Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)

Margaret Cullen <mrcullen42@gmail.com> Tue, 27 March 2018 00:14 UTC

From: Margaret Cullen <mrcullen42@gmail.com>
In-Reply-To: <a40115f9-48e5-804e-4683-887e242e565a@gmail.com>
Date: Mon, 26 Mar 2018 20:13:52 -0400
Cc: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, Margaret Wasserman <mrw@painless-security.com>, warren@kumari.net, kwatsen@juniper.net, mjethanandani@gmail.com, fanhycd@qq.com, netconf@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <236E433C-98E9-449A-8D28-F42DB355037D@gmail.com>
References: <20180326061924.377B7B82685@rfc-editor.org> <a40115f9-48e5-804e-4683-887e242e565a@gmail.com>
To: Ignas Bagdonas <ibagdona@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/UEeIThtUWtiOnXAdMng4jVZ9qVw>
Subject: Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)

I agree that the text in the original document is correct.  If you have a firewall configured to protect your devices by not allowing outside devices to access NETCONF over SSH on the default port, and you configure one of your devices to use NETCONF over SSH on a non-default port, that device may not be protected by the firewall and may be subject to attack from outside attackers.

Margaret


> On Mar 26, 2018, at 12:07 PM, Ignas Bagdonas <ibagdona@gmail.com> wrote:
> 
> Hi there,
> 
> This paragraph taken out as stand-alone seems to have a somewhat different meaning than if read together with the previous one in the document. If NETCONF is used over the default port, it is explicitly required to be controlled by security policy, but there is no such requirement when used over a non-default port, and the quoted paragraph mentions precisely this non-default port case. Therefore it seems that the text in the document is correct.
> 
> The other aspect is the operational practice of security policies for network elements - generally it should be "deny all, allow what is needed", but that is not what the document is focusing on.
> 
> Any opinions?
> 
> Thank you,
> 
> Ignas
> 
> 
> 
> On 26/03/2018 07:19, RFC Errata System wrote:
>> The following errata report has been submitted for RFC6242,
>> "Using the NETCONF Protocol over Secure Shell (SSH)".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5305
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: HengyingFan <fanhycd@qq.com>
>> 
>> Section: 6
>> 
>> Original Text
>> -------------
>>   This document also recommends that SSH servers be configurable to
>>   allow access to the "netconf" SSH subsystem over other ports.  Use of
>>   that configuration option without corresponding changes to firewall
>>   or network device configuration may unintentionally result in the
>>   ability for nodes outside of the firewall or other administrative
>>   boundaries to gain access to the "netconf" SSH subsystem.
>> 
>> 
>> Corrected Text
>> --------------
>>   This document also recommends that SSH servers be configurable to
>>   allow access to the "netconf" SSH subsystem over other ports.  Use of
>>   that configuration option without corresponding changes to firewall
>>   or network device configuration may unintentionally result in the
>>   inability for nodes outside of the firewall or other administrative
>>   boundaries to gain access to the "netconf" SSH subsystem.
>> 
>> 
>> Notes
>> -----
>> ability -> inability
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>> 
>> --------------------------------------
>> RFC6242 (draft-ietf-netconf-rfc4742bis-08)
>> --------------------------------------
>> Title               : Using the NETCONF Protocol over Secure Shell (SSH)
>> Publication Date    : June 2011
>> Author(s)           : M. Wasserman
>> Category            : PROPOSED STANDARD
>> Source              : Network Configuration
>> Area                : Operations and Management
>> Stream              : IETF
>> Verifying Party     : IESG
>
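The firewall interaction Margaret and Ignas describe, modelled as an added example (it is not part of this thread or of RFC 6242): a port-specific policy built around the default NETCONF-over-SSH port versus a default-deny policy, evaluated against a device whose "netconf" subsystem has been moved to another port. The rule sets, addresses and the alternate port 8830 are constructed for illustration.

```python
"""Model of the RFC 6242 Section 6 caveat: a firewall written around the
default NETCONF-over-SSH port protects only that port.  Rules, addresses
and the alternate port below are constructed, not taken from any device."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

NETCONF_DEFAULT_PORT = 830   # IANA-assigned port for NETCONF over SSH
OUTSIDE_IP = "203.0.113.7"   # constructed: a host beyond the admin boundary


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source network in CIDR notation
    port: Optional[int] = None  # None matches any TCP destination port


def reachable(rules: List[Rule], src_ip: str, dst_port: int,
              default_action: str) -> bool:
    """First-match evaluation of an ordered rule list for one TCP flow.
    Falls through to default_action when no rule matches."""
    ip = ip_address(src_ip)
    for r in rules:
        if ip in ip_network(r.src) and r.port in (None, dst_port):
            return r.action == "allow"
    return default_action == "allow"


# Weak policy: only the well-known port is filtered; anything else is
# implicitly allowed.  This is the configuration the RFC text warns about.
PORT_SPECIFIC_POLICY = ([
    Rule("allow", "10.0.0.0/8", NETCONF_DEFAULT_PORT),   # management net
    Rule("deny", "0.0.0.0/0", NETCONF_DEFAULT_PORT),     # everyone else
], "allow")

# Ignas's practice: deny all, allow what is needed.  Moving the netconf
# subsystem to another port then needs an explicit firewall change.
DEFAULT_DENY_POLICY = ([
    Rule("allow", "10.0.0.0/8", NETCONF_DEFAULT_PORT),
    Rule("deny", "0.0.0.0/0"),                           # catch-all
], "deny")


def exposed_to_outside(policy, netconf_port: int) -> bool:
    """True if an outside node can reach the "netconf" SSH subsystem
    listening on netconf_port under the given (rules, default) policy."""
    rules, default_action = policy
    return reachable(rules, OUTSIDE_IP, netconf_port, default_action)
```

Under the port-specific policy, moving the subsystem to 8830 silently exposes it; under default-deny it stays closed to the outside, and even the management network needs a corresponding rule change before it can reach the new port.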