IETF Logo Mail Archive

Re: [netmod] Benjamin Kaduk's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS and COMMENT)

Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 26 September 2018 18:25 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06DC8130E25; Wed, 26 Sep 2018 11:25:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CrzHV57IF0D; Wed, 26 Sep 2018 11:25:41 -0700 (PDT)
Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2607:f8b0:4864:20::542]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE413130E09; Wed, 26 Sep 2018 11:25:40 -0700 (PDT)
Received: by mail-pg1-x542.google.com with SMTP id g2-v6so6374323pgu.11; Wed, 26 Sep 2018 11:25:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=rB0PCbrStOB912S4/MWJDjfY+v3bFrE5UybNqC5xfzs=; b=WUFkvk63vANSvEqx3+NyZoY0Jt6WkggAZV4PhSKsnydzN2vKOHrDTDGJljwsCGJ0Vt +PK4Ee1ifyPAOeQdUJy5KRHytAl+kIjjkLnkrRUPG8Z5Hijw5Yo5UmB0u0gDc/TTFixs jeWia2Ffg/6loy1SCdUS28Mz2tvlYxBnnu2BcI9IW6Bci0E78HLBXqhz4su+oswxQe8+ VYhMhdqIVwEHdEAbZbV0DNEnMWOMgE07ln9Qx6NbZpLFO0cVejte2Y2IqWmuGYkIc3Eo S9yVQKc4hvHx8OT/OBLZjCLhKxs6KM8IlCiA4iHZSKpSmcgOdtvkU8XMSVXVzfTlrAjG O2/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=rB0PCbrStOB912S4/MWJDjfY+v3bFrE5UybNqC5xfzs=; b=rMBVrKMk3Oq93FUW2WApfWMwrhysWlEXtOpALGz2F2XkMBdVDKlZDAqkpRMrN+eXSs lhi0DhY2xJ+z5cUmjkv0lmAld88MpBq4/rQm08pKkdsEj5mZhb5RHstDgE2KoL66MANz Kvo5xIT6hwTaXN8OxVxXwIfOJrQD3vnS6R/6vrT5pQV8pHScbbFjOxcoNyodkNuvhnGR mxY64n4nrGhiR7hT0qNW4RO/y1vxL+wBCHflTsoXyN8QFpwQl5X6OUiU84hjCXLbcJjE 3Rfc0dX4nImVFmEfRTI/lBwTFxFKSCNUBlWE3wKXJvPJjX3a4XvrE7mIfwhBa3/Ju1Yr N9xA==
X-Gm-Message-State: ABuFfohpHOBZ8QDcIt0SzhzxgRRy1+6RccLt9Wibi8rXqmlgSBkAqIMh Re7e5q/Px36zh7Qq3nGkbTs=
X-Google-Smtp-Source: ACcGV638WleqDa7CS+yno26xAQHmnA0vcP9Ie/gvF4i6nufDo8F3hQvWulPHHKAE30oqHw+Qs/RXNA==
X-Received: by 2002:a17:902:bf43:: with SMTP id u3-v6mr7264037pls.88.1537986340260; Wed, 26 Sep 2018 11:25:40 -0700 (PDT)
Received: from [10.52.174.170] ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id m10-v6sm7060573pgp.94.2018.09.26.11.25.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Sep 2018 11:25:38 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <8E8F2331-9C66-40BD-8A4A-0176ABD7EE09@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_83A3254A-3D8E-40C4-93EF-7AF0F3ADBCDF"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 26 Sep 2018 11:25:37 -0700
In-Reply-To: <153798309730.21505.1520623050565556854.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, NetMod WG Chairs <netmod-chairs@ietf.org>, draft-ietf-netmod-acl-model@ietf.org, netmod@ietf.org
To: Benjamin Kaduk <kaduk@mit.edu>
References: <153798309730.21505.1520623050565556854.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/UGYwHpRN4UMMoqFGdxuJVPTSFsU>
Subject: Re: [netmod] Benjamin Kaduk's Discuss on draft-ietf-netmod-acl-model-19: (with DISCUSS and COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 18:25:44 -0000

Hi Benjamin,

> On Sep 26, 2018, at 10:31 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-netmod-acl-model-19: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> I think this is good work to have, overall, and the document pretty easy to read.
> That said, I think the Security Considerations need to be expanded a bit more before
> this document get published:
> 
>                                  Write operations (e.g., <edit-config>)
>   to these data nodes without proper protection can have a negative
>   effect on network operations.
> 
> I think the effects can be on more than just *network* operations, there
> can be negative effects for end systems that (e.g.) experience DoS attacks
> that would otherwise have been blocked, receive maliciously crafted packets
> that trigger application bugs, are used as part of (e.g.) UDP amplification
> attacks, etc.

How about this?

OLD:
   Write operations (e.g., <edit-config>)
   to these data nodes without proper protection can have a negative
   effect on network operations.


NEW:
   Write operations (e.g., <edit-config>)
   to these data nodes without proper protection can have a negative
   effect on network operations and end systems. The end systems, for
   example, can experience DoS attacks that would otherwise have been blocked,
   and receive maliciously crafted packets that trigger applications bugs.

> 
>      /acls/acl/aces: This list specifies all the configured access
>      control entries on the device.  Unauthorized write access to this
>      list can allow intruders to access and control the system.
>      Unauthorized read access to this list can allow intruders to spoof
>      packets with authorized addresses thereby compromising the system.

Back in July we went through this section, and here was the change that was proposed, that Steve had accepted. Since they were provided for the current version of the draft (-19), they were not applied till we had received all the reviews. Were you looking for changes in addition to this?

OLD:
      /acls/acl/aces: This list specifies all the configured access
      control entries on the device.  Unauthorized write access to this
      list can allow intruders to access and control the system.
      Unauthorized read access to this list can allow intruders to spoof
      packets with authorized addresses thereby compromising the system.


NEW:
              /acls/acl/aces: This list specifies all the configured access
      control entries on the device.  Unauthorized write access to this
      list can allow intruders to modify the entries so as to permit traffic
      that should not be permitted, or deny traffic that should be permitted.
      The former may result in a DoS attack, or compromise the device.
      The latter may result in a DoS attack. The impact of an unauthorized 
      read access to the list will allow the attacker to determine which rules
      are in effect, to better craft an attack.


> 
> I agree with the secdir reviewer that "the system" needs to be clarified,
> and that the consequences of unauthorized write and read access need to be
> more clearly described.
> His proposed text is much better than the present text, though there are
> other ways to convey the needed information.
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> I tried to call out the editorial nits as such; there are a couple non-editorial
> comments embedded within.
> 
> Section 1
> 
>   The match criteria allows for definition of packet headers and
>   metadata, all of which must be true for the match to occur.
> 
> nit: Is this missing a word like "contents”?

I am not sure if we are, possibly because I do not understand what you mean by “contents”.  ACL rules are written to match against packet headers and metadata. They are not written to match against the “contents” of the packet.

> 
>   The matching of filters and actions in an ACE/ACL are triggered only
>   after application/attachment of the ACL to an interface, VRF, vty/tty
>   session, QoS policy, routing protocols amongst various other config
>   attachment points.
> 
> nit: I think the end of this list needs some clarification/termination,
> like "and routing protocols, amongst”

Ok. Will add the word ‘and’ after the comma. 

> 
> Section 3
> 
>                                                                  The
>   match criteria allows for definition of packet headers or metadata,
>   if supported by the vendor.  [...]
> 
> (same nit as above re "contents")
> 
>   Metadata matching applies to fields associated with the packet, but
>   not in the packet header such as input interface, packet length, or
>   source or destination prefix length.  The actions can be any sort of
> 
> nit: comma after "not in the packet header”

Ok.

> 
> Section 4.1
> 
> nit: The feature match-on-udp and -icmp descriptions should probably use
> the plural "headers" to match the other features' descriptions.

Ok.

> 
> The mixed-<blah> features seem to implicitly assume that if features X and
> Y are individually supported, then the combination is also supported.  I
> could imagine that there might exist hardware for which that assumption is
> not true, but don't know if there actually is any such hardware or it's
> common enough to be worth caring about here.

The individual feature statements exist to allow for the server to pick what the hardware supports. If the hardware does not support the combination, the server will choose not to advertise the feature statements for the combinations.

> 
>   grouping acl-counters {
>     leaf matched-packets {
>      [...]
>          An implementation should provide this counter on a
>          per-interface per-ACL-entry if possible.
> 
> nit: missing "basis"?  (Also in subsequent instances.)

Ok.

> 
> Section A.1
> 
> It's unclear that using abc@newco.com (in particular, the @newco.com part)
> in an example is reasonable; @newco.example would be better.

I do not know if a contact e-mail address, in an example of a YANG model, is significant.

Thanks.

> 
> 
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email