Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)
Robert Wilton <rwilton@cisco.com> Tue, 27 March 2018 10:05 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4D3612D93E for <netconf@ietfa.amsl.com>; Tue, 27 Mar 2018 03:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.8
X-Spam-Level:
X-Spam-Status: No, score=-6.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: DNS error: SERVFAIL)" header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eax4Q5XZnbr7 for <netconf@ietfa.amsl.com>; Tue, 27 Mar 2018 03:05:44 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E693612D88D for <netconf@ietf.org>; Tue, 27 Mar 2018 03:05:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5387; q=dns/txt; s=iport; t=1522145144; x=1523354744; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=u3NfyLPXes9Qe4UG26lZA8PdNCecLp9HAO6WzFm68ZY=; b=C5mRqSDoLfhtBfzgGxfIE8GixczTIhjwT489uyiYNPLu5Wg66qTbIbO8 vY8JqII+H9E024ri7ArDhyOaRzvP0KKJflfIH2J1aDzg74PTyv54RnxQL 2VvuGndxtQql/8pdCArqfu1SdLfbP1xSovybFnoHfV9auSPIAsw+8nAmQ 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CaAABWFrpa/xbLJq1dGQEBAQEBAQEBAQEBAQcBAQEBAYMSgRBwKINciABfjgEIIYEPiw2HRIIDCx+EZQKEITQYAQIBAQEBAQECayiFJgEFIwQLAQU0AggDEAsOCgICJgICVwYBDAYCAQGEcgMVrDSBazWDeAFfgjUagR+CF4EIhDIEg25AgQwiDIJZgUGDMoMBglQDhygbhVKKLQiFU4haBoEwOYMfgjoihFiKYIUdgSUcOIFSMxoIGxUZIYJDCYIkjW0BNj4wkAsBAQ
X-IronPort-AV: E=Sophos;i="5.48,366,1517875200"; d="scan'208";a="2800267"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Mar 2018 10:05:41 +0000
Received: from [10.63.23.169] (dhcp-ensft1-uk-vla370-10-63-23-169.cisco.com [10.63.23.169]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id w2RA5fZG002327; Tue, 27 Mar 2018 10:05:41 GMT
To: Kent Watsen <kwatsen@juniper.net>, Ignas Bagdonas <ibagdona@gmail.com>, RFC Errata System <rfc-editor@rfc-editor.org>, "mrw@painless-security.com" <mrw@painless-security.com>, "warren@kumari.net" <warren@kumari.net>, "mjethanandani@gmail.com" <mjethanandani@gmail.com>
Cc: "fanhycd@qq.com" <fanhycd@qq.com>, "netconf@ietf.org" <netconf@ietf.org>
References: <20180326061924.377B7B82685@rfc-editor.org> <a40115f9-48e5-804e-4683-887e242e565a@gmail.com> <9abc7c13-dcf4-b26c-0599-25d690e7198f@cisco.com> <D7C6AB10-9B2F-4024-BF11-88A89DCE9214@juniper.net>
From: Robert Wilton <rwilton@cisco.com>
Message-ID: <07a3383d-db50-0112-fb75-1e000e4008f8@cisco.com>
Date: Tue, 27 Mar 2018 11:05:41 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <D7C6AB10-9B2F-4024-BF11-88A89DCE9214@juniper.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/KJUza25d2xPep7RWPjcc_czo1Ss>
Subject: Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 10:05:50 -0000
I think of the security considerations section of an RFC as outlining what the security issues might be present if care isn't taken when implementing the specification or deploying the technology associated with it. Not being able to access a device because it is blocked by a firewall seems like a functionality issue rather than a security issue. Normally you would expect this to be spotted during deployment, and hence I'm not convinced that additional text is required to cover this case. However, unwittingly opening up your device to a new attack vector does seem to be a security issue, and this is what the text is describing today. So, I'm still not convinced, that any change or erratum is required. Thanks, Rob On 27/03/2018 00:09, Kent Watsen wrote: > I think both texts are correct, it completely depends on the firewall > policy in place. In some cases, it may inadvertently grant access > and, in other it may inadvertently block access. As I see it, the > current text is technically accurate, it just doesn't tell the whole > story. So I'd reject the errata as presented, but might consider > one that more accurately reflects the whole story. > > K. > > ===== original message ===== > > I also think that the existing RFC text looks right. > > My reading of the text is that it is suggesting that allowing netconf > access over other port numbers is a good idea, but care needs to be > taken to ensure that this doesn't result in unauthorized access to the > netconf/ssh subsystem. > > Thanks, > Rob > > > On 26/03/2018 17:07, Ignas Bagdonas wrote: >> Hi there, >> >> This paragraph taken out as stand-alone seems to have somewhat >> different meaning than if read together with the previous one in the >> document. If NETCONF is used over default port, it is explicitly >> required to be controlled by security policy, but there is no such >> requirement when used over non-default port, and the quoted paragraph >> mentions precisely this non-default port case. Therefore it seems that >> the text in the document is correct. >> >> The other aspect is the operational practice of security policies for >> network elements - generally it should be deny all allow what is >> needed, but that is not what the document is focusing on. >> >> Any opinions? >> >> Thank you, >> >> Ignas >> >> >> >> On 26/03/2018 07:19, RFC Errata System wrote: >>> The following errata report has been submitted for RFC6242, >>> "Using the NETCONF Protocol over Secure Shell (SSH)". >>> >>> -------------------------------------- >>> You may review the report below and at: >>> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rfc-2Deditor.org_errata_eid5305&d=DwIDaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=DiWeU-wyrNi7M183Zqrwk2er1MZS4MaIRqDJGXfI8CQ&s=EOfMENEtZKJI8OgKPlj-d_eAd8KPvVUehrS4w2JQBrs&e= >>> >>> -------------------------------------- >>> Type: Technical >>> Reported by: HengyingFan <fanhycd@qq.com> >>> >>> Section: 6 >>> >>> Original Text >>> ------------- >>> This document also recommends that SSH servers be configurable to >>> allow access to the "netconf" SSH subsystem over other ports. >>> Use of >>> that configuration option without corresponding changes to firewall >>> or network device configuration may unintentionally result in the >>> ability for nodes outside of the firewall or other administrative >>> boundaries to gain access to the "netconf" SSH subsystem. >>> >>> >>> Corrected Text >>> -------------- >>> This document also recommends that SSH servers be configurable to >>> allow access to the "netconf" SSH subsystem over other ports. >>> Use of >>> that configuration option without corresponding changes to firewall >>> or network device configuration may unintentionally result in the >>> inability for nodes outside of the firewall or other administrative >>> boundaries to gain access to the "netconf" SSH subsystem. >>> >>> >>> Notes >>> ----- >>> ability -> inability >>> >>> Instructions: >>> ------------- >>> This erratum is currently posted as "Reported". If necessary, please >>> use "Reply All" to discuss whether it should be verified or >>> rejected. When a decision is reached, the verifying party >>> can log in to change the status and edit the report, if necessary. >>> >>> -------------------------------------- >>> RFC6242 (draft-ietf-netconf-rfc4742bis-08) >>> -------------------------------------- >>> Title : Using the NETCONF Protocol over Secure Shell (SSH) >>> Publication Date : June 2011 >>> Author(s) : M. Wasserman >>> Category : PROPOSED STANDARD >>> Source : Network Configuration >>> Area : Operations and Management >>> Stream : IETF >>> Verifying Party : IESG >> _______________________________________________ >> Netconf mailing list >> Netconf@ietf.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwIDaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=DiWeU-wyrNi7M183Zqrwk2er1MZS4MaIRqDJGXfI8CQ&s=sMVpoddABtHDrtsSxGnxZF3r8ZbCAGl0CZpXLnYycRw&e= >> . >> > >
- [Netconf] [Technical Errata Reported] RFC6242 (53… RFC Errata System
- Re: [Netconf] [Technical Errata Reported] RFC6242… Ignas Bagdonas
- Re: [Netconf] [Technical Errata Reported] RFC6242… Mahesh Jethanandani
- Re: [Netconf] [Technical Errata Reported] RFC6242… Robert Wilton
- Re: [Netconf] [Technical Errata Reported] RFC6242… Kent Watsen
- Re: [Netconf] [Technical Errata Reported] RFC6242… Margaret Cullen
- Re: [Netconf] [Technical Errata Reported] RFC6242… Robert Wilton
- Re: [Netconf] 回复: [Technical Errata Reported] RFC… Ignas Bagdonas