Re: [Netconf] [Technical Errata Reported] RFC6242 (5305)

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 26 March 2018 16:27 UTC

From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <a40115f9-48e5-804e-4683-887e242e565a@gmail.com>
Date: Mon, 26 Mar 2018 09:28:07 -0700
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, mrw@painless-security.com, warren@kumari.net, Kent Watsen <kwatsen@juniper.net>, fanhycd@qq.com, netconf@ietf.org
Message-Id: <00E2E79B-B4D0-47D8-9C06-631B7644465E@gmail.com>
References: <20180326061924.377B7B82685@rfc-editor.org> <a40115f9-48e5-804e-4683-887e242e565a@gmail.com>
To: Ignas Bagdonas <ibagdona@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/akA6dxoCst4RDRwIabWdXxG0pgY>

My recommendation is to reject the errata. The text as it exists is correct in saying that if a non-default port is used and the firewall rules are not updated, it may result in the ability to access the NETCONF SSH subsystem, which may not be covered by firewall or other administrative boundaries.

> On Mar 26, 2018, at 9:07 AM, Ignas Bagdonas <ibagdona@gmail.com> wrote:
> 
> Hi there,
> 
> This paragraph taken out as stand-alone seems to have a somewhat different meaning than if read together with the previous one in the document. If NETCONF is used over the default port, it is explicitly required to be controlled by security policy, but there is no such requirement when used over a non-default port, and the quoted paragraph mentions precisely this non-default port case. Therefore it seems that the text in the document is correct.
> 
> The other aspect is the operational practice of security policies for network elements - generally it should be deny all, allow what is needed, but that is not what the document is focusing on.
> 
> Any opinions?
> 
> Thank you,
> 
> Ignas
> 
> 
> 
> On 26/03/2018 07:19, RFC Errata System wrote:
>> The following errata report has been submitted for RFC6242,
>> "Using the NETCONF Protocol over Secure Shell (SSH)".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5305
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: HengyingFan <fanhycd@qq.com>
>> 
>> Section: 6
>> 
>> Original Text
>> -------------
>>    This document also recommends that SSH servers be configurable to
>>    allow access to the "netconf" SSH subsystem over other ports.  Use of
>>    that configuration option without corresponding changes to firewall
>>    or network device configuration may unintentionally result in the
>>    ability for nodes outside of the firewall or other administrative
>>    boundaries to gain access to the "netconf" SSH subsystem.
>> 
>> 
>> Corrected Text
>> --------------
>>    This document also recommends that SSH servers be configurable to
>>    allow access to the "netconf" SSH subsystem over other ports.  Use of
>>    that configuration option without corresponding changes to firewall
>>    or network device configuration may unintentionally result in the
>>    inability for nodes outside of the firewall or other administrative
>>    boundaries to gain access to the "netconf" SSH subsystem.
>> 
>> 
>> Notes
>> -----
>> ability -> inability
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>> 
>> --------------------------------------
>> RFC6242 (draft-ietf-netconf-rfc4742bis-08)
>> --------------------------------------
>> Title               : Using the NETCONF Protocol over Secure Shell (SSH)
>> Publication Date    : June 2011
>> Author(s)           : M. Wasserman
>> Category            : PROPOSED STANDARD
>> Source              : Network Configuration
>> Area                : Operations and Management
>> Stream              : IETF
>> Verifying Party     : IESG
> 

Mahesh Jethanandani
mjethanandani@gmail.com
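The situation the RFC 6242 Section 6 paragraph warns about (the SSH server is reconfigured to offer the "netconf" subsystem on an additional port, but the firewall or device ACLs were written only for the default port 830) can be checked mechanically. The script below is an added example for this thread, not code from RFC 6242 or from any of the participants. It parses a constructed sshd_config for Port/ListenAddress/Subsystem directives, evaluates a constructed, simplified first-match firewall rule list against an outside source address, and reports, for every port that carries the netconf subsystem, whether the firewall policy explicitly covers it, leaves it "open" (the RFC's "ability to gain access" case, when the default policy is accept), or "blocked" (the deny-all default that Ignas mentions, in which case the unlisted port is unreachable for outsiders and for the operator alike). The rule format, the status names and the sample addresses are this example's own assumptions, not an nftables or vendor ACL syntax.

```python
"""Check which sshd ports expose the "netconf" subsystem outside firewall policy.

Added example for the RFC 6242 errata discussion; not code from the RFC or the
mailing-list thread. Only the Port, ListenAddress and Subsystem directives of
sshd_config are parsed, and the firewall is a simplified ordered rule list with
a default policy (an assumption, not nftables or any vendor ACL syntax).
"""
import ipaddress
import re

# Constructed sample sshd_config: netconf subsystem enabled, listening on the
# IANA-assigned NETCONF-over-SSH port 830 and on a non-default port 2222.
SAMPLE_SSHD_CONFIG = """
# sshd_config (constructed for this example)
Port 830
Port 2222
Subsystem sftp /usr/libexec/sftp-server
Subsystem netconf /usr/libexec/netconf-subsystem
"""

# Constructed firewall rules written when only port 830 existed: management
# stations on 10.0.0.0/24 may reach 830, everyone else is dropped on 830,
# and nothing mentions 2222.
SAMPLE_RULES = [
    {"port": 830, "src": "10.0.0.0/24", "action": "accept"},
    {"port": 830, "src": "0.0.0.0/0", "action": "drop"},
]


def parse_sshd_config(text):
    """Return (sorted listening ports, netconf_subsystem_enabled)."""
    ports = []
    netconf = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "port" and len(parts) >= 2 and parts[1].isdigit():
            ports.append(int(parts[1]))
        elif key == "listenaddress" and len(parts) >= 2:
            m = re.search(r":(\d+)$", parts[1])  # host:port or [v6]:port
            if m:
                ports.append(int(m.group(1)))
        elif key == "subsystem" and len(parts) >= 3 and parts[1] == "netconf":
            netconf = True
    if not ports:
        ports = [22]  # sshd default when no Port/ListenAddress is given
    return sorted(set(ports)), netconf


def port_reachable_from(port, src_ip, rules, default_policy):
    """First-match evaluation of the simplified rule list for one packet."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["port"] == port and ip in ipaddress.ip_network(r["src"]):
            return r["action"] == "accept"
    return default_policy == "accept"


def netconf_exposure(sshd_config, rules, default_policy, outside_ip="203.0.113.7"):
    """Map each port carrying the netconf subsystem to 'covered', 'open' or 'blocked'.

    'covered': some rule explicitly addresses the port.
    'open':    no rule mentions it and an outside address can reach it
               (the RFC 6242 Section 6 warning).
    'blocked': no rule mentions it and the default policy drops it.
    """
    ports, netconf = parse_sshd_config(sshd_config)
    if not netconf:
        return {}
    result = {}
    for p in ports:
        mentioned = any(r["port"] == p for r in rules)
        reachable = port_reachable_from(p, outside_ip, rules, default_policy)
        if mentioned:
            result[p] = "covered"
        elif reachable:
            result[p] = "open"
        else:
            result[p] = "blocked"
    return result


if __name__ == "__main__":
    for policy in ("accept", "drop"):
        print(policy, netconf_exposure(SAMPLE_SSHD_CONFIG, SAMPLE_RULES, policy))
```

With a permit-by-default firewall the report flags 2222 as "open", which is exactly the unintended access the original RFC text describes; with deny-by-default it is "blocked", which is not an exposure but still means the operator has to add a rule before the non-default port is usable, so the firewall change the RFC calls for is needed in both cases.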