Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 22 April 2020 13:35 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>, Qin Wu <bill.wu@huawei.com>, "Roman Danyliw" <rdd@cert.org>
CC: "netmod-chairs@ietf.org" <netmod-chairs@ietf.org>, The IESG <iesg@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>, "draft-ietf-netmod-factory-default@ietf.org" <draft-ietf-netmod-factory-default@ietf.org>
Date: Wed, 22 Apr 2020 13:35:29 +0000

Hi Kent,


From: netmod <netmod-bounces@ietf.org> On Behalf Of Kent Watsen
Sent: 21 April 2020 16:56
To: Qin Wu <bill.wu@huawei.com>
Cc: Roman Danyliw <rdd@cert.org>; netmod-chairs@ietf.org; The IESG <iesg@ietf.org>; netmod@ietf.org; draft-ietf-netmod-factory-default@ietf.org
Subject: Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

Hi Roman,

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Please use YANG security considerations template from https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.  Specifically (as a DISCUSS item):

** (Per the template questions “for all YANG modules you must evaluate whether any readable data”) Would factory-default contain any sensitive information in certain network environments where the ACLs should be more restrictive that world readable for everyone?
[Qin]: It does follow yang-security-guidelines, but there is no readable data node defined within the rpc; that's why we don't use the third and fourth paragraph boilerplate of yang-security-guidelines. YANG-security-guidelines are more applicable to YANG data models with more readable/writable data nodes.
In addition, as clarified in the second paragraph of section 6 of this draft, NACM can be used to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations (i.e., the factory-reset rpc).

Per “The operational disruption caused by setting the config to factory default contents varies greatly depending on the implementation and current config”, it seems like it could be worse than just an operational disruption.  Please note that a default configuration could be insecure or not have security controls enabled whereby exposing the network to compromise.

[Qin]: As described in the second paragraph of section 6, it by default restricts access for everyone by using the "default-deny-all" access control defined in [RFC8341]; what else does it need to address this security concern?
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Please use YANG security considerations template from https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.  Specifically (as a COMMENT item):

** Add “The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to …”

[Qin]: We did follow this template; I am wondering how it is different from the second paragraph of section 6? I see they are equivalent but with finer-granularity security measures, if my understanding is correct.


Regarding the use of the YANG security considerations template from [1], it has been noted that the template is imperfect in several ways…

For instance, a YANG module may not define any protocol accessible nodes (e.g., they only define identities, typedefs, yang-data, or structures).  In another example, the YANG module may only define RPCs (such as in this case) and/or notifications.  In yet another example, the YANG module may be only for use with RESTCONF (not NETCONF), and thus mentioning NETCONF at all would be odd (i.e., RFC 8572).

In such cases, strict adherence to the template does not make sense.  As chair/shepherd/author, I’ve struggled with how to best satisfy the intention adequately.  Of course, each case varies, but one idea that I’ve been exploring is to start the section with a disclaimer explaining why/how template [1] is (or not) followed.  This approach is appealing as it immediately conveys to the IESG that the template was not ignored.  However, it is unappealing in that it may be wrong for the published Security Considerations section to have a link to the template.
[RW]
Perhaps add such a section in [], and mark it to be removed before publication.

E.g. [RFC Editor: Please remove this comment before publication. For reviewers:  This section has been modified from the standard template because …]

I’m obviously not saying that we need to do this for this document, just as a suggestion for future documents.

Regards,
Rob


Please advise.
Kent  // as chair and shepherd

[1] https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
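The thread above turns on how the factory-reset rpc is protected by NACM's "default-deny-all" extension (section 6 of the draft, [RFC8341]). The following is an added, constructed example, not text from the draft or from any participant, of the NACM configuration an operator would need so that only one group may execute that rpc; it assumes the module name ietf-factory-default and rpc name factory-reset from the draft, and the group and user names are made up.

```xml
<!-- Constructed example: NACM (RFC 8341) configuration that permits only
     the "ops-admin" group to execute the factory-reset RPC. Because the
     draft tags the RPC with nacm:default-deny-all, any user with no
     matching permit rule is denied, even though NACM's own exec-default
     is "permit". Module/rpc names are assumed from the draft. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>

  <!-- NACM's standard defaults; exec-default does not override the
       default-deny-all extension on the factory-reset RPC -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>

  <groups>
    <group>
      <name>ops-admin</name>
      <user-name>alice</user-name>   <!-- constructed user name -->
    </group>
  </groups>

  <rule-list>
    <name>factory-reset-rules</name>
    <group>ops-admin</group>
    <rule>
      <name>permit-factory-reset</name>
      <module-name>ietf-factory-default</module-name>
      <rpc-name>factory-reset</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
      <comment>Only ops-admin may reset the device to factory default.</comment>
    </rule>
  </rule-list>
</nacm>
```

Without the explicit permit rule, no NACM-governed session can invoke the rpc at all, which is the behaviour the draft's section 6 relies on; the rule is what narrows that to a single group rather than opening it to everyone.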