Re: [netmod] security considerations boilerplate updates to cover RESTCONF

Benoit Claise <bclaise@cisco.com> Thu, 16 March 2017 17:43 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 194761296CB; Thu, 16 Mar 2017 10:43:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5P5ViqEjYPP; Thu, 16 Mar 2017 10:43:26 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A50201296FA; Thu, 16 Mar 2017 10:43:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8737; q=dns/txt; s=iport; t=1489686205; x=1490895805; h=subject:to:references:from:message-id:date:mime-version: in-reply-to; bh=dkhzIi2WkblxC/O3jBoUtXSpTHZFgPBd9UbCoeCQFtM=; b=S+EWcnlQFn+TQk4gNDVpbuemUyDNIUjQpBBg6por4XfJ3P7H4mLKSR5U kgETVLYUshoLKW70xCrm+4zJLV8pKxgKWnk4ReljXqw55YPkQhTmAkb8p vXn0nPCPiImTazOhRwpzGNiX66wIIWZbkpVZ8DwuXQMIiWcmKUBmDpytP g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AdAQCSzcpY/xbLJq1eGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgyeBCyqOUHOQZZARgx+CD4IOLIV2AoNFGAECAQEBAQEBAWsohRY?= =?us-ascii?q?BBYEJCw4EBi5JDgYBCQMIAQEXiWUOs08riiQBAQEBAQEBAQIBAQEBAQEBAQEaB?= =?us-ascii?q?YZOggWCaoo5BZxFhneLR4F7iFsjhjCLPogPHziBBCMWCBcVhRgdgWQ/iX0BAQE?=
X-IronPort-AV: E=Sophos;i="5.36,173,1486425600"; d="scan'208,217";a="650479244"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Mar 2017 17:43:21 +0000
Received: from [10.60.67.87] (ams-bclaise-8916.cisco.com [10.60.67.87]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v2GHhKXT014717; Thu, 16 Mar 2017 17:43:20 GMT
To: Alia Atlas <akatlas@gmail.com>, Kent Watsen <kwatsen@juniper.net>, "netmod@ietf.org" <netmod@ietf.org>, "sec-ads@ietf.org" <sec-ads@ietf.org>
References: <7de29e11-f045-b0a1-808f-38044f6f7352@cisco.com> <8E887FD1-9849-4A05-A43F-CF675056A7B5@juniper.net> <1fdc07f6-0434-a490-024d-af039877ae33@cisco.com> <20170316072757.GD59114@elstar.local> <0138111b-6c95-0edc-23c4-2797312bb51a@cisco.com> <20170316075657.GF59114@elstar.local> <fc506ce0-0b56-ffbd-53a9-895c927bc5be@cisco.com> <7FB88E83-589D-4F3B-BC55-C7D0B2F858A8@juniper.net> <20170316135145.GB23450@elstar.local> <CAG4d1rfjNk3Po1_zH-xb++wcojeEfmCkFMPMBYGbPYxV2soZ1Q@mail.gmail.com> <20170316143803.GB23686@elstar.local>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <328c7b27-389a-3c58-4efd-dc5a86fedfbc@cisco.com>
Date: Thu, 16 Mar 2017 18:43:20 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <20170316143803.GB23686@elstar.local>
Content-Type: multipart/alternative; boundary="------------184BC62530535F7C5500B4BA"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/S94l6bn-Bu27YzT7CPLlk1Yo8QA>
Subject: Re: [netmod] security considerations boilerplate updates to cover RESTCONF
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Mar 2017 17:43:29 -0000

Dear all,

As discussed during the IESG telechat today, we should only focus on the 
addition of the RESTCONF bits, and not attempt to include the I2RS 
future protocol now.
Hence this minimum change proposal:

          The YANG module defined in this document is designed to be
          accessed via network management protocols such as NETCONF
          [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the
          secure transport layer, and the mandatory-to-implement secure
          transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF
          layer is HTTPS, and the mandatory-to-implement secure
    transport is
          TLS [RFC5246].

          The NETCONF access control model [RFC6536] provides the means to
          restrict access for particular NETCONF or RESTCONF users to a
          pre-configured subset of all available NETCONF or RESTCONF
          protocol operations and content. 

Regards, Benoit
> On Thu, Mar 16, 2017 at 10:13:18AM -0400, Alia Atlas wrote:
>>> Keep in mind that I2RS believes in a requirement for cleartext
>>> transport protocols. Perhaps this never makes it through the IESG but
>>> so far it was not possible to stop this...
>>>
>> This is solely for notifications that can be sent, just as IPFIX
>> information may
>> be sent unencrypted.  Those requirements are in
>> draft-ietf-i2rs-protocol-security-requirements-17
>> <https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/>,
>> which is in the RFC Editor queue.
>>
>     The new features are priority, an opaque secondary identifier, and an
>     insecure protocol for read-only data constrained to specific standard
>     usages.
>
>     The optional insecure transport can only be used
>     restricted set of publically data available (events or information)
>     or a select set of legacy data.  Data passed over the insecure
>     transport channel MUST NOT contain any data which identifies a
>     person.
>
> I think your statement that it is only for notifications is wrong.
> The fact that some data ships in a notification does not mean the data
> is not sensitive. Furthermore, I think we all meanwhile know that
> IPFIX data is highly sensitive if you have the right context
> information (so the analogy is flawed). And what the heck is a 'select
> set of legacy data'?
>
>        SEC-REQ-06: An I2RS agent receiving an I2RS message over an
>        insecure transport MUST confirm that the content is suitable for
>        transfer over such a transport.
>
> An agent can't decide this. It is the context information that often
> decides whether a piece of information is sensitive or not. So the
> only decision an agent can do is to only allow messages with empty
> content over an insecure transport.
>
>     The I2RS architecture defines three scopes: read, write, and
>     notification scope.  Insecure data can only be used for read scope
>     and notification scope of "non-confidential data".
>
> I understand that the IESG approved the security requirements. I do
> not know why the security ADs did let this pass - perhaps since the
> document is just about requirements and they will look closer at a
> solution and then ask questions what 'non-confidentail' data' is, what
> a 'select set of legacy data' is, or how an agent confirms that the
> content of messages is suitable for an insecure transport.
>
> Anyway, this does not belong here, the point I wanted to make is
> simply that Kent's assumption that a protocol transporting YANG
> defined data is always protecting the data is not true from the
> viewpoint of the I2RS proponents. Thanks for confirming this.
>
> /js
>