Re: [Netconf] Kathleen Moriarty's Discuss on draft-ietf-netconf-yang-patch-12: (with DISCUSS and COMMENT)

Andy Bierman <andy@yumaworks.com> Fri, 11 November 2016 17:08 UTC

To: Mahesh Jethanandani <mjethanandani@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/rWvaUufl-aoygQdwAKp0KjfByWA>
Cc: Netconf <netconf@ietf.org>, draft-ietf-netconf-yang-patch@ietf.org, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, NETCONF Working Group <netconf-chairs@ietf.org>

On Fri, Nov 11, 2016 at 6:04 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:

> Andy,
>
> I am looking at -13 version of the document and following up on all the
> DISCUSS on the document to make sure they have been addressed. In
> particular -
>
> On Nov 3, 2016, at 9:35 PM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>
> Hi Andy,
>
> Thanks for your response and sorry I didn't see it sooner.  Inline
>
> On Tue, Nov 1, 2016 at 5:21 PM, Andy Bierman <andy@yumaworks.com> wrote:
>
>>
>>
>> On Tue, Nov 1, 2016 at 7:15 AM, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>>
>>> Authors,
>>>
>>> Can we address Kathleen's comments?
>>>
>>> Mahesh Jethanandani
>>> mjethanandani@gmail.com
>>>
>>> > On Oct 31, 2016, at 8:28 AM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>> >
>>> > Kathleen Moriarty has entered the following ballot position for
>>> > draft-ietf-netconf-yang-patch-12: Discuss
>>> >
>>> > When responding, please keep the subject line intact and reply to all
>>> > email addresses included in the To and CC lines. (Feel free to cut this
>>> > introductory paragraph, however.)
>>> >
>>> >
>>> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> > for more information about IESG DISCUSS and COMMENT positions.
>>> >
>>> >
>>> > The document, along with other ballot positions, can be found here:
>>> > https://datatracker.ietf.org/doc/draft-ietf-netconf-yang-patch/
>>> >
>>> >
>>> >
>>> > ----------------------------------------------------------------------
>>> > DISCUSS:
>>> > ----------------------------------------------------------------------
>>> >
>>> > This should be easy to resolve through discussion or some text tweaks.
>>> > In the security considerations section, I see some text that hints at my
>>> > questions below, but isn't clear enough, so I'd like to discuss it to see
>>> > if these things are covered, or why they are not, and to see if we can
>>> > tweak the text a bit.
>>> >
>>> > The following text is helpful, is PATCH described in
>>> > [I-D.ietf-netconf-restconf]?
>>> >   This document defines edit processing
>>> >   instructions for a variant of the PATCH method, as used within the
>>> >   RESTCONF protocol.
>>> >
>>> > I see section 2.7 discusses error handling and validating the YANG
>>> > module, but is there a way that the hash (or some other mechanism) of the
>>> > patch could be validated to ensure the patch was not altered.  Is that
>>> > already described for PATCH?
>>>
>>
>> The YANG Patch requests are not signed.
>> These messages are sent within the RESTCONF protocol, which MUST use TLS.
>>
>> Sec 1. says:
>>
>>    It may be possible to use YANG Patch with other protocols besides
>>    RESTCONF.  This is outside the scope of this document.  It may be
>>    possible to use YANG Patch with datastore types other than a
>>    configuration datastore.  This is outside the scope of this document.
>>
>> The security requirements for protocols other than RESTCONF are not
>> discussed.
>> Should I add text somewhere to make it clear the document applies only
>> to RESTCONF use of YANG Patch?
>>
>
> Yes, that text would be good.  It might be good to mention that there is
> no capability to sign or validate patches with RESTCONF as well so this is
> clear in the considerations.
>
>
> Is this addressed somewhere? I looked at Section 1 and Security
> Considerations, but could not find any explicit mention.
>

sec. 1, para 2:

   This document only specifies the use of
   the YANG Patch media type with the RESTCONF protocol.


>
>
>>
>> >
>>> > I also see this text in the security considerations section:
>>> >   It is important for RESTCONF server implementations to carefully
>>> >   validate all the edit request parameters in some manner.
>>> >
>>> > Is the source of the patch authenticated?  Can the client receiving the
>>> > patch be authenticated?  Is this handled through RESTCONF?  Since YANG
>>> > modules could add in write capabilities, unauthenticated patches could
>>> > result in opening backdoors or revealing information that was not
>>> > intended.  You are covering it with that statement, but it's not clear if
>>> > both ends can be authenticated and there are attacks if they are not
>>> > authenticated.
>>> >
>>> >
>>>
>>
>>
>> It is covered by RESTCONF. Both client and server are authenticated.
>>
>
> Great, can you re-word the sentence to make sure it is clear that this is
> done with RESTCONF, but maybe not other protocols?
>
>
> And this.
>


sec 5, para 3

   For RESTCONF, both the client and server MUST be authenticated,
   according to section 2 of [I-D.ietf-netconf-restconf]
   <https://tools.ietf.org/html/draft-ietf-netconf-yang-patch-13#ref-I-D.ietf-netconf-restconf>.


Andy



>
>
>
>>
>> However, security considerations sec. has this text
>> similar to sec. 1:
>>
>>   It may be possible to use YANG Patch with other protocols besides
>>   RESTCONF, which is outside the scope of this document.
>>
>> Regarding this text:
>>
>> > Since YANG
>> > modules could add in write capabilities, unauthenticated patches could
>> > result in opening backdoors or revealing information that was not
>> > intended.
>>
>> I am not aware how YANG allows this vulnerability.
>> The patch represents instance data which is supposed to conform to
>> the schema nodes in the YANG modules advertised by the server.
>>
>
> RESTCONF doing server and client auth covers this.  Thank you.
>
>>
>>
>>
>>
>>> > ----------------------------------------------------------------------
>>> > COMMENT:
>>> > ----------------------------------------------------------------------
>>> >
>>> > Nit: In section 2.2
>>> >
>>> >   YANG Patch does not provide any access to specific datastores.  It is
>>> >   am implementation detail
>>> >
>>> > s/am/an/
>>>
>>
>> fixed
>>
>>
>>> >
>>> >
>>>
>>
>>
>> Andy
>>
>>
>
> Thank you!
>
>
> --
>
> Best regards,
> Kathleen
>
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>
>
>