Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 24 April 2020 16:54 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9DD03A0F8C; Fri, 24 Apr 2020 09:54:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=PuDcjt41; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=WjwaRkR2
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bb0BJPk8E38E; Fri, 24 Apr 2020 09:54:08 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB8453A0F98; Fri, 24 Apr 2020 09:54:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7090; q=dns/txt; s=iport; t=1587747247; x=1588956847; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=afH37EAH0Tzd7CSvLbr0b9kfk46kynROWx5AGHWSF88=; b=PuDcjt4193TBgbBo4zIair4GRq4eTeX1/uZkDT+HxAynMzhKSN5b8V+f RcXt0gLg09skkkA48nJrg0D+LwK0/lWNJJYTErKL/bpVcqajF6QR9i8oz Xt8sqQ7RWPHo3RgPHuyt0UzhrXlpOjjs2q83IWOHgLCofQ4iQSxIMG5e5 0=;
IronPort-PHdr: =?us-ascii?q?9a23=3ANMS2Xxb21y2aD5g9BfU08Ez/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el20gebRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn?= =?us-ascii?q?1NksAKh0olCc+BB1f8KavwcC0+AMNEfFRk5Hq8d0NSHZW2ag=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B1AACJGKNe/5NdJa1mHAEBAQEBBwE?= =?us-ascii?q?BEQEEBAEBPIE0BgEBCwGBU1EFbFggBAsqCoQVg0YDinKCX5gwgS4UgRADVAs?= =?us-ascii?q?BAQEMAQEjCgIEAQGERAIXgg8kNQgOAgMBAQsBAQUBAQECAQUEbYUqCCQMhXE?= =?us-ascii?q?BAQEBAxIREQwBATcBCwQCAQYCDgMEAQEDAiMDAgICMBQBCAgBAQQBDQUIGoM?= =?us-ascii?q?FgksDLgEDC5YokGcCgTmIYXaBMoMAAQEFgUZBgyUYgg4DBoEOKgGCYolWGoF?= =?us-ascii?q?BP4ERQ4JNPoJnAgECAYEsARIBCBuDEDKCLY40DiGCVKBoCoJFiAyLLYRfglq?= =?us-ascii?q?IVoR0hy2FII94iUWTOQIEAgQFAg4BAQWBVAE2ZlgRB3AVgyRQGA2BHZAXDBc?= =?us-ascii?q?VgzqFFIVCdAILKAIGAQcBAQMJfI0cAYEPAQE?=
X-IronPort-AV: E=Sophos;i="5.73,311,1583193600"; d="scan'208";a="757394687"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Apr 2020 16:54:06 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by rcdn-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id 03OGs6O3002253 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 24 Apr 2020 16:54:06 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 24 Apr 2020 11:54:06 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 24 Apr 2020 11:54:06 -0500
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Fri, 24 Apr 2020 12:54:05 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=P+h3AvKtynhI4U1di0tNLzqm/UJgFEfJsGhAncQQ11IM0SosRleGNcwbc65xhXViqs9yi1KZAc4IJCxdHr0VMw25SFcAKufzhnPIWEH3kN/AXXLnd5YlNRBl6IXaGMLCHpKRRLYIjo6ZZS1FpuKs/VaZ4RHx8QjebltdrYKqR3O5jr3FIjgP3yLPBjAiYdNK11jSqTeXVY/rogTYsQYVBTGqiWLTTEUdC8DDf0GvQwTzWA8iFXXVC41jOUejpueaFvFyPAtRD41TODmNASxety4k8elTtczjSGrux9tEIrPPKewFpgZvMiSYlGc1rcXoveGQxDHjScodJhWlGsRDGA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=afH37EAH0Tzd7CSvLbr0b9kfk46kynROWx5AGHWSF88=; b=cMwRLRbCEvtfj+163wWgUf6KiUO5b0Nw1JPlw2PwlTqemUPthDJH40JERoajUPAtaJprv0EOAz5IMEE2w3x64qfD35e2IBOH62qfEZjy5aRlh/rIR8+9UVRU99UMkn/q463HGaYaBOE/cAY4wJ07hdC+/NHCkOVoamWST8utwakemi0AGU1AwrbE46KenVXcKWfshb8xJ2KvAljG7M1LsbFLcCv6C6LXWd9Es0emiSi9FEX9KgXDmVi5O4vRVLNc6CwDMAcLT2JsG1Fr8BebwyYO9Kyfibb18HKmMLoJH2vg78d8VYt47JsLA/Jp4KkduM67k1xJPpXXaJxA2FjDSw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=afH37EAH0Tzd7CSvLbr0b9kfk46kynROWx5AGHWSF88=; b=WjwaRkR2y2uOPOp3guf2r1wa2BdBb19LQaGxYKXam/n3pr9QGSMBYu6Djm8Ng/oQF01pzYDmzMFt50EIw0AvRDjZSnqMB3nb1IihP/hTR0vW7SXZdIdYXrOJXnldISp50VjZ0BT7m0CrYzLe4PwdGmkiHQBaggSKRHO9GQrS9Bo=
Received: from MN2PR11MB4366.namprd11.prod.outlook.com (2603:10b6:208:190::17) by MN2PR11MB4600.namprd11.prod.outlook.com (2603:10b6:208:26e::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13; Fri, 24 Apr 2020 16:54:05 +0000
Received: from MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::3:2164:a8e2:33b3]) by MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::3:2164:a8e2:33b3%5]) with mapi id 15.20.2937.020; Fri, 24 Apr 2020 16:54:05 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Qin Wu <bill.wu@huawei.com>, Roman Danyliw <rdd@cert.org>
CC: "netmod-chairs@ietf.org" <netmod-chairs@ietf.org>, Kent Watsen <kent+ietf@watsen.net>, "draft-ietf-netmod-factory-default@ietf.org" <draft-ietf-netmod-factory-default@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)
Thread-Index: AdYX31BAcjZyyoisREivDOhxrSDBSwCeXy/Q
Date: Fri, 24 Apr 2020 16:54:04 +0000
Message-ID: <MN2PR11MB436656E179DA492EA53477A3B5D00@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <B8F9A780D330094D99AF023C5877DABAAD620C2A@dggeml511-mbx.china.huawei.com>
In-Reply-To: <B8F9A780D330094D99AF023C5877DABAAD620C2A@dggeml511-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rwilton@cisco.com;
x-originating-ip: [82.15.79.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 21e7c65b-47a9-4002-37c0-08d7e8701909
x-ms-traffictypediagnostic: MN2PR11MB4600:
x-microsoft-antispam-prvs: <MN2PR11MB460051AB759A6720239634C8B5D00@MN2PR11MB4600.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03838E948C
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB4366.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(39860400002)(136003)(366004)(396003)(346002)(9686003)(81156014)(55016002)(8936002)(110136005)(966005)(478600001)(86362001)(54906003)(186003)(4326008)(52536014)(2906002)(76116006)(33656002)(66946007)(66556008)(64756008)(316002)(66446008)(66476007)(8676002)(26005)(71200400001)(6506007)(53546011)(7696005)(5660300002); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eoUtvjlMJJTvfoZsmz77JZS5HD+P45VzWjaQYf9+hPR4/+Lvco236ym7LY1QmRxxcJD0cXuxlFQMeDnAfTwEV0Fo155+rgo16Ig53WRZMET85BZDLSvpemgNFC9WRn4vo+/R7VpfZI7ovrtk8yCPB4QXki5L/zBsW/VRcp4w01ZS88OEbwMeRnCbb67vi1lSTGvOtJuYenTcWr//Ovv8tXUa6sSMo9X0nQ4rusNAnbSY+sl/18Mv1uzqzqkieAiwi9vUpyZ0RdfkCyT+kmOYNjkIgKSeGVmQX4gXV3mrSQgXxusu95eSR5zAZeZxOfT1J1jGUyag1PK1e1sBxa7KS3QbIIf/QllaptR/cUtvIOt8q3695K1FZj6v3bHV/2h9zmqyjFfckvYt48FJ9auDr0qD2o+eY1VULT4rSNyt0rut5taPhF6l7RT3A5pu1GRtKd7Zp20YxHpzBC3ozIcIR7PUDPKWJgKzq9zPYtFgJ6H0ivuGcXmnGaLgnyB1kQuoHJRp0OLWPVE/uhU21cYxsQ==
x-ms-exchange-antispam-messagedata: a8ImXZpr0If0AxhH0rv63IxmAyOtISTP3joYBGtCKOkzH6Aa+lUrWBD4e7vowF9YRNSpnsOGai8WyAi1/Xpd+xUjaPrVsO0jo+Styv8sfabaNqifrQY1uikCk+dW0zlxu87Wdvz2rs7VXBFhj61f3Q==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 21e7c65b-47a9-4002-37c0-08d7e8701909
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Apr 2020 16:54:04.9300 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DFFSj5HXy74ZwEK6ytCp1xTyPjEW3naQQVuChLn5efzcdkXoLiFvMGLaQ+iI3uNDtZzLMk9cxn/FIkP1NMmzAA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4600
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: rcdn-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/edFOhav4ZXtnVm8GOGfOxPvnWPM>
Subject: Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 16:54:12 -0000

Hi Qin,

This document was discussed today.  I think that Roman plans to follow up regarding the security considerations discuss.

From the discussion today, and reading the Discuss, my understanding is that Roman has two concerns that are more about the specific text than the use of the template:

1) Concerns read access to the factory-default datastore which could contain sensitive information.  Perhaps read access to that datastore should default to nacm:default-deny-all?  If so, then this should probably be documented in section 3, with a sentence in section 6 to explain that is how it is protected.

2) The second point is asking to expand this paragraph:

   The operational disruption caused by setting the config to factory
   default contents varies greatly depending on the implementation and
   current config.

Such that the description also covers "Please note that a default configuration could be insecure or not have security controls enabled whereby exposing the network to compromise."

I see that you are already addressing the other comments that have been raised.

Regards,
Rob


> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Qin Wu
> Sent: 21 April 2020 14:20
> To: Roman Danyliw <rdd@cert.org>rg>; The IESG <iesg@ietf.org>
> Cc: netmod-chairs@ietf.org; Kent Watsen <kent+ietf@watsen.net>et>; draft-
> ietf-netmod-factory-default@ietf.org; netmod@ietf.org
> Subject: RE: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-
> 14: (with DISCUSS and COMMENT)
> 
> Hi, Roman:
> A few clarification inline below.
> -----邮件原件-----
> 发件人: Roman Danyliw via Datatracker [mailto:noreply@ietf.org]
> 发送时间: 2020年4月21日 20:52
> 收件人: The IESG <iesg@ietf.org>
> 抄送: draft-ietf-netmod-factory-default@ietf.org; netmod-chairs@ietf.org;
> netmod@ietf.org; Kent Watsen <kent+ietf@watsen.net>et>; kent+ietf@watsen.net
> 主题: Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14:
> (with DISCUSS and COMMENT)
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-netmod-factory-default-14: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-netmod-factory-default/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Please use YANG security considerations template from
> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.
> Specifically (as a DISCUSS item):
> 
> ** (Per the template questions “for all YANG modules you must evaluate
> whether any readable data”) Would factory-default contain any sensitive
> information in certain network environments where the ACLs should be more
> restrictive that world readable for everyone?
> [Qin]: It does follows yang-security-guidelines but there is no readable
> data node defined within rpc, that's why we don't use third paragraph
> boilerplate and fourth paragraph boilerplate of yang-security-guidelines.
> YANG-security-guidelines are more applicable to YANG data model with more
> readable/writable data nodes.
> In addition, as clarified in the second paragraph, section 6 of this
> draft, NACM can be used to restrict access for particular NETCONF or
> RESTCONF users to a preconfigured subset of all available NETCONF or
> RESTCONF protocol operations (i.e., factory-reset rpc)
> 
> Per “The operational disruption caused by setting the config to factory
> default contents varies greatly depending on the implementation and
> current config”, it seems like it could be worse than just an operational
> disruption.  Please note that a default configuration could be insecure or
> not have security controls enabled whereby exposing the network to
> compromise.
> 
> [Qin]: As described in the second paragraph of section 6 it by default
> restrict access for everyone by using the "default-deny-all" access
> control defined [RFC8341], what else does it need to address this security
> concern?
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Please use YANG security considerations template from
> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.
> Specifically (as a COMMENT item):
> 
> ** Add “The Network Configuration Access Control Model (NACM) [RFC8341]
> provides the means to …”
> 
> [Qin]: We did follow this template, I am wondering how it is different
> from the second paragraph of section 6? I see they are equivalent but with
> more fine granularity security measures, if my understanding is correct.