IETF Logo Mail Archive

Re: [netmod] security considerations boilerplate updates to cover RESTCONF

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 16 March 2017 14:38 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FA03129519; Thu, 16 Mar 2017 07:38:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBmRej1Tnn3N; Thu, 16 Mar 2017 07:38:04 -0700 (PDT)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 920BE1294E7; Thu, 16 Mar 2017 07:38:04 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 6707A699; Thu, 16 Mar 2017 15:38:03 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.205]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id 2Tadrpc5TtXY; Thu, 16 Mar 2017 15:38:01 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Thu, 16 Mar 2017 15:38:02 +0100 (CET)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id DAF1E20033; Thu, 16 Mar 2017 15:38:02 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id DcuUwgHYZoOU; Thu, 16 Mar 2017 15:38:02 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 600E320035; Thu, 16 Mar 2017 15:38:02 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id C831D3EE87E7; Thu, 16 Mar 2017 15:38:05 +0100 (CET)
Date: Thu, 16 Mar 2017 15:38:05 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Alia Atlas <akatlas@gmail.com>
Cc: Kent Watsen <kwatsen@juniper.net>, Benoit Claise <bclaise@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>, "sec-ads@ietf.org" <sec-ads@ietf.org>
Message-ID: <20170316143803.GB23686@elstar.local>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Alia Atlas <akatlas@gmail.com>, Kent Watsen <kwatsen@juniper.net>, Benoit Claise <bclaise@cisco.com>, "netmod@ietf.org" <netmod@ietf.org>, "sec-ads@ietf.org" <sec-ads@ietf.org>
References: <7de29e11-f045-b0a1-808f-38044f6f7352@cisco.com> <8E887FD1-9849-4A05-A43F-CF675056A7B5@juniper.net> <1fdc07f6-0434-a490-024d-af039877ae33@cisco.com> <20170316072757.GD59114@elstar.local> <0138111b-6c95-0edc-23c4-2797312bb51a@cisco.com> <20170316075657.GF59114@elstar.local> <fc506ce0-0b56-ffbd-53a9-895c927bc5be@cisco.com> <7FB88E83-589D-4F3B-BC55-C7D0B2F858A8@juniper.net> <20170316135145.GB23450@elstar.local> <CAG4d1rfjNk3Po1_zH-xb++wcojeEfmCkFMPMBYGbPYxV2soZ1Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAG4d1rfjNk3Po1_zH-xb++wcojeEfmCkFMPMBYGbPYxV2soZ1Q@mail.gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/92WVuRIPpUUVmJ9iLxIgA4HemaA>
Subject: Re: [netmod] security considerations boilerplate updates to cover RESTCONF
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Mar 2017 14:38:07 -0000

On Thu, Mar 16, 2017 at 10:13:18AM -0400, Alia Atlas wrote:
> >
> > Keep in mind that I2RS believes in a requirement for cleartext
> > transport protocols. Perhaps this never makes it through the IESG but
> > so far it was not possible to stop this...
> >
> 
> This is solely for notifications that can be sent, just as IPFIX
> information may
> be sent unencrypted.  Those requirements are in
> draft-ietf-i2rs-protocol-security-requirements-17
> <https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/>,
> which is in the RFC Editor queue.
>

   The new features are priority, an opaque secondary identifier, and an
   insecure protocol for read-only data constrained to specific standard
   usages.

   The optional insecure transport can only be used
   restricted set of publically data available (events or information)
   or a select set of legacy data.  Data passed over the insecure
   transport channel MUST NOT contain any data which identifies a
   person.

I think your statement that it is only for notifications is wrong.
The fact that some data ships in a notification does not mean the data
is not sensitive. Furthermore, I think we all meanwhile know that
IPFIX data is highly sensitive if you have the right context
information (so the analogy is flawed). And what the heck is a 'select
set of legacy data'?

      SEC-REQ-06: An I2RS agent receiving an I2RS message over an
      insecure transport MUST confirm that the content is suitable for
      transfer over such a transport.

An agent can't decide this. It is the context information that often
decides whether a piece of information is sensitive or not. So the
only decision an agent can do is to only allow messages with empty
content over an insecure transport.

   The I2RS architecture defines three scopes: read, write, and
   notification scope.  Insecure data can only be used for read scope
   and notification scope of "non-confidential data".

I understand that the IESG approved the security requirements. I do
not know why the security ADs did let this pass - perhaps since the
document is just about requirements and they will look closer at a
solution and then ask questions what 'non-confidentail' data' is, what
a 'select set of legacy data' is, or how an agent confirms that the
content of messages is suitable for an insecure transport.

Anyway, this does not belong here, the point I wanted to make is
simply that Kent's assumption that a protocol transporting YANG
defined data is always protecting the data is not true from the
viewpoint of the I2RS proponents. Thanks for confirming this.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email