Re: [Netconf] draft-ietf-netconf-rfc6536bis: one week review of a specific change
Andy Bierman <andy@yumaworks.com> Fri, 17 November 2017 20:25 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D101201F2 for <netconf@ietfa.amsl.com>; Fri, 17 Nov 2017 12:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBhwrFLOgQdx for <netconf@ietfa.amsl.com>; Fri, 17 Nov 2017 12:25:22 -0800 (PST)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9011A120454 for <netconf@ietf.org>; Fri, 17 Nov 2017 12:25:19 -0800 (PST)
Received: by mail-lf0-x234.google.com with SMTP id y2so3070218lfj.4 for <netconf@ietf.org>; Fri, 17 Nov 2017 12:25:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xWJ2Bik/S9kK42yPNdv5WYn8NtN+VBWEwynXg9TtOBw=; b=TLOCniv9bcKX223ENjGJnmn4yCN6qn0ui09Q+1fiU/NTUHf1Sw5L7Zr0cr3dAZH8gS xi93tpHVNCmA+OzstYpjieys4l4Gw360Y1h1x6tYVHeWSeSTZtKv0ggkmLKJYNPmUu7W ai0wHP58f/EU0WsiiQ92d7wzpDUJGdL8+KpLLE/UAuLSmbGtd159El3w6wkwtT1jwz/t siE0UHJ58HPK13oXB+yC1jK5Usw5fI+gg2BRvpdCe1B/5MOhltnQVKMhgCjkYfMmZ7zT XLlugIiMwFP/S7z2fE7mXZUNmmedDLbC9pjzRzll27jLT422OYxUASMHnDABspueBrWi mUIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xWJ2Bik/S9kK42yPNdv5WYn8NtN+VBWEwynXg9TtOBw=; b=dzy2066z9i1NtFp1b8rKvTulrFvnwXnxXR0Rn8NOu04K6Y3y8PziD/+9BGiKiDdIZW VUQmahYw+Ifw24r2uHCmKXQbzy35ZNXHIQZ5eyvnbnoHR3QHijK2P6k9qUqxZGkG3gUM GNEfCWGQbulEOl93SjGMuFYUmcI/CyHRV/kngVbpFrbNfAkrG+iio+0j1wCqDqwWEPED lGhYAZwp1hciffsEqShxRu6yn+0ulKlPuB+iypzPa6p04znlkO7ui291Y2AMcXgKCdNe bPqOH8zoLxWs3YUxyWaIG/3SufwQidzF6rfCbOGm4s72wvzC+0TRNJynU/eK1GbV2V07 5wcA==
X-Gm-Message-State: AJaThX5bx3oHrWj6i7bB9r7RH1CJTBDeyy4dr3jJHMnvkVtVR1dQUrtB nbaDGZJ4Bf5TVdXgSZ9k7DyeLFMxvbQ/VTM+QngmGA==
X-Google-Smtp-Source: AGs4zMaGEGGppRkEMiSJHl2oj2ELVBStIgLQR4GeCJglIZEjPc083SKpTidqqfWyCX7pv94sTpc4Bzeqi1DuaN2X54k=
X-Received: by 10.25.21.77 with SMTP id l74mr1241237lfi.134.1510950317762; Fri, 17 Nov 2017 12:25:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.33.81 with HTTP; Fri, 17 Nov 2017 12:25:16 -0800 (PST)
In-Reply-To: <041e8574-4eb2-315d-1259-357185065b6b@cisco.com>
References: <CABCOCHSYYFrZxC11v_++adG2uCP7urxR=VOKX-+8zXA-qiBCTA@mail.gmail.com> <60763bcf-47d9-d538-f1b3-6d71e3c80d1d@cisco.com> <CABCOCHTEXwhAq6NzoAGHcC-EE19bXJ0kbqPS0hwJB5_+RtOfyg@mail.gmail.com> <20171113.162810.1853130535954821831.mbj@tail-f.com> <272FF52B-B843-46DA-A502-0080B66FA8E7@gmail.com> <CABCOCHR2OYsN9LLcEZ9AuGQ-_9mYp788CzsEPcbfxHKeAquNpg@mail.gmail.com> <c15ea143-071d-c06b-7f75-e0f461f1b3db@cisco.com> <A766BBC2-8A02-4C70-8A65-1BC8936B0A3D@gmail.com> <0cd2df0d-08cb-2f8b-2c66-906c699f4d83@cisco.com> <91F5996E-16B2-443D-B826-3A3116E8FA48@gmail.com> <041e8574-4eb2-315d-1259-357185065b6b@cisco.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Fri, 17 Nov 2017 12:25:16 -0800
Message-ID: <CABCOCHSJdJ7T8Yk-eeKv_qsBji7A4pUX6PP+ebvQQO5bsMJaUg@mail.gmail.com>
To: Robert Wilton <rwilton@cisco.com>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, sec-ads@ietf.org, netconf <netconf@ietf.org>, Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a11402ddaf6b75f055e338842"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/rb-vxxWDJx1ts7Rz8dNRpu8KRoY>
Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis: one week review of a specific change
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 20:25:25 -0000
Hi, I updated the draft-pre-09.txt version with these changes. Andy On Fri, Nov 17, 2017 at 12:16 PM, Robert Wilton <rwilton@cisco.com> wrote: > The updated text looks OK to me. > > We also need to delete this paragraph from the end of section 1.2: > > REMOVE: > The server message processing behavior for the edit operation "none", > used in the <edit-config>, has been changed. Now read access is > required for such data nodes, instead of no access required. > > Thanks, > Rob > > > On 16/11/2017 11:40, Mahesh Jethanandani wrote: > > I have verified that the proposed changes have been incorporated in -09 > version of the draft in GitHub. > > Based on my discussion with Eric, there is a little more tweak that we > need to provide to Security Considerations section in the third paragraph. > > OLD: > > There is a risk related to the lack of access control enforcement for > the RESTCONF OPTIONS method. The risk here is that the response to > OPTIONS may vary based on the presence or absence of a resource > corresponding to the URL's path. If this is the case, then it can be > used to trivially probe for the presence or absence of values within > a tree. Therefore, a server MUST NOT vary their OPTIONS responses > based on the existence of the underlying resource, which would > indicate the presence or absence of resource instances. > > NEW: > > There is a risk related to the lack of access control enforcement for > the RESTCONF OPTIONS and PATCH methods. The risk here is that the response to > OPTIONS and PATCH may vary based on the presence or absence of a resource > corresponding to the URL's path. If this is the case, then it can be > used to trivially probe for the presence or absence of values within > a tree. Therefore, a server MUST NOT vary its responses > based on the existence of the underlying resource, which would > indicate the presence or absence of resource instances. In particular > > servers should not expose any instance information before ensuring > that the client has the necessary access permissions to obtain that > information. In such cases, servers are expected to always return the “access- > > denied” error response. > > > > On Nov 16, 2017, at 1:56 PM, Robert Wilton <rwilton@cisco.com> wrote: > > I'm not sure I understand exactly what point the previous text was stating > so I'm not sure whether my proposed text is stating the same thing (or > whether this has already been stated elsewhere in the draft): > > OLD: > > Therefore, a server MUST NOT vary their OPTIONS responses > based on the existence of the underlying resource, which would > indicate the presence or absence of resource instances. In particular > servers should not expose instance information before validating field > information. > > > NEW: > > Therefore, a server MUST NOT vary their OPTIONS responses > based on the existence of the underlying resource, which would > indicate the presence or absence of resource instances. In particular > > servers should not expose any instance information before ensuring > that the client has the necessary access permissions to obtain that > information. > > > > Is that any more clear? Or have I missed the point? > > Thanks, > Rob > > > On 16/11/2017 12:55, Mahesh Jethanandani wrote: > > Can you provide text? > > On Nov 16, 2017, at 12:29 PM, Robert Wilton <rwilton@cisco.com> wrote: > > "validating field information" is slightly unclear to me, can this be > reworded slightly? > > Thanks, > Rob > > On 16/11/2017 03:12, Andy Bierman wrote: > > Hi, > > I updated the draft with these changes on github. > There is a draft-pre-09.txt file now for you to review. > > > Andy > > > On Tue, Nov 14, 2017 at 5:05 PM, Mahesh Jethanandani < > mjethanandani@gmail.com> wrote: > >> Andy, >> >> I assume you will incorporate these changes in the -09 version of the >> draft. >> >> However, I am unable to review the changes in github. Can you post the >> diffs of the draft w.r.t. -08 version. >> >> That still leaves us with one issue, and that has to do with the what >> permission to give edit-operation. I am assuming the WG agrees that making >> the change from ‘none’ to ‘read’ for edit operations makes maintenance more >> difficult and makes the operation more vulnerable, unless all the deny >> rules are in place. >> >> We will need to update the security considerations section to address >> Eric’s concerns. How about this update? >> >> OLD: >> >> Therefore, a server MUST NOT vary their OPTIONS responses >> based on the existence of the underlying resource, which would >> indicate the presence or absence of resource instances. >> >> >> NEW: >> >> Therefore, a server MUST NOT vary their OPTIONS responses >> based on the existence of the underlying resource, which would >> indicate the presence or absence of resource instances. In particular >> >> servers should not expose instance information before validating field >> >> information. >> >> >> Cheers. >> >> On Nov 13, 2017, at 11:28 PM, Martin Bjorklund <mbj@tail-f.com> wrote: >> >> Hi, >> >> I just read this thread, and I agree with the changes, but see below >> for a comment. >> >> >> Andy Bierman <andy@yumaworks.com> wrote: >> >> Hi, >> >> Here are some proposed edits to make the data rule consistent with the >> examples. >> Note that this issue is not related to the edit in the original 1-week >> change. >> >> >> sec. 3.3.5: >> >> OLD: >> >> >> data node rule: controls access for a specific data node, identified >> by its path location within the conceptual XML document for the >> data node. >> >> >> NEW: >> >> data node rule: controls access for a specific data node and its >> descendants, >> identified by its path location within the conceptual XML document >> for the >> data node. >> >> >> sec 3.4.5, step 6, bullet 2: >> >> >> OLD: >> >> * The rule does not have a "rule-type" defined or the "rule- >> type" is "data-node" and the "path" matches the requested >> data node, action node, or notification node. >> >> >> NEW: >> >> >> * The rule does not have a "rule-type" defined or the "rule- >> type" is "data-node" and the "path" matches the requested >> data node, action node, or notification node. A path is >> considered to match if the current data node is the data node >> specified by the path, or is a descendant data node of this >> data node. >> >> >> I propose: >> >> The rule does not have a "rule-type" defined or the >> "rule-type" is "data-node" and the "path" matches the >> requested data node, action node, or notification node. >> A path is considered to match if the requested node >> is the node specified by the path, or is a >> descendant node of the path. >> >> Note: s/current node/requested node/ which is the term used in the >> first sentence. And then s/data node/node/ since the first sentence >> refer to data-, action-, and notification node. >> >> I have checked in this fix in the repo. >> >> >> /martin >> >> _______________________________________________ >> Netconf mailing list >> Netconf@ietf.org >> https://www.ietf.org/mailman/listinfo/netconf >> >> >> Mahesh Jethanandani >> mjethanandani@gmail.com >> >> > > > _______________________________________________ > Netconf mailing listNetconf@ietf.orghttps://www.ietf.org/mailman/listinfo/netconf > > > > Mahesh Jethanandani > mjethanandani@gmail.com > > > > Mahesh Jethanandani > mjethanandani@gmail.com > > >
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Kent Watsen
- [Netconf] draft-ietf-netconf-rfc6536bis: one week… Benoit Claise
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Mahesh Jethanandani
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Per Hedeland
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Mahesh Jethanandani
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Mahesh Jethanandani
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Mahesh Jethanandani
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Mahesh Jethanandani
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Benoit Claise
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Benoit Claise
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Martin Bjorklund
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … t.petch
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Randy Presuhn
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Randy Presuhn
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … t.petch
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Ladislav Lhotka
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Ladislav Lhotka
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Ladislav Lhotka
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Robert Wilton
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Ladislav Lhotka
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Andy Bierman
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … t.petch
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Ladislav Lhotka
- Re: [Netconf] draft-ietf-netconf-rfc6536bis: one … Benoit Claise