Re: [netmod] Eric Rescorla's Discuss on draft-ietf-netmod-schema-mount-11: (with DISCUSS)

joel jaeggli <joelja@gmail.com> Tue, 16 October 2018 16:05 UTC

To: Eric Rescorla <ekr@rtfm.com>, Martin Björklund <mbj@tail-f.com>
Cc: IESG <iesg@ietf.org>, NetMod WG Chairs <netmod-chairs@ietf.org>, NetMod WG <netmod@ietf.org>, draft-ietf-netmod-schema-mount@ietf.org, Kent Watsen <kwatsen@juniper.net>, Lou Berger <lberger@labn.net>
References: <CABcZeBMJmM_NaRY3GzcV4HO+BB14ooqxJ9oGrrer6nx3ZAqMxw@mail.gmail.com> <20181011.091817.1727547509052700274.mbj@tail-f.com> <CABcZeBNZ+AMXXNu7C5nvxie6NmJdJ_6FbHJXtdkxnMAN3rNGHQ@mail.gmail.com> <20181016.144545.1184951335260453665.mbj@tail-f.com> <CABcZeBPaFXsven2XOC9+CdNqEfxvO4n0RivYuWCLXu9KGFYgDw@mail.gmail.com>
From: joel jaeggli <joelja@gmail.com>
Message-ID: <68a6fced-b67d-633e-fbbc-6b3d3fe4240d@gmail.com>
Date: Tue, 16 Oct 2018 09:05:50 -0700
In-Reply-To: <CABcZeBPaFXsven2XOC9+CdNqEfxvO4n0RivYuWCLXu9KGFYgDw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/cZZxnEB2Vxcc_llJKtO9I06Kfqs>

On 10/16/18 06:00, Eric Rescorla wrote:
> I'm sorry, but I still don't think I understand the security impacts of
> this well enough to know if this text is OK.
> 
> Can you provide a more detailed explanation of what XPath expressions
> can and cannot do here? Happy to discuss live either on the phone or in BKK
I'm probably grossly simplifying the goal here, but.

XPath statements allow for referencing another path or applying
constraints, e.g. when / must (RFC 6020).

The canonical example in RFC 6020 being something like:

  container interface {
      leaf ifType {
          type enumeration {
              enum ethernet;
              enum atm;
          }
      }
      leaf ifMTU {
          type uint32;
      }
      // XPath constraints on this container, referencing its child leafs
      must "ifType != 'ethernet' or " +
           "(ifType = 'ethernet' and ifMTU = 1500)" {
          error-message "An ethernet MTU must be 1500";
      }
      must "ifType != 'atm' or " +
           "(ifType = 'atm' and ifMTU <= 17966 and ifMTU >= 64)" {
          error-message "An atm MTU must be  64 .. 17966";
      }
  }

http://www.yang-central.org/twiki/pub/Main/YangDocuments/rfc6020.html#xpath

Imposing constraints using nodes in mounted modules is kind of a key
application of schema-mount.

> -Ekr
> 
> 
> On Tue, Oct 16, 2018 at 5:45 AM Martin Bjorklund <mbj@tail-f.com> wrote:
> 
>     Hi,
> 
>     Eric Rescorla <ekr@rtfm.com> wrote:
>     > That seems like it's going to have some pretty surprising consequences and
>     > at minimum needs more information in the Security Considerations.
> 
>     Ok.  How about we add a paragraph to the end of the Security
>     Considerations section:
> 
>       Care must be taken when the "parent-reference" XPath expressions are
>       constructed, since the result of the evaluation of these expressions
>       is added to the accessible tree for any XPath expression found in
>       the mounted schema.
> 
>     /martin
> 
>     > On Thu, Oct 11, 2018 at 12:18 AM Martin Bjorklund <mbj@tail-f.com> wrote:
>     >
>     > > Eric Rescorla <ekr@rtfm.com> wrote:
>     > > > I'm sorry but I don't understand this.
>     > > >
>     > > > Does the externally visible behavior of any mounted module depend in any
>     > > > way on these XPATH references
>     > >
>     > > Yes, but note that these XPath expressions ("parent-reference") are
>     > > read-only (config false in the YANG model).  Thus they are set by the
>     > > implementation, and used to inform the operator about the environment
>     > > in which other XPath expressions are evaluated.
>     > >
>     > > /martin
>     > >
>     > > >
>     > > > -Ekr
>     > > >
>     > > > On Wed, Oct 10, 2018 at 6:38 AM Martin Bjorklund <mbj@tail-f.com> wrote:
>     > > >
>     > > > > Eric Rescorla <ekr@rtfm.com> wrote:
>     > > > > > On Wed, Oct 10, 2018 at 5:32 AM Martin Bjorklund <mbj@tail-f.com> wrote:
>     > > > > >
>     > > > > > > Hi,
>     > > > > > >
>     > > > > > > Eric Rescorla <ekr@rtfm.com> wrote:
>     > > > > > > > Eric Rescorla has entered the following ballot position for
>     > > > > > > > draft-ietf-netmod-schema-mount-11: Discuss
>     > > > > > > >
>     > > > > > > > When responding, please keep the subject line intact and reply to all
>     > > > > > > > email addresses included in the To and CC lines. (Feel free to cut this
>     > > > > > > > introductory paragraph, however.)
>     > > > > > > >
>     > > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>     > > > > > > > for more information about IESG DISCUSS and COMMENT positions.
>     > > > > > > >
>     > > > > > > > The document, along with other ballot positions, can be found here:
>     > > > > > > > https://datatracker.ietf.org/doc/draft-ietf-netmod-schema-mount/
>     > > > > > > >
>     > > > > > > > ----------------------------------------------------------------------
>     > > > > > > > DISCUSS:
>     > > > > > > > ----------------------------------------------------------------------
>     > > > > > > >
>     > > > > > > > Rich version of this review at:
>     > > > > > > > https://mozphab-ietf.devsvcdev.mozaws.net/D3506
>     > > > > > > >
>     > > > > > > > DETAIL
>     > > > > > > > S 4.
>     > > > > > > > >
>     > > > > > > > >      It is worth emphasizing that the nodes specified in
>     > > > > > > > >      "parent-reference" leaf-list are available in the mounted schema only
>     > > > > > > > >      for XPath evaluations.  In particular, they cannot be accessed there
>     > > > > > > > >      via network management protocols such as NETCONF [RFC6241] or
>     > > > > > > > >      RESTCONF [RFC8040].
>     > > > > > > >
>     > > > > > > > What are the security implications of this XPath reference outside the
>     > > > > > > > mount jail? Specifically, how does it interact with the access control
>     > > > > > > > for the enclosing module.
>     > > > > > >
>     > > > > > > There is no such interaction, since access control comes into play
>     > > > > > > when some external entity accesses the data through some management
>     > > > > > > protocol, and the nodes from the "parent-reference" expressions cannot
>     > > > > > > be accessed via management protocols.
>     > > > > > >
>     > > > > > > The last sentence of the quoted paragraph was supposed to make this
>     > > > > > > clear, but it seems we might need some additional explanation?
>     > > > > > >
>     > > > > >
>     > > > > > Yes, I think so. I guess I'm not clear on what the XPath expressions are
>     > > > > > for if they can't be accessed via the management protocols. How can they be used?
>     > > > >
>     > > > > These are XPath expressions defined in the YANG models themselves,
>     > > > > such as "must" expressions or "leafrefs".   The description of
>     > > > > "parent-reference" refers to them as:
>     > > > >
>     > > > >                [...] XPath
>     > > > >                expressions whose context nodes are defined in the
>     > > > >                mounted schema
>     > > > >
>     > > > > /martin
>     > > > >
>     > >
>
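The pattern the thread describes, as an added, constructed YANG illustration (not the draft's text and not the RFC 6020 snippet quoted above): a parent module hosts a mount point, the server advertises a "parent-reference" for it, and a "must" in the mounted module depends on that reference. Module names, prefixes, the tenant-naming convention and the "if:" prefix resolving to the parent's ietf-interfaces nodes are all assumptions.

```yang
// Constructed example (not from the draft or the thread): a parent module
// hosting a mount point, and a mounted module whose "must" relies on it.

// --- file: example-tenants.yang (parent schema; name is hypothetical) ---
module example-tenants {
  yang-version 1.1;
  namespace "urn:example:tenants";
  prefix tn;

  import ietf-yang-schema-mount { prefix yangmnt; }

  list tenant {
    key "name";
    leaf name { type string; }
    container root {
      // Data below this node is governed by the mounted schema.
      yangmnt:mount-point "root";
    }
  }
}

// The server advertises the mount in the config-false /yangmnt:schema-mounts
// tree; a narrowly scoped shared-schema/parent-reference for this mount
// point (module "example-tenants", label "root") could be, for example:
//   /if:interfaces/if:interface[starts-with(if:name, 'tenant-')]
// Only the nodes that expression selects become visible to XPath evaluated
// in the mounted schema; a broad expression (all of /if:interfaces, or the
// entire parent tree) exposes that much more to every mounted "must"/"when".

// --- file: example-tenant-vpn.yang (mounted schema; name is hypothetical) ---
module example-tenant-vpn {
  yang-version 1.1;
  namespace "urn:example:tenant-vpn";
  prefix vpn;

  import ietf-interfaces { prefix if; }

  container vpn {
    leaf bind-interface {
      type string;
      // Checked against the parent's interface list through the
      // parent-reference above, even though clients of the mounted schema
      // cannot read those interfaces over NETCONF or RESTCONF.
      must "/if:interfaces/if:interface[if:name = current()]" {
        error-message "bind-interface must name an interface exposed to this tenant";
      }
    }
  }
}
```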