Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)

Ignas Bagdonas <ibagdona@gmail.com> Mon, 26 March 2018 16:07 UTC

To: RFC Errata System <rfc-editor@rfc-editor.org>, mrw@painless-security.com, warren@kumari.net, kwatsen@juniper.net, mjethanandani@gmail.com
Cc: fanhycd@qq.com, netconf@ietf.org
References: <20180326061924.377B7B82685@rfc-editor.org>
From: Ignas Bagdonas <ibagdona@gmail.com>
Message-ID: <a40115f9-48e5-804e-4683-887e242e565a@gmail.com>
Date: Mon, 26 Mar 2018 17:07:35 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/TtU8mnsnTKXw_ciFOcJh0FVKBRw>

Hi there,

This paragraph, taken out as stand-alone, seems to have a somewhat different meaning than if read together with the previous one in the document. If NETCONF is used over the default port, it is explicitly required to be controlled by security policy, but there is no such requirement when used over a non-default port, and the quoted paragraph mentions precisely this non-default port case. Therefore it seems that the text in the document is correct.

The other aspect is the operational practice of security policies for network elements: generally it should be "deny all, allow what is needed", but that is not what the document is focusing on.

Any opinions?

Thank you,

Ignas



On 26/03/2018 07:19, RFC Errata System wrote:
> The following errata report has been submitted for RFC6242,
> "Using the NETCONF Protocol over Secure Shell (SSH)".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5305
>
> --------------------------------------
> Type: Technical
> Reported by: HengyingFan <fanhycd@qq.com>
>
> Section: 6
>
> Original Text
> -------------
>     This document also recommends that SSH servers be configurable to
>     allow access to the "netconf" SSH subsystem over other ports.  Use of
>     that configuration option without corresponding changes to firewall
>     or network device configuration may unintentionally result in the
>     ability for nodes outside of the firewall or other administrative
>     boundaries to gain access to the "netconf" SSH subsystem.
>
>
> Corrected Text
> --------------
>     This document also recommends that SSH servers be configurable to
>     allow access to the "netconf" SSH subsystem over other ports.  Use of
>     that configuration option without corresponding changes to firewall
>     or network device configuration may unintentionally result in the
>     inability for nodes outside of the firewall or other administrative
>     boundaries to gain access to the "netconf" SSH subsystem.
>
>
> Notes
> -----
> ability -> inability
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6242 (draft-ietf-netconf-rfc4742bis-08)
> --------------------------------------
> Title               : Using the NETCONF Protocol over Secure Shell (SSH)
> Publication Date    : June 2011
> Author(s)           : M. Wasserman
> Category            : PROPOSED STANDARD
> Source              : Network Configuration
> Area                : Operations and Management
> Stream              : IETF
> Verifying Party     : IESG
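The two paragraphs of RFC 6242 Section 6 under discussion, and the "deny all, allow what is needed" practice mentioned in the reply, can be checked mechanically. The following Python audit is an added example, not code from the thread, from the RFC or from any IETF project: it models a first-match firewall rule list with a default action and reports, for every port on which the "netconf" SSH subsystem listens, whether a host outside the administrative boundary could reach it (the "ability" case the RFC text warns about) or whether the management network itself has been locked out (the "inability" reading in the erratum). The rule format, the sample prefixes and the listening ports are all constructed for the example; only port 830 is taken from the RFC.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional

# IANA-assigned port for NETCONF over SSH (RFC 6242); any other port is "non-default"
NETCONF_DEFAULT_PORT = 830


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a constructed, first-match rule list (hypothetical format)."""
    action: str                  # "allow" or "deny"
    src: IPv4Network             # source prefix the rule matches
    dport: Optional[int] = None  # destination port; None matches any port


def decide(rules: list, src: IPv4Address, dport: int, default: str) -> str:
    """First-match evaluation: the action of the first matching rule, else the default policy."""
    for r in rules:
        if src in r.src and (r.dport is None or r.dport == dport):
            return r.action
    return default


def audit_netconf(listen_ports, rules, default, mgmt_host, outside_host) -> dict:
    """Classify each NETCONF listening port against the policy.

    EXPOSED     - a host outside the boundary is allowed in (the risk RFC 6242 Section 6 names)
    UNREACHABLE - the management host itself is not allowed in (the "inability" case)
    OK          - reachable from management only
    """
    result = {}
    for port in listen_ports:
        from_outside = decide(rules, outside_host, port, default)
        from_mgmt = decide(rules, mgmt_host, port, default)
        if from_outside == "allow":
            result[port] = "EXPOSED"
        elif from_mgmt != "allow":
            result[port] = "UNREACHABLE"
        else:
            result[port] = "OK"
    return result


# --- constructed sample input -------------------------------------------------
LISTEN_PORTS = [NETCONF_DEFAULT_PORT, 2222]      # sshd offers "netconf" on 830 and on 2222
MGMT_NET = ip_network("10.0.0.0/24")             # assumed management prefix
MGMT_HOST = ip_address("10.0.0.5")
OUTSIDE_HOST = ip_address("198.51.100.7")        # documentation range, i.e. "outside"
ANY = ip_network("0.0.0.0/0")

# Weak policy: only the default port was ever written down, and the list ends in "allow".
WEAK_RULES = [Rule("allow", MGMT_NET, 830), Rule("deny", ANY, 830)]
WEAK_DEFAULT = "allow"

# Half-fixed policy: default deny, but the non-default port was never added.
FORGOTTEN_RULES = [Rule("allow", MGMT_NET, 830)]
FORGOTTEN_DEFAULT = "deny"

# Corrected policy: default deny plus one explicit management-only allow per NETCONF port.
STRICT_RULES = [Rule("allow", MGMT_NET, 830), Rule("allow", MGMT_NET, 2222)]
STRICT_DEFAULT = "deny"


def weak_audit() -> dict:
    return audit_netconf(LISTEN_PORTS, WEAK_RULES, WEAK_DEFAULT, MGMT_HOST, OUTSIDE_HOST)


def forgotten_audit() -> dict:
    return audit_netconf(LISTEN_PORTS, FORGOTTEN_RULES, FORGOTTEN_DEFAULT, MGMT_HOST, OUTSIDE_HOST)


def strict_audit() -> dict:
    return audit_netconf(LISTEN_PORTS, STRICT_RULES, STRICT_DEFAULT, MGMT_HOST, OUTSIDE_HOST)


if __name__ == "__main__":
    for name, report in (("weak", weak_audit()), ("forgotten", forgotten_audit()), ("strict", strict_audit())):
        print(f"{name:10s} {report}")
```

The weak list flags 2222 as EXPOSED because nothing matches it and the policy falls through to "allow"; the half-fixed list flags it as UNREACHABLE, which is the symptom the erratum reporter read into the text; only the default-deny list with an explicit per-port allow from the management prefix reports both ports as OK. Replacing the constructed rule list with a parser for the real device's policy is the obvious extension.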