IETF Logo Mail Archive

Re: [netmod] security considerations boilerplate updates to cover RESTCONF

Kent Watsen <kwatsen@juniper.net> Wed, 15 March 2017 17:32 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2239513174B; Wed, 15 Mar 2017 10:32:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fU4wjdM7OPFB; Wed, 15 Mar 2017 10:32:35 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0097.outbound.protection.outlook.com [104.47.37.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD53413172F; Wed, 15 Mar 2017 10:32:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=G4snYr0vtgoblw1z/l/nRponu75/GAjn6ML5IbGOslE=; b=e3kdv62AigiNaRWc0hYk7XqX+LkGhusa5cZEVHvFR34O5ldXz+hOjBLVnyu/ZXjTzTJU517urzj3ZsISQDBp/nhTbKLhmctna+iMcACQRTAXVWYG/x9/Pj9PXfUUNNGSyMomX/seR0Fvugy3iA3jN20/DStDtqwbRFWPqA1qY1A=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.5; Wed, 15 Mar 2017 17:32:32 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.0977.010; Wed, 15 Mar 2017 17:32:32 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Benoit Claise <bclaise@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>
CC: "sec-ads@ietf.org" <sec-ads@ietf.org>
Thread-Topic: [netmod] security considerations boilerplate updates to cover RESTCONF
Thread-Index: AQHSnauR8sIuzui9AkeB/6DkSo5/yqGV5dqA
Date: Wed, 15 Mar 2017 17:32:32 +0000
Message-ID: <8E887FD1-9849-4A05-A43F-CF675056A7B5@juniper.net>
References: <20170313212537.GB53972@elstar.local> <7de29e11-f045-b0a1-808f-38044f6f7352@cisco.com>
In-Reply-To: <7de29e11-f045-b0a1-808f-38044f6f7352@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.13]
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1442; 7:yXGsQPk1fB9qgseLQS1X8OXL15PlBtck84wbBWzY3pSXCviN9mvmRhC9ecyjTEMq9XQ+YV9HCXoSeO2nFFtARgArTQbVtQe4HSBWF8EcP3zDbXvTSQJn/6z+uZ+EPVf12fNhTnqT9N7kuhvzJMyo6VbG7qywEMb5g93iYP6yPFWs/ed3M7pI03a/ahZwPRTw0aQHAFshC9uRuLl2rK0Oh6TOmwxFxjPOwqa9d5HnWPBPfg5QPKgtkbtrg9R9YnXMFNvWwtMseNJ0OzwfXbJEXpGzIJulUOYEoBNGdYlSss0MaK3SJFgzc/i9y7o4KQKU/y7bfCLyQs7Q/UA8Yjpd9g==
x-ms-office365-filtering-correlation-id: 04ef71b6-ca21-4fe9-0f17-08d46bc94350
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BN3PR0501MB1442;
x-microsoft-antispam-prvs: <BN3PR0501MB1442FE515C7ADB618CFAE4C5A5270@BN3PR0501MB1442.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(209352067349851)(192374486261705)(95692535739014)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123564025)(20161123562025)(20161123560025)(20161123558025)(20161123555025)(6072148); SRVR:BN3PR0501MB1442; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0501MB1442;
x-forefront-prvs: 02475B2A01
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39850400002)(39860400002)(39450400003)(39840400002)(57704003)(377454003)(24454002)(3660700001)(83716003)(2950100002)(2906002)(50986999)(3280700002)(76176999)(10710500007)(54356999)(5660300001)(36756003)(82746002)(189998001)(33656002)(7110500001)(102836003)(122556002)(606005)(561944003)(38730400002)(8676002)(77096006)(25786008)(6486002)(6506006)(6436002)(2900100001)(53936002)(6116002)(6512007)(236005)(3846002)(99286003)(7906003)(6306002)(8936002)(53546007)(81166006)(86362001)(229853002)(4326008)(2501003)(966004)(4001350100001)(2420400007)(6246003)(7736002)(15650500001)(66066001)(54896002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1442; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_8E887FD198494A05A43FCF675056A7B5junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Mar 2017 17:32:32.5419 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1442
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/4mCl8sF832GbNsKGwwoSnSn0Q6U>
Subject: Re: [netmod] security considerations boilerplate updates to cover RESTCONF
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 17:32:38 -0000

Benoit,

I fixed this text in my drafts already.  Actually, I found the old text difficult to
read, so I fixed it like this:

   The YANG module defined in this document is designed to be accessed
   via YANG based management protocols, such as NETCONF [RFC6241<https://tools.ietf.org/html/rfc6241>] and
   RESTCONF [RFC8040<https://tools.ietf.org/html/rfc8040>].  Both of these protocols have mandatory-to-
   implement secure transport layers (e.g., SSH, TLS) with mutual
   authentication.

   The NETCONF access control model (NACM) [RFC6536<https://tools.ietf.org/html/rfc6536>] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   (from: https://tools.ietf.org/html/draft-ietf-netconf-keystore-01#section-4).

Related, I wasn't entirely sure how to handle the situation where a draft uses
groupings from another draft.  Does it simply point to the other draft's Security
Considerations, or recreate them in its Security Considerations section?  For now,
I chose the former, for instance:

   The YANG module defined in this document uses groupings defined in
   [I-D.ietf-netconf-ssh-client-server<https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server-02#ref-I-D.ietf-netconf-ssh-client-server>] and [I-D.ietf-netconf-tls-client-server<https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server-02#ref-I-D.ietf-netconf-tls-client-server>].
   Please see the Security Considerations section in those documents for
   concerns related those groupings.

   (from: https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server-02#section-5)


Thanks,
Kent  // contributor


-----ORIGINAL MESSAGE------

On 3/15/17, 12:45 PM, "netmod on behalf of Benoit Claise" <netmod-bounces@ietf.org<mailto:netmod-bounces@ietf.org> on behalf of bclaise@cisco.com<mailto:bclaise@cisco.com>> wrote:

Dear all,

[copying the security ADs to make sure the new security section is fine]
Let's separate the two issues

1. the multiple URLs in draft-ietf-netmod-rfc6087bis-12.txt
Basically, I agree with Jürgen
I see section 4.7:

   This section MUST be patterned after the latest approved template

   (available at http://trac.tools.ietf.org/area/ops/trac/wiki/<http://trac.tools.ietf.org/area/ops/trac/wiki/yang-security-guidelines>

   yang-security-guidelines<http://trac.tools.ietf.org/area/ops/trac/wiki/yang-security-guidelines>).  Section 7.1<https://tools.ietf.org/html/draft-ietf-netmod-rfc6087bis-12#section-7.1> contains the security

   considerations template dated 2013-05-08.  Authors MUST check the WEB

   page at the URL listed above in case there is a more recent version

   available.
Then, I see section 7:

  The following section contains the security considerations template

   dated 2010-06-16.
Not sure why it contains this cut/paste? It should just say: the latest version is at this URL.
Then, I see in the same section:

This section MUST be patterned after the latest approved

   template (available at



    http://www.ops.ietf.org/netconf/yang-security-considerations.txt
This page is not found.
This should be corrected in rfc6087bis.


2. the new security guidelines must include RESTCONF.
At this point, this is a blocking factor for the publication of YANG module. As an example,
draft-ietf-lmap-yang-11<https://datatracker.ietf.org/doc/draft-ietf-lmap-yang/>, A YANG Data Model for LMAP Measurement Agents, on the telechat tomorrow.
As mentioned the most up to date version is https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines

Here is the proposal, discussed on the YANG doctors list:

        OLD
The YANG module defined in this memo is designed to be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF users to a pre-configured subset of all available NETCONF protocol operations and content.
NEW

The YANG module defined in this memo is designed to be accessed via the NETCONF [RFC6241] or RESTCONF [RFC8040] protocol. The lowest NETCONF layer is the secure transport layer, and mandatory-to-implement is Secure Shell (SSH) [RFC6242], while the lowest RESTCONF layer is HTTP, and the mandatory-to-implement secure transport is Transport Layer Security (TLS) [RFC5246].
The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF or RESTCONF users to a pre-configured subset of all available NETCONF or RESTCONF protocol operations and content.
Any objections?
Have covered all that we need for the new RESTCONF protocol?
Regards, Benoit


Hi,



this came up during IESG processing of a YANG module - is there a new

security guideline boilerplate text covering RESTCONF? This was

briefly discussed on the yang-doctors but somehow the discussion

stopped because RESTCONF was not published yet at that time. I think

this affects draft-ietf-netmod-rfc6087bis-12.txt.



draft-ietf-netmod-rfc6087bis-12.txt has several pointers to read

online documents - why do we need several points? I think some are

also not working. Ideally, there should be a single stable URL.



/js

v2.23.0 | Report a Bug | By Email