Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-https-notif-13: (with DISCUSS and COMMENT)

Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 22 November 2023 02:37 UTC

Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-https-notif@ietf.org, netconf-chairs <netconf-chairs@ietf.org>, netconf <netconf@ietf.org>, maqiufang1@huawei.com
To: Roman Danyliw <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/sDbSERg8KahFhSYAqH8icZWj_Iw>

Hi Roman,

Sorry for taking the time to get back to this. Thanks for providing review comments. Please see inline.

> On Dec 13, 2022, at 1:14 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-netconf-https-notif-13: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-netconf-https-notif/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> ** Section 6.2
> 
>       container receiver-identity {
>         if-feature receiver-identity;
>         description
>           "Maps the receiver's TLS certificate to a local identity
>            enabling access control to be applied to filter out
>            notifications that the receiver may not be authorized
>            to view.";
>         container cert-maps {
>           uses x509c2n:cert-to-name;
>           description
>             "The cert-maps container is used by a TLS-based HTTP
>              server to map the HTTPS client's presented X.509
>              certificate to a 'local' username. If no matching and
>              valid cert-to-name list entry is found, the publisher
>              MUST close the connection, and MUST NOT send any
>              notifications over it.";
> 
> 
> The ietf-x509-cert-to-name module exposes many certificate fields.  What
> specific fields need to be matched from this module and the local identity
> value?

How about this update to the description field:

        description
          "The cert-maps container is used by a TLS-based HTTP
           server to map the HTTPS client's presented X.509
           certificate to a 'local' username. Specifically, the
           'name' field within the module is used along with the
           'specified' identity to perform the match. If no
           matching and valid cert-to-name list entry is found,
           the publisher MUST close the connection, and MUST
           NOT send any notifications over it.";

> 
> ** Unsafe TLS configurations seem possible.
> 
> (a) Section 6.2.
>     grouping https-receiver-grouping {
>       description
>         "A grouping that may be used by other modules wishing to
>          configure HTTPS-based notifications without using RFC 8639.";
>       uses httpc:http-client-stack-grouping {
> 
> (b) Section 7
>   The YANG modules in this document make use of grouping that are
>   defined in YANG Groupings for HTTP Clients and HTTP Servers
>   [I-D.ietf-netconf-http-client-server], and A YANG Data Model for SNMP
>   Configuration [RFC7407].  Please see the Security Considerations
>   section of those documents for considerations related to sensitivity
>   and vulnerability of the data nodes defined in them.
> 
> Per (a) “grouping https-receiver-grouping” seems to reference
> draft-ietf-netconf-netconf-client-server which in turn seems to reference
> draft-ietf-netconf-tls-client-server.
> 
> Per (b), the Security Considerations for
> draft-ietf-ietf-netconf-http-client-server say none of the modules are read or
> write sensitive.  Draft-ietf-netconf-tls-client-server’s Security
> Considerations (not referenced here) do note that write access could alter the
> security policy.
> 
> Please provide a declarative caution here about writing to
> https-receiver-group.  Additionally, are any TLS parameters in
> transport/tls/tls/http/client-parameters acceptable?  Should they conform to
> draft-ietf-uta-rfc7525bis?

Ok. I have updated that paragraph as follows:

OLD:

  The YANG modules in this document make use of grouping that are
  defined in YANG Groupings for HTTP Clients and HTTP Servers
  [I-D.ietf-netconf-http-client-server], and A YANG Data Model for SNMP
  Configuration [RFC7407].  Please see the Security Considerations
  section of those documents for considerations related to sensitivity
  and vulnerability of the data nodes defined in them.

NEW:

The YANG modules in this document make use of groupings that are
defined in YANG Groupings for HTTP Clients and HTTP Servers
[I-D.ietf-netconf-http-client-server], YANG Groupings for TLS Clients
and TLS Servers [I-D.ietf-netconf-tls-client-server], and A YANG
Data Model for SNMP Configuration [RFC7407]. Please see the
Security Considerations section of those documents for considerations
related to sensitivity and vulnerability of the data nodes defined in them.
Additionally, the parameters defined in the tls-client-grouping in the
ietf-tls-client module should follow the recommendations specified in
Recommendations for Secure Use of Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS) [RFC9325].

> 
> ** Section 10.
>   *  The "path" node in "ietf-subscribed-notif-receivers" module can be
>      modified by a malicious user to point to an invalid URI.
> 
> It could be worse than that.  An attacker could direct the to a URL of their
> choosing which could (a) serve an exploit against a vulnerable client; or (b)
> assuming redirects are followed, track usage.

I have added text that pretty much reflects these comments.

> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Leif Johansson for the SECDIR review
> 
> I support Lars Eggert’s and Éric Vyncke’s related DISCUSS position.
> 
> Editorially, due to the module imports, it was difficult to read the YANG tree
> view in Section 6.1 and reconcile it with the module in Section 6.2.

Would adding a complete tree diagram in the Appendix help?

Thanks.

Mahesh Jethanandani
mjethanandani@gmail.com
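As an added illustration of the cert-maps point discussed above (example code, not part of the draft or of this thread): a publisher applying an RFC 7407 cert-to-name list to the receiver's certificate, where the entry's fingerprint selects the match, the map-type selects where the local identity comes from ('name' for the 'specified' identity), and no match means the connection is closed without sending notifications. The certificate dict, its DER bytes and the list entries are constructed sample data; first-match-in-id-order is the RFC 7407 search rule.

```python
# Added example, not the draft's or the thread's code: a publisher applying an
# RFC 7407 cert-to-name list (x509c2n:cert-to-name) to a receiver's certificate.
# The "certificate" is a constructed dict standing in for a parsed X.509 cert.
import hashlib

SHA256_ALG_ID = 0x04  # TLS HashAlgorithm registry value for sha256 (RFC 5246)

def tls_fingerprint(cert_der: bytes) -> str:
    """x509c2n:tls-fingerprint: hash-algorithm octet, then the digest, colon-separated."""
    raw = bytes([SHA256_ALG_ID]) + hashlib.sha256(cert_der).digest()
    return ":".join(f"{b:02x}" for b in raw)

def map_cert_to_name(cert: dict, cert_to_name: list):
    """First fingerprint match in 'id' order wins; 'specified' uses the entry's
    'name', other map-types read the identity from the certificate; else None."""
    fp = tls_fingerprint(cert["der"])
    for entry in sorted(cert_to_name, key=lambda e: e["id"]):
        if entry["fingerprint"].lower() != fp:
            continue
        mt = entry["map-type"]
        if mt == "specified":
            return entry.get("name")
        if mt == "common-name":
            return cert.get("subject_cn")
        if mt == "san-dns-name":
            return cert.get("san_dns")
        if mt == "san-rfc822-name":
            return cert.get("san_rfc822")
        if mt == "san-any":  # simplified: real code follows the SAN order in the cert
            return cert.get("san_rfc822") or cert.get("san_dns") or cert.get("san_ip")
        return None  # unknown map-type: no valid entry
    return None

def publisher_decision(cert: dict, cert_to_name: list):
    """(keep_connection, identity): no identity means close, send no notifications."""
    identity = map_cert_to_name(cert, cert_to_name)
    return (identity is not None, identity)

# Constructed sample data: fake DER bytes and a two-entry cert-to-name list.
RECEIVER_CERT = {"der": b"constructed-receiver-cert-der",
                 "subject_cn": "collector1", "san_dns": "collector1.example.net"}
CERT_MAPS = [
    {"id": 2, "fingerprint": tls_fingerprint(b"constructed-other-cert"),
     "map-type": "common-name"},
    {"id": 1, "fingerprint": tls_fingerprint(RECEIVER_CERT["der"]),
     "map-type": "specified", "name": "notif-receiver-a"},
]
```

A 'specified' entry without a 'name', or a certificate lacking the field the map-type selects, yields no identity and is treated like a missing entry: the connection is closed.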