Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)

Kent Watsen <kwatsen@juniper.net> Mon, 26 March 2018 23:10 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Robert Wilton <rwilton@cisco.com>, Ignas Bagdonas <ibagdona@gmail.com>, RFC Errata System <rfc-editor@rfc-editor.org>, "mrw@painless-security.com" <mrw@painless-security.com>, "warren@kumari.net" <warren@kumari.net>, "mjethanandani@gmail.com" <mjethanandani@gmail.com>
CC: "fanhycd@qq.com" <fanhycd@qq.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] [Technical Errata Reported] RFC6242 (5305)
Date: Mon, 26 Mar 2018 23:09:54 +0000
Message-ID: <D7C6AB10-9B2F-4024-BF11-88A89DCE9214@juniper.net>
References: <20180326061924.377B7B82685@rfc-editor.org> <a40115f9-48e5-804e-4683-887e242e565a@gmail.com> <9abc7c13-dcf4-b26c-0599-25d690e7198f@cisco.com>
In-Reply-To: <9abc7c13-dcf4-b26c-0599-25d690e7198f@cisco.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/KKMzdMkb6v7dPMbkMoQ8yv42zcA>
Subject: Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)

I think both texts are correct; it completely depends on the firewall
policy in place.  In some cases, it may inadvertently grant access
and, in others, it may inadvertently block access.  As I see it, the
current text is technically accurate, it just doesn't tell the whole
story.  So I'd reject the errata as presented, but might consider
one that more accurately reflects the whole story.

K.
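As an added illustration of the point above (this is example code, not part of the thread or of RFC 6242): a toy first-match firewall evaluator showing that enabling the "netconf" subsystem on an extra port exposes it under a default-allow policy but leaves it unreachable under a default-deny policy. Port 830 is the IANA-assigned NETCONF-over-SSH port; the alternate port 2830, the zone names and the two policies are constructed assumptions.

```python
"""Toy firewall evaluator: same server change, opposite outcomes by policy."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NETCONF_DEFAULT_PORT = 830   # IANA-assigned port for NETCONF over SSH
ALT_PORT = 2830              # constructed alternate port for this example


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_zone: Optional[str] = None   # None matches any source zone
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Policy:
    rules: List[Rule]
    default: str                     # action taken when no rule matches


def evaluate(policy: Policy, src_zone: str, dst_port: int) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for r in policy.rules:
        if r.src_zone in (None, src_zone) and r.dst_port in (None, dst_port):
            return r.action
    return policy.default


def exposure(policy: Policy, netconf_ports: List[int],
             zones=("mgmt", "outside")) -> Dict[str, List[int]]:
    """For each zone, list the NETCONF ports it can reach under this policy."""
    return {z: [p for p in netconf_ports if evaluate(policy, z, p) == "allow"]
            for z in zones}


# Policy A (constructed): default-deny; only the management zone reaches 830.
# Enabling the subsystem on 2830 then blocks *everyone*, the erratum's reading.
DEFAULT_DENY = Policy([Rule("allow", "mgmt", NETCONF_DEFAULT_PORT)], default="deny")

# Policy B (constructed): default-allow with an explicit block of 830 from outside.
# Enabling the subsystem on 2830 now exposes it to "outside", the RFC's reading.
DEFAULT_ALLOW = Policy([Rule("deny", "outside", NETCONF_DEFAULT_PORT)], default="allow")

if __name__ == "__main__":
    ports = [NETCONF_DEFAULT_PORT, ALT_PORT]
    print("default-deny :", exposure(DEFAULT_DENY, ports))
    print("default-allow:", exposure(DEFAULT_ALLOW, ports))
```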

===== original message =====

I also think that the existing RFC text looks right.

My reading of the text is that it is suggesting that allowing netconf 
access over other port numbers is a good idea, but care needs to be 
taken to ensure that this doesn't result in unauthorized access to the 
netconf/ssh subsystem.

Thanks,
Rob


On 26/03/2018 17:07, Ignas Bagdonas wrote:
> Hi there,
>
> This paragraph taken out as stand-alone seems to have a somewhat 
> different meaning than if read together with the previous one in the 
> document. If NETCONF is used over the default port, it is explicitly 
> required to be controlled by security policy, but there is no such 
> requirement when used over a non-default port, and the quoted paragraph 
> mentions precisely this non-default port case. Therefore it seems that 
> the text in the document is correct.
>
> The other aspect is the operational practice of security policies for 
> network elements - generally it should be deny all, allow what is 
> needed, but that is not what the document is focusing on.
>
> Any opinions?
>
> Thank you,
>
> Ignas
>
>
>
> On 26/03/2018 07:19, RFC Errata System wrote:
>> The following errata report has been submitted for RFC6242,
>> "Using the NETCONF Protocol over Secure Shell (SSH)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5305
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: HengyingFan <fanhycd@qq.com>
>>
>> Section: 6
>>
>> Original Text
>> -------------
>>     This document also recommends that SSH servers be configurable to
>>     allow access to the "netconf" SSH subsystem over other ports.  Use of
>>     that configuration option without corresponding changes to firewall
>>     or network device configuration may unintentionally result in the
>>     ability for nodes outside of the firewall or other administrative
>>     boundaries to gain access to the "netconf" SSH subsystem.
>>
>>
>> Corrected Text
>> --------------
>>     This document also recommends that SSH servers be configurable to
>>     allow access to the "netconf" SSH subsystem over other ports.  Use of
>>     that configuration option without corresponding changes to firewall
>>     or network device configuration may unintentionally result in the
>>     inability for nodes outside of the firewall or other administrative
>>     boundaries to gain access to the "netconf" SSH subsystem.
>>
>>
>> Notes
>> -----
>> ability -> inability
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6242 (draft-ietf-netconf-rfc4742bis-08)
>> --------------------------------------
>> Title               : Using the NETCONF Protocol over Secure Shell (SSH)
>> Publication Date    : June 2011
>> Author(s)           : M. Wasserman
>> Category            : PROPOSED STANDARD
>> Source              : Network Configuration
>> Area                : Operations and Management
>> Stream              : IETF
>> Verifying Party     : IESG