Re: [Netconf] 回复: [Technical Errata Reported] RFC6242 (5305)
Ignas Bagdonas <ibagdona@gmail.com> Tue, 27 March 2018 17:47 UTC
Return-Path: <ibagdona@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7641312D7F7 for <netconf@ietfa.amsl.com>; Tue, 27 Mar 2018 10:47:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mezTNaU2ipTK for <netconf@ietfa.amsl.com>; Tue, 27 Mar 2018 10:47:42 -0700 (PDT)
Received: from mail-pf0-x22c.google.com (mail-pf0-x22c.google.com [IPv6:2607:f8b0:400e:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12E1C127342 for <netconf@ietf.org>; Tue, 27 Mar 2018 10:47:42 -0700 (PDT)
Received: by mail-pf0-x22c.google.com with SMTP id v66so6673901pfv.7 for <netconf@ietf.org>; Tue, 27 Mar 2018 10:47:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=3iDiiekWLkN2TYAc2YNoDRaBxnqIM8tTGf3V2yL/oDM=; b=bmuoQKUZA6yfnYfRNUTWCIM4SLKStaFJBsnKEv0rAKS+jF+Md8seOm03RXNGgLDDaE OPWKknL/dNVv2Gsoz7//5AZQwro8W/hWbjnF6iegunlA7CfcGyKep8437jECleeHRrxx 9YI3RzIhiG4HCQbXjRp8GN5W/keY6mGoRKSJc9/YnPcw6XksVJ+a81XOmxpKM5KjfEQf zux/xoaIt1ifHiUIYbwdIl1d67ByKqSm5DtYIqw0TgCVVxB2v2+pz04zma86yOId0JWj iJtRA3Gd4oy9rHANJJndGKt6uQKhwIE9V8HWsJPvIrnQrZLOcim6qjsr6NX9NOagG8tj hFdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=3iDiiekWLkN2TYAc2YNoDRaBxnqIM8tTGf3V2yL/oDM=; b=nUYchtTn1P39YTDGcyKOl86lRjazFYIlzm8XQJnFs+obCg2ZZZK7K473X9Jf6RqbgR FE4nXpbr02FwQjH4yxB49/VEUkHv0bdvAwF6c0VSz6hnQCkDCvjGMIpGei/0zXwdA8AP MbkudbIsxGMn+kYaoz7dhbC9sa2FHbgySIBI+FMVE8v+0zfIjuS8NLOLEcHbSc8VTsUA MlZ+LfxBEfMJThyZQRcwLIhHYurufeID4XhiJkNu5nhHjo01L3Hc08SC29Vjnq2Pew8X Iq+Aqw8fPubB1BAb6C2LL1qFyQPlkAVDJwiMqUmykshZnOVcqAUyE/Zwq2aaF9McRXj6 W5RQ==
X-Gm-Message-State: AElRT7G/Jjn3bNW1Zu+uZ7ivnlIgusFSN9TA08Ww0kd0w1mVDmf9FcV4 N/L9ewygPBMnglLwNiSs8RaZepD7Sw8=
X-Google-Smtp-Source: AIpwx4/NbHCm2LxXXhK/iOLJpw8S2v5f2yQkGYeHMl4vWMFN0PkasqIB+VLOz4G81t1AId2pu2qvKA==
X-Received: by 10.99.109.136 with SMTP id i130mr183132pgc.380.1522172861224; Tue, 27 Mar 2018 10:47:41 -0700 (PDT)
Received: from [192.168.148.65] (rrcs-173-196-215-70.west.biz.rr.com. [173.196.215.70]) by smtp.gmail.com with ESMTPSA id p12sm3671174pgn.91.2018.03.27.10.47.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Mar 2018 10:47:40 -0700 (PDT)
To: fanhy <fanhycd@qq.com>, Robert Wilton <rwilton@cisco.com>, Kent Watsen <kwatsen@juniper.net>, RFC Errata System <rfc-editor@rfc-editor.org>, "mrw@painless-security.com" <mrw@painless-security.com>, "warren@kumari.net" <warren@kumari.net>, "mjethanandani@gmail.com" <mjethanandani@gmail.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
References: <20180326061924.377B7B82685@rfc-editor.org> <a40115f9-48e5-804e-4683-887e242e565a@gmail.com> <9abc7c13-dcf4-b26c-0599-25d690e7198f@cisco.com> <D7C6AB10-9B2F-4024-BF11-88A89DCE9214@juniper.net> <07a3383d-db50-0112-fb75-1e000e4008f8@cisco.com> <tencent_1081E082E479FAA483FD3421657932E7D509@qq.com>
From: Ignas Bagdonas <ibagdona@gmail.com>
Message-ID: <19350c2e-0488-5f7d-c446-77989b5d13df@gmail.com>
Date: Tue, 27 Mar 2018 18:47:38 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <tencent_1081E082E479FAA483FD3421657932E7D509@qq.com>
Content-Type: multipart/alternative; boundary="------------4FA152E9EC7265FBE37C08CF"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xMBJjW9Sn5xzXZYhwVbRM0Im1fg>
Subject: Re: [Netconf] 回复: [Technical Errata Reported] RFC6242 (5305)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 17:47:45 -0000
Excellent. Will reject it then. On 27/03/2018 15:41, fanhy wrote: > After reading these emails, I understand the original text now. > Neither change nor erratum is needed. > > Thanks, > Fanhy > > ------------------ 原始邮件 ------------------ > *发件人:* "Robert Wilton"<rwilton@cisco.com>; > *发送时间:* 2018年3月27日(星期二) 晚上6:05 > *收件人:* "Kent Watsen"<kwatsen@juniper.net>;"Ignas > Bagdonas"<ibagdona@gmail.com>;"RFC Errata > System"<rfc-editor@rfc-editor.org>;"mrw@painless-security.com"<mrw@painless-security.com>;"warren@kumari.net"<warren@kumari.net>;"mjethanandani@gmail.com"<mjethanandani@gmail.com>; > *抄送:* "fanhy"<fanhycd@qq.com>; "netconf@ietf.org"<netconf@ietf.org>; > *主题:* Re: [Netconf] [Technical Errata Reported] RFC6242 (5305) > > I think of the security considerations section of an RFC as outlining > what the security issues might be present if care isn't taken when > implementing the specification or deploying the technology associated > with it. > > Not being able to access a device because it is blocked by a firewall > seems like a functionality issue rather than a security issue. Normally > you would expect this to be spotted during deployment, and hence I'm not > convinced that additional text is required to cover this case. > > However, unwittingly opening up your device to a new attack vector does > seem to be a security issue, and this is what the text is describing > today. > > So, I'm still not convinced, that any change or erratum is required. > > Thanks, > Rob > > > On 27/03/2018 00:09, Kent Watsen wrote: > > I think both texts are correct, it completely depends on the firewall > > policy in place. In some cases, it may inadvertently grant access > > and, in other it may inadvertently block access. As I see it, the > > current text is technically accurate, it just doesn't tell the whole > > story. So I'd reject the errata as presented, but might consider > > one that more accurately reflects the whole story. > > > > K. > > > > ===== original message ===== > > > > I also think that the existing RFC text looks right. > > > > My reading of the text is that it is suggesting that allowing netconf > > access over other port numbers is a good idea, but care needs to be > > taken to ensure that this doesn't result in unauthorized access to the > > netconf/ssh subsystem. > > > > Thanks, > > Rob > > > > > > On 26/03/2018 17:07, Ignas Bagdonas wrote: > >> Hi there, > >> > >> This paragraph taken out as stand-alone seems to have somewhat > >> different meaning than if read together with the previous one in the > >> document. If NETCONF is used over default port, it is explicitly > >> required to be controlled by security policy, but there is no such > >> requirement when used over non-default port, and the quoted paragraph > >> mentions precisely this non-default port case. Therefore it seems that > >> the text in the document is correct. > >> > >> The other aspect is the operational practice of security policies for > >> network elements - generally it should be deny all allow what is > >> needed, but that is not what the document is focusing on. > >> > >> Any opinions? > >> > >> Thank you, > >> > >> Ignas > >> > >> > >> > >> On 26/03/2018 07:19, RFC Errata System wrote: > >>> The following errata report has been submitted for RFC6242, > >>> "Using the NETCONF Protocol over Secure Shell (SSH)". > >>> > >>> -------------------------------------- > >>> You may review the report below and at: > >>> > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rfc-2Deditor.org_errata_eid5305&d=DwIDaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=DiWeU-wyrNi7M183Zqrwk2er1MZS4MaIRqDJGXfI8CQ&s=EOfMENEtZKJI8OgKPlj-d_eAd8KPvVUehrS4w2JQBrs&e= > >>> > >>> -------------------------------------- > >>> Type: Technical > >>> Reported by: HengyingFan <fanhycd@qq.com> > >>> > >>> Section: 6 > >>> > >>> Original Text > >>> ------------- > >>> This document also recommends that SSH servers be configurable to > >>> allow access to the "netconf" SSH subsystem over other ports. > >>> Use of > >>> that configuration option without corresponding changes to > firewall > >>> or network device configuration may unintentionally result in the > >>> ability for nodes outside of the firewall or other administrative > >>> boundaries to gain access to the "netconf" SSH subsystem. > >>> > >>> > >>> Corrected Text > >>> -------------- > >>> This document also recommends that SSH servers be configurable to > >>> allow access to the "netconf" SSH subsystem over other ports. > >>> Use of > >>> that configuration option without corresponding changes to > firewall > >>> or network device configuration may unintentionally result in the > >>> inability for nodes outside of the firewall or other > administrative > >>> boundaries to gain access to the "netconf" SSH subsystem. > >>> > >>> > >>> Notes > >>> ----- > >>> ability -> inability > >>> > >>> Instructions: > >>> ------------- > >>> This erratum is currently posted as "Reported". If necessary, please > >>> use "Reply All" to discuss whether it should be verified or > >>> rejected. When a decision is reached, the verifying party > >>> can log in to change the status and edit the report, if necessary. > >>> > >>> -------------------------------------- > >>> RFC6242 (draft-ietf-netconf-rfc4742bis-08) > >>> -------------------------------------- > >>> Title : Using the NETCONF Protocol over Secure Shell > (SSH) > >>> Publication Date : June 2011 > >>> Author(s) : M. Wasserman > >>> Category : PROPOSED STANDARD > >>> Source : Network Configuration > >>> Area : Operations and Management > >>> Stream : IETF > >>> Verifying Party : IESG > >> _______________________________________________ > >> Netconf mailing list > >> Netconf@ietf.org > >> > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwIDaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=DiWeU-wyrNi7M183Zqrwk2er1MZS4MaIRqDJGXfI8CQ&s=sMVpoddABtHDrtsSxGnxZF3r8ZbCAGl0CZpXLnYycRw&e= > >> . > >> > > > >
- [Netconf] [Technical Errata Reported] RFC6242 (53… RFC Errata System
- Re: [Netconf] [Technical Errata Reported] RFC6242… Ignas Bagdonas
- Re: [Netconf] [Technical Errata Reported] RFC6242… Mahesh Jethanandani
- Re: [Netconf] [Technical Errata Reported] RFC6242… Robert Wilton
- Re: [Netconf] [Technical Errata Reported] RFC6242… Kent Watsen
- Re: [Netconf] [Technical Errata Reported] RFC6242… Margaret Cullen
- Re: [Netconf] [Technical Errata Reported] RFC6242… Robert Wilton
- Re: [Netconf] 回复: [Technical Errata Reported] RFC… Ignas Bagdonas