IETF Logo Mail Archive

Re: [netmod] security considerations boilerplate updates to cover RESTCONF

Kent Watsen <kwatsen@juniper.net> Fri, 17 March 2017 15:36 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80BE11294AC; Fri, 17 Mar 2017 08:36:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GU35sv-Ot-T9; Fri, 17 Mar 2017 08:36:16 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0115.outbound.protection.outlook.com [104.47.40.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC7F3129479; Fri, 17 Mar 2017 08:36:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=bMOoZ5N0kGgkWPwnuk1dxT76YHS5IadE7eKL8loYAiQ=; b=Y1ht6nZTtVD66KFwaKwiazvAJh5T06LE0Cht9c4sXl7dxxrCf6spef7HLdfDsEQqEBXEx8S/EEidNEF3hxqD+OLx3R9ZHSValiIr3jX/sNYTJ3AhZ316a+kJo+CPJHhFXlSs8x/sAu5HTmN9m0rVN4c7Yp/GuvJes7IY8LeEvrU=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1443.namprd05.prod.outlook.com (10.160.117.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.5; Fri, 17 Mar 2017 15:36:13 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.0977.013; Fri, 17 Mar 2017 15:36:13 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Ladislav Lhotka <lhotka@nic.cz>, Benoit Claise <bclaise@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>, "sec-ads@ietf.org" <sec-ads@ietf.org>
Thread-Topic: [netmod] security considerations boilerplate updates to cover RESTCONF
Thread-Index: AQHSnauR8sIuzui9AkeB/6DkSo5/yqGV5dqAgABeZQCAAM4UgIAAAraAgAAFZICAAAFwAIAADPwAgAHmpID//9qHAA==
Date: Fri, 17 Mar 2017 15:36:13 +0000
Message-ID: <696C1A19-0A68-49A1-A6DA-8B3ACEEFC85B@juniper.net>
References: <20170313212537.GB53972@elstar.local> <7de29e11-f045-b0a1-808f-38044f6f7352@cisco.com> <8E887FD1-9849-4A05-A43F-CF675056A7B5@juniper.net> <1fdc07f6-0434-a490-024d-af039877ae33@cisco.com> <20170316072757.GD59114@elstar.local> <0138111b-6c95-0edc-23c4-2797312bb51a@cisco.com> <20170316075657.GF59114@elstar.local> <fc506ce0-0b56-ffbd-53a9-895c927bc5be@cisco.com> <7FB88E83-589D-4F3B-BC55-C7D0B2F858A8@juniper.net> <m27f3odnc4.fsf@birdie.labs.nic.cz>
In-Reply-To: <m27f3odnc4.fsf@birdie.labs.nic.cz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
authentication-results: nic.cz; dkim=none (message not signed) header.d=none;nic.cz; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.13]
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1443; 7:ao98TudQ8dC74o9WV51DsQKztwLu0LQ3XWp4MjPp34zQTVltxhGFRnF+iT+Hbuh5k/KkELoDHJmzLipeZpYsys2ciLim9+4m9ef5giFNHYs6mma0b3n4+nomVfpRgcG0OdKLsVGNtjZFGzTDuh9edwg2nRkUEddoUtyyaBye+IXOD90Hc2dOKpI58XWtFChtAAiFsT5TTem0mfAasMvUwp9uWlo8syKaWyE4xjXgATJgNwsxaqV2Tt8yZ/34bI6dEWKhlchVSKv9zNGdkBFTj9yx5VK9H2hczIkP71ZGczzy4W59h/G8gNM9EROLwBtJ2QuLfe2lvSrkmpKofQAQ0g==
x-ms-office365-filtering-correlation-id: eef1dfa8-7965-4b7f-5cc1-08d46d4b5842
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BN3PR0501MB1443;
x-microsoft-antispam-prvs: <BN3PR0501MB1443C1ACBADF9DCEE39FD400A5390@BN3PR0501MB1443.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(138986009662008)(788757137089);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123564025)(20161123560025)(20161123558025)(20161123562025)(20161123555025)(6072148); SRVR:BN3PR0501MB1443; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0501MB1443;
x-forefront-prvs: 0249EFCB0B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39410400002)(39850400002)(39450400003)(39840400002)(39860400002)(24454002)(377454003)(93886004)(122556002)(53936002)(3280700002)(3660700001)(15650500001)(2906002)(8676002)(7736002)(81166006)(66066001)(38730400002)(102836003)(53546008)(6116002)(6246003)(3846002)(6486002)(54356999)(305945005)(99286003)(6436002)(36756003)(77096006)(189998001)(2501003)(2950100002)(6512007)(50986999)(25786008)(76176999)(6506006)(229853002)(5660300001)(8936002)(561944003)(83506001)(86362001)(6306002)(33656002)(4001350100001)(2201001)(5890100001)(2900100001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1443; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F75A533F8C7D8042B3564799B5180E7B@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Mar 2017 15:36:13.4379 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1443
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/1WwBwIWT2mSSFU0NiMiQEud5Iis>
Subject: Re: [netmod] security considerations boilerplate updates to cover RESTCONF
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 15:36:19 -0000

Adding a final thought to this, I found it strange when I copied the
Security guidelines into some of my YANG-model focused drafts, that
I suddenly had to add Informative References for some transport
protocols.   Why should a YANG model care about transport protocols?
Are we going to extend this statement to include all future protocols
too (CoAP, gRPC, etc.)?  Not to mention YANG modules that only define
an artifact (i.e. rc:yang-data).  Where does it end?

I think the 90% of the guidelines are okay, putting focus on select
readable nodes, writable nodes, and RPCs is good.  It's just the 
first  paragraph I have issue with.  The more I think about it, the
more I think the first paragraph should, for the most part, disappear.

K. // contributor



-----ORIGINAL MESSAGE-----

Kent Watsen <kwatsen@juniper.net> writes:

> A couple comments:
>
> 1) drilling down on the mandatory-to-implement NC/RC protocols
>    is somewhat missing the point.  The important bit is that
>    *all* protocols transporting YANG-modeled data *only* have
>    secure transport layers.  More specifically, YANG-modeledq
>    data may be transported over other protocols (e.g., coap),
>    and also one of the protocols have an insecure transport
>    protocol (e.g., it doesn't much help to talk about HTTPS
>    being mandatory-to-implement if RESTCONF allowed HTTP).

I agree, and it will become even more relevant if we make YANG
protocol-independent. In fact, data models may be useful even without
any network transport involved, e.g. for a local CLI implementation.

>
> 2) just stating that there are secure transport layers still
>    isn’t sufficient, as these protocols must also require
>    mutual authentication in order to be secure, and for 
>    statements regarding NACM to make sense.  The text I posted
>    before had a statement like this in it.

Right, security considerations attached to data models should deal with
security aspects of the static data (which items are security-sensitive
etc.) and not with transport security.

Lada

>
> I'm beginning to become a fan of the idea of defining a generic
> "Requirements for Protocols Transporting YANG-modeled Data"
> document - that would not only discuss security aspects, but
> also generic protocol operations, that documents like NC, RC,
> CoAP, etc. can point to...and even YANG (RFC 7950), rather than
> pointing directly at NETCONF as it does today...
>
> Kent // contributor
>
>
> On 3/16/2017 8:56 AM, Juergen Schoenwaelder wrote:
>> On Thu, Mar 16, 2017 at 08:37:39AM +0100, Benoit Claise wrote:
>>> Latest proposal:
>>>
>>>      The YANG module defined in this document is designed to be accessed
>>>      via network management protocols such as NETCONF [RFC6241] or
>>>      RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
>>> layer,
>>>      and mandatory-to-implement secure transport is Secure Shell (SSH)
>>> [RFC6242],
>>>      while the lowest RESTCONF layer is HTTP, and the mandatory-to-implement
>>> secure
>>>      transport is Transport Layer Security (TLS) [RFC5246].
>> Picking wording from Section 12 of RFC 8040 to replace your second
>> sentence I get this:
>>
>>      The YANG module defined in this document is designed to be
>>      accessed via network management protocols such as NETCONF
>>      [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the
>>      secure transport layer, and the mandatory-to-implement secure
>>      transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF
>>      layer is HTTPS, and the mandatory-to-implement secure transport is
>>      TLS [RFC5246].
>>
>>      The NETCONF access control model [RFC6536] provides the means to
>>      restrict access for particular NETCONF or RESTCONF users to a
>>      pre-configured subset of all available NETCONF or RESTCONF
>>      protocol operations and content.
> Yes, thank you.
>
> Regards, B.
>>
>> /js
>>
>
>
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod

-- 
Ladislav Lhotka, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67

v2.23.0 | Report a Bug | By Email