration datastore. This is outside the scope of this
>>>>    document.
>>>>
>>>> The security requirements for protocols other than RESTCONF are not
>>>> discussed.
>>>> Should I add text somewhere to make it clear the document applies only
>>>> to RESTCONF use of YANG Patch?
>>>>
>>>
>>> Yes, that text would be good. It might be good to mention that there is
>>> no capability to sign or validate patches with RESTCONF as well so this is
>>> clear in the considerations.
>>>
>>> Is this addressed somewhere? I looked at Section 1 and Security
>>> Considerations, but could not find any explicit mention.
>>>
>>
>> sec. 1, para 2:
>>
>>    This document only specifies the use of
>>    the YANG Patch media type with the RESTCONF protocol.
>>
>
> OK, could you make the point clear that answers my question specific to
> RESTCONF usage? This would mean a little text added to clarify that there
> is no capability to validate the patch had not been altered from my
> original question.
>

sec 5, para 1

OLD:

   The YANG Patch media type does not introduce any significant new
   security threats, beyond what is described in
   [I-D.ietf-netconf-restconf]. This document defines edit processing
   instructions for a variant of the PATCH method, as used within the
   RESTCONF protocol.

NEW:

   The YANG Patch media type does not introduce any significant new
   security threats, beyond what is described in
   [I-D.ietf-netconf-restconf]. This document defines edit processing
   instructions for a variant of the PATCH method, as used within the
   RESTCONF protocol. Message integrity is provided by the RESTCONF
   protocol. There is no additional capability to validate that a patch
   has not been altered.

Is this OK?

Andy

>>>>> > I also see this text in the security considerations section:
>>>>> >    It is important for RESTCONF server implementations to carefully
>>>>> >    validate all the edit request parameters in some manner.
>>>>> >
>>>>> > Is the source of the patch authenticated? Can the client receiving the
>>>>> > patch be authenticated? Is this handled through RESTCONF? Since YANG
>>>>> > modules could add in write capabilities, unauthenticated patches could
>>>>> > result in opening backdoors or revealing information that was not
>>>>> > intended. You are covering it with that statement, but it's not clear if
>>>>> > both ends can be authenticated and there are attacks if they are not
>>>>> > authenticated.
>>>>>
>>>>
>>>> It is covered by RESTCONF. Both client and server are authenticated.
>>>>
>>>
>>> Great, can you re-word the sentence to make sure it is clear that this
>>> is done with RESTCONF, but maybe not other protocols?
>>>
>>> And this.
>>>
>>
>> sec 5, para 3
>>
>>    For RESTCONF, both the client and server MUST be authenticated,
>>    according to section 2 of [I-D.ietf-netconf-restconf
>>    <https://tools.ietf.org/html/draft-ietf-netconf-yang-patch-13#ref-I-D.ietf-netconf-restconf>].
>>
>
> OK, thank you.
>
> Best regards,
> Kathleen
>
>>
>> Andy
>>
>>>
>>>> However, security considerations sec. has this text
>>>> similar to sec. 1:
>>>>
>>>>    It may be possible to use YANG Patch with other protocols besides
>>>>    RESTCONF, which is outside the scope of this document.
>>>>
>>>> Regarding this text:
>>>>
>>>> > Since YANG
>>>> > modules could add in write capabilities, unauthenticated patches could
>>>> > result in opening backdoors or revealing information that was not
>>>> > intended.
>>>>
>>>> I am not aware how YANG allows this vulnerability.
>>>> The patch represents instance data which is supposed to conform to
>>>> the schema nodes in the YANG modules advertised by the server.
>>>>
>>>
>>> RESTCONF doing server and client auth covers this. Thank you.
>>>
>>>>> > ----------------------------------------------------------------------
>>>>> > COMMENT:
>>>>> > ----------------------------------------------------------------------
>>>>> >
>>>>> > Nit: In section 2.2
>>>>> >
>>>>> >    YANG Patch does not provide any access to specific datastores. It is
>>>>> >    am implementation detail
>>>>> >
>>>>> > s/am/an/
>>>>>
>>>>
>>>> fixed
>>>>
>>>> Andy
>>>>
>>>
>>> Thank you!
>>>
>>> --
>>>
>>> Best regards,
>>> Kathleen
>>>
>>> Mahesh Jethanandani
>>> mjethanandani@gmail.com
>>>
>
> --
>
> Best regards,
> Kathleen