IETF Logo Mail Archive

Re: [Netconf] draft-ietf-netconf-rfc6536bis: one week review of a specific change

Ladislav Lhotka <lhotka@nic.cz> Mon, 27 November 2017 15:32 UTC

Return-Path: <lhotka@nic.cz>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE7C126CD8 for <netconf@ietfa.amsl.com>; Mon, 27 Nov 2017 07:32:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mlsr5gXO3jL for <netconf@ietfa.amsl.com>; Mon, 27 Nov 2017 07:32:48 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33682126BF3 for <netconf@ietf.org>; Mon, 27 Nov 2017 07:32:48 -0800 (PST)
Received: from birdie8 (unknown [IPv6:2001:718:1a02:1::380]) by mail.nic.cz (Postfix) with ESMTPSA id 57ACF63918 for <netconf@ietf.org>; Mon, 27 Nov 2017 16:32:46 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1511796766; bh=ZPdxMr+/WEjpu+3g34JE5LjgjLpexFkVNPXa98eaSJY=; h=From:To:Date; b=frMNRnC4q1PUJC6vvrDQ4+BrxsuAXhKAmgBqML52Vcso8cNpA2YLPeHF0Sd6dmKG6 O34MQI0WSqJTBUAncpBDJwaX/VbH68tyiVdyTBoWXxBKCmhGbKfbxTtzKyS7jPOu4m YlObP/1vN+jWEZxQ1UHRe3hq8UL0w20+kGJenQHI=
Message-ID: <1511796766.6244.27.camel@nic.cz>
From: Ladislav Lhotka <lhotka@nic.cz>
To: netconf@ietf.org
Date: Mon, 27 Nov 2017 16:32:46 +0100
In-Reply-To: <CABCOCHR-KPG69Ngzc=fb6cmcU4q+SEOt51AX=iYGYJR=pECxPg@mail.gmail.com>
References: <987f0de3-00d3-37f0-c919-4fe4f0f16efc@cisco.com> <2F1909ED-61A5-43FC-B2D8-FD08DEF49183@gmail.com> <3138dace-d750-308f-0169-a26e8abce5d1@cisco.com> <5A05A4A4.3000304@tail-f.com> <CABCOCHT_5zHWf3mdNM+8uUd8sqZMKKiwVtr=O4C4BhNrbygNzw@mail.gmail.com> <4e2ff4c7-70bb-280d-b49d-423e70e7f42d@cisco.com> <CABCOCHSYYFrZxC11v_++adG2uCP7urxR=VOKX-+8zXA-qiBCTA@mail.gmail.com> <60763bcf-47d9-d538-f1b3-6d71e3c80d1d@cisco.com> <CABCOCHTEXwhAq6NzoAGHcC-EE19bXJ0kbqPS0hwJB5_+RtOfyg@mail.gmail.com> <e418e007-fbac-029d-9c77-ed33df3d233b@cisco.com> <c2663103-70c2-0f52-f24f-852462509e27@cisco.com> <e41c2a8f-5ed7-9f3e-6dc1-85182c66adbf@cisco.com> <CABCOCHQrSOgGEAPdz5TdGBCGBSPzgAspGRQkgQDr3=H4Xp9JSQ@mail.gmail.com> <d056fdcd-20a8-5459-24ea-81fcfe53e59b@cisco.com> <015101d36513$bba345e0$4001a8c0@gateway.2wire.net> <CABCOCHTg5x_3=u4fMVtF-Rn1T6+gH2ZLMKeo6z5iekUWNt3RXg@mail.gmail.com> <00a701d365ea$e207f000$4001a8c0@gateway.2wire.net> <CABCOCHQHDB_9vQ0W5uA+u__=sezGrVgNtvt==DQhbK1r2MsPUw@mail.gmail.com> <eef4d5a8-4185-24d7-36a7-0f5958804be2@cisco.com> <CABCOCHR-KPG69Ngzc=fb6cmcU4q+SEOt51AX=iYGYJR=pECxPg@mail.gmail.com>
Organization: CZ.NIC
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.26.2
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xcqyGXYNBRt0-gLxrid2fN9FwF8>
Subject: Re: [Netconf] draft-ietf-netconf-rfc6536bis: one week review of a specific change
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2017 15:32:52 -0000

On Mon, 2017-11-27 at 07:12 -0800, Andy Bierman wrote:
> 
> 
> On Mon, Nov 27, 2017 at 2:39 AM, Robert Wilton <rwilton@cisco.com> wrote:
> > I do get the point that Tom is making here, and have quite a lot of sympathy
> > for it.  E.g. by automatically allowing the side effects of when/choice
> > statements then we are introducing a potential security hole here that
> > operators may find hard to be aware of and mitigate.
> > It also seems odd to me that a client is allowed to implicitly remove some
> > configuration through the side effect of a when/choice       statement that
> > they are not allowed to delete explicitly.
> > The alternative of requiring appropriate access for the side-effects, seems
> > like an intuitively safer design, but I also get Andy's concern that
> > security isn't useful if it become so unwieldy that nobody uses it.
> > So, I guess the question here is, do we have some concrete examples using
> > real data models where the extra NACM delete rules would be required?  If
> > not then perhaps requiring the explicit access for side effects would be
> > better.
> > 
> 
> 
> Yes -- please provide some examples where it is better to force the operator
> to provide extra "delete" rules to allow false-when data nodes to be deleted.
> It seems to me that these rules would allow individual data structures to be
> removed by the client, that would not otherwise be possible.

Here is an example:

Module A contains a choice with two cases, say "foo" and "bar". An operator
installs an instance of case "foo" and specifies NACM rules so that a non-
privileged client cannot remove it. Later, module B is added to the data model,
and it augments the choice with another case "baz". If a non-privileged user is
now allowed to create an instance of case "baz", he can trick the server into
deleting the protected instance of "foo".

So, module A may have bullet-proof security considerations and still, side
effects from module B create a security hole.

Lada  

> 
> If 3 data structures need to be in place "when /foo exists" then
> deleting 1 or 2 of them directly may not be desirable.  Deleting
> them all together (i.e., via when-false deletion) may be the intended usage.
> 
> The vendor and operator need to be aware of the data model dependencies.
> That said, how come CLI-based configuration does not have this problem?
> (Or rather, why has this problem been ignored for so long? Maybe it not that
> real?)
> 
> > Thanks,
> > Rob
> > 
> 
> Andy
>  
> > On 25/11/2017 15:53, Andy Bierman wrote:
> > > 
> > > On Sat, Nov 25, 2017 at 4:42 AM, t.petch <ietfc@btconnect.com> wrote:
> > > > ----- Original Message -----
> > > > From: "Andy Bierman" <andy@yumaworks.com>
> > > > To: "t.petch" <ietfc@btconnect.com>
> > > > 
> > > > 
> > > > > On Fri, Nov 24, 2017 at 3:02 AM, t.petch <ietfc@btconnect.com> wrote:
> > > > >
> > > > > > <inline>
> > > > > >
> > > > > > Tom Petch
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Robert Wilton" <rwilton@cisco.com>
> > > > > > Sent: Thursday, November 23, 2017 10:44 AM
> > > > > >
> > > > > > > Hi Andy,
> > > > > > >
> > > > > > > On 22/11/2017 18:09, Andy Bierman wrote:
> > > > > > > > On Wed, Nov 22, 2017 at 5:41 AM, Benoit Claise wrote:
> > > > > > > >
> > > > > > > >     Hi Rob,
> > > > > > > >
> > > > > > > >     At that points in time, if it clarifies the spec. and the
> > > > > > authors
> > > > > > > >     agree with this, let's do the right thing.
> > > > > > > >
> > > > > > > > I will add the new text if that is what the WG wants.
> > > > > >
> > > > > > > Having read this draft, I was undecided what the intended behavior
> > > > > > > actually should be.
> > > > > > >
> > > > > > > The way that Yumapro and Tail-f have implemented this is
> > > > reasonable,
> > > > > > and
> > > > > > > is probably also the way that I would implemented it.
> > > > > > >
> > > > > > > But I also think that it would be a reasonable implementation for
> > > > a
> > > > > > > server to calculate the full change set (taking account of side
> > > > > > effects
> > > > > > > from when and choice statements) to the datastore before checking
> > > > the
> > > > > > > "write data node access control" against the resultant change set.
> > > > > > >
> > > > > > > My interpretation is that the RFC text is ambiguous on what the
> > > > > > correct
> > > > > > > behavior is, and one could make a reasonable argument that the
> > > > current
> > > > > > > RFC actually specifies that the alternative behavior is correct,
> > > > i.e.
> > > > > > > requiring delete access even if a node is implicitly changes as a
> > > > side
> > > > > > > effect. E.g. section 3.2.3 of RFC 6536 states:
> > > > > > >
> > > > > > >     If the protocol operation would result in the deletion of a
> > > > > > datastore
> > > > > > >     node and the user does not have "delete" access permission for
> > > > > > that
> > > > > > >     node, the protocol operation is rejected with an
> > > > "access-denied"
> > > > > > >     error.
> > > > > >
> > > > > > Rob
> > > > > >
> > > > > > I have been reading that paragraph since this thread started and
> > > > > > wondering how it could be thought unclear, what am I missing:-)
> > > > > >
> > > > > > To me it clearly states that the user must have the appropriate
> > > > access
> > > > > > for the consequences of whatever they do, be that 'when', 'choice'
> > > > or
> > > > > > anything else! Indeed, I see exactly that behaviour in operational
> > > > > > (non-network) databases of which I am a user with limited
> > > > privileges.
> > > > > >
> > > > > >
> > > > >
> > > > > This is not correct.
> > > > > The server is the entity that is cleaning up false when-stmt or
> > > > unselected
> > > > > cases
> > > > > for a choice-stmt.
> > > > >
> > > > > NACM does not prevent the sever from making any changes to the system.
> > > > > It only affects the operations requested by a client.
> > > > 
> > > > Andy
> > > > 
> > > > My model is slightly different, that the server is a black box, with an
> > > > interface through which I can make authorised changes.  If something I
> > > > do causes the deletion of something I am not allowed to delete, may be
> > > > not even to read, well, we part company on the acceptability of that!
> > > > 
> > > > I do accept, as Randy points out, that the situation is complicated.  I
> > > > am reminded of the issues that came up relating to the 'when' statement
> > > > when preparing YANG 1.1.  Yes, 'when' makes things possible and is very
> > > > useful but at the same time, its side effects can be troublesome.  I
> > > > would like to wrap it up in a conceptual bubble so you could not have
> > > > the sort of fine-grained access control that allows the case that Rob
> > > > postulates to occur but have no idea what that might look like.  And I
> > > > don't know how much 'when' is used in that way in existing YANG
> > > > modules - uh huh, more reading required.
> > > > 
> > > 
> > > 
> > > When the access control is too complicated, it does not get used.
> > > Instead, the most likely access control is "everybody is the root user".
> > > The server pruning of false when/choice data nodes is considered cleanup.
> > > The pruned data is no longer relevant to the data model. This is the
> > > indended
> > > use, but when-stmt can easily be abused.
> > > 
> > > The complex tangled web of dependencies is no worse
> > > than it has been with CLI for 30 years, where every dependency is ad-hoc
> > > and probably undocumented. The granularity of CLI-based access control
> > > is less granular than NACM.
> > > 
> > > It is possible that vendors and operators are willing to spend hours and
> > > days
> > > figuring out how to tune the NACM rules to allow a specific edit to work.
> > > Of course the operator will not even be told by the server which nodes
> > > are blocking the edit. That would be a security risk.
> > > 
> > > IMO NACM will be completely unusable if rules are needed to allow
> > > server cleanup of dead nodes.  The additional NACM rules required
> > > might provide more access than intended (unless lots of delete-only
> > > rules are added). The huge jump in NACM rule management complexity is
> > > a new security vulnerability, which might even be worse than the
> > > vulnerability it is intended to fix.
> > > 
> > > 
> > > > Tom Petch
> > > > 
> > > > >
> > > > > Andy
> > > > >
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > > Andy
> > > 
> > >  
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > > > My other thought was that given all the complexities of 'when' that
> > > > > > emerged during the specification of YANG 1.1, perhaps, were I an
> > > > > > implementor of this, I would take the easy option and ignore the
> > > > side
> > > > > > effects of 'when'; but I might feel guilty about doing so.
> > > > > >
> > > > > > If the new paragraphs go in as proposed, then I think that the two
> > > > > > paragraphs you quote need changing else that section looks to me
> > > > like an
> > > > > > oxymoron.
> > > > > >
> > > > > > Tom Petch
> > > > > >
> > > > > > > An <edit-data> request that causes a when constraint to evaluate
> > > > > > > differently does result in a deletion of those data nodes from the
> > > > > > > datastore, and hence according to the text above, requires
> > > > explicit
> > > > > > > "delete" access permission to accomplish that.
> > > > > > >
> > > > > > > Clearly it would be an interop issue if different servers
> > > > implemented
> > > > > > > the NACM path based filtering differently.
> > > > > > >
> > > > > > > Hence why I think that it would be prudent for the draft to be
> > > > more
> > > > > > > explicit on when and choice statement handling.
> > > > > > >
> > > > > > > Rob
> > > > > > >
> > > > > > > > There have not been any comments on this issue.
> > > > > > > >
> > > > > > > > Andy
> > > > > > > >
> > > > > > > >     Regards, Benoit.
> > > > > > > >>
> > > > > > > >>     Hi Benoit,
> > > > > > > >>
> > > > > > > >>     There is also one further, unrelated change that I am
> > > > proposing
> > > > > > > >>     is made the draft before it is published, to help better
> > > > > > clarify
> > > > > > > >>     the expected behavior. It isn't the end of the world if
> > > > this
> > > > > > > >>     doesn't go in, but I think that it prevents sometime taking
> > > > a
> > > > > > > >>     different, but IMO reasonable, interpretation of how "when"
> > > > > > > >>     statements are considered, and then having a future
> > > > argument
> > > > > > > >>     about what behavior it specified in the standard.
> > > > > > > >>
> > > > > > > >>     If we clarify it now, then it closes that door :-)
> > > > > > > >>
> > > > > > > >>     I've proposed text to Andy and Martin on Monday, but I've
> > > > not
> > > > > > > >>     heard back yet.
> > > > > > > >>
> > > > > > > >>     Netconf email with proposed text attached. The text doesn't
> > > > > > > >>     necessarily have to match this, but personally I think that
> > > > it
> > > > > > is
> > > > > > > >>     useful if the draft says something on this.
> > > > > > > >>
> > > > > > > >>     Thanks,
> > > > > > > >>     Rob
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>     On 22/11/2017 13:25, Benoit Claise wrote:
> > > > > > > >>>     On 11/10/2017 7:23 PM, Andy Bierman wrote:
> > > > > > > >>>>     Hi,
> > > > > > > >>>>
> > > > > > > >>>>     Here are some proposed edits to make the data rule
> > > > consistent
> > > > > > > >>>>     with the examples.
> > > > > > > >>>>     Note that this issue is not related to the edit in the
> > > > > > original
> > > > > > > >>>>     1-week change.
> > > > > > > >>>     That's right, but we found a source of misinterpretation
> > > > in
> > > > > > the
> > > > > > > >>>     draft and you have rightly corrected it in the github v9.
> > > > > > > >>>
> > > > > > > >>>     Regards, Benoit
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>     sec. 3.3.5:
> > > > > > > >>>>
> > > > > > > >>>>     OLD:
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>     data node rule: controls access for a specific data
> > > > > > > >>>>     node, identified
> > > > > > > >>>>     by its path location within the conceptual XML document
> > > > > > > >>>>     for the
> > > > > > > >>>>     data node.
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>     NEW:
> > > > > > > >>>>
> > > > > > > >>>>     data node rule: controls access for a specific data node
> > > > > > > >>>>     and its descendants,
> > > > > > > >>>>     identified by its path location within the conceptual XML
> > > > > > > >>>>     document for the
> > > > > > > >>>>     data node.
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>     sec 3.4.5, step 6, bullet 2:
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>     OLD:
> > > > > > > >>>>
> > > > > > > >>>>     * The rule does not have a "rule-type" defined or the
> > > > > > > >>>>     "rule-
> > > > > > > >>>>     type" is "data-node" and the "path" matches the
> > > > > > > >>>>     requested
> > > > > > > >>>>     data node, action node, or notification node.
> > > > > > > >>>>
> > > > > > > >>>>     NEW:
> > > > > > > >>>>     * The rule does not have a "rule-type" defined or the
> > > > > > > >>>>     "rule-
> > > > > > > >>>>     type" is "data-node" and the "path" matches the
> > > > > > > >>>>     requested
> > > > > > > >>>>     data node, action node, or notification node. A path is
> > > > > > > >>>>     considered to match if the current data node is the
> > > > > > > >>>>     data node
> > > > > > > >>>>     specified by the path, or is a descendant data node
> > > > > > > >>>>     of this data node.
> > > > > > > >>>>     appendix B.4: (2 bugs in explanation)
> > > > > > > >>>>     OLD:
> > > > > > > >>>>     deny-nacm: This rule denies the "guest" group any access
> > > > to
> > > > > > the
> > > > > > > >>>>     <nacm> subtree. Note that the default namespace is only
> > > > > > > >>>>     applicable because this subtree is defined in the same
> > > > > > > >>>>     namespace as the <data-rule> element.
> > > > > > > >>>>     NEW:
> > > > > > > >>>>     deny-nacm: This rule denies the "guest" group any access
> > > > to
> > > > > > the
> > > > > > > >>>>     <nacm> subtree.
> > > > > > > >>>>     Andy
> > > > > > > >>>>
> > > > > > > >>>>     On Fri, Nov 10, 2017 at 9:24 AM, Robert Wilton
> > > > > > > >>>>     <rwilton@cisco.com <mailto:rwilton@cisco.com>> wrote:
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>         On 10/11/2017 16:33, Andy Bierman wrote:
> > > > > > > >>>>>
> > > > > > > >>>>>
> > > > > > > >>>>>         On Fri, Nov 10, 2017 at 8:16 AM, Robert Wilton
> > > > > > > >>>>>         <rwilton@cisco.com <mailto:rwilton@cisco.com>>
> > > > wrote:
> > > > > > > >>>>>
> > > > > > > >>>>>
> > > > > > > >>>>>
> > > > > > > >>>>>             On 10/11/2017 15:49, Andy Bierman wrote:
> > > > > > > >>>>>>
> > > > > > > >>>>>>
> > > > > > <snip>
> > > > > >
> > > > > >
> > > > >
> > > > 
> > > > 
> >  
> 
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
-- 
Ladislav Lhotka
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67

v2.23.0 | Report a Bug | By Email