Re: [netmod] Last Call: draft-ietf-netmod-snmp-cfg-03 (20131220)
Martin Bjorklund <mbj@tail-f.com> Sat, 11 January 2014 10:51 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EE681ADF6D for <netmod@ietfa.amsl.com>; Sat, 11 Jan 2014 02:51:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Level:
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHnZRvCETJ8C for <netmod@ietfa.amsl.com>; Sat, 11 Jan 2014 02:51:46 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [109.74.15.94]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9861ADBC9 for <netmod@ietf.org>; Sat, 11 Jan 2014 02:51:46 -0800 (PST)
Received: from localhost (unknown [193.12.32.88]) by mail.tail-f.com (Postfix) with ESMTPSA id 67F1B240C187; Sat, 11 Jan 2014 11:51:35 +0100 (CET)
Date: Sat, 11 Jan 2014 11:51:34 +0100
Message-Id: <20140111.115134.528610893.mbj@tail-f.com>
To: randy_presuhn@mindspring.com
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <005c01cf0eb3$56649180$6b01a8c0@oemcomputer>
References: <014201cef85b$81260cf0$837226d0$@comcast.net> <20140111.101300.219049272.mbj@tail-f.com> <005c01cf0eb3$56649180$6b01a8c0@oemcomputer>
X-Mailer: Mew version 6.5rc2 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: netmod@ietf.org
Subject: Re: [netmod] Last Call: draft-ietf-netmod-snmp-cfg-03 (20131220)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jan 2014 10:51:48 -0000
"Randy Presuhn" <randy_presuhn@mindspring.com> wrote: > Hi - > > > From: "Martin Bjorklund" <mbj@tail-f.com> > > To: <ietfdbh@comcast.net> > > Cc: <netmod@ietf.org> > > Sent: Saturday, January 11, 2014 1:13 AM > > Subject: Re: [netmod] Last Call: draft-ietf-netmod-snmp-cfg-03 (20131220) > ... > > > 5) The security implications of not using the RFC3414 method for cloning > > > and > > > key change are not discussed. > > > > NETCONF generally over a secure and encrypted transport (this is > > pointed out in the Security Considerations section) hence the SNMP > > cloning mechanism is not needed. I am not sure what kind of text you > > are looking for. > ... > > There's more to cloning than transport security. The way keyChange works > requires the cloner to know the authKey/privKey of the clone-from user as > well as the secret key(s) to be used for the new user. > > The Netconf client does not need to know a cloneFrom authKey/privKey to > create new users, nor does it need to reference an existing user to clone > from. Both of these are paths permitting the potential creation of users with > combinations of protocols not represented in the usmUserTable, or to which > clone access would have been effectively blocked by an unpublished key change. > This could, for example, result in a situation where the SNMP security > administrator > has blocked the ability for delegated administrators to create a noAuth/noPriv > user, but left them the ability to create auth/priv users; yet the Netconf > interface > would restore that ability to those delegated administrators. > > That's a fairly obvious security implication. There are probably subtler ones, > too. > I don't know whether you consider it a problem, but the properties *are* > different and should be systematically thought through and documented. Ok, I agree it makes sense to document this. It could be viewed as a feature since we now have a standardized way for the "SNMP security administrator" to actually set up usm entries for cloning. These delegated administrators don't have to have NETCONF access of course. /martin
- [netmod] Last Call: draft-ietf-netmod-snmp-cfg-03… David Kessens
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… ietfdbh
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… ietfdbh
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… ietfdbh
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… ietfdbh
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Martin Bjorklund
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Martin Bjorklund
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Martin Bjorklund
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Martin Bjorklund
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Martin Bjorklund
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Juergen Schoenwaelder
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Randy Presuhn
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… B Lukovic
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Martin Bjorklund
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… B Lukovic
- Re: [netmod] Last Call: draft-ietf-netmod-snmp-cf… Martin Bjorklund