Re: [netmod] Benjamin Kaduk's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 28 September 2018 16:40 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 230A8130E59; Fri, 28 Sep 2018 09:40:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Psyv04Lhm67q; Fri, 28 Sep 2018 09:40:18 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEAA128D0C; Fri, 28 Sep 2018 09:40:17 -0700 (PDT)
X-AuditID: 1209190e-b3bff700000073e8-a2-5bae596f4e80
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 9F.D4.29672.F695EAB5; Fri, 28 Sep 2018 12:40:16 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w8SGeDiv031250; Fri, 28 Sep 2018 12:40:14 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w8SGe9CP019176 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 28 Sep 2018 12:40:11 -0400
Date: Fri, 28 Sep 2018 11:40:09 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: The IESG <iesg@ietf.org>, NetMod WG Chairs <netmod-chairs@ietf.org>, draft-ietf-netmod-acl-model@ietf.org, netmod@ietf.org
Message-ID: <20180928164008.GL24695@kduck.kaduk.org>
References: <153798309730.21505.1520623050565556854.idtracker@ietfa.amsl.com> <8E8F2331-9C66-40BD-8A4A-0176ABD7EE09@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <8E8F2331-9C66-40BD-8A4A-0176ABD7EE09@gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrMKsWRmVeSWpSXmKPExsUixCmqrVsQuS7aYMNVDotfn3YzWcz4M5HZ 4vSbdWwWq3vVLOZfbGR1YPXYOesuu8eSJT+ZApiiuGxSUnMyy1KL9O0SuDL+HDvPXrDTruLO 4rPsDYxP9bsYOTkkBEwkXm24xgxiCwksZpLoec3axcgFZG9klFh+byE7hHOVSeJOwy92kCoW AVWJ6e/fgdlsAioSDd2XwbpFBAwlTh14wQRiMwu0M0osOJYLYgsL5En8ufoCrJ4XaFv3nKnM EEMbGCWuP26CSghKnJz5hAWiWV3iz7xLQEUcQLa0xPJ/HBBheYnmrbPBdnEK2Er0X2sHaxUV UJbY23eIfQKj4Cwkk2YhmTQLYdIsJJMWMLKsYpRNya3SzU3MzClOTdYtTk7My0st0jXWy80s 0UtNKd3ECA55Sb4djJMavA8xCnAwKvHwzrBfFy3EmlhWXJl7iFGSg0lJlPeyClCILyk/pTIj sTgjvqg0J7X4EKMEB7OSCO++6rXRQrwpiZVVqUX5MClpDhYlcd4JLYujhQTSE0tSs1NTC1KL YLIyHBxKEryJEUBDBYtS01Mr0jJzShDSTBycIMN5gIb/Dgeq4S0uSMwtzkyHyJ9iNOa4ceD/ dGaOtqfXZzALseTl56VKifMeAxknAFKaUZoHNw2UtiSy99e8YhQHek6YdyZIFQ8w5cHNewW0 iglolciBNSCrShIRUlINjGxZ1vtnqLA77dAJF2U5/unasyf2H/a3JuRNynnWseLWNBe/nAO/ Iw3/fHgvPe/z66uO8u57hbY81bm49P3V3b6rryz3UDolI7CsKK5xwlRJvXeLL8drMNzI0zTY tzeyrOzKzEv7T3FP7l7/40zsngM1c45+WSvbf95j281ze0PuHo5YH7RtmfJ7JZbijERDLeai 4kQAOEjfYDYDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/S7iOlvYFyW3qXi2vRer6cdeEc_g>
Subject: Re: [netmod] Benjamin Kaduk's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS and COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2018 16:40:21 -0000
Hi Mahesh, On Wed, Sep 26, 2018 at 11:25:37AM -0700, Mahesh Jethanandani wrote: > Hi Benjamin, > > > On Sep 26, 2018, at 10:31 AM, Benjamin Kaduk <kaduk@mit.edu> wrote: > > > > Benjamin Kaduk has entered the following ballot position for > > draft-ietf-netmod-acl-model-19: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > I think this is good work to have, overall, and the document pretty easy to read. > > That said, I think the Security Considerations need to be expanded a bit more before > > this document get published: > > > > Write operations (e.g., <edit-config>) > > to these data nodes without proper protection can have a negative > > effect on network operations. > > > > I think the effects can be on more than just *network* operations, there > > can be negative effects for end systems that (e.g.) experience DoS attacks > > that would otherwise have been blocked, receive maliciously crafted packets > > that trigger application bugs, are used as part of (e.g.) UDP amplification > > attacks, etc. > > How about this? > > OLD: > Write operations (e.g., <edit-config>) > to these data nodes without proper protection can have a negative > effect on network operations. > > > NEW: > Write operations (e.g., <edit-config>) > to these data nodes without proper protection can have a negative > effect on network operations and end systems. The end systems, for > example, can experience DoS attacks that would otherwise have been blocked, > and receive maliciously crafted packets that trigger applications bugs. That looks great; thanks! > > > > /acls/acl/aces: This list specifies all the configured access > > control entries on the device. Unauthorized write access to this > > list can allow intruders to access and control the system. > > Unauthorized read access to this list can allow intruders to spoof > > packets with authorized addresses thereby compromising the system. > > Back in July we went through this section, and here was the change that was proposed, that Steve had accepted. Since they were provided for the current version of the draft (-19), they were not applied till we had received all the reviews. Were you looking for changes in addition to this? > > OLD: > /acls/acl/aces: This list specifies all the configured access > control entries on the device. Unauthorized write access to this > list can allow intruders to access and control the system. > Unauthorized read access to this list can allow intruders to spoof > packets with authorized addresses thereby compromising the system. > > > NEW: > /acls/acl/aces: This list specifies all the configured access > control entries on the device. Unauthorized write access to this > list can allow intruders to modify the entries so as to permit traffic > that should not be permitted, or deny traffic that should be permitted. > The former may result in a DoS attack, or compromise the device. > The latter may result in a DoS attack. The impact of an unauthorized > read access to the list will allow the attacker to determine which rules > are in effect, to better craft an attack. Ah, I was just looking at the -19 as-is and didn't read to the end of the secdir thread. This text is also good; I'll clear my discuss. > > > > > I agree with the secdir reviewer that "the system" needs to be clarified, > > and that the consequences of unauthorized write and read access need to be > > more clearly described. > > His proposed text is much better than the present text, though there are > > other ways to convey the needed information. > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > I tried to call out the editorial nits as such; there are a couple non-editorial > > comments embedded within. > > > > Section 1 > > > > The match criteria allows for definition of packet headers and > > metadata, all of which must be true for the match to occur. > > > > nit: Is this missing a word like "contents”? > > I am not sure if we are, possibly because I do not understand what you mean by “contents”. ACL rules are written to match against packet headers and metadata. They are not written to match against the “contents” of the packet. "definition of packet headers and metadata" sounds like something that a protocol designer or hardware vendor specifies; it's the values of those fields that a firewall device is using for its logic. > > > > The matching of filters and actions in an ACE/ACL are triggered only > > after application/attachment of the ACL to an interface, VRF, vty/tty > > session, QoS policy, routing protocols amongst various other config > > attachment points. > > > > nit: I think the end of this list needs some clarification/termination, > > like "and routing protocols, amongst” > > Ok. Will add the word ‘and’ after the comma. > > > > > Section 3 > > > > The > > match criteria allows for definition of packet headers or metadata, > > if supported by the vendor. [...] > > > > (same nit as above re "contents") > > > > Metadata matching applies to fields associated with the packet, but > > not in the packet header such as input interface, packet length, or > > source or destination prefix length. The actions can be any sort of > > > > nit: comma after "not in the packet header” > > Ok. > > > > > Section 4.1 > > > > nit: The feature match-on-udp and -icmp descriptions should probably use > > the plural "headers" to match the other features' descriptions. > > Ok. > > > > > The mixed-<blah> features seem to implicitly assume that if features X and > > Y are individually supported, then the combination is also supported. I > > could imagine that there might exist hardware for which that assumption is > > not true, but don't know if there actually is any such hardware or it's > > common enough to be worth caring about here. > > The individual feature statements exist to allow for the server to pick what the hardware supports. If the hardware does not support the combination, the server will choose not to advertise the feature statements for the combinations. I must have been misreading the YANG, then; sorry for the confusion. > > > > grouping acl-counters { > > leaf matched-packets { > > [...] > > An implementation should provide this counter on a > > per-interface per-ACL-entry if possible. > > > > nit: missing "basis"? (Also in subsequent instances.) > > Ok. > > > > > Section A.1 > > > > It's unclear that using abc@newco.com (in particular, the @newco.com part) > > in an example is reasonable; @newco.example would be better. > > I do not know if a contact e-mail address, in an example of a YANG model, is significant. I don't either, so this was just a non-blocking comment. Thanks for the quick fixes! -Benjamin
- [netmod] Benjamin Kaduk's Discuss on draft-ietf-n… Benjamin Kaduk
- Re: [netmod] Benjamin Kaduk's Discuss on draft-ie… Mahesh Jethanandani
- Re: [netmod] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [netmod] Benjamin Kaduk's Discuss on draft-ie… Mahesh Jethanandani