Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Fri, 08 May 2020 20:15 UTC

Return-Path: <rdd@cert.org>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8112F3A0EA9; Fri, 8 May 2020 13:15:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HHTSq05eFLzO; Fri, 8 May 2020 13:15:49 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 379DE3A0E11; Fri, 8 May 2020 13:15:47 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 048KFeOL007134; Fri, 8 May 2020 16:15:40 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 048KFeOL007134
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1588968940; bh=XR/QCe0w6/ytthiMV8hduz3xewGwydg1BtDug9UwRZI=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=ZqONDu87dYdB6KUu7KX6vID0LI9j6WAr6Vho1GsEqBmkNTlLoRhe91oumOSxMGcYq gnDzPNTmVYOSlu1GqzWxR4+Ar339pqZNJbk74GtpAJEF7ob7yF7oV+yfosuERB3t1u UgrSfiuYBM0n8vEr/iYDroFancJcByAVm3sWZgQo=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 048KFa6H027834; Fri, 8 May 2020 16:15:36 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Fri, 8 May 2020 16:15:35 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Fri, 8 May 2020 16:15:35 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%22]) with mapi id 15.01.1847.007; Fri, 8 May 2020 16:15:35 -0400
From: Roman Danyliw <rdd@cert.org>
To: Qin Wu <bill.wu@huawei.com>, "Rob Wilton (rwilton)" <rwilton@cisco.com>
CC: "netmod-chairs@ietf.org" <netmod-chairs@ietf.org>, Kent Watsen <kent+ietf@watsen.net>, "draft-ietf-netmod-factory-default@ietf.org" <draft-ietf-netmod-factory-default@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)
Thread-Index: AdYbdbsM0Dx0efq5/0GE+QmBUOT5vQJ/0A+w
Date: Fri, 8 May 2020 20:15:35 +0000
Message-ID: <87eb508a780c44c48324e39668f6ce09@cert.org>
References: <B8F9A780D330094D99AF023C5877DABAAD64721A@dggeml531-mbs.china.huawei.com>
In-Reply-To: <B8F9A780D330094D99AF023C5877DABAAD64721A@dggeml531-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.196]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/Ura0U2y2jd2IgT5rCKlZqhuUwTg>
Subject: Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 20:15:57 -0000

Hi Qin!

Top posting to say thanks for the updated texted that was added to -15.  It addresses my DISCUSS points.

Regards,
Roman

> -----Original Message-----
> From: Qin Wu <bill.wu@huawei.com>
> Sent: Saturday, April 25, 2020 11:00 PM
> To: Rob Wilton (rwilton) <rwilton@cisco.com>om>; Roman Danyliw <rdd@cert.org>
> Cc: netmod-chairs@ietf.org; Kent Watsen <kent+ietf@watsen.net>et>; draft-ietf-
> netmod-factory-default@ietf.org; netmod@ietf.org; The IESG <iesg@ietf.org>
> Subject: RE: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14:
> (with DISCUSS and COMMENT)
> 
> -----邮件原件-----
> 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> 发送时间: 2020年4月25日 0:54
> 收件人: Qin Wu <bill.wu@huawei.com>om>; Roman Danyliw <rdd@cert.org>
> 抄送: netmod-chairs@ietf.org; Kent Watsen <kent+ietf@watsen.net>et>; draft-
> ietf-netmod-factory-default@ietf.org; netmod@ietf.org; The IESG
> <iesg@ietf.org>
> 主题: RE: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14:
> (with DISCUSS and COMMENT)
> 
> Hi Qin,
> 
> This document was discussed today.  I think that Roman plans to follow up
> regarding the security considerations discuss.
> 
> From the discussion today, and reading the Discuss, my understanding is that
> Roman has two concerns that are more about the specific text than the use of
> the template:
> 
> 1) Concerns read access to the factory-default datastore which could contain
> sensitive information.  Perhaps read access to that datastore should default to
> nacm:default-deny-all?  If so, then this should probably be documented in
> section 3, with a sentence in section 6 to explain that is how it is protected.
> 
> [Qin]: Please See Jurgen and Andy's comment in this thread, I agree with Jurgen
> we should treat factory in the same way as running and other datastores. If any
> text is needed, I could add a few text in the section 6 based on the discussion in
> this thread:
> "
> Access to the "factory-reset" RPC operation and factory default values of all
> configuration data nodes within "factory-default" datastore is considered
> sensitive and therefore has been restricted using the "default-deny-all" access
> control defined in [RFC8341].
> "
> 2) The second point is asking to expand this paragraph:
> 
>    The operational disruption caused by setting the config to factory
>    default contents varies greatly depending on the implementation and
>    current config.
> 
> Such that the description also covers "Please note that a default configuration
> could be insecure or not have security controls enabled whereby exposing the
> network to compromise."
> 
> [Qin]:So we will see exposing factory default configuration to the network to
> compromise also as one kind of operational disruption, if this is true, here is the
> proposed change:
> OLD TEXT:
> "
>    The operational disruption caused by setting the config to factory
>    default contents varies greatly depending on the implementation and
>    current config.
> "
> NEW TEXT:
> "
> The operational disruption caused by setting the config to factory default
> contents or lacking appropriate security control on factory default
> configuration varies greatly depending on the implementation and current
> config.
> "
> If not, please advise.
> 
> I see that you are already addressing the other comments that have been
> raised.
> 
> Regards,
> Rob
> 
> 
> > -----Original Message-----
> > From: iesg <iesg-bounces@ietf.org> On Behalf Of Qin Wu
> > Sent: 21 April 2020 14:20
> > To: Roman Danyliw <rdd@cert.org>rg>; The IESG <iesg@ietf.org>
> > Cc: netmod-chairs@ietf.org; Kent Watsen <kent+ietf@watsen.net>et>; draft-
> > ietf-netmod-factory-default@ietf.org; netmod@ietf.org
> > Subject: RE: Roman Danyliw's Discuss on
> > draft-ietf-netmod-factory-default-
> > 14: (with DISCUSS and COMMENT)
> >
> > Hi, Roman:
> > A few clarification inline below.
> > -----邮件原件-----
> > 发件人: Roman Danyliw via Datatracker [mailto:noreply@ietf.org]
> > 发送时间: 2020年4月21日 20:52
> > 收件人: The IESG <iesg@ietf.org>
> > 抄送: draft-ietf-netmod-factory-default@ietf.org;
> > netmod-chairs@ietf.org; netmod@ietf.org; Kent Watsen
> > <kent+ietf@watsen.net>et>; kent+ietf@watsen.net
> > 主题: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14:
> > (with DISCUSS and COMMENT)
> >
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-netmod-factory-default-14: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-netmod-factory-default/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Please use YANG security considerations template from
> > https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.
> > Specifically (as a DISCUSS item):
> >
> > ** (Per the template questions “for all YANG modules you must evaluate
> > whether any readable data”) Would factory-default contain any
> > sensitive information in certain network environments where the ACLs
> > should be more restrictive that world readable for everyone?
> > [Qin]: It does follows yang-security-guidelines but there is no
> > readable data node defined within rpc, that's why we don't use third
> > paragraph boilerplate and fourth paragraph boilerplate of yang-security-
> guidelines.
> > YANG-security-guidelines are more applicable to YANG data model with
> > more readable/writable data nodes.
> > In addition, as clarified in the second paragraph, section 6 of this
> > draft, NACM can be used to restrict access for particular NETCONF or
> > RESTCONF users to a preconfigured subset of all available NETCONF or
> > RESTCONF protocol operations (i.e., factory-reset rpc)
> >
> > Per “The operational disruption caused by setting the config to
> > factory default contents varies greatly depending on the
> > implementation and current config”, it seems like it could be worse
> > than just an operational disruption.  Please note that a default
> > configuration could be insecure or not have security controls enabled
> > whereby exposing the network to compromise.
> >
> > [Qin]: As described in the second paragraph of section 6 it by default
> > restrict access for everyone by using the "default-deny-all" access
> > control defined [RFC8341], what else does it need to address this
> > security concern?
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Please use YANG security considerations template from
> > https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.
> > Specifically (as a COMMENT item):
> >
> > ** Add “The Network Configuration Access Control Model (NACM)
> > [RFC8341] provides the means to …”
> >
> > [Qin]: We did follow this template, I am wondering how it is different
> > from the second paragraph of section 6? I see they are equivalent but
> > with more fine granularity security measures, if my understanding is correct.