Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)

Andy Bierman <andy@yumaworks.com> Tue, 21 April 2020 16:20 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 992753A0DA4 for <netmod@ietfa.amsl.com>; Tue, 21 Apr 2020 09:20:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1GCpIuCgf8N for <netmod@ietfa.amsl.com>; Tue, 21 Apr 2020 09:20:35 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7AC03A0D91 for <netmod@ietf.org>; Tue, 21 Apr 2020 09:20:34 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id f13so7603244ybk.7 for <netmod@ietf.org>; Tue, 21 Apr 2020 09:20:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jLdF29kDKCpHHZlhWLOLmXtv8q5MmOOxKMVjwyX2DvQ=; b=PHq/5uXKbRh5W+QqnLZIljJYyoJQlNk3eAOeg0sLmjMyuhIgikZzLjioqE7hUnUwTA 3D5gdJtFx8YlmAc+ouZsm8zn6kGoN7N9MQSEcf7CagYdNIvuEh84gt/nvF40g35xorQ8 FLp4NfQe2Y5AuHyWt4YPMU4DkZlyrsOI1mqIba68ICn0XDkINO0ze0T8LySWjrmNC/Rf SdEWYU8I0p/wmog5xEjOo26+iafDdXdGVBRfuU/stJAEKjUNIuZul7o9cV4cDm+OE537 16d86wjz+/4xLW/7EC+TWYecg1ogBxLsCli6xAptuqAQCSPn8YGaZMQZ/STCAfmicN41 emeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jLdF29kDKCpHHZlhWLOLmXtv8q5MmOOxKMVjwyX2DvQ=; b=COCgMq5exl6GsDGjsnlMScHxfJ7GEqNogZUrt+Az2AzYBzvm2Pf5YLPTMomU06xkxm cU2X4cv303iIEq1HsIVWtMWx/oCO7y+NURDIAZAWr9XV4tx4vGmslnoZErJVRJkUBhsS RH4VSN46WAuCIf8ZvKTpTih9uD/0LA+tCdXjOqAUTtV1f8mSJO9U/h2SqsDMuWOoG9g/ Ts7fCNt7xtHeBiNMnIy8itubFZvfyowKmzS5sZX/hjyHLC7CWhQpsxuh+H8a8b2A+5MI z7aFrxlSpq96RHJU8nDwWooG/obXv43A8azd05voj/GkVjJ+eqBH6MURCsfbwi0Maj5E lQBQ==
X-Gm-Message-State: AGi0PuaNVMOjW+HTl8C4LiLRSvRBfHJDu6HB309/YuubzVexM2El8Ua5 jkmDIIAv8je+J4J79d3XE9OizGYrAl6lAG4H30bBDg==
X-Google-Smtp-Source: APiQypL4PwtgO0F58+jUZ3v/lawZ1bxsUDfaIAGZwWNZL2Sjl+OkTqjPExpVlklvIoOeDnkMqjPZZocqMslry//bJTI=
X-Received: by 2002:a5b:cd0:: with SMTP id e16mr5393448ybr.107.1587486030569; Tue, 21 Apr 2020 09:20:30 -0700 (PDT)
MIME-Version: 1.0
References: <B8F9A780D330094D99AF023C5877DABAAD620C2A@dggeml511-mbx.china.huawei.com> <010001719d742c56-71daa55d-c510-4ab5-937d-fbb2d78017aa-000000@email.amazonses.com>
In-Reply-To: <010001719d742c56-71daa55d-c510-4ab5-937d-fbb2d78017aa-000000@email.amazonses.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 21 Apr 2020 09:20:19 -0700
Message-ID: <CABCOCHQzoKF41cZBmg=p+Z6QbVgtpYOj0gf7BzRwQ7z9jxk=KQ@mail.gmail.com>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: Qin Wu <bill.wu@huawei.com>, Roman Danyliw <rdd@cert.org>, "netmod-chairs@ietf.org" <netmod-chairs@ietf.org>, The IESG <iesg@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>, "draft-ietf-netmod-factory-default@ietf.org" <draft-ietf-netmod-factory-default@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f0394105a3cf64a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/qyeFWqHTYyUjLb8EDMPhF7u3wmc>
Subject: Re: [netmod] Roman Danyliw's Discuss on draft-ietf-netmod-factory-default-14: (with DISCUSS and COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2020 16:20:40 -0000

On Tue, Apr 21, 2020 at 8:56 AM Kent Watsen <kent+ietf@watsen.net> wrote:

> Hi Roman,
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Please use YANG security considerations template from
> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.
> Specifically (as a DISCUSS item):
>
> ** (Per the template questions “for all YANG modules you must evaluate
> whether any readable data”) Would factory-default contain any sensitive
> information in certain network environments where the ACLs should be more
> restrictive that world readable for everyone?
> [Qin]: It does follows yang-security-guidelines but there is no readable
> data node defined within rpc, that's why we don't use third paragraph
> boilerplate and fourth paragraph boilerplate of yang-security-guidelines.
> YANG-security-guidelines are more applicable to YANG data model with more
> readable/writable data nodes.
> In addition, as clarified in the second paragraph, section 6 of this
> draft, NACM can be used to restrict access for particular NETCONF or
> RESTCONF users to a preconfigured subset of all available NETCONF or
> RESTCONF protocol operations (i.e., factory-reset rpc)
>
> Per “The operational disruption caused by setting the config to factory
> default contents varies greatly depending on the implementation and current
> config”, it seems like it could be worse than just an operational
> disruption.  Please note that a default configuration could be insecure or
> not have security controls enabled whereby exposing the network to
> compromise.
>
> [Qin]: As described in the second paragraph of section 6 it by default
> restrict access for everyone by using the "default-deny-all" access control
> defined [RFC8341], what else does it need to address this security concern?
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Please use YANG security considerations template from
> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines.
> Specifically (as a COMMENT item):
>
> ** Add “The Network Configuration Access Control Model (NACM) [RFC8341]
> provides the means to …”
>
> [Qin]: We did follow this template, I am wondering how it is different
> from the second paragraph of section 6? I see they are equivalent but with
> more fine granularity security measures, if my understanding is correct.
>
>
>
> Regarding the use of the YANG security considerations template from [1],
> it has been noted that the template is imperfect in several ways…
>
> For instance, a YANG module  may not define any protocol accessible nodes
> (e.g., they only define identities, typedefs, yang-data, or structures).
> In another example, the YANG module may only define RPCs (such as in this
> case) and/or notifications.  In yet another example, the YANG module may be
> only for use with RESTCONF (not NETCONF), and thus mentioning NETCONF at
> all would be odd (i.e., RFC 8572).
>
> In such cases, strict adherence to the template does not make sense.  As
> chair/shepherd/author, I’ve struggled with how to best satisfy the
> intention adequately.   Of course, each case varies, but one idea that I’ve
> been exploring is to start the section with a disclaimer explaining why/how
> template [1] is (or not) followed.  This approach is appealing as it
> immediately conveys to the IESG that the template was not ignored.
> However, it is unappealing in that it may be wrong for the published
> Security Considerations section to have a link to the template.
>
>

Section 3 defines a factory-default datastore.
This exposes the factory default values of all configuration data nodes.
It seems like this should be mentioned in security considerations.

The template is a guideline, nothing more.

IMO even a typedef can require some security documentation:

   typedef password {
       type string;
       description
         "contains the text password for access to all confidential server
data";
   }



Please advise.
> Kent  // as chair and shepherd
>
>

Andy



> [1] https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines
>
>
>
>
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod
>