[netconf] Roman Danyliw's Discuss on draft-ietf-netconf-https-notif-13: (with DISCUSS and COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 13 December 2022 21:14 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: netconf@ietf.org
Delivered-To: netconf@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A47ABC14CF09; Tue, 13 Dec 2022 13:14:38 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-https-notif@ietf.org, netconf-chairs@ietf.org, netconf@ietf.org, maqiufang1@huawei.com, maqiufang1@huawei.com
X-Test-IDTracker: no
X-IETF-IDTracker: 9.2.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <167096607866.46389.13136814861583410871@ietfa.amsl.com>
Date: Tue, 13 Dec 2022 13:14:38 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/LhRYO54ZjJnjhlh7O0vWNJ1mu9E>
Subject: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-https-notif-13: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2022 21:14:38 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-netconf-https-notif-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-netconf-https-notif/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- ** Section 6.2 container receiver-identity { if-feature receiver-identity; description "Maps the receiver's TLS certificate to a local identity enabling access control to be applied to filter out notifications that the receiver may not be authorized to view."; container cert-maps { uses x509c2n:cert-to-name; description "The cert-maps container is used by a TLS-based HTTP server to map the HTTPS client's presented X.509 certificate to a 'local' username. If no matching and valid cert-to-name list entry is found, the publisher MUST close the connection, and MUST NOT send any notifications over it."; The ietf-x509-cert-to-name module exposes many certificate fields. What specific fields need to be matched from this module and the local identity value? ** Unsafe TLS configurations seem possible. (a) Section 6.2. grouping https-receiver-grouping { description "A grouping that may be used by other modules wishing to configure HTTPS-based notifications without using RFC 8639."; uses httpc:http-client-stack-grouping { (b) Section 7 The YANG modules in this document make use of grouping that are defined in YANG Groupings for HTTP Clients and HTTP Servers [I-D.ietf-netconf-http-client-server], and A YANG Data Model for SNMP Configuration [RFC7407]. Please see the Security Considerations section of those documents for considerations related to sensitivity and vulnerability of the data nodes defined in them. Per (a) “grouping https-receiver-grouping” seems to reference draft-ietf-netconf-netconf-client-server which in turn seems to reference draft-ietf-netconf-tls-client-server. Per (b), the Security Considerations for draft-ietf-ietf-netconf-http-client-server say none of the modules are read or write sensitive. Draft-ietf-netconf-tls-client-server’s Security Considerations (not referenced here) do note that write access could alter the security policy. Please provide a declarative caution here about writing to https-receiver-group. Additionally, are any TLS parameters in transport/tls/tls/http/client-parameters acceptable? Should they conform to draft-ietf-uta-rfc7525bis? ** Section 10. * The "path" node in "ietf-subscribed-notif-receivers" module can be modified by a malicious user to point to an invalid URI. It could be worse than that. An attacker could direct the to a URL of their choosing which could (a) serve an exploit against a vulnerable client; or (b) assuming redirects are followed, track usage. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Leif Johansson for the SECDIR review I support Lars Eggert’s and Éric Vyncke’s related DISCUSS position. Editorially, due to the module imports, it was difficulty to read the YANG tree view in Section 6.1 and reconcile it with the module in Section 6.2.
- [netconf] Roman Danyliw's Discuss on draft-ietf-n… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Mahesh Jethanandani
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Mahesh Jethanandani