Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-https-notif-13: (with DISCUSS and COMMENT)
Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 22 November 2023 02:37 UTC
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Date: Tue, 21 Nov 2023 18:37:46 -0800
In-Reply-To: <167096607866.46389.13136814861583410871@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-https-notif@ietf.org, netconf-chairs <netconf-chairs@ietf.org>, netconf <netconf@ietf.org>, maqiufang1@huawei.com
To: Roman Danyliw <rdd@cert.org>
References: <167096607866.46389.13136814861583410871@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/sDbSERg8KahFhSYAqH8icZWj_Iw>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-https-notif-13: (with DISCUSS and COMMENT)
Hi Roman,

Sorry for taking the time to get back to this. Thanks for providing review comments. Please see inline.

> On Dec 13, 2022, at 1:14 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
>
> Roman Danyliw has entered the following ballot position for
> draft-ietf-netconf-https-notif-13: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-netconf-https-notif/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> ** Section 6.2
>
>     container receiver-identity {
>       if-feature receiver-identity;
>       description
>         "Maps the receiver's TLS certificate to a local identity
>          enabling access control to be applied to filter out
>          notifications that the receiver may not be authorized
>          to view.";
>       container cert-maps {
>         uses x509c2n:cert-to-name;
>         description
>           "The cert-maps container is used by a TLS-based HTTP
>            server to map the HTTPS client's presented X.509
>            certificate to a 'local' username. If no matching and
>            valid cert-to-name list entry is found, the publisher
>            MUST close the connection, and MUST NOT send any
>            notifications over it.";
>
> The ietf-x509-cert-to-name module exposes many certificate fields. What
> specific fields need to be matched from this module and the local identity
> value?

How about this update to the description field:

  description
    "The cert-maps container is used by a TLS-based HTTP
     server to map the HTTPS client's presented X.509
     certificate to a 'local' username. Specifically, the
     'name' field within the module is used along with the
     'specified' identity to perform the match. If no matching
     and valid cert-to-name list entry is found, the publisher
     MUST close the connection, and MUST NOT send any
     notifications over it.";

> ** Unsafe TLS configurations seem possible.
>
> (a) Section 6.2.
>
>   grouping https-receiver-grouping {
>     description
>       "A grouping that may be used by other modules wishing to
>        configure HTTPS-based notifications without using RFC 8639.";
>     uses httpc:http-client-stack-grouping {
>
> (b) Section 7
>
>   The YANG modules in this document make use of grouping that are
>   defined in YANG Groupings for HTTP Clients and HTTP Servers
>   [I-D.ietf-netconf-http-client-server], and A YANG Data Model for SNMP
>   Configuration [RFC7407]. Please see the Security Considerations
>   section of those documents for considerations related to sensitivity
>   and vulnerability of the data nodes defined in them.
>
> Per (a) "grouping https-receiver-grouping" seems to reference
> draft-ietf-netconf-netconf-client-server which in turn seems to reference
> draft-ietf-netconf-tls-client-server.
>
> Per (b), the Security Considerations for
> draft-ietf-netconf-http-client-server say none of the modules are read or
> write sensitive. Draft-ietf-netconf-tls-client-server's Security
> Considerations (not referenced here) do note that write access could alter the
> security policy.
>
> Please provide a declarative caution here about writing to
> https-receiver-group. Additionally, are any TLS parameters in
> transport/tls/tls/http/client-parameters acceptable? Should they conform to
> draft-ietf-uta-rfc7525bis?

Ok. I have updated that paragraph as follows:

OLD:

  The YANG modules in this document make use of grouping that are
  defined in YANG Groupings for HTTP Clients and HTTP Servers
  [I-D.ietf-netconf-http-client-server], and A YANG Data Model for SNMP
  Configuration [RFC7407]. Please see the Security Considerations
  section of those documents for considerations related to sensitivity
  and vulnerability of the data nodes defined in them.

NEW:

  The YANG modules in this document make use of grouping that are
  defined in YANG Groupings for HTTP Clients and HTTP Servers
  [I-D.ietf-netconf-http-client-server], YANG Groupings for TLS Clients
  and TLS Servers [I-D.ietf-netconf-tls-client-server], and A YANG Data
  Model for SNMP Configuration [RFC7407]. Please see the Security
  Considerations section of those documents for considerations related
  to sensitivity and vulnerability of the data nodes defined in them.
  Additionally, the parameters defined in the tls-client-grouping in the
  ietf-tls-client module should follow the recommendations specified in
  Recommendations for Secure Use of Transport Layer Security (TLS) and
  Datagram Transport Layer Security (DTLS) [RFC9325].

> ** Section 10.
>
>    * The "path" node in "ietf-subscribed-notif-receivers" module can be
>      modified by a malicious user to point to an invalid URI.
>
> It could be worse than that. An attacker could direct the to a URL of their
> choosing which could (a) serve an exploit against a vulnerable client; or (b)
> assuming redirects are followed, track usage.

I have added text that pretty much reflects these comments.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you to Leif Johansson for the SECDIR review
>
> I support Lars Eggert's and Éric Vyncke's related DISCUSS position.
>
> Editorially, due to the module imports, it was difficult to read the YANG tree
> view in Section 6.1 and reconcile it with the module in Section 6.2.

Would adding a complete tree diagram in the Appendix help?

Thanks.

Mahesh Jethanandani
mjethanandani@gmail.com
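As an added illustration of the cert-maps behaviour the DISCUSS thread above turns on (this is an example written for this page, not code from the draft, RFC 7407 or any implementation): a simplified Python model of the x509c2n:cert-to-name lookup, showing how a fingerprint on the leaf or an issuer selects an entry, how the 'specified' map-type yields the configured 'name', and how a miss ends in "close the connection". It assumes certificates already parsed into plain dataclasses, sha-256 fingerprints only, and the map-type semantics as I read them from RFC 7407; all certificates and entries are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-ins for X.509 certificates: fake DER bytes plus the
# parsed name fields the cert-to-name map types need (not real certs).
@dataclass
class Cert:
    der: bytes
    common_name: str
    san_rfc822: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)

@dataclass
class CertToNameEntry:
    id: int           # list key; entries are tried in ascending id order
    fingerprint: str  # x509c2n:tls-fingerprint text: "04:" (sha-256) + digest
    map_type: str     # 'specified', 'common-name', 'san-rfc822-name', 'san-dns-name'
    name: str = ""    # the local identity, used only when map_type == 'specified'

def tls_fingerprint(der: bytes) -> str:
    """Hash-algorithm octet (0x04 = sha-256) then the colon-separated digest."""
    return ":".join(f"{b:02x}" for b in b"\x04" + hashlib.sha256(der).digest())

def cert_to_name(chain: List[Cert], entries: List[CertToNameEntry]) -> Optional[str]:
    """Leaf-first chain -> local username, or None (publisher closes the connection, sends nothing)."""
    leaf = chain[0]
    chain_fps = {tls_fingerprint(c.der) for c in chain}  # leaf or an issuer may match
    for e in sorted(entries, key=lambda e: e.id):
        if e.fingerprint.lower() not in chain_fps:
            continue
        if e.map_type == "specified":
            return e.name
        if e.map_type == "common-name":
            return leaf.common_name
        if e.map_type == "san-rfc822-name" and leaf.san_rfc822:
            return leaf.san_rfc822[0]
        if e.map_type == "san-dns-name" and leaf.san_dns:
            return leaf.san_dns[0]
        # fingerprint matched but the leaf lacks the SAN this entry needs: try the next entry
    return None

# Constructed sample data: a pinned receiver cert and a CA that signs a fleet of receivers.
RECEIVER = Cert(b"constructed-der-receiver", "collector-1.example.net", san_dns=["collector-1.example.net"])
FLEET_CA = Cert(b"constructed-der-fleet-ca", "Fleet CA")
OTHER = Cert(b"constructed-der-other", "collector-2.example.net", san_dns=["collector-2.example.net"])
ENTRIES = [
    CertToNameEntry(1, tls_fingerprint(RECEIVER.der), "specified", name="collector-1"),
    CertToNameEntry(2, tls_fingerprint(FLEET_CA.der), "san-rfc822-name"),  # skipped: no rfc822 SAN
    CertToNameEntry(3, tls_fingerprint(FLEET_CA.der), "san-dns-name"),
]
```

A receiver whose chain carries neither a pinned fingerprint nor the fleet CA maps to None, which is the case the description text resolves by closing the connection rather than guessing an identity.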