IETF Logo Mail Archive

Re: [netmod] Last Call: draft-ietf-netmod-snmp-cfg-03 (20131220)

Martin Bjorklund <mbj@tail-f.com> Sat, 11 January 2014 10:51 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EE681ADF6D for <netmod@ietfa.amsl.com>; Sat, 11 Jan 2014 02:51:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Level:
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHnZRvCETJ8C for <netmod@ietfa.amsl.com>; Sat, 11 Jan 2014 02:51:46 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [109.74.15.94]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9861ADBC9 for <netmod@ietf.org>; Sat, 11 Jan 2014 02:51:46 -0800 (PST)
Received: from localhost (unknown [193.12.32.88]) by mail.tail-f.com (Postfix) with ESMTPSA id 67F1B240C187; Sat, 11 Jan 2014 11:51:35 +0100 (CET)
Date: Sat, 11 Jan 2014 11:51:34 +0100
Message-Id: <20140111.115134.528610893.mbj@tail-f.com>
To: randy_presuhn@mindspring.com
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <005c01cf0eb3$56649180$6b01a8c0@oemcomputer>
References: <014201cef85b$81260cf0$837226d0$@comcast.net> <20140111.101300.219049272.mbj@tail-f.com> <005c01cf0eb3$56649180$6b01a8c0@oemcomputer>
X-Mailer: Mew version 6.5rc2 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: netmod@ietf.org
Subject: Re: [netmod] Last Call: draft-ietf-netmod-snmp-cfg-03 (20131220)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jan 2014 10:51:48 -0000

"Randy Presuhn" <randy_presuhn@mindspring.com> wrote:
> Hi -
>  
> > From: "Martin Bjorklund" <mbj@tail-f.com>
> > To: <ietfdbh@comcast.net>
> > Cc: <netmod@ietf.org>
> > Sent: Saturday, January 11, 2014 1:13 AM
> > Subject: Re: [netmod] Last Call: draft-ietf-netmod-snmp-cfg-03 (20131220)
> ...
> > > 5) The security implications of not using the RFC3414 method for cloning
> > > and
> > > key change are not discussed.
> > 
> > NETCONF generally over a secure and encrypted transport (this is
> > pointed out in the Security Considerations section) hence the SNMP
> > cloning mechanism is not needed.  I am not sure what kind of text you
> > are looking for.
> ...
> 
> There's more to cloning than transport security.  The way keyChange works
> requires the cloner to know the authKey/privKey of the clone-from user as
> well as the secret key(s) to be used for the new user.
> 
> The Netconf client does not need to know a cloneFrom authKey/privKey to
> create new users, nor does it need to reference an existing user to clone
> from.  Both of these are paths permitting the potential creation of users with
> combinations of protocols not represented in the usmUserTable, or to which
> clone access would have been effectively blocked by an unpublished key change.
> This could, for example, result in a situation where the SNMP security
> administrator
> has blocked the ability for delegated administrators to create a noAuth/noPriv
> user, but left them the ability to create auth/priv users; yet the Netconf
> interface
> would restore that ability to those delegated administrators.
> 
> That's a fairly obvious security implication.  There are probably subtler ones,
> too.
> I don't know whether you consider it a problem, but the properties *are*
> different and should be systematically thought through and documented.

Ok, I agree it makes sense to document this.  It could be viewed as a
feature since we now have a standardized way for the "SNMP security
administrator" to actually set up usm entries for cloning.  These
delegated administrators don't have to have NETCONF access of course.


/martin

v2.23.0 | Report a Bug | By Email